+1 (208) 254-6996 essayswallet@gmail.com

After reading this week’s article, and any other relevant research you locate, please discuss the following in your main post:.

  • Which enterprise risk management case study is most interesting to you and why?
  • Do you think that ERM is necessary in the contemporary organization and why?

Please make your initial post and two response posts substantive. A substantive post will do at least TWO of the following:

  • Ask an interesting, thoughtful question pertaining to the topic
  • Provide extensive additional information on the topic
  • Explain, define, or analyze the topic in detail
  • Share an applicable personal experience
  • Provide an outside source that applies to the topic, along with additional information about the topic or the source (please cite properly in APA 7)
  • Make an argument concerning the topic.

At least one scholarly source should be used in the initial discussion thread. Use proper citations and references in your post.

Integration of ERM with Strategy Case Study Analysis – April 2016

Prepared by: Ha Do, Maria Railwaywalla, Jeremiah Thayer Graduate Students, Poole College of Management, NCSU

Table of Contents

I. Introduction …………………………………………………………………………………………… 2

II. Case Study: Mitchell Industries ……………………………………………………………….. 3

III. Case Study: Eli Lilly ……………………………………………………………………………….. 9

IV. Case Study: Daisy Company …………………………………………………………………… 15

V. Conclusion …………………………………………………………………………………………….. 21

VI. Appendix ………………………………………………………………………………………………. 22

A1: Mitchell Industries: Risk Assessment Template

A2: Mitchell Industries: Template Assessing Risk in Relation to Strategy

A3: Eli Lilly: Risk Assessment Template

A4: Eli Lilly: Risk Ranking Matrix

A5: Daisy Company: Risk Template

A6: Daisy Company: Rating Scale

VII. About the Authors …………………………………………………………………………………. 34



One of the greatest sources of risk for today’s companies arises from the context of its strategic

plan. While a company’s strategy drives its value creation, it also entails risk-taking; when

strategies change or new initiatives are implemented, new risks may be introduced or existing

risks could change. The greater the degree of integration between strategy and risk management,

the more likely it is that a company will be able to successfully implement its strategy.

Enterprise Risk Management (ERM) is an emerging process that can serve many purposes: as a

tool for risk management, strategic planning, and identification of emerging opportunities and

potential competitive advantages. The purpose of this case study is to provide a description of the

processes used by three different companies in different industries to illustrate the ways these

companies have integrated ERM in the context of their strategy.

These case studies are based on real life examples of how companies have attempted to better

integrate their ERM process within their strategic planning process. The three cases reveal the

variety of methods that can be used based on a company’s strategic objectives, business model,

culture, and maturity in ERM implementation. This report also highlights key takeaways as

points of comparison when assessing the level of integration between ERM and the strategic

planning and implementation process.

Readers should keep the following in mind:

● ERM personnel can use this document to assess their company’s level of integration and

discuss how their current ERM process can be improved and be more closely aligned with

the strategic planning process.

● The methods of integrating ERM with strategy will vary based on the company. Just as ERM

requires customization to suit a company’s unique objectives, culture, and business model,

the integration of risk management and strategic planning also requires a company to

consider its objectives and culture before deciding the best way to align the two processes.

Increasing complexity due to industry changes, globalization, and shifts in technology and

business cycles can produce more risks related to strategy than ever before. By establishing a

close link between a company’s strategic planning and risk management processes, management

can help ensure that new strategic initiatives are connected to appropriate risk mitigation

strategies, that changes in the company’s strategic direction are accompanied by timely

assessment of new or emerging risks, and that the company is better prepared to identify risk-

related competitive advantages.


Case Study: Mitchell Industries

Background of the Organization

Mitchell Industries is a global aerospace, defense and information technology company. They

provide a broad range of management, engineering, technical, scientific, logistics and

information services. The company was founded in 1985 and has grown organically and through

a number of acquisitions. Headquartered in Chicago, Illinois and incorporated in Delaware, the

company conducts most of its business with the U.S. Government, principally the Department of

Defense (DoD) and intelligence community. The company has 120 locations worldwide,

including 72 international offices, approximately 24,000 employees and customers in 150


Overview of ERM

Mitchell Industries views risk management as critical to its success. Risk management is

embedded in many business processes such as executive planning, program / contract

management, research and development, etc. However, following the financial crisis, there was

an increased focus on risk oversight practices. Credit rating agencies, such as Standard and

Poor’s, began assessing enterprise risk management processes as part of their corporate credit

ratings analysis, and there were signs that new requirements would be placed on Boards of

Directors regarding their risk oversight responsibilities. During this same time frame, the

company appointed a new board member to chair the Audit Committee who placed an increased

focus on the company’s risk management practices. Leadership of the organization also began to

see the need for a more formal enterprise wide process for managing risk. All of these events led

to the implementation of a formal structured ERM process in 2009.

