After reading Chapter 34: Turning Crisis into Opportunity, answer the question below. Make sure you write a detailed explanation and include an example. Use APA style for any outside sources.
Question: Do you think that companies need to experience a crisis to take risk seriously?
Turning Crisis into Opportunity Building an ERM Program at General Motors
MARC S. ROBINSON Assistant Director, Enterprise Risk Management, GM
LISA M. SMITH Assistant Director, Enterprise Risk Management, GM
BRIAN D. THELEN General Auditor, GM
This case study chronicles the ground-up implementation of enterprise riskmanagement (ERM) at General Motors Company (GM), starting in 2010through the first four years of implementation. Discussion topics include lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.
I think risk management is an element of all good executive management teams and boards. It will ensure viability in downturns and high-risk periods. I think if that is done not only within the automotive industry, but on a global and specif- ically on a national scale, economies will be in better shape because it is additive. If everybody is doing their job in assessing and understanding risk, the ultimate outcome will be much more positive for our national economy and society, and it is incumbent that corporate leadership understands that responsibility.
—Daniel F. Akerson, Chairman and Chief Executive Officer, General Motors, October 2012
BACKGROUND AND IMPLEMENTATION The enterprise risk management (ERM) program at General Motors was founded in late 2010 at the direction of GM’s then newly appointed chief executive officer (CEO), Daniel F. Akerson, who sought to leverage the program as another means to achieve a competitive advantage in the industry. Having gone through bankruptcy in 2009 as a new board member, Akerson felt that a more robust risk management program would help guide the organization around the drivers of killer risks1
going forward. His goal was to help the company ensure that it was prepared,
608 Implementing Enterprise Risk Management
agile, and fast to respond in an ever-changing world. Perhaps most importantly, Akerson wanted an ERM program that would focus not only on risks but on oppor- tunities as well.
A chief risk officer (CRO) was selected and appointed from within, and the Finance and Risk Policy Committee of the board of directors was chartered to over- see risk management as well as financial strategies and policies. In support of the program, a senior manager and director joined the team. Risk officers were also identified and aligned to all direct reports of the CEO; this helped to ensure that all aspects of the business were covered. The CEO is the ultimate chief risk officer, and his direct reports are the ultimate risk owners. Members of the risk officer team were carefully selected by senior leadership based on their strong business expe- rience, financial acumen, and most of all their ability to lead in the identification and discussion of risk in an objective and transparent manner. These representa- tives were expected to actively participate in the evolving ERM program while still handling their existing responsibilities.
In 2011, the general auditor and CRO roles were combined, and in support of this change, the Audit Committee assumed oversight of risk management. The Finance and Risk Policy Committee continued its focus on financial policy and decision making.
GENERAL MOTORS’ APPROACH TO ENTERPRISE RISK MANAGEMENT The ERM process was built with GM’s vision in mind: to design, build, and sell the world’s best vehicles (see Exhibit 34.1). The process itself was geared toward the identification and management of key (potential “killer”) risks. The ERM team assisted line management in developing a list of top company risks, identifying risk owners, assisting management in the development of risk mitigation plans in conjunction with the management teams, providing ongoing monitoring, and reporting results to senior management and the board.
The scope of GM’s initial ERM program intentionally did not fit the typical ERM definition of an all-encompassing, holistic approach. As a bottom-up imple- mentation, senior leadership wanted ERM to focus on those elements of risk and opportunity that were most important to the company. We at GM have since enhanced our program with additional high-impact features, which are detailed later in this chapter.
Overall, however, our approach was to move away from the typical ERM view, which focuses on “what can go wrong.” We took a more actionable view of “what can go right,” placing emphasis on both opportunities and risks, to ensure that we were leveraging our ERM program to be well-positioned in the industry.
