The Binomial Bookstore
Rothstein Associates Inc.
Risk Management, Business Impact
ENTERPRISE RISK MANAGEMENT: PULLING IT ALL TOGETHER
by Paul L. Walker, Ph.D., CPA; William G. Shenkir, Ph.D., CPA; Thomas L. Barton, Ph.D., CPA

“Optimize your role in the enterprise risk management process by:
* Gaining support from executive management.
* Focusing on adding value.
* Discerning changes to the internal audit profession.
* Understanding the ERM infrastructure.
* Differentiating between ownership and facilitation.
* Opening the lines of communication to enhance corporate governance.
* Integrating risks throughout the enterprise.”

- - - - - - - -

“Traditional approaches to risk management compartmentalized risks and handled them independently. Recent studies have shown that organizations have a better chance of meeting their overall business objectives when risks are managed using an integrated and holistic approach. Enterprise risk management (ERM) does just that, identifying enterprise-wide risks that could not be found using traditional methods.

“The internal audit function has undergone a parallel transformation, moving from compliance auditing to a risk-based audit approach. In Enterprise Risk Management: Pulling It All Together, the authors examine the role of internal audit in ERM implementation in five different types of organizations: the electric utility industry, manufacturing, retailing, oil and gas operations, and the public sector. This groundbreaking research report published by The Institute of Internal Auditors Research Foundation demonstrates how ERM can help organizations focus the efforts of employees on the most important issues and boost shareholder value.

“The organizations used in this study demonstrate that a well-managed internal audit function can add unique value to risk management. The authors assert that ERM is most effective when the internal audit function plays a key role in its implementation. Additionally, management must view internal audit as a key consultant, not as a watchdog.
“Three noted professors of internal audit and risk management theory authored this ambitious report. Dr. Thomas L. Barton draws from his vast professional experience in securities, internal audit, and lending to teach accounting courses at the University of North Florida. Dr. William G. Shenkir teaches at the University of Virginia’s McIntire School of Commerce and once served as the dean of that institution. He has combined years of committee work and accounting experience with rigorous academic study to become one of Virginia’s most outstanding educators. Paul L. Walker, also from the University of Virginia, teaches enterprise risk management and has authored several publications on risk. Together, they conducted in-depth interviews at each organization to build the research for this report.

“The first chapter of the report introduces the research and the ERM approach. ERM broadens the definition of risk to include any event or action that might prevent an organization from meeting its business objectives. The ERM framework classifies risks in four different categories: strategic risk, operational risk, financial risk, and hazard risk. The authors justify the need for an advanced risk management program like ERM by explaining how current market trends such as mergers, global competition, changing technology, increasing customer demands, and the threat of terrorism create a riskier operating environment.

“The study objectives are clearly defined. The authors conducted their research to examine how the internal audit function partners with management to contribute to the ERM process, identify successful tools and techniques in ERM implementation, and provide examples of reporting structures used by internal audit to report ERM findings.

“The next chapter provides an overview of internal audit’s role in the ERM process. The authors purport that the recent professional shift from control-based reviews to risk management makes the internal audit function a “natural ally to the daunting work of identifying risks and ... monitoring those risks across the organization.” The study identifies seven key checkpoints at which internal audit’s role in the ERM process can be analyzed.

1. ERM starts at the top. Everyone, from CEO and CFO to the audit committee and process management, must take responsibility for an enterprise-wide risk management process.
2. Management should recognize the potential of ERM to increase shareholder value. The ERM team should find tangible benefits to support these efforts.
3. Internal audit must change, focus on business objectives, and move from testing to assessing risks to ensure the success of ERM.
4. Business unit management should take ownership of the ERM process and understand the vital role each unit plays in the success of the process.
5. ERM infrastructure should be well developed. Organizations should identify the scope of ERM initiatives and build upon existing infrastructures, define risks and identify ERM’s purpose, conduct thorough risk assessments and risk workshops, and develop new tools such as scorecards and action plans.
6. Each organization should identify its full spectrum of risk, a task best completed with the use of subject-matter experts.
7. ERM should improve and enhance existing corporate governance structures.