Initially, Mitchell Industries maintained independent ERM and strategy processes that occurred

in parallel. As leaders recognized the value of being better informed of and prepared for risk

events, steps were taken to align and integrate ERM with the strategic planning process. There

are now several points of integration between the two processes to ensure they are in sync and

reflect the priorities of the organization as a whole.

Integration of ERM with Strategy

The next few paragraphs highlight the details of the ERM cycle, strategy planning process and

their integration.

ERM Cycle

The company has an annual ERM cycle which is facilitated by the ERM team. The ERM team

consists of three members, the Director and two analysts. They are the link between the members

of the organization responsible for risk management and the enterprise risk management process.

The annual process begins with the identification and assessment of risks in the January /

February time frame. The ERM team administers a survey to Vice Presidents (VPs) and selected


Directors (direct reports to VPs). At the same time, interviews are conducted with the CEO and

the CEO’s direct reports (senior executives).

The ERM team analyzes the information gathered in the surveys and interviews to prioritize the

risks. The prioritized risks are typically presented using a heat map. For each of the

organization’s top risks (typically 8-10 risks), an owner is identified. The risk owners, also

referred to as risk champions, are responsible for assigning a risk manager, approving mitigation

(action) plans, resourcing the plan, and briefing the plan to the Board. The risk owners are

assisted by risk managers who are responsible for the risk action plan. The ERM team works

with the risk managers to understand survey findings and develop mitigation plans. The risk

managers are responsible for managing the risk and tracking the progress of the mitigation plan.

They own the risk and report progress of the mitigation plans to the ERM team on a quarterly

basis. The ERM team summarizes the risks, the risk mitigation plan and the progress in

implementing the plans on a dashboard that is reported to executive leadership and the Board.

During the third quarter, the ERM team updates the earlier identified risks by conducting a

second round of interviews with the CEO and senior executives. They factor in risks that arise

due to external factors such as regulatory risks, geo-political risks, economic risks, technological

risks, etc. Any significant changes are incorporated into the heat map and used to refine the risk

mitigation plans.

The company has several business units and the ERM team shares business unit specific risks

(heat maps) with the executive leadership team of each business unit during the March timeframe.

During the second quarter, the business units consider these risks, determine the risks critical to

their respective business unit and communicate their action/ mitigation plans back to the

executive team during the July time frame as part of their strategic plan.

Strategic Planning Process

Mitchell Industries has an annual strategic planning cycle. The process starts in December and is

both a top-down and bottom-up approach. The CEO owns the overall strategy. That strategy is

primarily developed by the Corporate Strategy office, working in conjunction with business unit

strategists. Once the overall strategy is developed, the plan is communicated by the CEO to the

VPs at the annual Senior Leadership Meeting in the January/February timeframe and to the

Board in February.

The business units develop their respective strategies in light of their portfolio of products and

within the framework of the corporate strategy and guidance provided by the Corporate Strategy

office. This process begins in February and culminates in July with the Strategic Planning

Conference where the business unit leaders present their strategy for the upcoming year to the

CEO. Each business unit is also responsible for annually developing a three-year business plan

that reflects the implementation of the strategy. This plan is updated concurrently with the

strategy and is finalized in November.


Mitchell Industries ERM & Strategy Implementation Timeline

Continuous review of progress of mitigation plans

Corporate strategy kick-off

CEO communicates strategy to VPs &

Corporate Strategy provides planning guidance to

Business Units



Business Units develop strategic plans and factor in risks communicated by ERM team in formulation of plans

Interview results fed in to Dec corporate strategy kickoff

Business Units communicate

strategic plans to CEO

Business Units develop and present 3 year business plan

ERM team analyzes survey

results and prioritizes


ERM team conducts enterprise-wide survey of VPs and interviews executive leadership

team (CEO, Business unit leaders)

ERM team communicates survey results

to CEO and Business Unit


Communication of enterprise risks

to the Board

Communication of risk status to executive

leadership and the board

Jan. Feb. Mar. Apr. May Jun. Jul. Aug. Sep. Oct. Nov. Dec.