Lessons Learned: Identifying Risks
A critical success factor that has been a part of our program since inception has been to continually seek out several views, including views from sources outside the company, of risks that the industry and company may face. In addition to reg- ular meetings with our risk officers, we conducted a number of focus groups and
TURNING CRISIS INTO OPPORTUNITY 609
Risk Dashboard Established using the Risk Owners and Business Plan Assessment Risk Indicators
Design, Build, and Sell the World’s Best
Assess and Prioritize Output: Top Company Risks
(Key Factors: potential impact, likelihood, and velocity)
GM Risk Management Process
Monitor, Validate, Report Ongoing monitoring of the
environment, status on action place, and validation of actions
Identify Key Risks Output: Risks that could significantly impact the
achievement of Business Objectives and Strategies
Develop Risk Management Plans
Risk owners develop action plans and identify Key Risk
Indicators to monitor
Risk Owners Assigned Responsibility for managing risks is dispersed throughout the business and as close to
source of risk as possible
Exhibit 34.1 GM Risk Management Process
workshops to gain insight into potential blind spots that may exist, and to cap- ture various views on emerging risks. To solicit this information, we reached out to deep thinkers and those with broad business experience both within and out- side of our organization and sought input across demographic groups, including Generation Ys or recent college graduates and young professionals.
The careful attention devoted to capturing several perspectives from various demographics, both inside and outside of the organization, has led to some great successes and has consistently influenced the composition of our top risks list. Our commitment to seeking out diverse views has helped us to avoid confirma- tion bias,2 and helped us to ensure that we are not seeing our world through rose- colored glasses.
Lessons Learned: Developing Top Risks Lists and Reporting to Senior Management
There is a tendency to underestimate risks. If you go back and look at the problems we ran into over the last four to five years, everybody knew there was a housing bubble there. Everybody knew the banks and others were stretched out. But rather than face up to the fact that you had this huge risk and understand what the con- sequences were of the risk materializing, it was relatively easy to say, “Well, it is a low-probability risk, so let’s go on—things look good.” It may be a low-probability event, but those low-probability events have a way of materializing, and therefore we need to better understand what happens.
—Mustafa Mohatarem, Chief Economist, General Motors, October 2012
610 Implementing Enterprise Risk Management
While we understand the value of assessing probability and impact for risks, we have made additional improvements to our process for ranking and prioritizing risks. In the past, we facilitated meetings at which our risk officers were asked to score proposed risks individually along defined impact and probability scales. The output of the session was a typical “heat map” with risks that were ranked or plotted based on probability and impact scores.
However, we quickly learned that not only was this a very tedious process, but it injected a great deal of subjectivity since many of the participants did not really have specific knowledge of these parts of the business. We have also learned from various world events, such as the Fukushima disaster in Japan, that there may be a tendency to dismiss risks with the potential for very high impact because they have a very low probability of occurring. These low-probability events are often risks that companies cannot afford to miss. As we looked back on what has worked well or needed improvement, we thought there was a better way to provide our board and other stakeholders with more meaningful and actionable information. This prompted us to make a number of changes to improve the program.
First, we gave the responsibility for assessing the probability and impact rat- ings related to risk to the senior executives who were assigned the primary respon- sibility for overseeing the risks, since they were uniquely positioned to provide the most accurate assessment. We stopped the practice of asking risk officers to vote on impact and likelihood levels. Instead, when developing (or refreshing) the top risks list, we employed a real-time, web-based pairwise comparison3 tool to assist in prioritizing the risks in relation to each other. When developing our top risks, we briefed participants (risk officers) with precise risk descriptions to help enable their decisions when voting on each risk pair. Once we completed the various pairing sequences, the tool generated our preliminary risks list. This preliminary list was then subjected to various sense checks4 prior to delivering a proposed top risks list to our senior management or board.
Second, we moved away from using a ranked top risks list altogether. Too much time was being spent on whether a risk should be number 3 or number 5, for example, when the choice did not at all affect how the ERM team or management would address the risk. We moved instead to a three-tiered approach (Exhibit 34.2), which more broadly separated risks by their relative importance. We did not limit ourselves to any predefined number of risks in any given tier; we looked for natural breaks in terms of concurrence on what is a top risk (often looking at the pairwise scoring) versus what is more of an emerging risk.
