Implementing a Structured and Integrated ERM Framework
DUBAL’s new ERM framework is well-streamlined, structured, and unified with clear visibility into the top risks affecting each business unit. These risks are systematically and regularly assessed in qualitative and quantitative terms, and then consolidated and rolled up to the enterprise level where they can be used to support strategic decision-making.
Below are the steps DUBAL took to implement its new ERM framework:
A baseline maturity assessment
DUBAL conducted a baseline ERM maturity assessment to determine where it stood from a risk perspective. The maturity level of the ERM processes was plotted on a graph where the lowest level of maturity - Level 1 - is characterized by fragmented risk processes and silos, while the highest level - Level 5 - is characterized by a holistic, integrated, and optimized risk framework. At the start of the ERM project, DUBAL found itself in the middle of the maturity assessment curve. The company’s goal for the next 5/7 years of the ERM program implementation is to end up at Level 5.
Identification of business unit risks
DUBAL knew that attempting to collate and understand every single risk across all its business units would have taken several years. Instead, the company decided to focus on identifying and collating the top 50-60 risks in each business unit. The risks were then evaluated on a scale ranging from Very High, to High, Medium, Low, and Very Low.
Quantitative assessment of business unit risks
After identifying the top risks in each business unit, DUBAL transitioned to quantitatively assessing these risks to understand their impact on the business in terms of a 3-point estimate: Minimum Anticipated Financial Impact, Anticipated Financial Impact, and Maximum Anticipated Financial Impact. Eventually, the company combined the quantitative risk assessments with qualitative assessments.
Monte Carlo simulation exercise
As part of the quantitative risk assessment process, DUBAL began to run Monte Carlo simulations to determine what its Value-at-Risk (VaR) would be if a particular risk were to occur. The company implemented specific tools to calculate the maximum VaR, minimum VaR, and anticipated risk. It was then possible to predict with 95% confidence that if risk “x” were to occur, “y” would be the maximum VaR.
Over time, DUBAL hopes to run the Monte Carlo simulations on all identified risks. Yet the company understands that these simulations are merely one part of the risk assessment tool, and serve to validate what the risk managers already know and believe to be correct for the business. The biggest benefit of the Monte Carlo simulations is in helping DUBAL put a dollar value to risks by simulating the high, low, and expected losses.
[Figure: DUBAL’s Structured ERM Roll-out]
However, there are some risks, such as Environment, Health, and Safety (EHS) risks, which can be difficult to put a monetary value on. In such instances, DUBAL often consults its insurers, most of whom have already quantified the risk of various physical injuries in monetary terms. The company also works closely with business analysts to quantify how a safety risk like an employee injury could affect the reputation of the company, or how a health risk like a flu pandemic, arising from so many employees living together in close quarters on the company facilities, could impact production. DUBAL analyzes these various scenarios, and then tries to determine what the financial impact of the scenarios would be.
Gradually, DUBAL started getting employees comfortable with the idea of reporting on risks in an open and transparent manner. The company drafted policies and procedures, implemented an extensive training program, and began to integrate their risk and control processes. At every stage, its aim was to ensure that the ERM framework roll-out was structured and sustainable.
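The three-point estimate and the 95% confidence figure described in this section can be reproduced with a short simulation. This is an added example, not DUBAL's or MetricStream's tooling: the risk names and dollar figures are constructed, and the triangular loss distribution and the independence of the risks in the roll-up are assumptions.

```python
import math
import random
import statistics

# Constructed three-point estimates in USD: (minimum, anticipated, maximum).
RISKS = {
    "risk_a": (100_000, 250_000, 900_000),
    "risk_b": (50_000, 120_000, 400_000),
    "risk_c": (20_000, 60_000, 150_000),
}

def sample_losses(rng, minimum, anticipated, maximum, trials):
    """Draw simulated losses; the triangular shape is an assumption."""
    return [rng.triangular(minimum, maximum, anticipated) for _ in range(trials)]

def var_at(losses, confidence=0.95):
    """Nearest-rank percentile: the loss not exceeded in `confidence` of trials."""
    ordered = sorted(losses)
    rank = max(1, math.ceil(confidence * len(ordered)))
    return ordered[rank - 1]

def summarize(losses, confidence=0.95):
    """Low, expected, VaR and high loss for one set of simulated trials."""
    return {
        "min": min(losses),
        "expected": statistics.fmean(losses),
        "var": var_at(losses, confidence),
        "max": max(losses),
    }

def simulate(risks, trials=20_000, seed=7, confidence=0.95):
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    per_risk = {name: sample_losses(rng, *estimate, trials)
                for name, estimate in risks.items()}
    # Roll-up: add the losses trial by trial, treating the risks as independent.
    combined = [sum(trial) for trial in zip(*per_risk.values())]
    report = {name: summarize(losses, confidence)
              for name, losses in per_risk.items()}
    report["ALL"] = summarize(combined, confidence)
    return report

if __name__ == "__main__":
    for name, row in simulate(RISKS).items():
        print(name, {key: round(value) for key, value in row.items()})
```

The rolled-up VaR comes out below the sum of the individual VaRs because independent risks rarely hit their worst cases in the same trial; correlated risks would narrow that gap.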
Selecting an ERM Software Solution
Towards the end of 2011, DUBAL began looking for an ERM software solution vendor to support and enable its new ERM framework. The company identified six vendors, and then shortlisted three after an evaluation of each vendor’s product presentations and demonstrations.
Eventually, DUBAL chose MetricStream as its ERM solution provider for the following reasons: (a) the flexibility and configurability of the MetricStream product; (b) MetricStream’s highly integrated GRC platform, which would help DUBAL leverage synergies between Risk, Internal Control, and Audit; (c) MetricStream’s rich product functionality, especially data-driven Key Risk Indicators (KRIs) and quantitative risk analytics; and (d) MetricStream’s positioning in the Leaders Quadrant of Gartner’s Magic Quadrant for Enterprise GRC platforms.
MetricStream had just a few months to implement the ERM solution, as the DUBAL board required an enterprise-wide risk report to be presented by April 2012. Despite the tight deadline, MetricStream met the client requirements in time - the solution went live on March 31, 2012.