While Sarbanes-Oxley shook up the world of publicly traded companies and forced them to scramble to achieve compliance, it also played a pivotal role in bringing enterprise risk management (ERM) to the attention of corporate executives. Enterprise risk management, for many companies, has emerged as a value-added continuation of Sarbanes-Oxley compliance and audit efforts. Seventy-six percent of respondents in a recent survey said they either intended to expand SOX compliance into ERM or were in a stage of implementation.1
With the growing interest in ERM that has emerged in recent years, it has come to be seen not just as an initiative but as a key component of corporate strategy. The strategic importance of ERM is mentioned in the Committee of Sponsoring Organizations (COSO) ERM integrated framework definition, which states: "Enterprise risk management is a process, affected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity. . . to provide reasonable assurance regarding the achievement of entity objectives." This definition describes ERM as a part of corporate strategy that is influenced by organizational leadership and put in motion to guide the achievement of organizational goals.
Aligning ERM to Strategy through the Balanced Scorecard
To understand ERM's linkage to strategic execution, strategy and objectives have to be defined. Objectives are defined as the goals an organization strives to achieve while strategy can be understood as the action plan that is intended to ensure the achievement of objectives.2, 3 ERM requires the participation of the entire organization to be effective against the wide variety of risks that affect all business units. Similar to ERM, corporate strategy requires the action and concern of individuals and business units across the entire enterprise to achieve objectives.
Since ERM can be an integral part of strategy, it can be incorporated into performance management systems that translate strategy into actionable terms such as the balanced scorecard (BSC). The BSC is a tool that communicates strategy and strategic objectives through performance metrics that are segmented into four major stakeholder perspectives:4
A complete BSC will contain measures, targets and initiatives within each of the four perspectives, which link to strategy. Measures, targets and initiatives within the perspectives are derived out of a strategy map, a diagram reflecting the cause-and-effect relationship between the strategic objectives of the four perspectives.5 The learning/growth perspective and the internal process perspective are regarded as input perspectives because they drive results within the customer and financial perspectives (also known as outcome perspectives). At the core of the strategy map is learning and growth. The growth and development of employees is a catalyst for the performance of the organization and has a direct influence on the success of internal processes. An educated and well-trained workforce can execute more sophisticated processes, which in turn improves organizational efficiency, directly influencing the perspective of the customer. Improved efficiency from better processes can increase customer satisfaction and loyalty (better efficiency can translate into greater responsiveness or quicker service). And finally, improved customer satisfaction and loyalty can result in larger sustainable revenue streams for the organization, which translates into greater financial performance, directly impacting shareholder satisfaction.6
Figure 1: The Strategic Linkage of the Four Perspectives of the BSC (Source: Kaplan and Norton, The Balanced Scorecard)
Identifying and Communicating Risk through the Strategy Map
ERM and the BSC can integrate with each other because of the organization-wide view that each requires from users. To be effective, the BSC has to provide a balanced view of the organization to drive strategy execution and business performance across the enterprise. The BSC requires input and feedback from entities inside and outside the organization. It does not solely rely on the viewpoints of shareholders or the financial returns of the enterprise, but on the perspectives of customers, employees and other internal stakeholders. ERM is not just about mitigating operational risks or the risks that affect a specific business unit. ERM requires the assessment and management of the entire portfolio of risks that can impact any internal process, employee, customer perspective or financial result.
Strategic objectives for risk management can be built into the internal process perspective of the organizational strategy map. In the internal process perspective of a traditional strategy map, processes are segregated into four categories: operations management, customer management, innovation and regulatory/social. There are risks that can be managed within each of these categories. In operations management, there are risks that can affect supplies, logistics and production. In managing customers, there are risks behind selecting and acquiring customers. There are risks in developing new products and introducing them to the marketplace. Also, an organization's reputation can be damaged when it fails to comply with regulations. Strategic objectives related to ERM can be linked into each of these process categories to ensure alignment across the perspective and achieve broad impact.
There are also risks in the learning and growth perspective upon which ERM-related strategic objectives can be built. In hiring new talent, there are risks behind selecting potential employees. In the development of new employees, there is the risk of improperly training and supervising them. Also, there are risks behind not having an effective succession plan for the future health of the organization. ERM-related strategic objectives can be built into this perspective to mitigate the chance and impact of these risks. Specific objectives created for such risks can communicate the importance of ERM to human resources and organizational development professionals who work within the enterprise.
Applying ERM to the input perspectives can produce positive results in the customer and financial perspectives. Driving ERM in the learning/growth and internal process perspectives can yield greater control of costs and, as a result, prices can be kept at a reasonable rate for customers. ERM applied in the internal process perspective can ensure product quality, which can strengthen the organizational brand image to the customer. Every benefit provided to customers through integrating ERM in the input perspectives brings a greater opportunity to ensure customer loyalty and acquire new customers, which can drive financial results for shareholders.
The BSC can effectively align ERM efforts to strategy while communicating the relevance of risk management to individuals and business units. Through applying short (typically no more than nine to 10 words) and clearly stated strategic objectives within the organizational strategy map that communicate the mitigation of specific risks, individuals can understand how risk management aligns to their specific jobs.
ERM requires one to take a broad view of their organization to understand the risks that affect all business units. Similar to ERM, the BSC requires one to adopt a comprehensive viewpoint of the organization through its four perspectives. The BSC is a management tool that communicates strategy to the internal and external stakeholders throughout the organization. Strategy maps and the BSC can help risk managers and executives identify where risks can exist. The BSC enables ERM efforts to be aligned to corporate strategy and drive individuals to understand their roles in managing risk.
Henry Killackey is the educational services manager and founder of the Global Institute for Management.