What are the main drivers for successful ERM implementations in organizations?
Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors
Associate Professor of Law, Governance, and Ethics at York University
The police and the regulator contacted the author early in the author’s governance review process. When the author attended his first meeting with the chairman of the board of directors for Chessfield Inc. and the regulator, the regulator mentioned the word corruption explicitly. Now the New York Police Department was also investigating the conduct of some of Chessfield’s directors, by interviewing them and collecting evidence. The author’s role was to conduct a thorough governance review, with a specific focus on risk management, and report his findings and recommendations to the regulator and board of directors. Chessfield is a fictional company; however, this case is based in part on actual situations that have been modified and disguised.
CHESSFIELD INC. AND ITS BOARD OF DIRECTORS
Chessfield is a well-known American company in the sports and entertainment industry. It is headquartered in New York, and is led and governed by an outspoken and successful CEO and a blue-chip board of directors. Several directors are household names and have been on the board for many years, knowing each other in social and professional circles. One director had been on the board for 28 years, the second-longest-serving director had been on the board for 24 years, and so on. The shortest-serving director’s tenure was seven years. It was an all-male board, known fondly among a few directors as “the good ol’ boys.”
Governance and decision making were informal, and almost always by consensus. By externally viewing Chessfield, it would be difficult to glean that it had any governance shortcomings whatsoever. It had a majority of directors who were current or former CEOs, a separate chair, and other independent directors from prestigious New York professional services firms. It had three committees that were all composed of independent directors. The size of the board was 10 members. Chessfield appeared to comply at least in letter with all applicable governance regulations in place at the time.
A credible and anonymous whistle-blowing complaint had recently reached the regulator, from a possible former director or officer.
Chessfield was not a publicly traded company, but was in an industry that was highly regulated, given the potential for misuse of information and cash receipts, as well as the potential for harm (of patrons) and for organized crime.
The regulator had concerns about the compensation awarded to the CEO being approximately four times that of comparable industry peers, and potentially creating an incentive for undue risk taking; the apparent lack of internal controls over material risks, including operational risks; and possible impropriety by certain directors in using their positions for self-gain.
MESSAGE FROM THE CEO REQUESTING TO MEET THE AUTHOR
Chessfield’s CEO e-mailed the author when the author was in Dallas, Texas, at a conference, asking for a meeting within 24 hours if possible. At that meeting in New York, with the CEO and Chessfield’s legal counsel, the author was told that the company had just been put under regulatory investigation.
The author was asked whether he could assist by reviewing Chessfield’s overall governance, and, in particular, risk management and compliance practices. The board chair had recommended the author to the regulator because the author had assessed a previous board on which the chair served at the time, and the author was independent.
The author agreed to conduct the governance review of Chessfield for a mutually agreed fee under two conditions. He made it clear to the board chair, CEO, and general counsel that:
All parties agreed, including the regulator. The author was to have separate meetings with both the regulator and the New York Police Department official conducting the investigation.
GOVERNANCE DOCUMENTS, INTERVIEWS, AND ON-SITE OBSERVATION REQUESTED BY THE AUTHOR
As a starting point, the author asked for the following: any and all governance documents, including recent board minutes and meeting materials, bylaws, relevant correspondence, board and committee charters, risk registers, compensation plans, and financial statements (in no particular order).
The author, as part of his methodology and data collection, would also interview each director, each member of senior management, the internal audit function, and possibly other assurance staff. The author would also tour Chessfield’s facilities and have access to the cash room1 so he could see operations firsthand. All requests were acceded to, and the author began his work. This work took about 30 days on a part-time basis, and a report was generated to the board and endorsed by the regulator.
It soon became apparent that governance documentation at Chessfield was minimal. The board did not have guidelines; committees did not have charters; position descriptions for board leadership roles, directors, and the CEO did not exist; and meeting agendas and minutes were very sparse, with the average meeting agenda being one page with key headings only. There was no documented, board-approved strategic plan or risk appetite framework. Indeed, many material risks were not reported to the board at all.
Documentation for key board decisions, including evidence of review, reporting, assurance, due diligence, and deliberation, appeared to be either lacking meaningful content or nonexistent.
Many noncompensation committee directors neither knew nor approved what or how the CEO and the former CEO (who was also on the board as the longest-serving director) were paid. The nonexecutive board chair had a consulting stream paid to him by Chessfield, which certain other directors did not know about. The internal auditor was junior, inexperienced, and unqualified; had operational and revenue generation responsibilities; and had little exposure to, or oversight by, the audit committee. Audit committee members did not possess adequate financial literacy or relevant qualifications. The compensation committee chair rarely attended meetings in person for health reasons, and did not possess compensation expertise. His tenure as committee chair exceeded 11 years. He was a former service provider (now retired) of a large New York law firm.
CEO COMPENSATION ISSUE
There was little correspondence evidencing the basis on which total compensation was awarded to the CEO. There was a spreadsheet with a password that was provided to the author by the CEO’s assistant. When the author interviewed the chair of the compensation committee about the lack of either supporting documentation or independent assurance by a compensation consultant, the compensation committee chair told the author that the compensation committee was composed of experienced businessmen who were of the view that the CEO’s compensation was appropriate given the CEO’s performance.
