As evidence of reaching stage 3, all the companies studied have a policy for using some variation of a systematic process that includes the same steps: identify, assess (for impact and severity), plan responses, track, and control. They have standard templates in which risk information is recorded. An example of a standard tool is the Risk Matrix Status Board used by Unocal, which shows which types of risk (financial, resource, operating, etc.) affect which projects and by how much. The existence of a company-wide risk management process, also called a “framework” by DuPont, allows risk management to be performed in a consistent, repeatable manner across departments.
Movement along the road to risk management maturity by these companies was enabled by senior management commitment and involvement. Where risk management begins at Microsoft is clear from the treasurer's statement that “At the end of the day, the chief risk officer is Bill Gates.” Bill Evancho, the U.S. treasurer and global risk manager at DuPont at the time of the publication of Making Enterprise Risk Management Pay Off, said that “the ultimate risk manager at any company is the CEO.” Champions for risk management are found at the highest levels of the organization in each case study. Instituting a policy and systematic process could have become just another failed corporate initiative without the senior management commitment to see it through.
Another factor contributing to risk management maturity at these companies has been their efforts to instill a risk-aware culture. Microsoft effectively uses its company intranet for disseminating risk management information. Unocal requires annual risk assessments within all business units. Chase has taken risk awareness to the ultimate level with its SVA (shareholder value-added) approach, which ties the financial compensation of decision-makers to risk management.
With champions at the most senior levels, a policy, a systematic process, and a culture of risk awareness, each company has been able to take the next step on the road, in which risks are quantified and more precise decision making is enabled. United Grain Growers focused on its top six risks and gathered historical quantitative data on dollar exposures and frequency distributions for these risks, which the company has used to determine appropriate decisions and responses. It was then able to quantitatively evaluate the effectiveness of future responses against the historical baseline data. Chase, Microsoft, and United Grain Growers each use a quantitative tool called VAR (value at risk) as a risk monitoring tool. It measures the potential monetary loss from adverse market moves and informs decision making intended to minimize risk exposures. DuPont uses a tool called EAR (earnings at risk), which measures the potential effect of a risk on company earnings. EAR helps managers see the relationship between earnings and risk and manage those risks in order to stay within required earning levels.
At each of these companies there is a supporting infrastructure in the form of a risk management committee, or risk management group as Microsoft calls it. This type of support is another indicator of a company on at least stage 4 of the road to maturity. Chase has the most organized infrastructure of the five companies studied in the book. It has risk committees for five different areas of risk: credit, market, capital, operating, and fiduciary. The five committees report to an executive risk committee, which integrates information from each committee and reports to the risk committee of the board of directors, where the information is used to inform management decision making. DuPont and United Grain Growers both have risk committees composed of high-level executives. At Unocal the internal audit committee and safety committee joined forces to promote risk management.