ERM team conducts follow-up interviews with executive team

Integrating the Two Processes

The strategic planning process and ERM process are initiated in two different organizations and

start at slightly different times. Strategic planning starts with the CEO and strategy leads. ERM

starts with surveying the VPs and their direct reports. The two processes operate in parallel, with

both following an annual cycle and combined top-down / bottoms-up approach. There are several

points where information is shared between the two. This is how the company integrates the two

processes to ensure ERM and strategy are in sync and have an enterprise wide impact. The

following are the specific points of integration:

● Macro Level – The first point of integration is the third quarter risk update. This updated

information, which includes external risk developments that may impact the organization, is

communicated to the corporate strategy team who then factors the information into the

corporate-level strategy.

● Micro Level – The second stage of integration is at the business unit level. Each business

unit receives the broad strategic objectives post the CEO and VPs meeting (January/

February time frame). The business units also receive specific information about their top

risks from the ERM team (March time frame). The business units factor this information into

the formulation of their strategic plans.

● Third Level – The final stage of integration occurs when Functions develop strategies/

action plans to support Business Unit plans and address specific risks.


Mitchell Industries ERM & Strategy Integration

Risk owners identify a risk manager, approve

mitigation plans and provide resources for plans

BU leaders are responsible for preparing mitigation plans for their

respective BUs

ERM team surveys the VPs and directors to identify broad

level risks

ERM team interviews the CEO & senior executives for additional risk

identification and assessment

ERM team:

 Gathers information about external risks to the organization

 Consolidates the survey/ interview results

 Communicates top risks to risk owners and business units through heat maps

 Works with risk managers to develop risk mitigation plans

 Conducts second round of interviews and communicates to senior executive team

Risk managers develop and execute risk

mitigation plans and report progress quarterly

Quarterly reporting

CEO communicates strategy to all VPs at Senior Leadership


Business Units:  Receive broad strategic objectives

post CEO/ VP meeting

 Receive guidance from Corporate strategy office

 Communicate respective strategic plan to CEO

 Develop 3 year business plans

ERM Process Strategy Planning Process

Macro level integration ERM team communicates the results of the interviews/ surveys to the corporate

strategy team who incorporates the same in strategic planning

Micro level integration BU’s develop individual strategic

plans within the corporate guidance framework and include BU specific


Corporate strategy office develops corporate strategy

plan on behalf of CEO

Planning guidance to BUs

Functional units develop strategies/ action plans to

support BU plans and address specific risks

Third level integration Functional unit support to


Issues in Integration

The initial integration of the two processes was not simple and smooth. The company

encountered some challenges, but ultimately was able to adapt the process. The key issues faced

by the company and the steps that were taken to remedy those issues are as follows:

● Non-value Add Perception

The strategy and business unit leaders believed they had a complete understanding of the

internal and external environment. Therefore, they did not see the value offered by the ERM

team and the need for a separate risk identification and assessment process.

To deal with this, the ERM team worked to eliminate duplication and redundancy and show

the business unit leaders the value added by taking a comprehensive, enterprise wide

approach to risk. For example, the ERM team accumulated risk information from across the

enterprise and provided executive leaders with an enterprise view of risks that they otherwise


would not get. In addition, they provided business unit leaders with an opportunity to shape

the process for gathering risk information so that the process would be more meaningful for

the business units. Over time, this helped the strategic and business unit leaders be more

accepting of the ERM process and team.

● Leadership Change

Another challenge faced by the organization was the frequent turnover in the top corporate

strategist position. This led to frequent adjustments in the planning process for the

organization. For example, at one time, there was heavy reliance on external sources for risk

information, however, with a change in personnel, the strategic planning function began

relying more on the internal ERM team for risk information. With that shift, the ERM team

was able to be more involved in the strategic planning process.

Through these changes, the ERM team recognized the need to

educate and advocate the value the ERM process can bring. They

now provide a basic introduction and overview of ERM to new

leaders. The education process is not always formal; ERM

professionals also look for opportunities to network within the

organization to make more people aware of the work the ERM

team performs and the resources they have to offer.

Future Steps

Like the ERM process overall, the integration of ERM and strategy is an ongoing effort which

continues to make incremental improvements each year. The company believes the integration is

working well especially since the current leadership is open to further opportunities to fine tune

the integration between the two.