The author was not provided with any CEO goals and objectives, key performance indicators, or trigger and target requirements for short-term or long-term incentives to be awarded or to vest. The foregoing items were asked for but, to the author’s knowledge, did not exist. The compensation committee chair had friendships and social relationships with a number of directors, including the CEO. The basis for the quantum of compensation awarded to the CEO (1) relative to peers or (2) relative to company performance was not explicit.
The board chair and compensation committee chair said to the author that the regulator did not have the business judgment to opine on the quantum of CEO compensation. The author responded by saying that (1) the quantum of total compensation was very high compared to industry peers of a similar size and complexity, but, more importantly and particularly given this fact, (2) there should be a visible, diligent process to employ such business judgment of directors and to explicitly link pay to performance, which appeared to be what was lacking in any event.
There were very few explicit risk management protocols or systems to identify and mitigate material risks, including operational risk in particular. In the cash room, the controls were all manual (i.e., paper, with greater capability for management override or weaker controls, it would appear), as information technology was not used. Risk identification and assessment were not documented explicitly. There was no risk function reporting directly to the board or to a committee. Indeed, there was no risk function.
There was little evidence that internal controls over operational and compliance risks were designed and/or effective, regularly tested by the internal audit function, and reported to the board or a committee. A number of directors appeared blindingly ignorant of their obligation to oversee risk management.
There was not a conflict of interest policy that applied to directors. Board guidelines did not exist to address confidentiality, the use of corporate opportunity, the treatment of inside information, related-party transactions, or identifying and adequately addressing perceived conflicts of interest. The author was unable to ascertain self-dealing, but robust policies and controls did not exist to deter, detect, monitor, or enforce anticorruption, in any event.
As mentioned previously, several directors were long-serving. Independent directors were selected originally (and to the author’s observation, still) on the basis of personal knowledge and prior working relationships. All directors, however, were believed to comply with formal independence standards in place. There was little if any documentation of such independence, of the expertise directors possessed, or of collective expertise that the board needed.
PREPARATION OF THE AUTHOR’S REPORT AND COMMUNICATION WITH THE REGULATOR
Given the foregoing, the author prepared 43 recommendations for the review of the regulator and the board of directors.
The regulator endorsed the 43 recommendations that the author provided, with minor modifications and with two additional recommendations to establish a compliance committee of the board and to have a board-approved strategic plan, which the regulator suggested and which the author incorporated into his report. There were 45 recommendations in the author’s final report, which he was now to present to the board of directors of Chessfield. The report was 14 pages long.
CHESSFIELD BOARD MEETING TO DISCUSS THE AUTHOR’S RECOMMENDATIONS
The author was invited to present his report and 45 recommendations to the full board of directors of Chessfield Inc. in New York City at 10 A.M. on a Friday morning in December. This was a special board meeting, and the author’s report was the only item on the agenda.
The author had 15 minutes to present a summary of his recommendations. (Note: The board had a full week prior to the board meeting to read the author’s report.) There was to be a 45-minute period of dialogue and questions and answers, after which the author would leave the room and the board would discuss the report in closed session.
The author was told by the general counsel that the regulator had requested to the chair of the board that the board approve a resolution adopting the author’s report in whole, supported by a commitment to implement the recommendations within the time frame prescribed in the report. The chairman of the board was to telephone the regulator shortly after the meeting to report whether this requested approval had occurred. (The regulator had told the chair early in the process that Chessfield was close to having its license to operate revoked because of the governance and risk shortcomings.)
When the author was invited into the boardroom, he saw that it was very formal. There were portraits of past directors on the walls, large mahogany chairs, and dark wood. The author did not observe any use of technology, such as laptops or tablet computers, which is typical in most boardrooms now.
At the board meeting, the author presented 45 recommendations based on his review and discussions with the regulator. A time frame for each recommendation was set out (up to eight months, eight to 12 months, and 12 to 18 months) within the report, along with independent validation and reporting back to the regulator, to ensure execution of the recommendations.
TWO CONTENTIOUS RECOMMENDATIONS
Directors accepted all of the recommendations initially except for two, which were: (1) that the three longest-serving directors (28, 24, and 23 years, respectively) resign, and (2) that a woman be selected for directorship and serve on the compensation committee in particular.
As far as the three longest-serving directors resigning was concerned, one director (28-year tenure) had, during the data collection phase, invited the author to his estate in Boston prior to the final report to tell the author how important the board was to him, and how he should be allowed to continue to serve so long as he is able. The author indicated politely that regulators are moving toward term limits of nine or 10 years to guard against entrenchment and compromising of independence over time. The author said that one of his recommendations was not only that he and two other directors should resign, but also that term limits be in place at 15 years for all incumbent directors and nine years for all new directors.
RECOMMENDING A WOMAN TO SERVE ON THE BOARD
The second issue was more contentious and surfaced at the board meeting itself. It was the author’s recommendation that a woman be added to the board.
One director remarked, “Dr. Leblanc, you want us to put a lady on the board?” (Emphasis in original remark.) Another director remarked, “Perhaps we can have a lady in a wheelchair who is a lesbian.” Many of the directors laughed at this comment.
