Six Sigma and Enterprise Risk Management
BY Michael Young
Much has been written about the increasing uncertainty enterprises face due to globalization, restructuring, changing markets and increased competition. An increased call for transparency is causing organizations to focus on the benefits of enterprise risk management (ERM). Leading companies are using the methods and tools of Six Sigma to improve existing processes so they can better incorporate and generate information regarding risk.
The Benefits of Enterprise Risk Management
ERM, a framework for risk management, improves an organization's ability to accept the right amount of risk to capture strategic opportunities. Companies can avoid negative operational and financial surprises and conduct both internal and external reporting with greater confidence, allowing executives to govern and manage the business better.
Risk management also creates value by providing enhanced capabilities to align risk appetite and strategy, linking growth, risk and return. ERM minimizes operational surprises and losses, identifies and manages cross-enterprise risks, enables an integrated response to multiple risks, and facilitates a more informed risk-based decision making capability.
Listening to the Voices
An ERM program must consider the following voices:
• Voice of the
regulator (VOR) - Rating agencies, such as Standard and Poor's and
Moody's Investors Service, evaluate risk management actions and
capabilities. U.S. Stock Exchange listing requirements mandate that the
audit committee of a company's board of directors discuss guidelines and
policies as they apply to risk assessment and management. Rules of the
U.S. Securities and Exchange Commission emphasize an added focus on risk
management, including section 404 of the Sarbanes-Oxley Act. And
updates to the a company's internal audit standards require the internal
audit team to evaluate risk management capabilities.
• Voice of the business (VOB) - One of the challenges facing the leadership of any enterprise is to quantify how much uncertainty the enterprise is prepared to accept. The entity must focus on this to create value for its stakeholders.
• Voice of the customer (VOC) - Customers who purchase the organization's products or services also provide feedback regarding a set of attributes they use to compare one competitor to others. VOC is the final source of critical requirements, which become performance targets for the enterprise's processes.
Six Sigma provides a methodology and tools to allow leadership to translate VOR, VOB and VOC into specific attributes that can then be quantified to establish performance requirements. The enterprise then uses data to measure variability against these requirements. Root causes of variability are then identified, quantified and eliminated. Finally, internal controls and measures are incorporated into a performance management system.
Six Sigma is directly linked to helping an organization focus on four common objective categories: strategic, operations, reporting and compliance.
Leadership must translate the vision of the organization into both the strategies and values required to achieve that vision. These, in turn, determine the key improvement initiatives and desired behaviors necessary to align the business and the people with the vision.
Business strategy also determines the core business processes the organization will use to create products and services for the marketplace. Process output metrics, determined by VOC, VOB and VOR, help to identify and prioritize improvement initiatives to achieve strategic goals and objectives. Measurement provides justification, rationale and guidance regarding the nature and scope of the allocation of investment in improvement. Effective process improvement and pursuit of Six Sigma quality requires businesses to understand and quantify the cause-and-effect relationships of every element of their operations.
A business that wants to improve must begin by viewing itself from the perspective of its customers. How do customers view a business? Customers look at a business in terms of their experience regarding the use of its products and services. Most customers see little or none of the functions and departments that make up the business. They see only the outcomes of its business processes, such as a software package, an ATM receipt or a credit card statement.
Businesses that want to improve must learn to view themselves in terms of the processes that deliver market-differentiating products and services to its customers. The core business processes that provide products and services to customers are horizontal, and require the participation of virtually everyone in the business. Improving customer satisfaction requires that a business understand and improve these processes, while breaking down the functional silos that typically exist.
A risk management program must consider activities at all levels of the organization. In addition to the core business processes that serve the customer, there are internal enabling processes that can affect overall performance. An enabling process supports one or more core business processes, typically by supplying inputs that if left unmanaged could negatively impact the core performance. Examples of enabling processes include human resources, legal and information technology.
ERM also applies to those Lean Six Sigma initiatives that may not have a specified place in the organization's hierarchy or organization chart, but have been deemed critical to the enterprise's long-term success by the leadership team and must be managed accordingly.
External reporting requirements are defined by the VOC and VOR, and internal by the VOB. Adherence to these reporting requirements should be measured, as any other process, and process performance metrics should be calculated, just as any other output. These process output metrics can be monitored through corporate dashboards or balanced scorecards. The most valuable metrics to the organization are those at the process level that measure efficiency and effectiveness.
Regulatory compliance relies on the activities and controls that make up the process. Companies should consider regulatory agencies another customer of the process, and ensure that they incorporate VOR into their performance requirements and measurement systems.
Most processes include value-added, operational-value-added and non-value-added activities to meet these critical compliance requirements. The value-added activities typically address the VOC and VOB. To satisfy the VOR, operational-value-added steps are included. Non-value-added steps normally evolve to compensate for inefficient processes that may fail the compliance test. By applying the concepts of Six Sigma, compliance can be improved and operating costs reduced.
Method for Managing Risk
There is a synergistic relationship between ERM and Six Sigma. The continuous improvement methodology assists leadership in managing both the operations of the organization and the inherent risk associated with it. Six Sigma is not "something else to do," but rather a robust framework in which an organization can manage its risk across the enterprise.