Even with the advances the company has made in their ERM process, the company feels that

parts of the organization are still operating in silos and that improvements could be made in the

linkage of risk mitigation processes across organizational boundaries. The company does not

have a system to align strategic initiatives and risks at the business unit level with initiatives and

risks at the corporate level. This could potentially result in disconnects between the two. The

company is now piloting a new software tool that has the potential to link corporate level and

business unit level strategies and risks.

Another area of improvement recognized by the company is the resource allocation process as it

relates to risk mitigation. While risks are being considered in the strategic planning process, the

need for resources to mitigate high priority risks is not being considered alongside the resources

needed to implement strategic initiatives in each function area. Each functional team has their

initiatives that support the corporate strategy, but those initiatives are not explicitly linked to the

potential risks of achieving the corporate strategy. The ERM team is working with strategy and

functional teams to create better alignment of objectives, strategies and risks.


The company has crossed the initial hurdle of identifying

and spreading awareness about the need for and benefits of

integrating ERM and strategy. In other words, they have

successfully answered the question “why is integration

necessary”. However, they are now in the stage of

answering the question “how to effectively implement the

integration” and “how to overcome the challenges of

integration”. Successfully dealing with these questions will

enable Mitchell Industries to move onto the advanced stage

of integration where corporate level and business unit level

strategies and risks are developed and managed in an

integrated, enterprise-wide process.


Case Study: Eli Lilly

Background of the Organization

Headquartered in Indianapolis Indiana, Eli Lilly and Company focuses on the research,

development, manufacturing, sale and distribution of human pharmaceutical and animal health

products. The company sells products in approximately 120 countries worldwide. Eli Lilly has a

market capitalization of approximately $90 billion, revenue in 2014 of $20 billion, and

approximately 41,300 employees worldwide.

Overview of ERM

While the company’s ERM program began formally in 2005, the integration of ERM with the

company’s strategic planning process started in 2007. In order to promote the importance of a

strong connection and assess ways to improve the link between ERM and the company’s

strategic planning process, the Sr. Director of ERM initiated a series of sessions amongst leaders

from the Corporate Strategy, Ethics and Compliance (E&C), and Legal functions. It was

especially important that key strategic risks be included in the ERM process, and that leaders

within Eli Lilly’s strategic functions be able to provide input on what risks were ultimately

elevated to an enterprise level.

Eli Lilly and Company uses a highly structured approach to implement its ERM process and

accomplish integration of ERM and strategy. The board-level components consist of the Audit

Committee and the Public Policy and Compliance Committee (PPCC), which provide oversight

and accountability at the board level.

The company chose to align ERM with its E&C function to benefit

from two key attributes: risk identification and independence. The

E&C function at Eli Lilly conducts risk identification and mitigation

as part of its daily operations; keeping ERM aligned with Compliance

would provide for greater efficiency. The Ethics and Compliance

department reports to the CEO with a dotted line of reporting to the

board, so aligning ERM with the E&C function allowed ERM to

maintain this essential, independent line of reporting as well.

The next element is the Compliance and Enterprise Risk Management Committee (CERMC),

which consists of senior management, including the Presidents of each of the company’s

business units and functions (e.g. LRL, Manufacturing, Quality and Global Services, etc.), the

President of Lilly’s largest affiliate, the Chief Medical Officer, the Chief Information Officer,

and the General Auditor.

Another critical component is the ERM Core Team, which consists of a group of six selected

members representing various areas of the business, including two executives in charge of

strategy (including the leader of Corporate Strategy), the board secretary, who is an attorney in


the Lilly Law Division, a CERMC member (Chief Ethics and Compliance Officer), and the two

individuals in charge of the company’s ERM process.

Eli Lilly ERM Structure

Having a group such as the ERM Core Team provides several benefits. A multi-disciplinary

team provides an enterprise-wide perspective on both risk identification as well as prioritization.

Including strategic personnel provides a uniquely strategic point of view, and including a board

level perspective can keep the ERM team informed of board-level priorities or concerns and

more closely link ERM risks to the company’s current and future strategic initiatives. The mix of

personnel on the Core Team allows the group to evaluate operational risks through a long-term

strategic lens to identify entity-level risks and opportunities.

Each January and February, the ERM Core Team conducts workshops involving 40-50 leaders

across the company’s geographic regions and business units. The Core Team then uses the

information gathered from the workshops as well as its own internal discussions to put together a

report on entity level risks that is reviewed by the CERMC. The Core Team is able to pull


together themes that cross business unit/functional area boundaries and use their respective

points of view to prioritize these themes into entity level risks based on a strategic, enterprise-

wide perspective. In this way, the ERM Core Team serves as a critical transition point from the

“silo” perspective of the individual business units to the more enterprise-wide view of executive

management and the board.