Third, we focused on using three measures—the levels of inherent, current, and residual risk—as indicators of where the organization currently viewed the effect of its mitigation activity and where the level of risk was expected to be upon completion of the mitigation plans. We created a five-point scale with definitions surrounding the ratings for inherent and residual risks (see Exhibit 34.3), and asked the respective risk officers to provide these assessments in consultation with their Executive Committee members (GM senior leaders reporting directly to the CEO) using the ERM risk template. While just a minor modification to the previous ERM risk template, this assessment of current and expected future risk levels quickly became a focal point for senior management and the board committees when pre- sented. With current and future risk levels now documented, we were able to pro- vide the board with better insight into the status and projected movement of our
TURNING CRISIS INTO OPPORTUNITY 611
Watch list. Complete templates; monitored by Risk Officer & Senior
Complete risk templates and send to Committee at least annually.
Top Risks. Closely followed & presented to Board / Committees
Exhibit 34.2 Three-Tiered Approach
top risks (see Exhibit 34.4). We continued to provide the standard heat map of risks, but the new chart provided the type of forward-looking insight and status that heat maps do not provide. The new chart has been very well received and we continue to utilize it.
Lessons Learned: Understanding Corporate Culture
The ERM implementation at General Motors has enjoyed great success for several reasons: There has been excellent support from the CEO and senior management; we have a strong, knowledgeable, and highly engaged ERM team and risk offi- cer organization that touches every part of the business; and we have been able to garner proactive involvement through understanding and properly leveraging corporate culture.
We recognized early on that we would need to ensure that the ERM environ- ment at General Motors was an open forum where people could share freely. In fact, the importance of objectivity and transparency cannot be understated in terms of the success of any ERM program. Perhaps it is attributable to human nature, but we found in the past that people had a tendency to identify a problem and keep it to themselves while they tried to resolve or address it, rather than putting it on the table for discussion. As this was not the culture that we wanted in the ERM program, we reduced the probability that this would occur by selecting the right people to lead by example.
We looked for several specific traits when selecting our risk officers:
� High potential executives and leaders � Strong business experience and good financial acumen, including strong
technical expertise in the region/function of responsibility � Superior communication skills; unafraid to speak up and discuss issues
openly � Big picture thinkers
TURNING CRISIS INTO OPPORTUNITY 613
� The ability to reach across the organization and provide outstanding support to the top-line executive they represent
To the extent that we had any concerns regarding the ability of participants to be objective and transparent, we were able to largely avoid these issues by seeking out and selecting the right risk officer team members. The team has been highly engaged, and we are beginning to see evidence of this culture spreading through their various areas of accountability. We are now at the point where our services are often on a “pull” rather than “push” basis, which has been very rewarding to achieve.
My role as a risk officer is to look across the product development enterprise, and identify risks which are systemic that we may already be addressing, but I am taking a look to make sure that the risk is sufficiently addressed. Or, in the case of where it is a new technology or a new risk, working with the owner to take a look from a strategic perspective. What can they do more? What can they do better in terms of addressing the risk? Are they engaging all of the cross-functional groups? Do they really understand the societal impacts of the technology they are putting in place? As engineers, we tend to think about F=MA,5 but this is about expanding the scope a little bit more so that we take it at a holistic level.
The ERM program gets quite a bit of support from senior leadership. We reg- ularly review the status of our projects with leadership and we also seek advice and guidance from them on where they see risks in the enterprise that we might not otherwise be addressing in our regular channels.
—Katherine Johnson, Director, Global Product Development, General Motors, October 2012
Exhibit 34.4 Heat Map
614 Implementing Enterprise Risk Management
We also understood that our risk officers came from various functional and regional positions, and would not necessarily be experts in risk management. As a result, we created an orientation/training for risk officers that was very well received. Once the first two individuals were given the orientation we did not have to contact anyone else to take it, as word quickly spread because it was seen as value-added and good use of their time. Risk officers contacted us to ask for the orientation, and this positively impacted the engagement of our program partici- pants.
It was during these orientations that we learned more about various micro cultures in the company. One of the slides in the orientation talked about various risk management techniques: to avoid, accept, reduce, or transfer risk. Early on, as we explained the slide to one risk officer—that there are many ways to deal with risk—he had an insightful comment: “You know, I am really glad that you are implementing this program. Some think that risk is bad and you have to eliminate it 100 percent.”
