Engineering Value Into Enterprise Risk Management

SRIDHAR RAMAMOORTI, PHD, CIA, ACA, CPA, PARTNER, CORPORATE GOVERNANCE, GRANT THORNTON LLP
MARCIA WEIDENMIER WATSON, PHD, CPA, ASSISTANT PROFESSOR, MISSISSIPPI STATE UNIVERSITY
MARK ZABEL, PRESIDENT, STRAIGHT LINE PERFORMANCE SOLUTIONS LLC

INTERNAL AUDITOR, OCTOBER 2008

Six Sigma techniques can improve the quality of ERM processes and enable organizations to manage risks more successfully.

Organizations should not only recognize and minimize traditional downside risks, but also embrace upside risks, or opportunities, as a strategy for success. According to a 2005 survey by management consulting firm Booz Allen, 87 percent of the market value lost by large companies with market capitalizations over US $1 billion was the result of strategic and operational blunders. Compliance failure, typically the focus of downside risk, destroyed only 13 percent of market value during the five-year study. Faced with this counter-intuitive finding, companies may wish to pursue a more balanced and positive approach to risk management. Enterprise risk management (ERM) goes beyond mere risk mitigation and compliance — it requires a deep appreciation of upside risks, as well. Building a solid ERM infrastructure is a tall order that calls for leaders and managers skilled in understanding, synthesizing, and presenting information across the organization.

Internal auditors can help their organization improve its risk management and control systems by viewing ERM through the lens of Six Sigma, a business and quality management strategy adopted by many large organizations (see "Six Sigma Explained" below). Six Sigma is a scientific, data-driven, project-based business improvement methodology that uses processes as enablers to achieve business results. By combining the process discipline of Six Sigma with The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework, internal auditors can help their organization establish a proactive approach to addressing both upside and downside risks and creating stakeholder value.

Six Sigma Explained

Six Sigma gets many of its operational principles and tools from the quality movement. Originating at Motorola in the early 1980s and expanded by General Electric in the 1990s, modern Six Sigma initiatives incorporate management principles and a formal program and project structure. At its inception, Six Sigma was mostly about reducing the amount of "defects" in manufacturing processes. However, Six Sigma is applied today to do much more. It encompasses a broader definition of defect — for example, an invoice not paid within 30 days could be considered a defect — and its techniques extend into proactive and retrospective prediction. Because risks are, in effect, "defects waiting to happen," Six Sigma techniques can be used to reduce, mitigate, transfer, or eliminate them.

Key Six Sigma principles include:
• Relevance and value to customers.
• Enabling data-driven decisions.
• Understanding how outcomes are related to key outputs and how inputs and key outputs are related to each other (e.g., input-output ratio analysis).
• Eliminating waste of action and inaction.
• Working in a team environment across traditional department silos.
• Financial accountability of projects.

A central aspect of Six Sigma is its specific problem-solving process: define, measure, analyze, improve, and control (DMAIC). DMAIC is a process that guides a specific project team to improve its process using a rigorous, scientific method. For example, analysis begins only after a baseline for performance is established, solutions can't be implemented until their efficacy is clear, and standardization only takes place after process changes have been demonstrated to work. Six Sigma also uses a large number of statistical, team-oriented, and process-related tools. Six Sigma projects and programs are incremental in nature and, therefore, primarily provide evolutionary, rather than revolutionary, improvement to a business.

ERM AND SIX SIGMA

Standard 1120 of The IIA's International Standards for the Professional Practice of Internal Auditing states that "the internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems." One way internal auditors can fulfill this directive is by assuming the role of matchmaker to many ERM initiatives with Six Sigma in their organization.

ERM and Six Sigma share some common goals and principles. Both are focused on delivering value to stakeholders, such as investors, businesses, customers, employees, and society. Both rely heavily on business processes and data integrity. Moreover, both deal head-on with risk and uncertainty, but from different perspectives — ERM from a financial reporting viewpoint and Six Sigma from an operations and production viewpoint.