The author indicated that evidence existed that CEO turnover is more sensitive to stock return performance in firms with a greater proportion of women; that women are more likely to join committees that perform monitoring-performing tasks; and that male directors have fewer attendance problems, the greater the number of women on the board.2 The author also indicated that the regulator had agreed to all of his recommendations, including this one, and that there was a need for the skill set of compensation and information technology literacy on the board, given prior concerns and the transformation of the industry.
This case concluded one month after the author’s presentation to the board, when the regulator asked the author to black-line, with suggested improvements, forthcoming regulations to apply to all companies under the regulator’s purview, adopting many of the recommendations the author had provided for Chessfield.
1 Part of this company’s business operation involved receiving cash directly from consumers, which was assembled, tallied, and reconciled in what is known in the industry as the “cash room.”
2 R. B. Adams and D. Ferreira, “Women in the Boardroom and Their Impact on Governance and Performance,” Journal of Financial Economics 94 (2009): 291–309.
ABOUT THE CONTRIBUTOR
Richard Leblanc is a governance lawyer, certified management consultant, and Associate Professor of Law, Governance & Ethics at York University. He holds a PhD focusing on board of director effectiveness. He has published in leading academic and practitioner journals, has advised regulators on corporate governance guidelines, and, as part of his external professional activities, has served as an external board evaluator and governance adviser for Australian Securities Exchange (ASX), London Stock Exchange (LSE), New York Stock Exchange (NYSE), NASDAQ, New Zealand Stock Exchange (NZX), and Toronto Stock Exchange (TSX) listed companies, as well as in an expert witness capacity in litigation concerning corporate governance reforms.
Operational Risk Management Case Study
DIANA DEL BEL BELLUZ
President, Risk Wise Inc.
Bon Boulangerie is a bakery business located in Oakville, Ontario. When the owner, Ray Pane, purchased the business three years ago, it consisted of a single site with baking facilities and a retail store and café. Based on market research with the bakery’s retail and café clientele, Ray began to change and expand the product offerings to increase the volume of sales and margins. He also began a new line of business, wholesaling to local restaurants and high-end grocery stores within a 20-kilometer radius of the bakery.
Based on the success over the past three years (see Exhibit 31.1), Ray has made a strategic decision to expand his wholesale business, with the goal of tripling profits over the next three years (see Exhibit 31.2). He expects to accomplish this by: (1) covering a larger territory (i.e., expanding to a 120 km radius) for wholesaling to local restaurants and independent grocery stores across the entire Greater Toronto Area, and (2) introducing a new business line, white label products that he can supply to major supermarket chains.
| (all figures in $000’s) | Year 3 | Year 2 | Year 1 |
|---|---|---|---|
| Cost of Inventories Sold | 1,349 | 1,090 | 610 |
| Marketing, General, and Administrative | 361 | 291 | 163 |
Exhibit 31.1 Financials for Past Three Years
| (all figures in $000’s) | Year 6 | Year 5 | Year 4 |
|---|---|---|---|
| Cost of Inventories Sold | 4,926 | 3,105 | 2,175 |
| Marketing, General, and Administrative | 1,301 | 816 | 557 |
Exhibit 31.2 Projections for Next Three Years
To realize this strategy, Ray has leased and outfitted a separate baking facility to be primarily dedicated to supplying the wholesale business. Ray also hired a full-time vice president of sales and marketing (see Exhibit 31.3 for a summary of the Bon Boulangerie management team) to take over from him on the wholesale side. Finally, he purchased a second previously owned delivery truck and hired a full-time distribution manager.
Growth in the first three years is attributable to enhancement of product offerings and continual drive to find efficiencies in operations. In year 4, the new baking facility will open. It is expected that it will take several years to add new wholesale customers and wholesale products. Therefore, there will be unutilized capacity in the new facility. It is anticipated that expanding the wholesale business will, at least initially, require an increased level of product development, marketing, sales, and distribution.
Exhibit 31.3 The Bon Boulangerie Team
ABOUT THE CONTRIBUTOR
Diana Del Bel Belluz is the President and Founder of Risk Wise Inc., a risk management consulting firm that provides advice and support to executive leadership teams and boards who want to achieve more effective, proactive, and strategic management and oversight of risk. Her forte is helping leaders to solve the people issues associated with bringing enterprise risk management (ERM) to life in their organizations. Diana advances the practice of ERM through her thought leadership as an educator, conference organizer, speaker, and author of ERM resources, including numerous articles, book chapters, and the Risk Management Made Simple Advisory, a quarterly publication of ERM implementation tips and resources available at www.riskwise.ca. She also wrote Chapter 16, “Operational Risk Management,” of the book Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, edited by John Fraser and Betty J. Simkins (John Wiley & Sons, 2010). She holds bachelor’s and master’s degrees in systems design engineering from the University of Waterloo and is a professional engineer.
Turning Crisis into Opportunity
Building an ERM Program at General Motors
MARC S. ROBINSON
Assistant Director, Enterprise Risk Management, GM
LISA M. SMITH
Assistant Director, Enterprise Risk Management, GM
BRIAN D. THELEN
General Auditor, GM
This case study chronicles the ground-up implementation of enterprise risk management (ERM) at General Motors Company (GM), starting in 2010 through the first four years of implementation. Discussion topics include lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.
