Depending on the size, nature and complexity of a company, different enterprise risk management (ERM) strategies must be applied. A mammoth corporation such as Bentonville, Arkansas-based Wal-Mart Stores, Inc. requires a simplified process that can evaluate and mitigate the many risks that the company faces. In the 1990s, Wal-Mart's chief financial officer at the time, John Menzer, asked vice president John Lewis to formulate a corporate ERM plan.
Wal-Mart created a five-step process designed around four basic questions: What are the risks? What are we going to do about these risks? How will we measure whether we are having a positive or negative impact on the risks? How will we demonstrate shareholder value?
The Five-Step ERM Process
Step One - Risk Identification. In this step, a risk map evaluates risks on an XY-axis, with the X-axis representing probability and the Y-axis representing impact. This helps to prioritize what are seen as Wal-Mart's biggest risks.
"We schedule a four- to five-hour risk identification workshop, which helps to get senior leadership thinking about what risks may keep them from meeting their business objectives," says Michael Tush, Wal-Mart's director of information systems audit and enterprise risk management. However, the process actually starts about a month before these workshops begin. First, business objectives are clearly defined, such as growing sales, ensuring profit increases, opening "x" number of new stores, etc. "We identify the business objectives against which we want to evaluate risk," Tush explains. "We then send out an information packet to the workshop participants where we have identified the framework."
The framework is based on seven risk categories, each classified as either an external risk or an internal risk. The external risk categories are: legal/regulatory, political, and business environment (economy, e-business, etc.). The internal risk categories are: financial, strategic, operational, and integrity (embezzlement, theft, fraud, etc.).
"We ask the leadership team to identify what they believe to be the top five risks that they think will keep them from meeting their business objectives for the next 18 to 24 months," says Tush. "They send us their responses, and we compile them, ending up with about 20 to 30 risks, which is what we take into the risk identification workshop."
When it is time to vote, there is often a range...