For example, after completing its annual ERM

workshop process and reviewing the results, if the

ERM Core Team discovered that several different

business units have identified a similar risk, the

ERM Core Team could upgrade the risk from a

business unit risk to an entity level risk in the

report to the CERMC. Upon review by the

CERMC, additional resources could be assigned,

including the creation of a task force/team to look

specifically at the enterprise level risk and craft a

mitigation plan to be implemented on a company-

wide basis. This is just one example of how Eli

Lilly’s process is designed to take what appears to

be a business unit risk and escalate it to an

enterprise level to be dealt with and mitigated before it negatively affects the company.

Directly supporting the ERM Core Team are the ERM Liaisons, which typically have operational

responsibilities at the business unit or functional level. The ERM Core Team works closely with

the ERM Liaisons to identify risk owners within each business unit or functional area, and the

ERM Liaisons in turn work with the identified risk owners to craft a mitigation plan for the risks

they have been assigned. This ensures that those most directly responsible for managing and

mitigating the identified risks maintain ownership of the risks.

In addition to the assignment of risk ownership, oversight and monitoring is conducted

throughout the process to ensure that the mitigation plans are put into action. Based on whether a

risk has been assigned a high (red), medium (yellow), or low (green) risk designation on the

company’s ERM heat map, oversight is assigned to the CERMC, ERM Core Team, or Business

Unit Liaisons respectively (see Appendix A3 and A4). For example, review and oversight by the

CERMC involves a risk owner providing an update to the members. The ERM Core Team meets

with ERM Liaisons to review documents that support execution of the various mitigation steps,

and Business Unit Liaisons conduct their own review of the documentation supporting execution

of the various mitigation steps.

Integration of ERM with Strategy

One of the first obstacles to integration faced by Eli Lilly was

getting those involved in the process to avoid mentally

separating ERM risks from other strategic processes. From the


company’s point of view, integration should begin at the individual employee level, and this

required helping employees understand that ERM should not be separated from their other work.

One method the company used to overcome this obstacle was to ensure the timing of the

company’s ERM process coincided with the strategic planning process during the company’s

regular business cycle. When the strategic planning process begins in January and February,

business areas are responsible for establishing their portion of the strategic plan. Information

from this business unit level process is used as an input for annual ERM workshops, which

encourages employees to think about ERM at the same time they are already engaged in the

strategic planning process. This helps embed the ERM process at the strategic planning level and

increases the likelihood that strategic objectives directly inform the risk identification process.

Since the strategic planning process also involves scenario analysis activities, the company is

able to identify potential opportunities for competitive advantage arising from successfully

mitigated risks.

One of the keys to ensuring that personnel perceive ERM as more than just “another corporate

exercise” has been to focus on building relationships and educating employees on how the ERM

process has value for the company. This education has occurred by conducting CERMC and

board meetings as well as sessions with ERM Liaisons. Since the strategic planning process is

well-understood, and its importance widely accepted, linking ERM to the strategic planning

process from a corporate perspective helped forge the correct mindset.

The other key to integrating the process with strategy at the

employee level has been to create “local” ownership of the

process at the business unit level. This was accomplished by

establishing that the business leaders would ultimately be

responsible for the identified risks and their subsequent

management and mitigation. Additionally, making it clear that

the board of directors was keenly interested in knowing what the

risks were and how they were being managed created a powerful incentive that represented the

“tone at the top” and encouraged business unit leaders to make the process work.

After the CERMC conducts its review of the ERM Core Team’s report on entity-level risks, they

also review business unit strategic plans, which provides another level of strategy and ERM


integration. The CERMC is able to view the strategic plans through the lens of the recently

reviewed enterprise-wide risks distilled from the work of the ERM Core Team and ERM

workshops. Having this dual outlook helps identify overlooked areas or risks that may have been

included in the risk portfolio but not addressed in the strategic plan.

The last component of the integration cycle happens at the end of the business plan process, after

the final funding decisions have been made as part of the company’s budgeting process. The

ERM Core Team and the CERMC meet again to discuss whether any funding changes resulting

from the budgeting process have affected the previously identified risks, and whether any

changes need to be reflected in the company’s risk profile. The ERM Core Team reviews and

provides input regarding the risks included in the company’s 10-K, which provides a final

critical communication link between risk, strategy, and the company’s stakeholders. This

provides a good summation point for the ERM process, and ensures one final point of review

that includes both ERM and strategic perspectives.