I think risk management is an element of all good executive management teams and boards. It will ensure viability in downturns and high-risk periods. I think if that is done not only within the automotive industry, but on a global and specifically on a national scale, economies will be in better shape because it is additive. If everybody is doing their job in assessing and understanding risk, the ultimate outcome will be much more positive for our national economy and society, and it is incumbent that corporate leadership understands that responsibility.
—Daniel F. Akerson, Chairman and Chief Executive Officer, General Motors, October 2012
BACKGROUND AND IMPLEMENTATION
The enterprise risk management (ERM) program at General Motors was founded in late 2010 at the direction of GM’s then newly appointed chief executive officer (CEO), Daniel F. Akerson, who sought to leverage the program as another means to achieve a competitive advantage in the industry. Having gone through bankruptcy in 2009 as a new board member, Akerson felt that a more robust risk management program would help guide the organization around the drivers of killer risks1 going forward. His goal was to help the company ensure that it was prepared, agile, and fast to respond in an ever-changing world. Perhaps most importantly, Akerson wanted an ERM program that would focus not only on risks but on opportunities as well.
A chief risk officer (CRO) was selected and appointed from within, and the Finance and Risk Policy Committee of the board of directors was chartered to oversee risk management as well as financial strategies and policies. In support of the program, a senior manager and director joined the team. Risk officers were also identified and aligned to all direct reports of the CEO; this helped to ensure that all aspects of the business were covered. The CEO is the ultimate chief risk officer, and his direct reports are the ultimate risk owners. Members of the risk officer team were carefully selected by senior leadership based on their strong business experience, financial acumen, and most of all their ability to lead in the identification and discussion of risk in an objective and transparent manner. These representatives were expected to actively participate in the evolving ERM program while still handling their existing responsibilities.
In 2011, the general auditor and CRO roles were combined, and in support of this change, the Audit Committee assumed oversight of risk management. The Finance and Risk Policy Committee continued its focus on financial policy and decision making.
GENERAL MOTORS’ APPROACH TO ENTERPRISE RISK MANAGEMENT
The ERM process was built with GM’s vision in mind: to design, build, and sell the world’s best vehicles (see Exhibit 34.1). The process itself was geared toward the identification and management of key (potential “killer”) risks. The ERM team assisted line management in developing a list of top company risks, identifying risk owners, assisting management in the development of risk mitigation plans in conjunction with the management teams, providing ongoing monitoring, and reporting results to senior management and the board.
Exhibit 34.1 GM Risk Management Process
The scope of GM’s initial ERM program intentionally did not fit the typical ERM definition of an all-encompassing, holistic approach. As a bottom-up implementation, senior leadership wanted ERM to focus on those elements of risk and opportunity that were most important to the company. We at GM have since enhanced our program with additional high-impact features, which are detailed later in this chapter.
Overall, however, our approach was to move away from the typical ERM view, which focuses on “what can go wrong.” We took a more actionable view of “what can go right,” placing emphasis on both opportunities and risks, to ensure that we were leveraging our ERM program to be well-positioned in the industry.
LESSONS LEARNED: IDENTIFYING RISKS
A critical success factor that has been a part of our program since inception has been to continually seek out several views, including views from sources outside the company, of risks that the industry and company may face. In addition to regular meetings with our risk officers, we conducted a number of focus groups and workshops to gain insight into potential blind spots that may exist, and to capture various views on emerging risks. To solicit this information, we reached out to deep thinkers and those with broad business experience both within and outside of our organization and sought input across demographic groups, including Generation Ys or recent college graduates and young professionals.
The careful attention devoted to capturing several perspectives from various demographics, both inside and outside of the organization, has led to some great successes and has consistently influenced the composition of our top risks list. Our commitment to seeking out diverse views has helped us to avoid confirmation bias,2 and helped us to ensure that we are not seeing our world through rose-colored glasses.
LESSONS LEARNED: DEVELOPING TOP RISKS LISTS AND REPORTING TO SENIOR MANAGEMENT
There is a tendency to underestimate risks. If you go back and look at the problems we ran into over the last four to five years, everybody knew there was a housing bubble there. Everybody knew the banks and others were stretched out. But rather than face up to the fact that you had this huge risk and understand what the consequences were of the risk materializing, it was relatively easy to say, “Well, it is a low-probability risk, so let’s go on—things look good.” It may be a low-probability event, but those low-probability events have a way of materializing, and therefore we need to better understand what happens.
—Mustafa Mohatarem, Chief Economist, General Motors, October 2012
While we understand the value of assessing probability and impact for risks, we have made additional improvements to our process for ranking and prioritizing risks. In the past, we facilitated meetings at which our risk officers were asked to score proposed risks individually along defined impact and probability scales. The output of the session was a typical “heat map” with risks that were ranked or plotted based on probability and impact scores.
However, we quickly learned that not only was this a very tedious process, but it injected a great deal of subjectivity since many of the participants did not really have specific knowledge of these parts of the business. We have also learned from various world events, such as the Fukushima disaster in Japan, that there may be a tendency to dismiss risks with the potential for very high impact because they have a very low probability of occurring. These low-probability events are often risks that companies cannot afford to miss. As we looked back on what has worked well or needed improvement, we thought there was a better way to provide our board and other stakeholders with more meaningful and actionable information. This prompted us to make a number of changes to improve the program.