The orientation sessions provided an environment for healthy discussions about risk being ubiquitous and therefore always a part of doing business. We stressed that the intention of this program was to manage risk, not attempt to elim- inate all risk. To reinforce this, we discussed different ways to deal with identified risks, including accepting them. Going forward, we verbally included these points with every risk officer orientation. This was another means for us to support the transparency and objectivity we sought—people would not feel comfortable talk- ing about risks openly if they thought there was a corporate culture that mandated all risk was to be eliminated.
Our orientation session also included discussions about our risk templates (see Exhibit 34.5). While companies, including General Motors, seem to embrace the use of red-yellow-green-colored charts, the problem of course is that the use of red is often associated with a failure or poor result. We were concerned, given the prior comments, that people might not adequately assess their risks if they believed the point of the program was to make everything green on the charts. At one of our risk officer meetings, a risk officer presented a chart showing a key risk that was rated with an orange color, both before and after mitigation efforts. We took time in the meeting to point this out—that some risks “are what they are”—and there is only so much we can do to be prepared. The point is not to get the risk to be rated green, but to assess it accurately for what it is, and to ensure that we are prepared and doing everything we reasonably can to deal with it.
Lessons Learned: Strategic Risk Mitigation and Decision Support
The central philosophy of GM’s ERM approach is that the responsibility for risk mitigation and opportunity seizing rests with the operational leaders of the com- pany. No staff can or should address all the varied risks of the company; they lack the awareness, expertise, manpower, and authority. But ERM can provide—and has at GM even at this early stage—enormous value beyond the core and critical functions of risk identification and risk education. This is essential to have enter- prise risk management rather than enterprise list management. GM’s ERM is able to
TURNING CRISIS INTO OPPORTUNITY 615
4 – Siqnificant
2 – Managed
2 – Low
[insert approved risk scenario] Inhernet Risk (before any actions) Current Level of Residual Risk Residual Risk
1. Insert Event 2. Insert Event 3. Insert Event 4. Insert Event
• Financial: • Strategic: • Reputation: • Other:
Name Name Name Name Name
Insert Related Risks / Additional Comments
Date Date Date Date Date
5. Insert Event
1. Insert Improvement Opportunity 2. Insert Improvement Opportunity 3. Insert Improvement Opportunity 4. Insert Improvement Opportunity 5. Insert Improvement Opportunity
Insert Key Risk Indicators
Once Implemented, will risk mitigation actions reduce exposure to an acceptable level? YES / NO
Risk Definition Assessment
Key Events That Trigger Risk Exposure Description of Residual Risk
Key Risk Indicators
Risk Mitigation Actions Responsibility
Related Risks / Additional Comments
Completed / Due Date
Exhibit 34.5 Risk Template
provide this value because of a combination of a unique perspective and expertise in a set of analysis, facilitation, and decision-support tools of particular relevance to risk mitigation and opportunity seizing.
Through the risk identification process, ERM staff is exposed to the entire range of global functions and issues, along with internal assessments of corpo- rate strengths and weaknesses, in a way that is typically limited to senior manage- ment. Risk identification also requires engaging with internal and external thought leaders and experts to think through emerging risks and blind spots to create an information base similar to a partner at a strategy consulting firm. The assignment to focus on risk and opportunity, with a corporate perspective and without oper- ational responsibilities, gives a frame of mind and freedom for strategic thinking that is often helpful to decision makers.
At GM, the unique perspective within ERM is made more valuable with a set of tools that helps decision makers better understand and evaluate issues involv- ing external risks and opportunities, and thereby improve their decisions. Any list of top risks will have both internal risks—typically involving execution or compliance—and external risks, whether from shocks, predictable events, evolu- tionary changes, or actions from outside actors like competitors, current or poten- tial partners, dealers, suppliers, governments, or unions. Internal execution risks are usually managed with special focus from operating units, while compliance risks are typically addressed by education and controls monitored by specialized
616 Implementing Enterprise Risk Management
staffs such as security, information technology, human resources, legal, tax, and audit.