Future Steps

The integration of ERM and strategy is an ongoing process that

Eli Lilly seeks to improve each year. The company has

identified three broad areas where it intends to further improve

integration between ERM and the company’s strategic process.

The first area of focus includes improving its identification of

opportunities and not just the threats represented by risks

identified in the ERM process. Further integration of ERM and

strategy will allow risks to begin to inform new strategic

directions and initiatives that add value to the company. The

company plans to implement this change by specifically

discussing possible opportunities during the risk identification

workshop process each year. The discussion will seek to

identify risks that, if mitigated properly, may lead to a

competitive advantage in the industry or marketplace. Any

opportunities identified will then be passed along to those in

charge of business planning.

The second area of focus is to more systematically consider

key risk indicators, or what the company calls “signposts”.

Identifying “signposts” can enable the company to activate or

revise a mitigation plan in time to effectively address emerging

risks. While there are business units that are doing this currently, the goal is to ensure consistent

enterprise-wide adoption in a more formal and documented manner.

The last area of focus will be to more clearly identify risk interconnectedness. Viewing all risks

as being potentially linked in some way will improve both the identification of how one risk can

amplify others, as well as improve management of risks across affected business units. This will


allow the company to be more efficient in managing risk, as well as assist in the identification of

new opportunities for improvement.

The company recognizes that integration is an ongoing process. Each of the critical elements of

integration have grown over time, and are the result of consistent leadership and support from the

top levels of the organization as well as a positive company culture surrounding risk

management and its integration with strategy.


Case Study: Daisy Company

Background of the Organization

Daisy Company is a leading national specialty manufacturer of high-quality personal care

products. The company’s products are sold in more than 95 countries and territories around the

world. The company’s net sales for fiscal year 2015 was $12.4 billion and net income was $1.3


Overview of ERM

ERM is a process by which the company identifies critical risks affecting its ability to

successfully attain its goals and strategy. The company has adapted its ERM process over the

years by adopting a subcommittee ERM approach that deals with major risk areas such as

strategy, technology, human resources, and emerging markets.

Daisy Company Corporate Risk Management Committee

The company has a corporate-level Risk Management Committee (RMC) which meets four

times a year and is made up of ten members from the senior level of the corporation. The

committee includes Presidents of Brands, Head of HR, the CFO, the Treasurer, and the Head of

Operations. Below the RMC, there are nine other subcommittees: Strategic Business Risk, Legal,

Research and Development, Finance and Reporting, Supply Chain, Cyber Risks, IT, HR, and

Emerging Markets. Each of these subcommittees has approximately 8-12 members at VP or

above level. Each subcommittee is made up of multi-disciplinary members to identify the risks to

the company as a whole. Towards the end of the year, the CRO will present the top risks

identified and escalating risks to the CFO, CEO, Chairman, the Audit Committee and the Board

once a year.



Daisy Company ERM Structure

The risk identification process begins with a questionnaire that goes to all subcommittee

members as well as risk owners and senior management. The questionnaire, which is part of the

company’s integration of ERM and strategy, includes the following questions:

 What are the risks that would affect the strategy?

 What are the operational risks?

 What risks are escalating that will require priority focus in the current year, and

 What risks are emerging risks that could have significant impacts in the future?

The questionnaire includes a catalogue of existing risks for reference, and then the risks are

updated based upon the results of the questionnaire. A risk template is used to record the

identified risks with a description, the risk owner, and a scenario analysis that shows how the risk

affects the company. The template also includes 1-3 risk drivers. The inherent risk is then rated

by the risk owner and RMC based on 3 criteria: probability, impact, and velocity. Then the risk

score is derived from these criteria. As part of the mitigation strategy, a risk owner is assigned

responsibility for developing a mitigation plan. There are also risk mitigation tasks which are

high-level tasks done to implement the strategy for mitigating the risk. In the subcommittee, each


task is rated to come to a composite score for the strategy and later, each owner of the committee

is responsible for having the template filled out. (See Appendix A5).

After completing the template, the risk owners and the committees then rate the risk on a residual

basis using the same 3 criteria (impact, probability, and velocity) to see how the mitigation

strategy has affected the level of risk. In addition, there is also a mitigation effort score using a 1-

5 scale (deficient, weak, basic, acceptable, and comprehensive) to rate the mitigation actions.