First, we gave the responsibility for assessing the probability and impact ratings related to risk to the senior executives who were assigned the primary responsibility for overseeing the risks, since they were uniquely positioned to provide the most accurate assessment. We stopped the practice of asking risk officers to vote on impact and likelihood levels. Instead, when developing (or refreshing) the top risks list, we employed a real-time, web-based pairwise comparison3 tool to assist in prioritizing the risks in relation to each other. When developing our top risks, we briefed participants (risk officers) with precise risk descriptions to help enable their decisions when voting on each risk pair. Once we completed the various pairing sequences, the tool generated our preliminary risks list. This preliminary list was then subjected to various sense checks4 prior to delivering a proposed top risks list to our senior management or board.
Second, we moved away from using a ranked top risks list altogether. Too much time was being spent on whether a risk should be number 3 or number 5, for example, when the choice did not at all affect how the ERM team or management would address the risk. We moved instead to a three-tiered approach (Exhibit 34.2), which more broadly separated risks by their relative importance. We did not limit ourselves to any predefined number of risks in any given tier; we looked for natural breaks in terms of concurrence on what is a top risk (often looking at the pairwise scoring) versus what is more of an emerging risk.
Exhibit 34.2 Three-Tiered Approach
Third, we focused on using three measures—the levels of inherent, current, and residual risk—as indicators of where the organization currently viewed the effect of its mitigation activity and where the level of risk was expected to be upon completion of the mitigation plans. We created a five-point scale with definitions surrounding the ratings for inherent and residual risks (see Exhibit 34.3), and asked the respective risk officers to provide these assessments in consultation with their Executive Committee members (GM senior leaders reporting directly to the CEO) using the ERM risk template. While just a minor modification to the previous ERM risk template, this assessment of current and expected future risk levels quickly became a focal point for senior management and the board committees when presented. With current and future risk levels now documented, we were able to provide the board with better insight into the status and projected movement of our top risks (see Exhibit 34.4). We continued to provide the standard heat map of risks, but the new chart provided the type of forward-looking insight and status that heat maps do not provide. The new chart has been very well received and we continue to utilize it.
Exhibit 34.3 Five-Point Scale
Exhibit 34.4 Heat Map
LESSONS LEARNED: UNDERSTANDING CORPORATE CULTURE
The ERM implementation at General Motors has enjoyed great success for several reasons: There has been excellent support from the CEO and senior management; we have a strong, knowledgeable, and highly engaged ERM team and risk officer organization that touches every part of the business; and we have been able to garner proactive involvement through understanding and properly leveraging corporate culture.
We recognized early on that we would need to ensure that the ERM environment at General Motors was an open forum where people could share freely. In fact, the importance of objectivity and transparency cannot be overstated in terms of the success of any ERM program. Perhaps it is attributable to human nature, but we found in the past that people had a tendency to identify a problem and keep it to themselves while they tried to resolve or address it, rather than putting it on the table for discussion. As this was not the culture that we wanted in the ERM program, we reduced the probability that this would occur by selecting the right people to lead by example.
We looked for several specific traits when selecting our risk officers:
To the extent that we had any concerns regarding the ability of participants to be objective and transparent, we were able to largely avoid these issues by seeking out and selecting the right risk officer team members. The team has been highly engaged, and we are beginning to see evidence of this culture spreading through their various areas of accountability. We are now at the point where our services are often on a “pull” rather than “push” basis, which has been very rewarding to achieve.
My role as a risk officer is to look across the product development enterprise, and identify risks which are systemic that we may already be addressing, but I am taking a look to make sure that the risk is sufficiently addressed. Or, in the case of where it is a new technology or a new risk, working with the owner to take a look from a strategic perspective. What can they do more? What can they do better in terms of addressing the risk? Are they engaging all of the cross-functional groups? Do they really understand the societal impacts of the technology they are putting in place? As engineers, we tend to think about F = MA,[5] but this is about expanding the scope a little bit more so that we take it at a holistic level.
The ERM program gets quite a bit of support from senior leadership. We regularly review the status of our projects with leadership and we also seek advice and guidance from them on where they see risks in the enterprise that we might not otherwise be addressing in our regular channels.
—Katherine Johnson, Director, Global Product Development, General Motors, October 2012
We also understood that our risk officers came from various functional and regional positions, and would not necessarily be experts in risk management. As a result, we created an orientation/training for risk officers that was very well received. Once the first two individuals were given the orientation we did not have to contact anyone else to take it, as word quickly spread because it was seen as value-added and good use of their time. Risk officers contacted us to ask for the orientation, and this positively impacted the engagement of our program participants.
It was during these orientations that we learned more about various micro cultures in the company. One of the slides in the orientation talked about various risk management techniques: to avoid, accept, reduce, or transfer risk. Early on, as we explained the slide to one risk officer—that there are many ways to deal with risk—he had an insightful comment: “You know, I am really glad that you are implementing this program. Some think that risk is bad and you have to eliminate it 100 percent.”
The orientation sessions provided an environment for healthy discussions about risk being ubiquitous and therefore always a part of doing business. We stressed that the intention of this program was to manage risk, not attempt to eliminate all risk. To reinforce this, we discussed different ways to deal with identified risks, including accepting them. Going forward, we verbally included these points with every risk officer orientation. This was another means for us to support the transparency and objectivity we sought—people would not feel comfortable talking about risks openly if they thought there was a corporate culture that mandated all risk was to be eliminated.