One important difference between the two disciplines, though, is that ERM typically does not try to determine whether the organization's ERM process is improving over time — a key Six Sigma principle. According to COSO, a robust design and implementation of ERM correlates with effective governance and accountability. However, implementing ERM is a large-scale, long-term undertaking, involving all levels of personnel within an organization. In this sense, Six Sigma may provide a "meta-process" of scientifically proven tools that can be used to implement and measure the effectiveness and improvement of ERM. Internal auditors can play a "cultural translator" role in this process, bridging the gap between the two traditionally separate worlds of operations and financial reporting. Six Sigma's structure, statistical methods, and deployment readiness can enable and enhance the application and effectiveness of ERM in three key areas: skilled employees, implementation tools, and value creation.

SKILLED EMPLOYEES

An organization that already has implemented Six Sigma has a great head start in establishing ERM. As a shared service to most businesses, Six Sigma, or process excellence, departments have missions to supply skilled people for business improvement projects throughout their organization. Project managers who are Six Sigma Black Belts receive four weeks of training in team tools, process tools, and statistical methods and thinking, while Green Belts receive two weeks of training. Six Sigma programs also generally have their own steering committees, in which project opportunities are prioritized and resources are allocated. ERM projects can benefit from these resources, and ongoing risk management concerns can be addressed on a consultative basis.

Dominion, a gas and electric energy company based in Richmond, Va., was the first company in its industry to implement Six Sigma enterprisewide, beginning in 2000. The company hired retired Admiral Jay Johnson, former U.S. Chief of Naval Operations, as senior vice president—business excellence and put him in charge of Six Sigma deployment. Johnson built a team of more than 100 Six Sigma Black Belts that identified areas where the company could improve the efficiency of processes and lower operating costs.

In organizations that have not implemented Six Sigma, internal auditors can introduce the concept, its tool set, and how the discipline can help define, control, and improve processes, including risk management. Auditors also can use Six Sigma techniques to help their organizations assess risks facing all systems and processes.

IMPLEMENTATION TOOLS

Knowledgeable internal auditors can help their organization identify experts to implement a variety of Six Sigma tools to manage risk. Failure modes and effects analysis (FMEA) is a prioritization tool that scores potential product, people, or process risks along three dimensions: likelihood, severity, and possibility of detection. FMEA can be used to quantify traditionally hard-to-measure, qualitative concepts such as risk appetite and risk tolerance. For example, Bank of America uses FMEA to identify all operational risks that would affect its core processes and then links each risk with quality, completion time, and cost metrics. FMEA has the potential to be a breakthrough tool for coping with the chronic challenge of assessing, aggregating, and responding to quantitative and qualitative risk factors.

Six Sigma also offers an array of tools applicable to the eight components specified in COSO's ERM framework — internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring — such as:
• Data collection plans, statistical sampling, check sheets, and measurement systems analyses to ensure data correctness and relevancy.
• Statistical process control (SPC) to provide monitoring, trend spotting, and decision support.
• Visual techniques, such as flowcharts, to provide transparency to processes.
• Tools that help pinpoint the source of a problem to assist in determining cause-and-effect patterns that can be used to anticipate and prevent future anomalies.

SPC provides a good example of how these tools work. Organizations that have adopted Six Sigma or other performance excellence programs rely on the correct application of SPC to business processes to answer two critical questions about meeting customer requirements: Can we do it right? Are we doing it right? SPC uses tools like control charts to view all critical data simultaneously and direct the organization when to react and when not to react to changing risks and environments.

Another significant Six Sigma-driven application would be devising a capability maturity model framework to track the effectiveness of ERM implementation and sophistication over time. "Evaluating ERM With Six Sigma," below, shows that in addition to implementing an ERM process, the organization could simultaneously establish a measurement system for each ERM component based on Six Sigma principles and tools. The Six Sigma application would evaluate whether ERM processes are getting better progressively over time or changes need to be made.

Evaluating ERM With Six Sigma

This chart illustrates the parallel processes involved in adopting enterprise risk management (ERM) and Six Sigma simultaneously. The organization establishes ERM in Year 0 and develops processes for each of the ERM components over the next five years. At the same time, the organization adopts Six Sigma methodologies, including the DMAIC problem-solving process, for each ERM component. By Year 5, the organization should use Six Sigma to evaluate and continuously monitor the effectiveness of ERM, making changes as necessary.

Chart (two parallel tracks, Year 0 to Year 5):
ERM PROCESS: Adopt ERM → Develop ERM process for eight components → Evaluate ERM effectiveness using the Six Sigma DMAIC process.
PARALLEL MEASUREMENT SYSTEM: Adopt Six Sigma for ERM → For each ERM component, establish strategic, operations, reporting, and compliance objectives, and implement DMAIC.