External risks, on the other hand, are more difficult for operating leaders to evaluate and react to appropriately. There is a natural human tendency to think that tomorrow’s external environment will be like today’s, only better. Operating leaders tend to focus on their own strategies, worldviews, and “day jobs,” failing to fully consider external players and uncertain events.
Even in a negotiation, the tendency to focus on the company’s perspective can be a problem. Of course, the negotiating team is aware of the other party at the table—whether a union, supplier, or potential partner. But even experienced nego- tiating teams can benefit from thinking through systematically what is truly impor- tant to both sides and how to improve negotiating leverage and to frame issues. However, the biggest blind spots for negotiators usually relate to parties not at the table or to the aftermath of a deal. For example, GM often engages in bargaining with its labor unions while those unions are simultaneously bargaining with other companies in the industry. Understanding the perspective and issues in those par- allel negotiations can be important to the outcome at GM, particularly since there is often an expectation that the pattern established with one company will apply to others. Union locals or subgroups can also have powerful effects on the final out- come. In other contexts, predicting possible rejection by regulators may lead to a different strategy on a merger or acquisition deal, or understanding legislative risk might alter a corporate initiative. Identifying stresses and differences in interests in advance can lead to favorable restructuring of a joint venture or early resolution of an underlying issue.
GM’s ERM staff has adapted a set of tools designed to improve decisions in complex, multiplayer situations or issues. The approach usually involves organiz- ing workshops with cross-functional leaders and subject matter experts, facilitated by ERM staff. When the issue or event is known—such as a major current negotia- tion or an announced change in fuel economy regulations 10 years in the future— the workshop focuses on answering three questions:
1. Who else can affect the outcome? (Players) 2. What can GM and others do? (Options) 3. What do GM and the other players want? (Preferences)
The importance of thinking through these questions systematically can be shown in a mistake from GM’s past. Like other auto companies, GM relies on inde- pendently owned dealers to sell its vehicles. In the late 1990s, some GM executives saw the potential for significant strategic benefits from having a few company- owned dealers, such as an unfiltered exposure to shoppers and a chance to test new marketing and retailing concepts. Though it was recognized that dealers would oppose the idea and that it would be illegal in some states, extensive planning pro- ceeded and a major initiative—GM Retail Holdings—was announced. Within days of the announcement, GM quickly realized this was a poor decision, and within months GM’s CEO went to the annual dealer association conference to announce the termination of the initiative and to apologize for it.
What happened to cause such an unfortunate outcome? First, the leaders of the initiative misread GM’s preferences. They thought that GM valued the potential
TURNING CRISIS INTO OPPORTUNITY 617
benefits of the company-owned dealers more than they would regret an adverse dealer reaction. When the angry reaction came forcefully through many channels to numerous executives, it turned out that the assessment was wrong. Second, some options controlled by the dealers were not well understood. When dealers started pulling or threatening to pull some of those levers, GM recognized the deci- sion’s downside potential. Third, the executives forgot a player—state legislatures. Legislation was introduced in several states (where GM Retail Holdings was con- sidering the placement of dealerships) that would make company-owned stores illegal competition for the independent dealers, and it seemed likely that the legis- lation would pass. If you miss preferences, options, and/or a player, your strategy, negotiation, or initiative can fail.
GAME THEORY When GM’s actions will have an impact on what the others do (see Exhibit 34.6), a form of game theory can help avoid misunderstandings. Using game theory,6 the team can put themselves into the shoes of each player and ask whether they want each option to be taken (including options they do not control) and how important that option is relative to others on the list. With these assessments, it is possible to identify a natural outcome7—where momentum will lead the issue—as well as a danger outcome8 and a target outcome9 for GM. The information gathered is so rich that it can guide both strategy and tactics. Because there is a tight logical con- nection between the recommendations and the inputs provided by participants, decisions are often changed based on the analyses.