Our orientation session also included discussions about our risk templates (see Exhibit 34.5). While companies, including General Motors, seem to embrace the use of red-yellow-green-colored charts, the problem of course is that the use of red is often associated with a failure or poor result. We were concerned, given the prior comments, that people might not adequately assess their risks if they believed the point of the program was to make everything green on the charts. At one of our risk officer meetings, a risk officer presented a chart showing a key risk that was rated with an orange color, both before and after mitigation efforts. We took time in the meeting to point this out—that some risks “are what they are”—and there is only so much we can do to be prepared. The point is not to get the risk to be rated green, but to assess it accurately for what it is, and to ensure that we are prepared and doing everything we reasonably can to deal with it.
Exhibit 34.5 Risk Template
LESSONS LEARNED: STRATEGIC RISK MITIGATION AND DECISION SUPPORT
The central philosophy of GM’s ERM approach is that the responsibility for risk mitigation and opportunity seizing rests with the operational leaders of the company. No staff can or should address all the varied risks of the company; they lack the awareness, expertise, manpower, and authority. But ERM can provide—and has at GM even at this early stage—enormous value beyond the core and critical functions of risk identification and risk education. This is essential to have enterprise risk management rather than enterprise list management. GM’s ERM is able to provide this value because of a combination of a unique perspective and expertise in a set of analysis, facilitation, and decision-support tools of particular relevance to risk mitigation and opportunity seizing.
Through the risk identification process, ERM staff is exposed to the entire range of global functions and issues, along with internal assessments of corporate strengths and weaknesses, in a way that is typically limited to senior management. Risk identification also requires engaging with internal and external thought leaders and experts to think through emerging risks and blind spots to create an information base similar to a partner at a strategy consulting firm. The assignment to focus on risk and opportunity, with a corporate perspective and without operational responsibilities, gives a frame of mind and freedom for strategic thinking that is often helpful to decision makers.
At GM, the unique perspective within ERM is made more valuable with a set of tools that helps decision makers better understand and evaluate issues involving external risks and opportunities, and thereby improve their decisions. Any list of top risks will have both internal risks—typically involving execution or compliance—and external risks, whether from shocks, predictable events, evolutionary changes, or actions from outside actors like competitors, current or potential partners, dealers, suppliers, governments, or unions. Internal execution risks are usually managed with special focus from operating units, while compliance risks are typically addressed by education and controls monitored by specialized staffs such as security, information technology, human resources, legal, tax, and audit.
External risks, on the other hand, are more difficult for operating leaders to evaluate and react to appropriately. There is a natural human tendency to think that tomorrow’s external environment will be like today’s, only better. Operating leaders tend to focus on their own strategies, worldviews, and “day jobs,” failing to fully consider external players and uncertain events.
Even in a negotiation, the tendency to focus on the company’s perspective can be a problem. Of course, the negotiating team is aware of the other party at the table—whether a union, supplier, or potential partner. But even experienced negotiating teams can benefit from thinking through systematically what is truly important to both sides and how to improve negotiating leverage and to frame issues. However, the biggest blind spots for negotiators usually relate to parties not at the table or to the aftermath of a deal. For example, GM often engages in bargaining with its labor unions while those unions are simultaneously bargaining with other companies in the industry. Understanding the perspective and issues in those parallel negotiations can be important to the outcome at GM, particularly since there is often an expectation that the pattern established with one company will apply to others. Union locals or subgroups can also have powerful effects on the final outcome. In other contexts, predicting possible rejection by regulators may lead to a different strategy on a merger or acquisition deal, or understanding legislative risk might alter a corporate initiative. Identifying stresses and differences in interests in advance can lead to favorable restructuring of a joint venture or early resolution of an underlying issue.
GM’s ERM staff has adapted a set of tools designed to improve decisions in complex, multiplayer situations or issues. The approach usually involves organizing workshops with cross-functional leaders and subject matter experts, facilitated by ERM staff. When the issue or event is known—such as a major current negotiation or an announced change in fuel economy regulations 10 years in the future—the workshop focuses on answering three questions:
The importance of thinking through these questions systematically can be shown in a mistake from GM’s past. Like other auto companies, GM relies on independently owned dealers to sell its vehicles. In the late 1990s, some GM executives saw the potential for significant strategic benefits from having a few company-owned dealers, such as an unfiltered exposure to shoppers and a chance to test new marketing and retailing concepts. Though it was recognized that dealers would oppose the idea and that it would be illegal in some states, extensive planning proceeded and a major initiative—GM Retail Holdings—was announced. Within days of the announcement, GM quickly realized this was a poor decision, and within months GM’s CEO went to the annual dealer association conference to announce the termination of the initiative and to apologize for it.
