Board risk oversight and reputation risk

Great blog here from the Harvard Law School Forum. Those that work with boards should read the entire thing, but here are two key paragraphs with my emphasis added:



For as long as Caremark continues to be the law, directors should ensure that they at least meet the Caremark standard in connection with the #MeToo movement and other issues relevant to their businesses, but they should not be too concerned about new liability risks, even in the current environment. Meeting the Caremark standard includes periodically assuring that there is a system for information and problems to come to the board’s attention. The application of the Caremark standard to today’s issues does not require novel efforts.

However, reputational risks for companies and directors, distinct from liability risks, deserve to be highlighted in the current environment. The enterprise risk approach that many companies and boards take should be re-examined to ensure that they are designed so that reputational risk concerns will bubble up to the board. In our experience this adjustment has already happened at many companies.

ERM and High Performance

Some ERM habits of high-performing organizations:

High-performing organizations are:

- more likely to factor risk into decisions than non-high-performing companies

- twice as likely as low performers to be involved in decision making up front (instead of afterwards or never) 

- three times more likely to have "engaged" leadership on risk than low-performers


Preliminary data analysis based on the Center for Excellence in ERM at St. John's April 30th ERM Summit - The ERM Journey. The final analysis and white paper are forthcoming.

IMA Releases Updated SMA - Enterprise Risk Management: Tools & Techniques for Effective Implementation

ERM: Tools & Techniques for Effective Implementation has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. This updated report highlights:

* Risk identification techniques

* Analysis of Risk by Drivers

* Risk Assessment Tools, and

* Practical Implementation Considerations. 

IMA Releases Updated SMA - Enterprise Risk Management: Frameworks, Elements, and Integration


Enterprise Risk Management: Frameworks, Elements, and Integration has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. The report includes 

* a review of ERM Frameworks

* ERM Foundational Elements, and

* a section on Integrating ERM into Ongoing Management Activities.

According to the IMA, "SMAs present IMA’s position on best practices in management accounting. These authoritative monographs cover the broad range of issues encountered in practice."

Only 38% are confident that all strategic risks are identified

Recent work at The Center for Excellence in ERM at St. John's University shows that only 38% of ERM executives agree that they are confident that all strategic risks are identified. This work was part of the October 2017 ERM Summit survey. Although the sample is small, the results are still quite interesting. Other early highlights show that ERM executives believe that only 19% of their leaders are very effective at both setting strategy and executing strategy.

April 30 Center for Excellence in ERM Risk Summit

Our next risk summit is all set. The theme is the ERM Journey. We'll focus on how PepsiCo, ADP, Estee Lauder, and ConEdison built, grew, sustained, and even today challenge and assess, their ERM programs for better success.

Guest speakers include:

Byron Stephen and Diane LaCosta, ADP

Rich Muzikar (Long Island Power Authority, formerly Con Edison) and Zack Wolff (Con Edison)

Denise Treacy, PepsiCo.

Frank Fronzo, Estee Lauder

ERM and Culture—Time to Step It Up?

Organizations looking to step up and improve ERM might want to consider "culture." The new COSO ERM Framework highlights and emphasizes the link between culture and ERM in the following ways:

• There are 124 mentions of the word "culture" in the ERM framework.

• The first Component is called "Governance and Culture."

• Principle 3 is called "Defines Desired Culture."

• Principle 20 is called "Reports on Risk, Culture, and Performance."

Quick Ideas for Getting Ready to Answer Board and Management Questions about the ERM-Culture Connection:

— Find your resources to dig deeper on culture. For example, read the NACD Blue Ribbon Commission on Culture as a Corporate Asset. I'm still a fan of our Risk Challenge Culture study we did for the IMA and ACCA. The IIA has a lot of good material too. 

— Read Principles 3 and 20 and determine how your organization compares to each Principle. Do your board and management define the desired culture? Is culture embraced by all personnel? Do you know the factors that drive culture in your organization? Do you know how culture is influencing your ability to identify risks or properly assess risks? Is risk an afterthought to strategy and other big decisions? Do you have escalation policies? Do you have a risk-aware culture (this will most likely require training employees and management on ERM)?


Why Does ERM Add Value?

Our research (which won an award) is published in the Spring 2012 Management Accounting Quarterly, Vol 13, No 3. The implications from that empirical paper state:

"The results suggest that an ERM framework and an ERM implementation can help companies improve performance by enabling executives to manage the company better. From a practical standpoint, companies ask how ERM adds value. Our results show that value comes from implementing the process, which then enables the company to make better decisions. Given that implementing the components takes time, companies should be patient with finding immediate value."



Does ERM Add Value?

Yes! Of course it does! If you need academic evidence to confirm the obvious... here it is. 


Farrell and Gallagher's peer-reviewed empirical paper in one of the highest-ranked risk journals has the following abstract. See the full paper in the Journal of Risk and Insurance, September 2015, Volume 82, Issue 3, pages 625-657.



