Second Evolution: Risk Mitigation Progress Measurement
With the rhythm of an annual ERM assessment in place and top risks at the company and business line level appropriately prioritized, the focus shifted to building risk management strength. The objective was to ensure direct alignment of risk management activities and resources to the most critical issues identified as part of the assessment process. The focus of performance measurement was on the top risks identified at the company and business line levels. Ownership and accountability for the top risks are specifically designated to a senior leader at the company level or business line level. Performance measurement includes an indicator of the status of overall risk exposure, an indicator of current risk trending, as well as a separate measure tracking the progress on individual risk mitigation activities.
Exhibit 12.5 provides an example of the levels of status indicators.
Quarterly ERM performance reporting is integrated into Intuit's annual enterprise and business line strategic planning process and quarterly operating reviews. Exhibit 12.6 provides a sample business line top risk status report.
Exhibit 12.5 Example of Levels of Status Indicators
This type of performance measurement and reporting provides many benefits, including:
• Demonstrating the breadth of top risk coverage with defined risk management plans
• Highlighting potential gaps in resources to execute mitigation activities
• Providing transparency to risk management activities across the organization and opportunities to leverage common risk management strategies and best practices
Exhibit 12.6 Sample Business Line Top Risk Status Report
Exhibit 12.7 Sample Executive Dashboard
Third Evolution: Multidimensional Risk Management Performance Measurement
As Intuit's program evolved, performance measurement and reporting focus moved from tracking progress on risk mitigation to a more holistic approach. The objective was to actively monitor the most important risks facing the company and ensure that business leaders were proactively adjusting strategies to balance managing these risks and leveraging the opportunities they provide. To this end, executive dashboards were developed, which use a combination of key performance indicators and key risk indicators. Aggregation of a number of different KPIs provides a multidimensional view of risk and an overall risk score. Standard metrics are used enterprise-wide to ensure that all business lines are aligned to the objectives. Additionally, an overall risk rating is assigned that demonstrates the collective effect of these activities on the risk exposure at the company level. Dashboards for each of the company's top risks and an overall summary are routinely reported to the board and executive management. Exhibit 12.7 provides a sample executive dashboard.
This type of performance measurement and reporting has provided many benefits, including:
• Providing visibility into business line risks to aid understanding of the cumulative impact of these risks on Intuit as a whole
• Enabling the company to drive focus and allocate resources to the highest-impact work, and to accelerate progress on specific risks by leveraging a rigorous program from the center and coordinated business line effort
• Driving the development and adoption of enterprise standards and best practices (e.g., hosting principles, security standards, technology principles)
Exhibit 12.8 From Tactical Risk Management to Strategic Risk Management
As Intuit's ERM program, and the approach to performance measurement and reporting, has matured, we have a higher bar for risk management – it is more strategic, and we have significantly improved execution. We have moved from tactical risk management to strategic risk management, as shown in Exhibit 12.8.