Depending on the size, nature and complexity of a company, different enterprise risk management (ERM) strategies must be applied. A mammoth corporation such as Bentonville, Arkansas-based Wal-Mart Stores, Inc. requires a simplified process that can evaluate and mitigate the many risks that the company faces. In the 1990s, Wal-Mart's chief financial officer at the time, John Menzer, asked vice president John Lewis to formulate a corporate ERM plan.
Wal-Mart created a five-step process designed around four basic questions: What are the risks? What are we going to do about these risks? How will we measure whether we are having a positive or negative impact on the risks? How will we demonstrate shareholder value?
The Five-Step ERM Process
Step One--Risk Identification. In this step, a risk map plots each risk on two axes, with the X-axis representing probability and the Y-axis representing impact. This helps to prioritize what are seen as Wal-Mart's biggest risks.
"We schedule a four- to five-hour risk identification workshop, which helps to get senior leadership thinking about what risks may keep them from meeting their business objectives," says Michael Tush, Wal-Mart's director of information systems audit and enterprise risk management. However, the process actually starts about a month before these workshops begin. First, business objectives are clearly defined, such as growing sales, ensuring profit increases, opening "x" number of new stores, etc. "We identify the business objectives against which we want to evaluate risk," Tush explains. "We then send out an information packet to the workshop participants where we have identified the framework."
The framework is based on seven risk categories, each classed as either external or internal. The external risk categories are: legal/regulatory, political, and business environment (economy, e-business, etc.). The internal risk categories are: financial, strategic, operational, and integrity (embezzlement, theft, fraud, etc.).
"We ask the leadership team to identify what they believe to be the top live risks that they think will keep them from meeting their business objectives for the next 18 to 24 months," says Tush. "They send us their responses, and we compile them, ending up with about 20 to 30 risks, which is what we take into the risk identification workshop."
When it is time to vote, the scores often vary widely: one person will rate a particular risk as a one (low), while someone else will rate it as a 10 (high). "At this point, we ask for more information and details and keep discussions going until we can come to some agreement," he says. "I find this process to be fascinating."
Step Two--Risk Mitigation. This step involves another facilitated workshop, where the three to five most important risks are further defined. During the mitigation workshop, the people who will be impacted most by a specific risk will be invited to participate. For employee risks, for example, these would include people from the operations, human resources, training and legal departments. Once the risk is identified and quantified, the participants create project teams, in areas such as recruiting, training and retention.
One goal of the mitigation workshops is to reduce the workload for the managers involved. To do this, the team conducts an initiative inventory of the procedures that are already in place to address a specific risk. They then pose questions such as: When and why did we start these initiatives? How are we measuring them? Are these initiatives effective? The answers to these questions will help the team identify unnecessary activities that can be eliminated.
Step Three--Action Planning. In this phase, the project teams meet and create simple project plans that identify who will do what by when. The teams then spend several months implementing their project plans. …