ERM Profiles
RiskView® ERM case study
One of our RiskView customers is a leading creator of manufactured products used in a wide variety of consumer products and packaged goods. These products include household goods, beverages, and food products. To provide customers with differentiated product offerings, the Company focuses on R&D and innovation. A member of the S&P 500 Index, the Company has sales, manufacturing and creative facilities worldwide.
As part of its focus on R&D, the Company embarked on an ERM initiative in 2008. Each functional area in the organization assigned a leader to gather and prioritize their individual risks by function. Risks were captured in Excel spreadsheets for tracking and scoring. The executive team then prioritized these functional risks into an enterprise view. Armed with this information, the Company planned to allocate resources for risk mitigation actions.
Business Challenge
Unfortunately, the gathering and prioritizing approach presented many challenges. The time and effort required to collect data, update it, and agree on priorities impacted the Company’s business operations. Additionally, the data collected was inconsistent and difficult to analyze. Compounding the problem was an expectation from the Company’s Board of Directors to sustain an ongoing ERM effort that went beyond risk mitigation to driving competitive advantage.
Rev2 was brought in and asked to review the ERM effort to date – including process, data gathering, tools, etc. – and to provide a fact-based recommendation for a path forward. Rev2 was asked to address the organization’s key challenges and improve their overall ERM effort. Our assessment identified a set of limitations and gaps in the Company’s process:
- Frequency: current assessments were gathered annually; however, risks change much more frequently.
- Perspective: risks were considered in isolation according to their functional area, without a complete Enterprise view of risk.
- Focus: risks tended to be high level and strategic, without consideration for how risks from various areas – geographic, business unit, or process risks – might impact each other.
- Scalability: the process involved too much manual, time-intensive labor, and lacked sufficient automation for scaling.
- Testing: controls and mitigation efforts were put in place without testing for impact.
Taking Action
The result of the initial phase of work was to scope a 5-step plan:
1 – Define a process and operating model to support quarterly risk reviews,
2 – Develop a normalized scoring model that allows for cross-functional comparisons of risk on a quantitative basis, adding structure to the qualitative process,
3 – Expand the ERM effort to go beyond functions by creating business unit, geographic, and value-chain risk analyses,
4 – Implement full automation to capture data inputs and perform quantitative analysis,
5 – Expand the scope of vulnerability data to capture sales and customer risks not previously sought.
Outcomes
The result was the development of a new ERM process and governance model that dramatically increased the amount of data for analysis by additional participants, while substantively reducing required organization investment. This included:
1 – Creating a new common syntax around probability by breaking it into its components of Exploitability and Susceptibility,
2 – Creating a common scale for Impact based on financial measures,
3 – Translating the risk profiles into survey instruments for data collection,
4 – Using RiskView to automate data analysis and provide the correlation engine to identify areas of risk concentration and their key drivers,
5 – Allowing quantitative, apples-to-apples comparisons of Enterprise-related risks.
For more information, please contact Rev2 at info@rev2.net.
Copyright © 2011, Rev2. All rights reserved. The RiskView® application is a registered trademark of Rev2. The Rev2 Managing Risks That Matter™ logo design and the Risk Concentration Analysis™ (RCA) methodology are trademarks of Rev2. All other trademarks in this document are the properties of their respective owners.