Enterprise Risk Management
eBook - ePub

Enterprise Risk Management

Advances on its Foundation and Practice

  1. 196 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Enterprise Risk Management: Advances on its Foundation and Practice relates the fundamental enterprise risk management (ERM) concepts and current generic risk assessment and management principles that have been influential in redefining the risk field over the last decade. It defines ERM with a particular focus on understanding the nexus between risk, uncertainty, knowledge and performance.

The book argues that there is critical need for ERM concepts, principles and methods to adapt to the latest and most influential risk management developments, as there are several issues with outdated ERM theories and practices; problems include the inability to effectively and systematically balance both opportunity and downside performance, or relying too much on narrow probability-based perspectives for risk assessment and decision-making. It expands traditional loss-based risk principles into new and innovative performance-risk frameworks, and presents fundamental risk principles that have recently been developed by the Society for Risk Analysis (SRA). All relevant statistical and risk concepts are clearly explained and interpreted using minimal mathematical notation. The focus of the book is centered around ideas and principles, more than technicalities.

The book is primarily intended for risk professionals, researchers and graduate students in the fields of engineering and business, and should also be of interest to executive managers and policy makers with some background in quantitative methods such as statistics.

Authors
Terje Aven, Shital Thekdi

Information

Publisher
Routledge
Year
2019
Print ISBN
9781138386235
eBook ISBN
9780429756757

1 Some illustrating examples

This chapter presents some cases that will be used to illustrate the coming discussions about enterprise risk and ERM. The first example relates to product liability risk – the General Motors (GM) ignition switch case. It shows how ERM needs to carefully balance safety aspects and costs. The second example relates to environmental risk and sustainability – the Volkswagen emissions case. It demonstrates the need to consider aspects of risk that cannot always be meaningfully quantified, such as sustainability and reputation. The third and final example relates to cybersecurity – the Equifax data breach. The case explores the role of ERM in the rapidly changing and uncertain cyber-technology environment.

1.1 The GM ignition switch scandal

The automobile manufacturing industry is highly competitive, and firms achieve competitive advantage in aspects of cost, quality, service, brand, innovation and convenience. One major factor in the assessment of vehicle quality is safety. The United States Code for Motor Vehicle Safety defines motor vehicle safety as “the performance of a motor vehicle or motor vehicle equipment in a way that protects the public against unreasonable risk of accidents occurring because of the design, construction, or performance of a motor vehicle, and against unreasonable risk of death or injury in an accident, and includes non-operational safety of a motor vehicle” (US Department of Transportation 2019). When vehicle manufacturers knowingly mislead customers about safety, there is potential for severe consequences, as described in this case study.
In 2001, GM detected an ignition switch defect during pre-production testing of the Saturn Ion vehicle. In 2005, GM detected an ignition switch defect for the Saturn Ion vehicle, then again in the Chevrolet Cobalt (Valukas 2014). The ignition switch in these vehicles could unintentionally be moved out of the “run” position and into “accessory”, disabling the airbags, engine, power assists and other safety features. In 2005, GM sent a bulletin to dealers indicating that drivers of these vehicles should remove unessential items from their key chains, to avoid the weight of these items causing the ignition switch to be moved (GM 2005).
In February 2014, GM announced that a safety defect existed in several 2005–2007 model year vehicles, totaling over two million vehicles (NHTSA 2014). The consequences were severe, with allegedly 124 deaths and nearly 300 injuries resulting from the faulty ignition switches (Read 2015). In May 2014, GM agreed to pay a $35 million civil penalty due to their failure to report the safety defect to the federal government in a timely manner (NHTSA 2015). GM also faced hundreds of lawsuits alleging injury or death related to the recall (Stempel 2017), hundreds of class action lawsuits alleging economic harm from the recalls, investigations by state attorneys general and a criminal probe by the Department of Justice. Eventually, GM paid a $900 million penalty to settle a US Department of Justice criminal case (Department of Justice 2015), about $600 million in compensation to victims of accidents caused by the faulty switches (Shepardson 2015), and also paid $120 million to settle claims from dozens of states (Lawrence 2017).
It was found that this ignition switch issue resulted from an engineering decision to continue using this switch, despite knowing the switch was defective. For example, a 2002 email was signed “Ray (tired of the switch from hell)” (Valukas 2014). The supplier, Delphi, claimed the automaker approved the switch while knowing it did not meet GM’s performance specifications (Staff 2014). Despite the evidence of severe safety concerns, GM continued to use the faulty switch, knowing that a fix would cost less than one dollar per vehicle, in addition to $400,000 in tooling costs (Lienert and Thompson 2014). It was later found that in 2006, GM had redesigned the switch without changing the part number, severely complicating the ongoing investigation (Valukas 2014).
During the time when engineers were considering whether to change the ignition switch, GM and other automakers were facing fierce competition, eventually leading to bankruptcy in 2009. This led to a culture that prioritized cost savings, in order to provide competitive pricing and promote profits. GM was forced to consider risk in their balancing of cost and customer safety, knowing they operated in a highly regulated industry (Jennings and Trautman 2016; Valukas 2014).
We ask the reader to consider the following questions:
  • What risks and uncertainties were relevant to the various stakeholders?
  • How can and should a company in a similar position measure and describe performance, risk and uncertainties?
  • How should the risks have been handled? What risk strategies and policies are relevant to a company in a similar position? Which should be adopted?
In Section 9.1 we will return to these topics.

