While Sarbanes-Oxley shook up the world of publicly traded companies and forced them to scramble to achieve compliance, it also played a pivotal role in bringing enterprise risk management (ERM) to the attention of corporate executives. Enterprise risk management, for many companies, has emerged as a value-added continuation of Sarbanes-Oxley compliance and audit efforts. Seventy-six percent of respondents in a recent survey said they either intended to expand SOX compliance into ERM or were in a stage of implementation.1
With the growing interest in ERM in recent years, it has come to be seen not just as an initiative but as a key component of corporate strategy. The strategic importance of ERM is mentioned in the Committee of Sponsoring Organizations (COSO) ERM integrated framework definition, which states: "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity . . . to provide reasonable assurance regarding the achievement of entity objectives." This definition describes ERM as a part of corporate strategy that is influenced by organizational leadership and put in motion to guide the achievement of organizational goals.
Aligning ERM to Strategy through the Balanced Scorecard
To understand ERM's linkage to strategic execution, strategy and objectives have to be defined. Objectives are defined as the goals an organization strives to achieve, while strategy can be understood as the action plan that is intended to ensure the achievement of objectives.2, 3 ERM requires the participation of the entire organization to be effective against the wide variety of risks that affect all business units. Similar to ERM, corporate strategy requires the action and concern of individuals and business units across the entire enterprise to achieve objectives.
Since ERM can be an integral part of strategy, it can be incorporated into performance management systems, such as the balanced scorecard (BSC), that translate strategy into actionable terms. The BSC is a tool that communicates strategy and strategic objectives through performance metrics that are segmented into four major stakeholder perspectives:4
- Customer: How do customers view the organization?
- Internal process: Where must the organization excel?
- Learning/growth: How can the organization continuously improve and create value?
- Financial: How do shareholders view the organization?
A complete BSC will contain measures, targets and initiatives within each of the four perspectives, which link to strategy. Measures, targets and initiatives within the perspectives are derived out of a strategy map, a diagram reflecting the cause-and-effect relationship between the strategic objectives of the four perspectives.5 The learning/growth perspective and the internal process perspective are regarded as input perspectives because they drive results within the customer and financial perspectives (also known as outcome perspectives). At the core of the strategy map is learning and growth. The growth and development of employees is a catalyst for the performance of the organization and has a direct influence on the success of internal processes. An educated and well-trained workforce can execute more sophisticated processes, which in turn improves organizational efficiency, directly influencing the perspective of the customer. Improved efficiency from better processes can increase customer satisfaction and loyalty (better efficiency can translate into greater responsiveness or quicker service). And finally, improved customer satisfaction and loyalty can result in larger sustainable revenue streams for the organization, which translates into greater financial performance, directly impacting shareholder satisfaction.6
Identifying and Communicating Risk through the Strategy Map
ERM and the BSC can integrate with each other because of the organization-wide view that each requires from users. To be effective, the BSC has to provide a balanced view of the organization to drive strategy execution and business performance across the enterprise. The BSC requires input and feedback from entities inside and outside the organization. It does not solely rely on the viewpoints of shareholders or the financial returns of the enterprise, but on the perspectives of customers, employees and other internal stakeholders. ERM is not just about mitigating operational risks or the risks that affect a specific business unit. ERM requires the assessment and management of the entire portfolio of risks that can impact any internal process, employee, customer perspective or financial result.