“The first case study was conducted at Canada Post Corporation (CPC), a recognized "world leader in providing innovative physical and electronic delivery solutions." There, the hiring of a new chief audit executive (CAE), Carman Lapointe Young, led to the implementation of an integrated risk management process. Canada Post Corporation used the new process to find out how likely the organization was to meet its objectives, how risks were being managed, and how the organization was recognizing and acting on opportunities. Called Dynamic Assessment of Risks and Enablers (D.A.R.E.), the process is composed of three stages: preliminary surveys, workshops, and risk assessments. Risk assessments were conducted at three levels in CPC: organizationally, functionally, and departmentally. The internal audit department went through rigorous training in workshop facilitation and risk assessment, a training process that continues as new employees join the department.

“The audit function at CPC added real value to the organization by significantly improving the quality and quantity of audit reports and audit findings. By focusing their efforts on organizational objectives rather than audit objectives, the auditors at CPC increased departmental accountability, strengthened management understanding of business objectives, and improved corporate governance.

“At FirstEnergy Corp., the fourth largest investor-owned electric utility system in the United States, the authors found a number of concrete ways in which integrated risk management has added value to the organization. Deregulation has altered the risk profile of the electric industry, changing the way electric utilities must conduct business. At FirstEnergy, a recent merger and the diversification of its enterprise have further complicated the landscape, making the organization’s attention to risk management all the more important.

“The internal audit function at FirstEnergy, under the direction of CAE Dave Richards, has undergone a major transformation to deliver value to its shareholders. Internal audit focus has shifted from compliance to consultation and problem solving. As a reflection of this paradigm shift, internal audit developed a risk map for FirstEnergy’s new e-business initiative while it was still in the implementation phase. The internal audit function also conducted a five-month risk assessment for the unregulated businesses, principally trading. The audit executives at FirstEnergy agree that internal audit is an integral part of any ERM initiative. They also found that ERM delivered its own benefits to the internal audit function, streamlining the audit process and increasing efficiency and effectiveness.

“General Motors Corporation (GM), the world’s largest automotive corporation and vehicle manufacturer, is exposed to a wide range of risks. GM Audit Services (GMAS), led by general auditor Jacqueline Wagner, is organized along global service lines and offers a variety of value-added services. GMAS has adapted ERM to advance its risk management strategy on three fronts: process risk management (PRM), business risk management (BRM), and business continuity planning (BCP).

“Business risk management at GM takes a two-pronged approach by looking at internal processes through PRM and focusing on external objectives through objective risk management (ORM). Strategically, GMAS had to implement PRM first while it marketed the benefits of the more forward-thinking ORM. Process risk management relies on a self-assessment methodology and requires the active participation of audit customers. GMAS used several successful public relations techniques to build management support for PRM: distributing PRM bulletins and developing training programs for process owners, operators, PRM facilitators, and GMAS staff.

“Unocal Corp. is one of the world’s largest, independent, investor-owned, oil and gas exploration and production companies. Enterprise risk assessment at Unocal was motivated by a shift in the internal audit department to a focus on risk, a poor existing compliance approach, and a pioneering chief financial officer. Internal audit facilitates the ERM process by assisting operating and support units in their own required risk assessments. Each business unit filed a risk report that was followed up by a separate internal audit report on the risk assessment.
“The involvement and ownership of operating managers in ERM was a critical element in the overall success of ERM at Unocal. Business unit management influences and encourages participation in ERM because the positive results of the program are self-evident.

“The final case study was conducted at Wal-Mart, the world’s largest retailer. Wal-Mart manages enterprise risks through facilitated workshops and a focus on organizational objectives. The ERM process prompts participants to develop detailed action plans and use scorecards with designated champions and time frames.

“Internal audit plays a fundamental role in ERM implementation at Wal-Mart and is involved in every step of the process. In order to contribute to the process, the internal audit function built upon its workshop facilitation skills by conducting on-site training. ERM also helped internal audit shape its approach and identify audit objectives.

“Each of the case studies demonstrates how important an internal audit focus on risk (as opposed to controls) is to the success of any ERM initiative. When management views the internal audit function as a consulting partner in achieving organizational and business unit objectives, it is more likely to participate in and promote risk management.