What happened to cause such an unfortunate outcome? First, the leaders of the initiative misread GM’s preferences. They thought that GM valued the potential benefits of the company-owned dealers more than they would regret an adverse dealer reaction. When the angry reaction came forcefully through many channels to numerous executives, it turned out that the assessment was wrong. Second, some options controlled by the dealers were not well understood. When dealers started pulling or threatening to pull some of those levers, GM recognized the decision’s downside potential. Third, the executives forgot a player—state legislatures. Legislation was introduced in several states (where GM Retail Holdings was considering the placement of dealerships) that would make company-owned stores illegal competition for the independent dealers, and it seemed likely that the legislation would pass. If you miss preferences, options, and/or a player, your strategy, negotiation, or initiative can fail.
When GM’s actions will have an impact on what the others do (see Exhibit 34.6), a form of game theory can help avoid misunderstandings. Using game theory,[6] the team can put themselves into the shoes of each player and ask whether they want each option to be taken (including options they do not control) and how important that option is relative to others on the list. With these assessments, it is possible to identify a natural outcome[7]—where momentum will lead the issue—as well as a danger outcome[8] and a target outcome[9] for GM. The information gathered is so rich that it can guide both strategy and tactics. Because there is a tight logical connection between the recommendations and the inputs provided by participants, decisions are often changed based on the analyses.
Exhibit 34.6 Game Theory
Since the combined knowledge of the participants about the external players and their options is usually strong, the predictions of their behavior are remarkably accurate. Even when there is disagreement or uncertainty about what other players want, the analysis can identify robust strategies or narrow the areas where additional information is needed. GM used to have a Defense Operations unit that once developed a design for a military vehicle that the designers thought could displace the Humvee[10] used by the U.S. Army. At the time, GM had recently acquired the Hummer brand (since discontinued), which sold a civilian version of the Humvee, so this idea generated significant controversy. Game theory analysis showed that the right actions for GM depended heavily on the preferences of the Army, with disagreement about what they were. GM leaders decided to ask the Army, inviting key generals to hear about the Defense Operations concept. The generals made clear that they had no interest in switching from the Humvee, and further investment was avoided.
The high value that GM leaders attach to the predictions and insights that the game theory process generates is reflected in the more than 120 times the tool has been deployed since 1999. The issues have included negotiations of all types, competitive strategy, public policy strategy, crisis management, and new business development, and have covered every region and most functions. Speed and efficiency are also major attractions; a complex issue can be analyzed and action plans developed and approved in less than one week. When the Risk Management function was created, a natural home for these decision-making tools became obvious.
WAR GAMING AND SCENARIO PLANNING
Even when GM decisions do not affect the decisions of other players—as often is the case with long-term product or technology strategies—it can be valuable to think through how other players will act, since that can give a more accurate and unbiased assessment of the risks and opportunities. War gaming workshops often start with known information on the strategies, strengths, weaknesses, and plans of key players. The key trend or issue that is the focus of the war game is explained; for example, there may be tighter fuel economy regulations scheduled to go into effect in some country in a few years. Then participants put themselves in the shoes of the other players and predict their responses to the trend or issue. Implications for GM’s strategy and opportunities to mitigate risks are then identified.
When events are highly uncertain or even have low probability, like an economic crisis or oil shock, it can still add value to assess how external actors would respond if the event were to occur. This helps to stress test the contingency plans and can identify potential opportunities or risks to mitigate. By adding external players to the scenario planning, the need to bring in additional functions becomes apparent. If and when the event occurs, the action or crisis team will have a broader perspective and connection to important expertise, and information will be easier to access. The ERM staff can facilitate this type of contingency planning and the cross-organization connections through the risk officer network.
Thinking through how an event can spread or become a crisis makes the organization more sensitive to signals and triggers for more intense planning and preparation. A tool that GM has used in contingency planning is “DefCon” level,[11] an idea borrowed from the U.S. Defense Department. When a risk with high impact but low likelihood is identified, it may not make sense to spend time and resources on detailed plans and preparations, particularly if there is likely to be significant notice or more urgent signals prior to the event. Instead, there can be a “plan to plan” with only preliminary analysis done at an early stage but commitment made for further analysis and action if particular indicators or signals are seen. The leadership group decides whether the event likelihood has reached a more serious DefCon level, triggering the appropriate preparations and actions.
External risks are difficult for any organization to understand and manage, particularly if the risks are only emerging or rare, or involve parties not at the table. By going beyond risk identification to helping decision makers achieve a 360 degree understanding of the external environment and players, ERM can aid good decision making. By using their unique perspective and a broad array of tools, ERM staff can frame the risks and opportunities and make actionable recommendations, thereby making the good decisions more likely and more robust.
As we enter our third year of ERM, we have a number of initiatives under way to enhance the ERM program and better integrate it with other internal control efforts. First, we have worked with our internal audit leadership to ensure that the top company risks are being considered in their annual internal audit risk assessment, which drives the internal audit plan. These top risks will be one of many factors used to assess which processes, areas, and functions in the company should be considered for an internal audit.
We continue to look for ways to identify and assess emerging and blind spot risks and opportunities earlier and more comprehensively. In that regard, we intend to engage the corporate Intelligence Network (a cross-functional and informal group of people whose jobs require looking for societal, market, technology, and competitive trends relevant to GM around the world) to supplement the knowledge and sources of the risk officer network and ERM team.
There is always room for improvement in the plans to mitigate risks and seize opportunities. Both the risk officer network and the ERM staff can be valuable resources to an individual risk officer or functional leader trying to analyze a risk, develop a plan, and check it for robustness. We intend to utilize these capabilities more fully and systematically, particularly for complex cross-functional and cross-regional issues.