The risk owner is then given the chance to provide an explanation for the risk rating score. In

order to know whether the plan has been implemented in the future or whether the mitigation

plan has worked, the risk owner re-rates the risk after mitigation has been implemented using the

same 3 criteria (impact, probability, and velocity). From the risks and the ratings provided by the

risk owners, escalating risks are determined and reported to senior management [See Appendix

A6]. For example, cyber risk is a high impact and high likelihood risk, and if it is graphed on the

heat map, it would be upper right. However, the heat map does not give people a chance to

communicate and talk about what they have done to mitigate the risk. Therefore, the residual

rating gives people the chance to show that they are doing all they can, and despite their efforts,

the risk is still remaining high, even with a mitigation plan in place.

Integration of ERM with Strategy

The CEO has driven the integration of ERM with strategy,

therefore, changes and improvements each year have been in the

direction towards integrating ERM with strategy. The support and

strong tone at the top play an important role in the success of the

integration process of ERM with strategy. The risk committees

are made up of 8 operational subcommittees and one strategic risk

subcommittee with risk owners who are typically members of the

operational subcommittees. The strategic risk subcommittee is chaired by the head of strategy

and made up of senior management members. Each subcommittee, except for the risk

subcommittee, has its own risk owner, and risk owners are interviewed individually by the CRO

of the risk subcommittee.

The other key area of integration is the development of lagging KRIs for risk and mitigation

purposes. As a business, from the strategic plan, the company develops lagging KRIs to track the

various mitigation tasks. The risk indicators help the company to enact the mitigation plan in

time to effectively address emerging risks. For example, a lagging KRI might track sales in a

particular place and use the existing KRI to address any changes in risk and mitigation tasks

when the company plans to earn revenue in a particular location.

Finally, the company includes the risk templates in the normal strategy process and includes a

process for identifying the main risks to the strategy and the plan for managing those risks. After

the mitigation plan has been implemented, the RMC will re-assess to see whether additional

actions would be needed and send the summary to the finance department to make sure funds are



The corporate risk management committee and the risk subcommittees meet quarterly. The

subcommittees usually meet early in the third quarter. The strategic planning process typically

starts near the end of the year, while the budgeting process takes place in the later part of the

third quarter. The strategy process and the risk management process are ongoing, simultaneous

processes. The company sees risk management and strategic planning as a continuous, ongoing

cycle, so they do not try to fit things into a prescribed time, but rather maintain flexibility to

respond to changing conditions.

Daisy Company ERM Timeline


Future Steps

The ERM process has been improving each year, involving more personnel throughout the

organization. Since its inception 15 years ago, it has matured in tandem with the strategic

planning process. The company has a very strong tone at the top which has supported the

continuous improvement of these processes. One of the most significant improvements in the

process came about during the aftermath of the financial crisis, when the company put more

structure around risk mitigation plans and mitigation efforts.

The company is now in the process of introducing a new set of

reporting procedures which will take more of a dashboard

approach, in an effort to better communicate risk information.

However, the company still believes that informal

communications between the key players dealing with risks

and strategy are critical, and those discussions need to continue.

At the business level, at first, personnel may have felt that

considering risks represented additional work, and did not

really see the immediate benefit. However, the RMC has been

trying to be a facilitator to keep the load on others as light as

possible, so the workload effect was not so dramatic. For

example, the strategic business risk subcommittee used to

request that the other risk committees complete the risk

templates. Now, the strategic business risk committee gathers

the information themselves, completes the templates, and sends

it to the other risk committees for review. Now that the benefits

of the ERM process are widely recognized, and the process has become institutionalized,

changes in personnel have not had a disruptive effect. New personnel quickly adapt to the

process as a result of the strong culture of the company.

The company realized the importance of integration of ERM and strategy early from the

beginning of the ERM process, and considers integration to be an ongoing process. The ERM

process as well as the integration with strategy have grown over time as a result of consistent

support from the top levels of management and the company’s culture.



 There is no best “home” for ERM within a company’s operations; rather, ERM should be

well-positioned to have proper reporting channels and have an effective vantage point of the

company’s operations to avoid potential “blind spots.” This can vary depending on the nature

of the company’s operations, its culture, and organizational structure.

 It is essential to remember how important the tone and expectation coming from top

leadership is in creating and maintaining a successful ERM process, especially one that is

functionally integrated with strategic planning.

 Take time to build relationships through educating key business process leaders about the

benefits of the company’s ERM process. Business leaders will more fully engage in the

process when they see inherent value in the process.

