ERM Strategy

You, StrategyRiskRisk ManagementSecurityERM
Back

Introduction

Enterprise Risk Management (ERM) is one of the preeminent frameworks organizations use to manage risk at an organizational level (Anton & Nucu, 2020). Some researchers have suggested that ERM can serve as an important part of an organization’s strategic planning process (Do et al., 2016). Do et al. (2016) attempt to investigate this concept through case studies of organizations that have attempted to align ERM and strategic planning functions. This paper will examine whether ERM can be integrated with strategic planning and, if so, how it can be done.

Case Studies

In their article titled “Integration of ERM with Strategy,” Do et al. (2016) examine how three organizations undertook the task of integrating their ERM functions with their strategic planning functions. The three organizations in question are Mitchell Industries, Eli Lilly, and Daisy Company (Do et al., 2016). Mitchell Industries provides aerospace and information technology solutions to government customers (Do et al., 2016), Eli Lilly and Company (Eli Lilly) is a multinational pharmaceutical company (Do et al., 2016), and Daisy Company manufactures personal-care products (Do et al., 2016).

Mitchell Industries

Mitchell Industries has distinct strategic planning and ERM functions that largely operate separately from each other; however, there are three main areas where they cross paths (Do et al., 2016). The first is in the third quarter, where the ERM team delivers a risk update to the strategy team (Do et al., 2016). The second occurs at the business unit level when business unit leaders receive strategic goals from the leadership team as well as key risks from the ERM team (Do et al., 2016). The business unit leaders are then expected to merge this information when coming up with their own strategic plans (Do et al., 2016). The final area of overlap occurs when specific functional leaders receive their strategic goals and risks from business unit leaders (Do et al., 2016).

However, the business did cite a couple of specific points of friction in this integration (Do et al., 2016). The first friction point was the perceived redundancy of the ERM team from the Strategic Planning team’s point of view (Do et al., 2016). The second friction point was high levels of leadership turnover within the Strategic Planning team, which caused shifting priorities and methodologies (Do et al., 2016).

Eli Lilly and Company

Eli Lilly opted to place its ERM function inside of its Ethics and Compliance (E&C) unit (Do et al., 2016). This was done to give the ERM team more independence as the E&C unit has a direct line to the board and to give the ERM team more opportunities to identify risk within the organization (Do et al., 2016).

The company took several steps to integrate ERM with strategic planning (Do et al., 2016). The first step was to educate the company on why ERM should be integrated into other work processes and the value it brings (Do et al., 2016). Another step was to align the timing of the ERM process and the company’s strategic planning process so that these two concepts could be discussed and considered at the same time (Do et al., 2016). The business unit leaders were also assigned responsibility for the risks that were identified by the ERM team (Do et al., 2016). The final step is a review and summation of risks by the ERM team that ultimately ends up in the company’s 10-K (Do et al., 2016).

Eli Lilly has several plans to improve their integration efforts going forward (Do et al., 2016). The first plan is to improve risk identification through annual workshops (Do et al., 2016). The second plan is to establish key risk indicators that signal the need for revisions to risk mitigation plans (Do et al., 2016). The final plan is to develop an organizational understanding of how risks are connected to each other (Do et al., 2016).

Daisy Company

Integration of ERM and strategic planning at Daisy Company is being driven by the CEO (Do et al., 2016). The CEO has implemented an organizational structure of risk committees and subcommittees in an attempt to align these two functions (Do et al., 2016). Daisy Company also implemented lagging Key Performance Indicators (KPIs) to track risk and risk mitigation efforts (Do et al., 2016). The last major integration effort for Daisy Company is the inclusion of risk templates in the regular strategic planning process (Do et al., 2016).

Daisy Company plans to continue to improve its integration efforts through the implementation of new reporting procedures and dashboards (Do et al., 2016). Additionally, Daisy Company is attempting to lighten the ERM workload at the business level by leveraging the Risk Management Committee (RMC) to facilitate (Do et al., 2016). Foremost, Daisy Company believes that informal discussions between risk and strategy personnel are the key to successful integration (Do et al., 2016).

COSO Framework

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a document titled “Enterprise Risk Management—Integrated Framework” (Pierce & Goldstein, 2018). This document was “recognized as best practice guidance concerning the management of risk in organizations throughout various industries within the USA” (Pierce & Goldstein, 2018, Introduction). This original document served the industry well but had several critiques, such as immaturity and a lack of integration of strategic planning (Pierce & Goldstein, 2018).

In 2017, COSO released a document titled “Enterprise Risk Management: Integrating Strategy and Performance” (Pierce & Goldstein, 2018). This was an update to their ERM framework that sought to integrate ERM and strategic planning, going as far as to introduce the term Strategic Risk Management (SRM) (Pierce & Goldstein, 2018).

Despite the updates to the framework, Pierce and Goldstein (2018) have highlighted several potential issues. The first issue is that the original ERM framework that did not include a strategic planning component may be deeply embedded into many organizations (Pierce & Goldstein, 2018). The second issue is the tendency for organizations to separately consider strategic risk and operational risk (Pierce & Goldstein, 2018). The final issue mentioned by Pierce and Goldstein (2018) is that organizations may perceive the ERM process as a linear one rather than an iterative one.

Conclusion

Do et al. (2016) provided examples of several organizations that are making efforts to integrate their ERM processes with their strategic planning processes. While integration issues remain in these organizations, they are continuing to make iterative progress toward the goal (Do et al., 2016). Researchers have suggested that this iterative approach is the ideal way to apply continuous integration to organizations (Pierce & Goldstein, 2018). Despite frameworks such as COSO (Pierce & Goldstein, 2018) prescribing specific methodologies for integrating ERM and strategic planning, each of the cases studied by Do et al. (2016) had unique approaches for integration.

References

Anton, S. G., & Nucu, A. E. A. (2020). Enterprise Risk Management: A Literature Review and Agenda for Future Research. Journal of Risk and Financial Management, 13(11), 281. https://doi.org/10.3390/jrfm13110281

Do, H., Railwaywalla, M., & Thayer, J. (2016). Integration of ERM with strategy: Case study analysis. NC State Poole College of Management. Retrieved September 5, 2024, from https://erm.ncsu.edu/az/erm/i/chan/library/Integration_of_ERM_and_Strategy_Case_Study.pdf

Pierce, E. M., & Goldstein, J. (2018). ERM and strategic planning: a change in paradigm. International Journal of Disclosure and Governance, 15(1), 51–59. https://doi.org/10.1057/s41310-018-0033-3

© Trevor French.RSS