Since the combined knowledge of the participants about the external players and their options is usually strong, the predictions of their behavior are remarkably accurate. Even when there is disagreement or uncertainty about what other players want, the analysis can identify robust strategies or narrow the areas where addi- tional information is needed. GM used to have a Defense Operations unit that once developed a design for a military vehicle that the designers thought could displace the Humvee10 used by the U.S. Army. At the time, GM had recently acquired the Hummer brand (since discontinued), which sold a civilian version of the Humvee, so this idea generated significant controversy. Game theory analysis showed that the right actions for GM depended heavily on the preferences of the Army, with disagreement about what they were. GM leaders decided to ask the Army, invit- ing key generals to hear about the Defense Operations concept. The generals made
Issue/event knownOther players Issue/event uncertain
Other player(s) decisions important and affected by your actions
Game Theory Scenario gaming or tabletop
Other player(s) decisions are important but independent
War gaming Scenario planning
Exhibit 34.6 Game Theory
618 Implementing Enterprise Risk Management
clear that they had no interest in switching from the Humvee, and further invest- ment was avoided.
The high value that GM leaders attach to the predictions and insights that the game theory process generates is reflected in the more than 120 times the tool has been deployed since 1999. The issues have included negotiations of all types, competitive strategy, public policy strategy, crisis management, and new business development, and have covered every region and most functions. Speed and effi- ciency are also major attractions; a complex issue can be analyzed and action plans developed and approved in less than one week. When the Risk Management func- tion was created, a natural home for these decision-making tools became obvious.
War Gaming and Scenario Planning
Even when GM decisions do not affect the decisions of other players—as often is the case with long-term product or technology strategies—it can be valuable to think through how other players will act, since that can give a more accurate and unbiased assessment of the risks and opportunities. War gaming workshops often start with known information on the strategies, strengths, weaknesses, and plans of key players. The key trend or issue that is the focus of the war game is explained; for example, there may be tighter fuel economy regulations scheduled to go into effect in some country in a few years. Then participants put themselves in the shoes of the other players and predict their responses to the trend or issue. Implications for GM’s strategy and opportunities to mitigate risks are then identified.
When events are highly uncertain or even have low probability, like an eco- nomic crisis or oil shock, it can still add value to assess how external actors would respond if the event were to occur. This helps to stress test the contingency plans and can identify potential opportunities or risks to mitigate. By adding external players to the scenario planning, the need to bring in additional functions becomes apparent. If and when the event occurs, the action or crisis team will have a broader perspective and connection to important expertise, and information will be easier to access. The ERM staff can facilitate this type of contingency planning and the cross-organization connections through the risk officer network.
Thinking through how an event can spread or become a crisis makes the orga- nization more sensitive to signals and triggers for more intense planning and preparation. A tool that GM has used in contingency planning is “DefCon” level,11
an idea borrowed from the U.S. Defense Department. When a risk with high impact but low likelihood is identified, it may not make sense to spend time and resources on detailed plans and preparations, particularly if there is likely to be significant notice or more urgent signals prior to the event. Instead, there can be a “plan to plan” with only preliminary analysis done at an early stage but commitment made for further analysis and action if particular indicators or signals are seen. The lead- ership group decides whether the event likelihood has reached a more serious DefCon level, triggering the appropriate preparations and actions.
External risks are difficult for any organization to understand and manage, particularly if the risks are only emerging or rare, or involve parties not at the table. By going beyond risk identification to helping decision makers achieve a 360 degree understanding of the external environment and players, ERM can aid good decision making. By using their unique perspective and a broad array of tools, ERM
TURNING CRISIS INTO OPPORTUNITY 619
staff can frame the risks and opportunities and make actionable recommendations, thereby making the good decisions more likely and more robust.
LOOKING FORWARD As we enter our third year of ERM, we have a number of initiatives under way to enhance the ERM program and better integrate it with other internal control efforts. First, we have worked with our internal audit leadership to ensure that the top company risks are being considered in their annual internal audit risk assessment, which drives the internal audit plan. These top risks will be one of many factors used to assess which processes, areas, and functions in the company should be considered for an internal audit.
