Summary by James R. Martin, Ph.D., CMA
Professor Emeritus, University of South Florida
The purpose of this paper is to show how enterprise risk management, the balanced scorecard, and the budgeting process are integrated to manage the risks associated with the scorecard's value drivers. The authors begin by mentioning some of the risks facing organizations today (e.g., global competition, deregulation, increased consumer demands, etc.), describe the enterprise risk management framework, and then show how it can be integrated with the balanced scorecard and the budgeting process.
Enterprise Risk Management
Enterprise risk management (ERM) was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and represents a new framework for integrating and coordinating risk across the organization. ERM provides the framework for an organization to implement strategic planning, the balanced scorecard, and budgeting. According to COSO, ERM is "...designed to identify potential events that may affect the entity and manage risk within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives." Risks can be classified in various ways. For example, an organization can begin with four broad types of risks including:
Strategic - strategy, political, economic, regulatory, global market, reputation, brand, changing customer needs, etc.,
Operational - organization systems, processes, technology, people,
Financial - volatile foreign currencies, interest rates, commodities, liquidity, and market, and
Hazard - insurable risks such as natural disasters, liabilities, impairment of physical assets, and terrorism.
COSO's ERM Framework
The COSO framework is three dimensional including four categories of objectives (strategic, operations, reporting, and compliance), eight interrelated components (internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring), and the various units of the organization (entity level, division, business unit, and subsidiary) as illustrated in the graphic below.
The Eight Components of ERM
The internal environment involves the company's risk appetite, the board of directors, integrity and ethical values, commitment to competence, organizational structure, assignment of authority and human resource standards. The main question in this component is how much risk can the company accept and manage based on its capabilities and stakeholder expectations?
Objective setting includes strategic objectives, related objectives, selected objectives, and the risk appetite and risk tolerances at all levels of the organization.
Event identification includes influencing factors, event identification techniques, event categories and interdependencies, and risks and opportunities. Events are internal or external incidents that could affect the implementation of strategy or achievement of objectives. Some risks are known, some are known unknowns, and some are unknown unknowns. Techniques for identifying risks include SWOT (strengths-weaknesses-opportunities-threats) analysis, risk workshops, risk questionnaires, links to strategic plans and balanced scorecards, value chain analysis, process analysis, benchmarking, and scenario analysis.
Risk assessment involves establishing the likelihood and impact of inherent and residual risks, data sources, and event relationships. Risk assessment can be qualitative or quantitative, including risk maps or risk assessment grids where risks are plotted based on the likelihood of occurrence and the impact or significance of the risks. For more involved risk assessment grids, see the McKay summary listed below.
Risk response includes evaluating possible and selected responses such as accepting, avoiding, reducing, or sharing the risk. This component establishes the company's risk appetite.
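As an added illustration (not from the paper or from COSO), the following Python register scores inherent and residual likelihood and impact on a 1-5 scale, places each risk on a risk assessment grid, and maps the residual score against the organization's risk appetite to one of the four responses named above. The control-effectiveness percentage, the two score thresholds, and the share-versus-reduce rule are constructed assumptions, as is the sample register.

```python
from dataclasses import dataclass

SCALE = 5  # likelihood and impact are rated 1 (lowest) to 5 (highest)


@dataclass
class Risk:
    name: str
    category: str            # Strategic, Operational, Financial or Hazard
    likelihood: int          # inherent likelihood, 1..SCALE
    impact: int              # inherent impact, 1..SCALE
    control_effectiveness: int = 0  # assumed: percent reduction from existing controls

    def residual(self):
        """Residual (likelihood, impact) after controls; ceiling keeps a partly controlled risk visible."""
        keep = 100 - self.control_effectiveness
        return (max(1, (self.likelihood * keep + 99) // 100),
                max(1, (self.impact * keep + 99) // 100))

    def residual_score(self):
        lik, imp = self.residual()
        return lik * imp


def response(risk, appetite, tolerance_max):
    """Pick a COSO response from the residual score (thresholds and share rule are a constructed policy)."""
    lik, imp = risk.residual()
    s = lik * imp
    if s <= appetite:
        return "accept"       # within the stated risk appetite
    if s >= tolerance_max:
        return "avoid"        # beyond what the organization will tolerate at all
    if imp >= 4 and lik <= 2:
        return "share"        # rare but severe: insure it or contract it out
    return "reduce"           # add or strengthen controls


def risk_grid(risks):
    """SCALE x SCALE grid of names: rows from highest impact (top) to lowest, columns from lowest likelihood to highest."""
    grid = [[[] for _ in range(SCALE)] for _ in range(SCALE)]
    for r in risks:
        lik, imp = r.residual()
        grid[SCALE - imp][lik - 1].append(r.name)
    return grid


def ranked(risks):
    """Risk names ordered by residual score, highest first."""
    return [r.name for r in sorted(risks, key=Risk.residual_score, reverse=True)]


# Constructed sample register covering the four broad risk types listed above.
REGISTER = [
    Risk("New market entry", "Strategic", 3, 4),
    Risk("Legacy system failure", "Operational", 5, 5, 20),
    Risk("Currency exposure", "Financial", 4, 3, 60),
    Risk("Data center flood", "Hazard", 2, 5),
]
```

With an appetite of 6 and a tolerance ceiling of 15, the register yields one risk per response type, and the grid can be printed row by row to produce the heat map the paper describes.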
Control activities are integrated with the risk response and include types of control, policies, procedures, approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, and segregation of duties.
Information and communication requires executive level support and includes timely reporting of risks to the board of directors' audit committee.
Monitoring includes separate evaluations and periodic reporting by risk committees, management, auditors, and consultants, with board oversight and review.
Linking ERM to Strategy
Strategy and enterprise risk management must be integrated to create, enhance, and protect shareholder value. The embedded risks associated with each strategic alternative must be identified and placed on a risk grid to determine whether that alternative is aligned with the company's risk appetite.
Linking ERM to the Balanced Scorecard
The Balanced Scorecard's four perspectives (Financial, Customer, Internal Processes, and Innovation and Learning) provide a framework for integrating strategy and risk throughout the organization. Integrating the balanced scorecard with ERM enhances the organization's ability to identify risks, control processes and achieve its strategic objectives. Risk scorecards can be developed to show objectives, risk, suggested control processes, focus areas, mitigation processes and their effectiveness, as well as other information. An example related to the innovation and learning perspective appears below.
Linking ERM to the Budgeting Process
Including a risk grid with each unit's budget makes the risk implicit in the numbers, gives senior management risk information without having to uncover the risk involved, and facilitates comparing risks across the organization.
A strategy-risk-focused organization blends the five principles of the strategy-focused organization (see the Kaplan and Norton 2001 summary below) with the enterprise risk management framework to align unit strategies with the entire organization.
Related ERM summaries:
Axson, D. A. J. 2011. Scenario planning: Navigating through today's uncertain world. Journal of Accountancy (March): 22-27. (Summary).
COSO. 2016. Enterprise Risk Management: Aligning Risk with Strategy and Performance. Public Exposure Draft. (June). (Summary).
Kaplan, R. S. and A. Mikes. 2012. Managing risks: A new framework. Smart companies match their approach to the nature of the threats they face. Harvard Business Review (June): 48-60. (Discussion of three categories of risks: Preventable risks, strategy risks, and external risks that are beyond the organization's influence and control. Each type of risk requires a different risk-management approach). (Summary).
Malone, D. and M. Mouritsen. 2014. Change management: Risk, transition, and strategy. Cost Management (May/June): 6-13. (Summary).
McKay, S. 2016. CGMA tools: How to communicate risks using a heat map. Journal of Accountancy (June): 35-40. (Summary).
Merchant, K. A. 2012. ERM: Where to go from here. Journal of Accountancy (September): 32-34, 36. (Summary).
Other related summaries:
Kaplan, R. S. and D. P. Norton. 1992. The balanced scorecard - Measures that drive performance. Harvard Business Review (January-February): 71-79. (Summary).
Kaplan, R. S. and D. P. Norton. 1996. The Balanced Scorecard: Translating Strategy into Action. Boston: Harvard Business School Press. (Summary).
Kaplan, R. S. and D. P. Norton. 1997. Why does business need a balanced scorecard? Journal of Cost Management (May/June): 5-10. (Summary).
Kaplan, R. S. and D. P. Norton. 2001. The Strategy-Focused Organization: How Balanced Scorecard Companies Thrive in the New Business Environment. Boston, MA: Harvard Business School Press. (Summary).
Martin, J. R. Not dated. Balanced scorecard concepts. Management And Accounting Web. (Summary).
Rafii, F. and L. P. Carr. 1997. Why major change programs fail: An integrative analysis. Journal of Cost Management (January/February): 41-45. (Summary).