S&P 500 Case Study
Accomplished | Reliable | Cost Effective
The most potentially devastating risks to your business are lying beneath the surface. Our team of Business Risk Analytics professionals will help you find them.
Rev2 Case Study: ERM
One of our customers is a leading creator of manufactured products used in a wide variety of consumer products and packaged goods. These products include household goods, beverages, and food products. To provide customers with differentiated product offerings, the Company focuses on R&D and innovation. A member of the S&P 500 Index, the Company has sales, manufacturing and creative facilities worldwide.
As part of its focus on R&D, the Company embarked on an Enterprise Risk Management (ERM) initiative. Each functional area in the organization assigned a leader to gather and prioritize their individual risks by function. Risks were captured in Excel spreadsheets for tracking and scoring. The executive team then prioritized these functional risks into an enterprise view. Armed with this information, the Company planned to allocate resources for risk mitigation actions.
Unfortunately, the gathering and prioritizing approach presented many challenges. The time and effort required to collect data, update it, and agree on priorities impacted the Company’s business operations. Additionally, the data collected was inconsistent and difficult to analyze. Compounding the problem was an expectation from the Company’s Board of Directors to sustain an ongoing ERM effort that went beyond risk mitigation to driving competitive advantage.
Rev2 was brought in and asked to review the ERM effort to date – including process, data gathering, tools, etc. – and to provide a fact-based recommendation for a path forward. Rev2 was asked to address the organization’s key challenges and improve their overall ERM effort. Our assessment identified a set of limitations and gaps in the Company’s process:
- Frequency – the Company was gathering current assessments annually; however, risks change much more frequently.
- Perspective – risks were considered in isolation according to their area of functionality, without a complete Enterprise view of risk.
- Focus – risks tended to be high level and strategic, without consideration for how risks from various areas – geographic, business unit, or process risks – might impact each other.
- Scalability – the process involved too much manual, time-intensive labor, and lacked sufficient automation for scaling.
- Testing – controls and mitigation efforts were put in place without testing for impact.
The result of the initial phase of work was to scope a 5-step plan:
1 – Define a process and operating model to support quarterly risk reviews,
2 – Develop a normalized scoring model that allows for cross-functional comparisons of risk on a quantitative basis – add structure to qualitative process,
3 – Expand the ERM effort to go beyond functions by creating business unit, geographic, and value-chain risk analyses,
4 – Implement full automation to capture data inputs and perform quantitative analysis,
5 – Expand the scope of vulnerability data to capture sales and customer risks not previously sought.
The result was the development of a new ERM process and governance model that dramatically increased the amount of data for analysis by additional participants, while substantively reducing required organization investment. This included:
1 – Creating a new common syntax around probability by breaking it into its components of Exploitability and Susceptibility,
2 – Creating a common scale for Impact based on financial measures,
3 – Translating the risk profiles into survey instruments for data collection,
4 – Using our proprietary tools to automate data analysis and provide the correlation to identify areas of risk concentration and their key drivers,
5 – Allowing quantitative, apples-to-apples comparisons of Enterprise-related risks.
Every year we either expanded the scope or refined the focus to match the changing needs of the company and the global environment it operated in. The primary focus of the previous ERM approach was to measure and rank risks by business function. The process consisted of:
- Building a risk-inventory per functional area driven by issue/cause pairs.
- Generating questions to quantify the external, internal and impact factors for each risk item.
- Conducting company-wide surveys with key individuals to collect responses.
- Performing data analytics to measure and rank the risks based on the information collected.
- Consolidating the information for board presentation on an annual basis.
For the 2015 ERM initiative, a new approach oriented toward identification of existing and emerging risks will be adopted, rather than the previous focus on measurement.
The new process is designed to be more flexible. It will:
- Significantly reduce the workload on the respondents by eliminating the survey-driven data collection process.
- Directly address key areas of concern as identified by the board members.
- Provide increased frequency of reporting with the ability to provide follow-up status on action items.
- Address the more subjective nature of risks and their mitigation efforts.
The primary goal of the new approach is to enable team leads to identify the risks in their business function that directly affect the Company’s strategic objectives.
To arrange your Proof of Concept, please contact us at inforev2com