Serious employee accidents, information technology meltdown, white-collar crime (valued at billions of dollars globally), supply chain shortfalls, board governance issues, external/internal audit strife, competitive encroachment or leapfrog, patent/trade secrets leakage, changes in the White House…

Do you know where your firm experiences its greatest risk exposure? If you have not pondered this question, you will be surprised how many risk areas your firm has or could have. While some risks like fire, flood, and other acts of God are insurable, most risks are non-insurable.

Previously we have discussed actions that are known to help increase the value of your firm. However, some of these very actions, like innovation, can actually increase your firm’s risk exposure! To grow the value of your firm you need to take some risks, but they must be proactively managed. Enterprise Risk Management (ERM) is a relatively new field that helps firms manage primarily non-insurable risks. Why is this important? This kind of risk management is indispensable in helping grow the value of your firm, often preventing it from experiencing major headaches or even failure.

A little history. The COSO framework called the Enterprise Risk Management – Integrated Framework (www.coso.org) was provided in 1992 to give firms a general framework to manage risk after some illegal practices surfaced in the Savings and Loan industry following the Bank Deregulation Act of 1980. Risk management gained even more steam with the illegal and unethical actions of firms like Enron, WorldCom, and Tyco in the early 2000s. This led to the Sarbanes-Oxley Act and even greater emphasis on risk management for publicly traded firms. The mortgage and banking collapse of 2008 fueled the fire even more.

With globalization, technology advancements, customer fickleness and myriad other uncertainties, most publicly traded firms feel that ERM is vital and is here to stay.

Fortunately for your firm, there are good frameworks and approaches that can get you practicing good risk management fairly easily and quickly.

In 2005, several colleagues and I developed a tool called the Risk Universe. There are 144 risk areas organized into thirteen mostly non-insurable categories. Here are three of those thirteen categories:

  1. Corporate governance risk – ineffective board make-up and roles, firm reputation issues, strategic control and communication of performance shortfalls
  2. External environment risk – catastrophic occurrences like a hurricane, bad shareholder relations, news and social media attacks, security analyst strife, supply chain shocks, executive security protection, exchange rate risk
  3. Operating process risk – employee safety, information technology breaches, data non-reliability and IT infrastructure meltdown, crisis mismanagement of all kinds from terrorist attacks to a plant fire, knowledge protection via patents/trade secrets, illegal acts of employees

A board and management team would go crazy trying to think about and manage 144 areas of risk. The good news is you do not have to juggle all of this at once.

We can describe risks via the Probability of Occurrence and Verified Impact of the Risk, which is how much damage would happen to your firm if the risk actually occurs. A great tool for this is called a “Heat Matrix”, and risks can be color-coded as Red, Yellow or Green.

Risk areas like A (High Probability of Occurrence and Large Verified Impact) are no-brainers. They are on everyone’s radar screen and would be such things as the expected shortage of highly trained engineers, which first surfaced at Parker Aerospace in 2005. Risk areas like D would likely just be accepted, as the cost to mitigate them would not be worth it. This would be like a fender-bender accident for one of your truck drivers and would be insurable. The risk areas that are real issues are Low or Medium Probability of Occurrence but Large or Medium Verified Impact (B or C) if they occur. These kinds of risks are potential game changers and can range from a hurricane possibly hitting New Orleans to needed sources of capital drying up to even developments in space technology obsoleting certain kinds of ground-based communications technologies.

Boards and management teams have these major options to manage risk when they see their key risks arrayed on their Heat Matrix:

  1. Avoidance: exiting the activities giving rise to the risk (like moving out of New Orleans)
  2. Reduction: taking actions to reduce the probability or impact of the risk
  3. Insuring the Risk: sharing a portion of the risk by financing it
  4. Accepting: no action is taken and the risk is accepted due to a cost/benefit decision

If your firm has not embraced some kind of ERM, it is very likely to be scrambling in some fashion in the near to mid-term future. This is avoidable, as ERM is straightforward and easy to start.