While our initial ERM focus has been to identify and manage top risks, we also realize that this is only one part of a successful ERM program. With reasonable attention to the top risks now in place, we are ready to address oversight of the day-to-day operational controls. In this regard, we are in the process of developing an enhanced program for operational control self-assessment (CSA),[12] which is often cited as a fundamental and critical component of any successful ERM program. This program will begin with a joint risk assessment conducted across the organization in conjunction with internal audit.
GM implemented various versions of CSA over the years, but these processes waned over time and no longer fully support the business as intended, largely due to resources being redirected to support Sarbanes-Oxley resource requirements. There are many ways to achieve control self-assessment, and we recognize that typical programs are often criticized as not adding value because they lack substance or are simply check-the-box exercises. On the other hand, Sarbanes-Oxley at its core is intended to be a management self-assessment of controls over financial reporting despite having evolved into requiring very in-depth, time-consuming assessments.
There is a need to avoid either creating a burden on the organization to the point where the cost outweighs the benefits (which is how many businesses have viewed Sarbanes-Oxley) or creating a program that is low-cost but lacks any substantive value. Our goal in creating an improved CSA program is to strike a balance so that we are maximizing value to the organization and our shareholders by enhancing operational control assurance while spending resources wisely.
The approach we have developed is a policy-based CSA that will start with asking business unit operations’ line managers simple yes or no questions with regard to their compliance on specific policy requirements. However, we are taking this process a few steps further by requiring the managers to attach supporting evidence for their responses. To ensure that the supporting evidence is valid and sufficient, an ERM CSA representative will consult with the manager on control design and perform a quality assurance validation of the submission. The representative will also respond to any questions and assist in action plan development as needed. The ERM CSA representative will also review any action plans to correct self-identified deficiencies to make sure that the action plan addresses the root cause of the issue (see Exhibit 34.7).
Exhibit 34.7 CSA Root Cause
We prefer this approach because it strengthens accountability at the operational level having frontline responsibility for internal controls. As a policy-based program, it drives behaviors that strengthen the company as a whole:
Given that CSA is a global program, we expect that implementation will continue well into 2014.
We expect that the ERM tools we have implemented will improve GM’s ability to identify, exploit, or mitigate, and communicate risk to senior leaders and the board of directors. We view this as a competitive advantage for General Motors that will enable us to react more quickly with improved and well-defined actions. We believe that an integrated risk management process (ERM, Sarbanes-Oxley, CSA, and consolidation of other compliance/assessment types of activities) will enable GM to utilize its compliance resources much more efficiently. Importantly, it will enable the company to have a consolidated, holistic view of risk and allow management and the board of directors to take comfort knowing that mitigation activities will be visible and tracked, and owners will be held accountable.
[1] Killer risks are those that would have a major effect on the short- or long-term profitability of the enterprise.
[2] Confirmation bias is the tendency of people to favor information that confirms their beliefs.
[3] Pairwise comparison is a method of ranking that compares a list two at a time. Earlier assessments are used to reduce the total number of comparisons.
[4] Sense checks are a means of avoiding large errors by reviewing preliminary results with experts or management.
[5] F = MA stands for the basic equation of mechanics: Force = Mass × Acceleration.
[6] Game theory is a large topic. The tool described is a practical application that predicts actions based on assessments of the options and preferences in the situation or “game.”
[7] Natural outcome is a stable outcome (set of choices by the various players on the options they control) that will result if players do not behave strategically. It can be thought of as momentum.
[8] Danger outcome is a stable outcome that is worse than the natural outcome from the perspective of the project sponsor; it can result if assessments are mistaken or players make errors.
[9] Target outcome is a stable outcome that is the best potentially attainable by the company, given the options and preferences of the various players. It is better for the company than the natural outcome and mitigates the risk of the danger outcome.
[10] Commonly known as the Humvee, the High Mobility Multipurpose Wheeled Vehicle (HMMWV) is a military transport used by the U.S. Army for many functions and produced by AM General.
[11] DefCon is short for defense condition and is used by the U.S. military to describe the desired state of readiness. Wikipedia has a good description and history.
[12] Control self-assessment is a technique that has managers review and certify the existence and quality of the controls around policies, procedures, and practices.
ABOUT THE CONTRIBUTORS
Marc Robinson is Assistant Director of Enterprise Risk Management at GM. He is an economist with over 25 years as an internal consultant at GM. He has also taught at UCLA, Stanford University, and the University of Michigan, and was Senior Staff Economist on the Council of Economic Advisers under President George H.W. Bush.
Lisa Smith, CRMA, CCSA, is Assistant Director of Enterprise Risk Management at GM. She has served in a variety of audit-related roles since joining GM in 2002, including the global implementation of ERM starting in 2010. She has an MBA from the University of Michigan and also serves as an instructor for the Institute of Internal Auditors.
Brian Thelen has been General Auditor at GM since 2011, and served as Chief Risk Officer through July 2014. Prior to that, he was Vice President of Audit Services at Delphi Corporation, Vice President of Internal Audit Services at Waste Management, and general auditor at American Standard. He started his career at Ernst & Young and has a CPA and an MBA.