 No matter where a company is in its ERM process, communication and education of those

involved is critical to keeping ERM relevant, accepted, and supported.

 Assign risk ownership and mitigation at the business unit level. Making business unit and

functional area level personnel responsible for owning risks and crafting mitigation plans

makes strategy and risk management coexist in the same space. This provides the “front-line”

integration of risk and strategy, since the individuals responsible for carrying out strategic

objectives are also involved in risk ownership and mitigation.



A1: Mitchell Industries: Risk Assessment Template


A2: Mitchell Industries: Template Assessing Risk in Relation to Strategy


A3: Eli Lilly: Risk Assessment Template


A4: Eli Lilly: Risk Ranking Matrix


A5: Daisy Company: Risk Template

Risk Number: Date Completed/Updated:

1. Risk Information

Risk Name:

Summary Risk Category:

Risk Short Description:

Risk Committee:

Risk Owner:

Inherent Risk Element Ratings: Velocity Impact Probability Risk Score

(Based on 5 point scale: VL-Very Low, L-Low, M-Medium, H-High, VH-Very High)

2. Risk Scenario

Key Risk Drivers:

 X

 X

 X


3. Current Risk Mitigation Strategies and Tasks

(Effectiveness Ratings are based upon a 1 to 5 scale, with 5 being “Highly Effective”, the Overall Effectiveness Rating represents an assessment of the overall Mitigation Strategy based upon the Risk Mitigation Tasks that are in place and the assessment of their effectiveness.)

Task No.

Mitigation Task Name

Mitigation Task Owner

Description Task Mitigation Effect Risk Element Rating Affected

Metrics & Monitoring Effectiveness Rating




Strategy No.

Mitigation Strategy Name

Mitigation Owner Description Mitigation Effect Overall Effectiveness




4. Current Residual Risk Ratings

Risk Element Ratings: Velocity Impact Probability VIP Risk


(Based on 5 point scale: VL-Very Low, L-Low, M-Medium, H-High, VH-Very High)

5. Current Mitigation Effort (to be completed by Risk Owner)

Mitigation Effort Rating: Comprehensive Acceptable Basic Weak Deficient

Mitigation Effort Justification:

6. Current Mitigation In Action Example

Current Mitigation Effort rating is Basic or below, risk requires Future Risk Mitigation Strategies


7. Future Risk Mitigation Strategies (If Current Mitigation Effort rating is Basic or below, risk requires Future Risk Mitigation Strategies) Mitigation

Strategy Name Mitigation

Owner Description Action Plan Implementation Date Required Resources Incremental


8. Future Residual Risk Ratings

Risk Element Ratings: Velocity Impact Probability VIP Risk


(Based on 5 point scale: VL-Very Low, L-Low, M-Medium, H-High, VH-Very High)

9. Future Mitigation Effort (to be completed by Risk Owner)

Mitigation Effort Rating: Comprehensive Acceptable Basic Weak Deficient

Mitigation Effort Justification:


10. Risk Outlook (to be completed by Risk Owner): Qualitative rating based on micro and macro factors, not directly connected to risk mitigation

Risk Outlook: Increasing Decreasing Stable

Risk Outlook Justification:

11. Opportunities: Opportunities are favorable or advantageous circumstances arising from the identification and/or mitigation of the risk that can promote the achievement of our strategic goals and objectives.

Opportunities Description:


A6: Daisy Company: Rating Scale




About the Authors

Ha Do is currently pursuing her Master of Accounting degree with a

concentration in Enterprise Risk Management at NC State University.

While obtaining her Bachelor of Science degree in Quantitative

Economics from Tufts University, she built a diverse experience in

financial services industry through her internships in banking and public

accounting firms. Upon graduation, she hopes to begin her career in audit

or risk advisory services.

Maria Railwaywalla is a second year Master of Business Administration

student at NC State’s Poole College of Management. Her concentration

areas are Supply Chain Management and Data Analytics. She has an

undergraduate Juris Doctor degree and over four years consulting

experience. Akin to working in multicultural environments, she gained

varied experience in manufacturing, services, and information technology


Jeremiah Thayer is a graduate student pursuing a Master of Accounting

degree with a concentration in Enterprise Risk Management from NC State

University. While obtaining a Bachelor of Science in Business

Administration with a concentration in Accounting from the University of

South Carolina, Aiken, he worked as part of a team at a small business

consulting firm, interacting with rural and agricultural businesses to create

feasibility studies, business plans, and marketing documents.