Contrary to popular belief, Six Sigma is not limited to only objective tasks. Six Sigma tools can be used no matter what the business process is, although it may require a bit of creativity. Six Sigma has been used successfully to improve more subjective processes. For example, General Electric uses Six Sigma in its legal department to limit the number of signatures needed per document. This change not only increased throughput and efficiency, but also reduced costs and improved relationships with external parties due to faster response times.

VALUE CREATION

Internal auditors with a sound appreciation for the potential of Six Sigma technology also can use it to unleash the value side of ERM through a disciplined, systematic means of keeping track of upside and downside risk, giving a more balanced application of ERM. In addition to strengthening risk assessment processes overall, all Six Sigma project teams must consider the voice of the customer (VOC). Tools and steps used early in any Six Sigma project force the team to make sure its processes and metrics have direct relevance to customers and make sense from a global perspective of the organization.

One tool that can create value is a Suppliers, Inputs, Process, Outputs, and Customers (SIPOC) map, a relational map that clearly illustrates input-output linkages as well as the impact on customer outcomes (see "SIPOC Map" below). A SIPOC view coupled with VOC analysis often brings into focus not only the challenges related to defects in customer outcomes, but also potential opportunities to create value in the marketplace. This has significant implications for customer relationship management and can help organizations move up the value chain. For example, BJC Healthcare, a large nonprofit U.S. health-care organization, used a SIPOC view to understand who its customers are and "to listen to their voice" so the organization could improve customer satisfaction, helping the company build an expected 10-year net present value of US $87 million, according to a presentation at the 2007 American Society for Quality World Conference on Quality and Improvement in Orlando, Fla.

Internal auditors also should be aware that Six Sigma can help organizations meet the COSO ERM requirement to consider tolerance levels related to all possible outcomes, including customer service, reputation, and other qualitative areas. To measure the organization's risk tolerance, auditors can assemble Six Sigma professionals with expertise in dealing with qualitative judgments and using methods like VOC analysis to bring analysis of such risk outcomes into the realm of measurement.

SIPOC Map

Creating a Suppliers, Inputs, Process, Outputs, and Customers (SIPOC) map is one of the first things a Six Sigma team does on a project. This map enables the team to see how "what we do" (process) relates to "what we produce" (outputs) and "who we produce it for" (customers). It also brings "what we need" (inputs) and "where we get what we need" (suppliers) into focus. In doing so, a SIPOC map helps teams make better decisions by enabling them to see beyond "what they do" and to consider and balance a wider variety of reasons why their process is experiencing difficulties and is replete with risks.

Map columns, left to right: Suppliers, Inputs, Process, Outputs, Customers.

In organizations with an active Six Sigma program, internal auditors can help coordinate available people and tools to deploy ERM more effectively. A key goal of many Six Sigma projects is to transfer management of a process from output to input. This enables organizations to obtain better business and customer outcomes through control mechanisms that are known to work in practice, not just in theory. In the parlance of ERM, management can use leading indicators to control risks in operations more effectively. Internal auditors can play a valuable intermediary role in embedding Six Sigma processes into control self-assessment (CSA) efforts, making risk and control mapping exercises — including monitoring — highly relevant, reliable, useful, and timely. Specifically, as part of the ERM process, auditors can help ensure that the appropriate risk tone is set in the control environment. To carry this risk tone throughout the organization, they can facilitate departmental CSAs to identify risks and establish appropriate risk responses. Moreover, to make the risk management process more effective, internal auditors who are well-versed with Six Sigma can introduce these concepts across departments, facilitate education and awareness building, integrate them with CSA processes, and ensure they are applied to ERM efforts appropriately.

MAKING THE MATCH

In many ways, Six Sigma represents a solution in search of relevant problems. Internal auditors are keenly aware of difficult measurement challenges and unsolved problems that currently exist in their respective organizations. Once auditors understand the versatility and usefulness of Six Sigma solutions, they can help their organizations match the appropriate Six Sigma approach to an existing risk problem. Thus, internal auditors can act as facilitators to bring new solutions to long-standing risk management problems, including formidable measurement challenges.

To comment on this article, e-mail the author at sridhar.ramamoorti@theiia.org.