1.2 The Volkswagen emission case

Over the last decade, there has been growing interest in companies developing and adopting policies for environmental sustainability. The rise of the sustainability movement follows major legislation, including the United States Clean Air Act (CAA), which aims to reduce emissions from both stationary and mobile sources of air pollution (EPA 2019b). These regulations include tailpipe emissions standards for pollutants such as NOx. Similarly, the European Union has enacted the Ambient Air Quality Directive, which includes the control of emissions from mobile sources (EU 2019).
The CAA regulation requires that new vehicle manufacturers submit an application for a Certificate of Conformity (CoC), demonstrating that test vehicles meet emissions standards (EPA 2019a). While this CoC is used as evidence of CAA compliance, there is potential for manufacturers to mislead regulators about vehicle emissions. This was the case with Volkswagen, which installed cheating software, also described as a “defeat device”, on its vehicles. While 2009–2015 model year diesel vehicles were being tested, the vehicles switched to a mode that was specifically designed to pass the test, then immediately switched back to normal driving mode afterwards. It is estimated that the normal driving mode NOx emissions were 10 to 40 times the federal limits (House Committee 2015). This affected 482,000 Volkswagen and Audi vehicles in the United States, and a total of about 11 million vehicles globally (House Committee 2015). In May 2014, West Virginia University published a study suggesting that on-road emissions for sample Volkswagen vehicles were far above the Environmental Protection Agency (EPA) standards (Clemons 1995). While executive testimony claims that a key executive was not aware of this defeat device until after the West Virginia University publication, the testimony includes the following exchange (House Committee 2015):
“Mr. Murphy. Thank you, Mr. Horn. I now recognize myself for five minutes of questioning. On September 3rd, 2015, VW admitted to CARB and EPA that it had installed defeat devices in certain model year 2009 and model year 2015 vehicles. To the best of your knowledge, did VW install this software for the express purpose of defeating emissions controls?”
“Mr. Horn. To our understanding – and this is also part of the investigation – it was installed to this purpose, yes, for this purpose”.
As part of the settlement, Volkswagen was required to remove from commerce, or perform an approved emissions modification on, at least 85% of the affected 2.0-liter engine vehicles, or else pay an amount equal to $85 million for each percentage point by which it fell short of the recall target, and $13.5 million for each percentage point by which it fell short of the California recall target (EPA 2019a). Similarly, Volkswagen was required to remove from commerce or perform an emissions modification on the affected 3.0-liter engine vehicles. These requirements were in addition to a $1.45 billion civil penalty for civil violations of the CAA (EPA 2019a). As for environmental mitigation, the CAA settlement required Volkswagen to fund a $2.7 billion trust to pay for projects that reduce NOx emissions, with mitigation actions including reducing NOx from heavy-duty diesel sources near population centers, such as large trucks, school buses and freight switching railroad locomotives (EPA 2019a). Also as part of the agreement, Volkswagen was required to establish a whistleblower system and conduct a survey to gauge environmental compliance (EPA 2019a). Volkswagen implemented the “Trust Building Measure” in European countries, intended for:
informing its customers that it would consider any complaints that are established to have arisen as a result of the implementation of the technical measure on vehicles with EA189 type diesel engines and that relate to certain parts of the engine and exhaust treatment system.
(Volkswagen 2018)
While Volkswagen is one example of a company using a defeat device, they are not the first (Myers 1995), and other car manufacturers also continue to face similar allegations (Staff 2018).
We ask the reader to consider the following questions:
  • What risks and uncertainties were relevant to the various stakeholders, in particular the corporation?
  • How can and should performance, risk and uncertainties be characterized in a situation like this?
  • How should the risk have been handled? What risk strategies and policies would have been relevant to a company in a similar position? Which should be adopted?

