Question:
Enterprise Risk Management Examples by Scenario

While some scenarios are too unlikely to receive high-priority status, low-probability risks are still worth running through the ERM process. Robust risk management creates a culture and response capacity that better positions a company to deal with a crisis. In the following enterprise risk examples, you will find scenarios and details of how organizations manage the risks they face.

Scenario: ERM and the Global Pandemic

While most businesses do not have the resources to do in-depth ERM planning for the rare occurrence of a global pandemic, companies with a risk-aware culture will be at an advantage if a pandemic does hit. These businesses already have processes in place to escalate trouble signs for immediate attention and an ERM team or leader monitoring the threat environment. A strong ERM function gives clear and effective guidance that helps the company respond.

A report by Vodafone found that companies identified as future ready fared better in the COVID-19 pandemic. The attributes of future-ready businesses have a lot in common with those of companies that excel at ERM. These include viewing change as an opportunity; having detailed business strategies that are documented, funded, and measured; working to understand the forces that shape their environments; having roadmaps in place for technological transformation; and being able to react more quickly than competitors.

Only about 20 percent of companies in the Vodafone study met the definition of future ready. But 54 percent of these firms had a fully developed and tested business continuity plan, compared to 30 percent of all businesses. And 82 percent felt their continuity plans worked well during the COVID-19 crisis. Nearly 50 percent of all businesses reported decreased profits, while 30 percent of future-ready organizations saw profits rise.

Scenario: ERM and the Economic Crisis

The 2008 economic crisis in the United States resulted from the domino effect of rising interest rates, a collapse in housing prices, and a dramatic increase in foreclosures among mortgage borrowers with poor creditworthiness. This led to bank failures, a credit crunch, and layoffs, and the U.S. government had to rescue banks and other financial institutions to stabilize the financial system.

Some commentators said these events revealed the shortcomings of ERM because it did not prevent the banks' mistakes or collapse. But Sim Segal, an ERM consultant and director of Columbia University's ERM master's degree program, analyzed how banks performed on 10 key ERM criteria. Segal says a risk-management program that incorporates all 10 criteria has these characteristics:

1. Risk management has an enterprise-wide scope.
2. The program includes all risk categories: financial, operational, and strategic.
3. The focus is on the most important risks, not all possible risks.
4. Risk management is integrated across risk types.
5. Aggregated metrics show risk exposure and appetite across the enterprise.
6. Risk management incorporates decision-making, not just reporting.
7. The effort balances risk and return management.
8. There is a process for disclosure of risk.
9. The program measures risk in terms of potential impact on company value.
10. The focus of risk management is on the primary stakeholder, such as shareholders, rather than regulators or rating agencies.

In his book Corporate Value of Enterprise Risk Management, Segal concluded that most banks did not actually use ERM practices, which contributed to the financial crisis. He scored banks as failing on nine of the 10 criteria, only giving them a passing grade for focusing on the most important risks.

Scenario: ERM and Technology Risk

The story of retailer Target's failed expansion to Canada, where it shut down 133 loss-making stores in 2015, has been well documented.
But one dimension that analysts have sometimes overlooked was Target's handling of technology risk. A case study by Canadian Business magazine traced some of the biggest issues to software and data-quality problems that dramatically undermined the Canadian launch.

As with other forms of ERM, technology risk management requires companies to ask what could go wrong, what the consequences would be, how they might prevent the risks, and how they should deal with the consequences. But with its technology plan for Canada, Target did not heed risk warning signs.

In the United States, Target had custom systems for ordering products from vendors, processing items at warehouses, and distributing merchandise to stores quickly. But that software would need customization to work with the Canadian dollar, metric system, and French-language characters. Target decided to go with new ERP software on an aggressive two-year timeline.

As Target began ordering products for the Canadian stores in 2012, problems arose. Some items did not fit into shipping containers or on store shelves, and information needed for customs agents to clear imported items was not correct in Target's system. Target found that its supply chain software data was full of errors. Product dimensions were in inches, not centimeters; height and width measurements were mixed up. An internal investigation showed that only about 30 percent of the data was accurate.

In an attempt to fix these errors, Target merchandisers spent a week double-checking with vendors up to 80 data points for each of the retailer's 75,000 products. They discovered that the dummy data entered into the software during setup had not been altered. To make any corrections, employees had to send the new information to an office in India where staff would enter it into the system.
As the launch approached, the technology errors left the company vulnerable to stockouts, few people understood how the system worked, and the point-of-sale checkout system did not function correctly. Soon after stores opened in 2013, consumers began complaining about empty shelves. Meanwhile, Target Canada distribution centers overflowed due to excess ordering based on poor data fed into forecasting software.

The rushed launch compounded problems because it did not allow the company enough time to find solutions or alternative technology. While the retailer fixed some issues by the end of 2014, it was too late. Target Canada filed for bankruptcy protection in early 2015.

Scenario: ERM and Cybersecurity

System hacks and data theft are major worries for companies. But as a relatively new field, cyber-risk management faces unique hurdles. For example, risk managers and information security officers have difficulty quantifying the likelihood and business impact of a cybersecurity attack. The rise of cloud-based software exposes companies to third-party risks that make these projections even more difficult to calculate.

As the field evolves, risk managers say it's important for IT security officers to look beyond technical issues, such as the need to patch a vulnerability, and instead look more broadly at business impacts to make a cost-benefit analysis of risk mitigation. Frameworks such as the Risk Management Framework for Information Systems and Organizations by the National Institute of Standards and Technology can help.

Health insurer Aetna considers cybersecurity threats as a part of operational risk within its ERM framework and calculates a daily risk score, adjusted with changes in the cyberthreat landscape. Aetna studies threats from external actors by working through information sharing and analysis centers for the financial services and health industries. Aetna staff reverse-engineers malware to determine controls.
The company says this type of activity helps ensure the resiliency of its business processes and greatly improves its ability to help protect member information. For internal threats, Aetna uses models that compare current user behavior to past behavior and identify anomalies. (The company says it was the first organization to do this at scale across the enterprise.) Aetna gives staff permissions to networks and data based on what they need to perform their job. This segmentation restricts access to raw data and strengthens governance. Another risk initiative scans outgoing employee emails for code patterns, such as credit card or Social Security numbers. The system flags the email, and a security officer assesses it before the email is released.
State and explain how the Covid-19 pandemic poses risk to businesses using the case study and your knowledge.