We continue to look for ways to identify and assess emerging and blind spot risks and opportunities earlier and more comprehensively. In that regard, we intend to engage the corporate Intelligence Network—a cross-functional and infor- mal group of people whose jobs require looking for societal, market, technology, and competitive trends relevant to GM around the world to supplement the knowl- edge and sources of the risk officer network and ERM team.
There is always room for improvement in the plans to mitigate risks and seize opportunities. Both the risk officer network and the ERM staff can be valuable resources to an individual risk officer or functional leader trying to analyze a risk, develop a plan, and check it for robustness. We intend to utilize these capabili- ties more fully and systematically, particularly for complex cross-functional and cross-regional issues.
While our initial ERM focus has been to identify and manage top risks, we also realize that this is only one part of a successful ERM program. With reason- able attention to the top risks now in place, we are ready to address oversight of the day-to-day operational controls. In this regard, we are in the process of develop- ing an enhanced program for operational control self-assessment (CSA),12 which is often cited as a fundamental and critical component of any successful ERM pro- gram. This program will begin with a joint risk assessment conducted across the organization in conjunction with internal audit.
GM implemented various versions of CSA over the years, but these processes waned over time and no longer fully support the business as intended, largely due to resources being redirected to support Sarbanes-Oxley resource requirements. There are many ways to achieve control self-assessment, and we recognize that typical programs are often criticized as not adding value because they lack sub- stance or are simply check-the-box exercises. On the other hand, Sarbanes-Oxley at its core is intended to be a management self-assessment of controls over financial reporting despite having evolved into requiring very in-depth, time-consuming assessments.
There is a need to avoid either creating a burden on the organization to the point where the cost outweighs the benefits (which is how many businesses have viewed Sarbanes-Oxley) or creating a program that is low-cost but lacks any sub- stantive value. Our goal in creating an improved CSA program is to strike a bal- ance so that we are maximizing value to the organization and our shareholders by enhancing operational control assurance while spending resources wisely.
l s up
ds , l
A ; f
Execution: Business Units
Oversight: Local ERM Rep
is t D
no , a
• • • •
TURNING CRISIS INTO OPPORTUNITY 621
The approach we have developed is a policy-based CSA that will start with asking business unit operations’ line managers simple yes or no questions with regard to their compliance on specific policy requirements. However, we are tak- ing this process a few steps further by requiring the managers to attach supporting evidence for their responses. To ensure that the supporting evidence is valid and sufficient, an ERM CSA representative will consult with the manager on control design and perform a quality assurance validation of the submission. The repre- sentative will also respond to any questions and assist in action plan development as needed. The ERM CSA representative will also review any action plans to cor- rect self-identified deficiencies to make sure that the action plan addresses the root cause of the issue (see Exhibit 34.7).
We prefer this approach because it strengthens accountability at the opera- tional level having frontline responsibility for internal controls. As a policy-based program, it drives behaviors that strengthen the company as a whole:
� Policy and process owners realize that they can leverage policies as a means to ensure results. If key risks are addressed in the policy, they will be assessed through CSA, and deficiencies will be uncovered and resolved by operating management.
� All business teams obtain a clear and consistent understanding of major activities and objectives of global or regional processes.
� CSA elevates the importance of up-to-date, accurate policies that address key risks.
Given that CSA is a global program, we expect that implementation will con- tinue well into 2014.
CONCLUSION We expect that the ERM tools we have implemented will improve GM’s ability to identify, exploit, or mitigate, and communicate risk to senior leaders and the board of directors. We view this as a competitive advantage for General Motors that will enable us to react more quickly with improved and well-defined actions. We believe that an integrated risk management process (ERM, Sarbanes-Oxley, CSA, and consolidation of other compliance/assessment types of activities) will enable GM to utilize its compliance resources much more efficiently. Importantly, it will enable the company to have a consolidated, holistic view of risk and allow management and the board of directors to take comfort knowing that mitigation activities will be visible and tracked, and owners will be held accountable.
QUESTIONS 1. What are the pros and cons of having risk officers as part-time assignments within dif-
ferent functions and business units? 2. Can you think of a company whose strategy failed due to their failing to consider the
actions of external players? 3. Do you think that companies need to experience a crisis to take risk seriously?