Using risk-mapping software developed internally, the group then plotted the risks on a PowerPoint risk matrix — a template depicting low-level infrequent risks in the bottom left quadrant, and the risks presenting the greatest threat of frequency and severity in the top right quadrant.
Once a risk is plotted in the matrix, it is color-coded to indicate how it has been addressed: red indicates that a risk has had little or no transfer; blue indicates that a risk has been transferred; and a partial risk transfer, such as workers' compensation, is in green, showing that Peabody is partially self-insured in this regard. "You don't want to see something red in that upper right-hand quadrant," warns Navarre.
Peabody's Risk Matrix
Drill down on a particular risk and a detailed analysis of that risk emerges, from its relative importance in the risk hierarchy to how or if it is transferred or mitigated to whose responsibility it is to manage the risk.
Governance risks posed by Sarbanes-Oxley are managed by Peabody's active board of directors and by audits, a code of business conduct, and a comprehensive set of controls as mitigations, says Navarre. Although such regulatory risks as stricter environmental controls cannot be insured, he notes that even these risks are mitigated, in this case through lobbying efforts.
The entire process is dynamic: Peabody formed a cross-functional risk-management committee with Navarre as chairman that meets monthly to continually assess the company's risks. "If a new risk emerges — say we enter into a joint venture or acquisition — we meet to assess the inherent risks and feed them into the ERM process," explains Navarre.
Why is this a better mousetrap? "This is a broadly focused process that involves the entire senior-management teams across all functions to evaluate risk," the CFO replies. "Instead of looking at individual risks, ERM gives us the ability to assess all the risks of the company and understand them, separately and in relation to each other, potentially identifying risks we may not otherwise have identified, and then making a determination to either mitigate that risk or choose to accept it."
Evidently Peabody's audit committee is pleased. "We've learned through this process not only the scope and breadth of risks inherent in the business, but also the various methods that management is using to effectively manage and balance those risks," says William Rusnack, chairman of the audit committee.
Still a Costly Process
The value of ERM must be balanced against its cost. Several third-party firms approached Peabody to facilitate the ERM process, not one of which quoted less than a $200,000 fee. Instead, Navarre decided to facilitate the process internally.
But even without a consultant, the process and infrastructure costs associated with uncovering material risks are significant. "You have to be more invasive within the organization, meaning that you have to ensure that each of the business units is examining its risks in a rigorous, well-defined, systematic way, as opposed to ad hoc oversight," says Terzuoli. "That costs money, since you have to put in place policies and procedures and then ensure that these are being complied with. Then you have to automate this process with an IT component, building a conduit from back-end legacy systems to capture risk-based data to provide risk transparency in a dynamic environment — a flow of information that typically is daily or at the very least weekly."
Fortunately the software tools to construct a dynamic ERM technology infrastructure already exist in package form, sold by vendors Hyperion, Cognos, and Active Strategy, among others. The tools identify the dozens of data elements that require ongoing monitoring, extract them from legacy systems, and gather them in one place, typically a data warehouse. The tools then create a conduit from the data warehouse to a front-end dashboard that alerts users when risks emerge. "Once tied together, the data may reveal, for example, a cash-flow surprise relative to market expectations," says Terzuoli.
The cost of a good back-end to front-end system, with all the hoopla in between? Another $500,000.
Seminole's Strategy
Cost concerns didn't stop Seminole Electric Cooperative Inc., a not-for-profit Tampa-based electrical generation and transmission cooperative with $714 million in 2002 revenues, from pursuing ERM. Seminole's strategic plan mandated a broad corporate-risk profile. "We needed to create a broad list of risks facing the company, not just the risks that executive staff had cited, but risks perceived by executives across all corporate lines," says Seminole vice president of financial services John Geeraerts.
To create it, Geeraerts and Timothy Rogers, manager of tax risk and property accounting, put together a fully fledged ERM strategy with assistance from London-based global insurance broker Willis Group Holdings. Like Peabody, they assembled a multi-departmental committee that included risk overseers from internal audit, tax, finance, and power-plant operations — roughly 8 people altogether. The committee wrote up a detailed questionnaire that was E-mailed to 110 other people in the organization asking them to identify and list risks in their individual areas of oversight, what Rogers calls "brainstorming across all corporate lines."
Reader Comments» Post a comment