“In the words of esteemed economist Frank Knight, the paradox of risk is that it results from the future being different from the past, while traditional risk management relies upon the future being similar to the past. Modern organizations cannot absolve themselves from responsibility for disaster by saying that they didn’t anticipate an event because it had never happened before. Risk assessment must be pervasive and diligent. Managers must understand and acknowledge all potential risks and have action plans in place to mitigate them. Proactive audit practitioners can use the practical and timely guidance in Enterprise Risk Management: Pulling It All Together to implement ERM in their own organizations.
- - - - - - - -

CONTENTS

About the Authors
Acknowledgements
Executive Summary
1. Introduction
2. The Role of Internal Auditing in ERM: Implementation and Foundational Elements
3. Canada Post Corporation
4. FirstEnergy Corp.
5. General Motors Corporation
6. Unocal Corporation
7. Wal-Mart Stores, Inc.
8. Conclusion
Appendix I: Interview Protocol - Internal Auditor’s Role in Enterprise-Wide Risk Management
Appendix II: Bibliography
IIA Research Foundation Board of Trustees 2001/2002
IIA Research Foundation Board of Research Advisors 2001/2002
IIA Research Foundation Chairman’s Circle

- - - - - - - -

ABOUT THE AUTHORS

“PAUL L. WALKER is an associate professor of accounting at the University of Virginia’s McIntire School of Commerce. He obtained his Ph.D. from the University of Colorado and is a CPA. He has professional experience as both an auditor and systems auditor for a Big Five accounting firm. He also worked in securities, internal auditing, and lending at a major U.S. corporation. Professor Walker has also served as a consultant to entities such as Ernst & Young and COSO (the Committee of Sponsoring Organizations of the Treadway Commission). He is a member of the AICPA, the AICPA Risk Task Force, and the American Accounting Association. He teaches courses on accounting information systems, auditing, risk management, and financial accounting. Professor Walker’s articles have appeared in The Accounting Review, Decision Sciences, Auditing: A Journal of Practice and Theory, Research in Accounting Regulation, and Review of Accounting Information Systems. He co-authored the 2001 Financial Executives Research Foundation Study, Making Enterprise Risk Management Pay Off.

“WILLIAM G. SHENKIR is the William Stamps Farish Professor of Free Enterprise at the University of Virginia’s McIntire School of Commerce. He served as dean of the school from 1977 to 1992. His teaching and research interests are in enterprise risk management, strategic cost management, and accounting policy. He has produced more than 50 professional publications in leading academic and practitioner journals, made more than 70 presentations before professional and academic organizations, and edited or coauthored six books, including two for the Financial Executives Research Foundation: Open Book Management: Creating an Ownership Culture (1998) and Making Enterprise Risk Management Pay Off (2001). From 1973 to 1976, he served as a technical advisor and project director at the Financial Accounting Standards Board. Dr. Shenkir has served as president of the American Assembly of Collegiate Schools of Business and as a vice president of the American Accounting Association. He has been on numerous committees of the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives Institute, Institute of Management Accountants, and the Virginia Society of CPAs. He was a member of the Board of Directors of Dominion Bankshares Corporation, the Deloitte & Touche Academic Advisory Board, and First Union National Bank - Mid-Atlantic Region. He is currently on the board of directors of ComSonics, Inc. He has taught executive development programs for personnel from industry, government, and accounting firms. He is a CPA and has consulted with a variety of organizations, including COSO on whether they should embark on an enterprise risk management project. In 1995 he received the Virginia Outstanding Educator Award from the Carman Blough Chapter of the IMA, and in 1997 he was recognized as one of the 10 University of Virginia Distinguished Professors in the students’ yearbook, Corks and Curls.

“THOMAS L. BARTON is Kathryn and Richard Kip Professor of Accounting and KPMG Research Fellow of Accounting at the University of North Florida. He holds a Ph.D. in accounting from the University of Florida and is a certified public accountant (CPA). Dr. Barton has over 35 professional publications, including research articles in Barron’s, Decision Sciences, Abacus, Advances in Accounting, CPA Journal, and Management Accounting. He coauthored the 1998 Financial Executives Research Foundation study, Open Book Management: Creating an Ownership Culture, and the 2001 study, Making Enterprise Risk Management Pay Off. He received the Lybrand Silver Medal for his article, "A System Is Born: Management Control at American Transtech." Dr. Barton is the creator of the Minimum Total Propensity to Disrupt method of allocating gains from cooperative ventures. This method has been the subject of several articles in Decision.”

- - - - - - - -

2002, 163 pages. Order #DR717. Special Order Item.

- - - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008