Enterprise Risk Management (ERM) is the discipline by which enterprises monitor, analyze, and control risks from across the enterprise, with the goal of identifying underlying correlations and thus optimizing the risk-taking behavior in a portfolio context. This study analyzes the valuation implications of ERM Maturity. We use data from the industry leading Risk and Insurance Management Society Risk Maturity Model over the period from 2006 to 2011, which scores firms on a five-point maturity scale. Our results suggest that firms that have reached mature levels of ERM are exhibiting a higher firm value, as measured by Tobin's Q. We find a statistically significant positive relation to the magnitude of 25 percent. Upon decomposition of the maturity score, we find that the most important aspects of ERM from a valuation perspective relate to the level of top–down executive engagement and the resultant cascade of ERM culture throughout the firm. Firms that have successfully integrated the ERM process into both their strategic activities and everyday practices display superior ability in uncovering risk dependencies and correlations across the entire enterprise and as a consequence enhanced value when undertaking the ERM maturity journey ceteris paribus.

Oversight of Corporate Culture Webcast


Center for Audit Quality

Published on Dec 23, 2017

Sound corporate culture is a cornerstone of fraud deterrence and detection. This December 2017 webcast, hosted by the Anti-Fraud Collaboration, highlights leading practices on assessing and strengthening a company’s corporate culture. Hear from an expert panel, who share actionable recommendations that organizations can implement to deter fraud and misconduct. The panel also addresses oversight responsibilities of audit committee members, company management, and internal auditors. Expanding on insights contained in a 2017 National Association of Corporate Directors Blue Ribbon Commission report, Culture as a Corporate Asset, the webcast covers how culture impacts strategy, risk, and performance.



Mark Carawan, Citigroup Chief Compliance Officer

Cindy Fornelli (Moderator), Center for Audit Quality Executive Director

Brenda J. Gaines, Tenet Healthcare Corp. Audit Committee Chair

Gilly Lord, PwC Head of Regulatory Affairs and Audit Strategy & Transformation

Paul L. Walker, St. John’s University Schiro/Zurich Chair in Enterprise Risk Management


Watch the video replay of this webcast using the following link: 


ERM and Reputational Risk in Higher Ed: More Talk Than Action

Today’s uncertain environment poses constant threats to the most valuable asset of colleges and universities--their reputation. Taking action to identify risks that could impact your institution’s reputation, and finding ways to prevent or mitigate those risks, is essential to long-term sustainability. A recent study by United Educators and the Center for Excellence in ERM at St. John's University provides insights into reputation risk in higher education and provides separate toolkits

Sources of Emerging Risks

A recent Risk Summit by the Center for Excellence in ERM at St. John's University focused on how to review noise and emerging risks. Numerous tools and methods were also discussed, as well as the sources of risk.

To best identify noise and emerging risks a wide variety of sources should be used. The sources mentioned included:

Operational incidents

RSS feeds

Political timelines and stories

Where startups and angel investors are focusing
Industry reports

Customer complaints

Social Media

Academic studies

New implementations

Published risk surveys

NGO agendas

Customer satisfaction surveys and metrics

Annual plans 

Internal risk assessments

Macroeconomic news

Strategic plans

Employee feedback
Industry conferences

Client input

Regulator and competitor actions

Value shifts appearing in the market 


Managing Strategic Risk by Creating New Business Models

One tool all risk and strategy professionals should have is creating new businesses. After all, if you are on the leading edge of uncertainty, then that should create an advantage and viewpoint that enables you to see new opportunities (perhaps) better than others. Thus, one way to manage strategic risk is to create new business models. In our graduate ERM degree, the students and working professionals learn how to identify the heart and soul of the business and how to search for ways the business could get destroyed or seriously disrupted. Armed with this knowledge, they go on a new business model search. In this week's class we created 36 new business models for Netflix (see attached list of business model creative ideas).




Why we need to link risk to strategy

Managing strategic risk helps avoid the downside:

- 66% agree that "A key destroyer of value in my organization is strategic risk and uncertainty."

Managing strategic risk improves the upside:

- 92% agree that "A major key to success for our organization is managing strategic risk and uncertainty." 



The results are based on the Center for Excellence in ERM Fall Risk Summit, which focused on moving from risk to strategic risk. The Summit included a pre-Summit survey.

From Risk to Strategic Risk

Five strategy and risk leaders from prestigious organizations discussed how risk and strategy are intertwined at the Center for Excellence in ERM at St. John's University. Strategy leaders from Time Inc. (Erik Moreno) and Con Edison (Guru Nadkarni) shared their views of strategy, strategy frameworks, the acceleration of disruption, business models, etc., and answered questions from leading risk executives about the strategy link to risk and how ERM can help strategy leaders. Risk leaders from General Motors (Kristie Bidlake and Ken Shogren) and PepsiCo (Denise Treacy) shared their tools for strategic risk identification and analysis as well as wisdom they've learned from making the strategy risk connection.