1.3 Risk in information technology - Equifax data breach

Cybersecurity continues to be a critical issue for businesses, societies and nations. Cybersecurity threats are described as follows: “Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services” (DHS 2019), making cybersecurity and resilience an important mission. This need for effective cybersecurity is echoed in a recent CEO survey, which states that 53% of CEOs in North America are ‘extremely concerned’ about cyber threats (PWC 2018). At a global level, the United Nations Global Cybersecurity Index states that only 38% of countries have a published cybersecurity strategy (ITU 2017). While cybersecurity frameworks exist (NIST 2013) and continue to adapt, it is important for these frameworks to be integrated within ERM processes.
While there are many recent examples of cybersecurity incidents, this case discusses a data breach at Equifax in 2017. On March 8, 2017, the US Department of Homeland Security Computer Emergency Readiness Team notified Equifax of the need to patch a vulnerability in the “Apache Struts” web application framework. On March 9, Equifax disseminated the patch notification by email to request a software upgrade. Equifax’s internal policy required patching to occur within 48 hours of notification; however, the software was not patched in response to this notification. On March 15, Equifax security scans should also have identified the Apache Struts vulnerability, but they did not (Smith Testimony 2017). The software system was attacked from May 13, 2017 through July 30, and Equifax’s security tools did not detect this attack. On July 29, the attack was detected and immediately blocked (Smith Testimony 2017).
Over 143 million people were impacted by a data breach resulting from the attack, which is about 44% of the total U.S. population. The illegally accessed information includes names, birthdates, addresses and drivers’ license information. A total of 200,000 people had their credit card information stolen and 180,000 had credit dispute documentation stolen (House of Representatives 2017).
Other Equifax security measures have been questioned, such as the revelation that the breached data was not encrypted (House of Representatives 2017). Additionally, there were issues with the dedicated website www.equifaxsecurity2017.com, where consumers could learn whether their personal information was included in the data breach. This dedicated website address was easily confused with similar-looking fake phishing websites; even the official Equifax Twitter account posted a link to a fake website. Additional delay was caused when a massive hurricane disrupted the already understaffed call centers for days following the breach (House of Representatives 2017).
While class action and individual lawsuits have been filed, the true financial consequences of this data breach are still unclear (Henning 2017).
We ask the reader to consider the following questions:
  • What risks and uncertainties were relevant to the various stakeholders, in particular Equifax?
  • What ERM processes/procedures could avoid this type of event?

2 What is risk and enterprise risk?

This chapter first reflects on the meaning of the risk and enterprise risk concepts. Then, we discuss how to measure, describe and characterize risk and enterprise risk. We address a common risk management issue: How should we express the magnitude of risks, recognizing that some risks are big while others are not? The chapter is partly based on SRA (2015a) and Aven (2017b).

2.1 The risk and enterprise risk concepts

The concept of risk is intuitively clear. Think about the activity driving a car from point a to b. Some values are at stake, such as the lives and health of the people in the car. The activity may result in an accident with loss of lives or injuries. Looking into the future we do not know what will happen or what will be the consequences of the activity. There are uncertainties. The persons in the car face risk.
As another example, think about a company that runs a project. The focus is the project costs. A cost budget of c is specified. The company faces risk when looking into the future. The real or actual costs could be higher than c. They could also be lower. In advance, we do not know, there are uncertainties. The company faces risk.
As a third and last example, consider a global risk issue, for example climate change. What will be the consequences for the planet and human beings of climate change? Will it have severe effects on the world economy? Looking into the future we do not know, there are uncertainties. We face risk.
If we look at these three examples, we see that there are some common features (see Figure 2.1). There is a context, an activity, which has some consequences with respect to something that humans value (life and health, environment, economic assets). The activity in the first example is “driving the car from a to b”, whereas in the second example, the activity is “execution of the project”. In the last example, we can consider the activity as “life on the earth”. The consequences in the car example relate to life and health, whereas they are linked to money in the second. In the third example, all types of consequences are addressed, including environmental ones. In all examples, the consequences could be negative or undesirable: loss of lives, economical loss, or environmental damage. However, the consequences could also be “neutral” or positive, for example, that the car trip gets the people succe...

Table of contents

  1. Cover
  2. Half Title
  3. Title
  4. Copyright
  5. Contents
  6. Preface
  7. Acknowledgements
  8. 1 Some illustrating examples
  9. 2 What is risk and enterprise risk?
  10. 3 Basic principles of ERM
  11. 4 Distinguishing between ERM and Task (project) Risk Management (TRM)
  12. 5 Potential surprises and the unforeseen (black swans)
  13. 6 Integrating performance, risk and resilience-based thinking and methods
  14. 7 Balancing different concerns, by seeing beyond traditional cost-benefit types of analysis using expected values
  15. 8 Improving ERM practices
  16. 9 Revisiting key case study issues
  17. References
  18. Appendices
  19. Index