BCG Matrix

Figure 7.1 shows the BCG Matrix. This simple four-part matrix, created in 1968 by the Boston Consulting Group, illustrates the value potential of different business units across market growth (which consumes cash) and market share (which generates cash).¹ A star business unit is one that experiences both high growth and high market share. Cash cows are those that require little cash input yet hold onto market share nonetheless. By categorizing business initiatives in this way, a company can determine where to invest for the future. Note that the matrix does not offer a solution, but simply a clearer depiction of the issue at hand.

Porter Five Forces

Figure 7.2 shows the Porter Five Forces model. Michael Porter of Harvard University devised this framework in 1979 to represent the competitive threats to a company within its industry.² Porter saw this framework as a more rigorous alternative to SWOT (strengths, weaknesses, opportunities, treats) analysis. Each of these forces affects a company's ability to serve its customers and make a profit. Two competitive threats (substitute products or services and new entrants) and two supply-chain forces (the bargaining powers of suppliers and customers, respectively) exert continual pressure, while a third competitive threat, established rivals, is both central and cyclical.

The Balanced Scorecard

The Balanced Scorecard (Figure 7.3) was introduced by Bob Kaplan and David Norton in 1992 as a technique for evaluating management performance based on the organization's vision and strategy.³ Its greatest innovation is including non-financial elements alongside financial ones, which makes it perennially relevant to today's holistic view of business leadership. At its heart is the vision and strategy of the organization, which inform the other elements of the framework: financial, customer, internal processes, and learning and growth. The Balanced Scorecard is valuable also for its structure, which emphasizes feedback loops in which measured results spur continuous improvement.

Moore's Four Zones

In his 2015 book, Zone to Win, Geoffrey Moore sets out a framework to help mature companies with a growing problem: defending themselves against paradigm-shifting technology that disrupts their incumbent franchises.⁴ The framework (Figure 7.4) follows a portfolio model, allocating strategic resources along three investment horizons: Horizon 1 is the coming fiscal year; horizon 2, one to three years; and horizon 3, three to five years. Established franchises live on the sustaining side of this matrix and focus on the shortest horizon. Emerging businesses gestate in Horizon 3 as they might in a venture capital portfolio: Weaker ones fail quickly and inexpensively while stronger bets win additional resources. When an investment in that stage shows enough promise to bring to scale, it can move into Horizon 2 supported by greater investment to propel it into a revenue-producing business.

The Structure

The concept behind the COSO ERM framework is a set of four basic entity objectives (See Figure 7.5). The framework is a cube-shaped matrix that breaks down these objectives in terms of control components and the organization's business structure. One dimension of the framework provides four categories of entity objectives:

1. Strategic: high level, mission-oriented goals
2. Operations: effective and efficient resource usage
3. Reporting: reliable information and communication
4. Compliance: conformity to laws and regulations

The second dimension of the framework is a list of eight ERM components. While these elements could be considered sequential, COSO avoids such a view, instead emphasizing their interconnected nature. These include:

1. Internal Environment: shaping company culture, ethical values, risk perception and appetite
2. Objective Setting: creating goals within the four categories listed above
3. Event Identification: distinguishing between internal and external risks and opportunities
4. Risk Assessment: evaluating risk based on likelihood and impact
5. Risk Response: deciding whether to avoid, accept, reduce, or share risk
6. Control Activities: establishing procedural precedent to ensure appropriate response
7. Information and Communication: capturing and sharing information to support informed decisions
8. Monitoring: continually evaluating and optimizing business and risk processes

Finally, there is a third dimension to the framework in which all four objectives and eight components above are broken down by the structural elements of the organization itself:

1. Entity-Level
2. Division
3. Business Unit
4. Subsidiary

The idea behind the framework is to create a complete taxonomy of risk management, permitting evaluation and analysis at a granular level. For example, how optimized is the company's risk assessment when it comes to operations at the business unit level? What is the division-level internal environment surrounding regulation compliance? As you can see, a full implementation of the COSO framework is both broad and detailed.

Current Use

In 2010, about 55% of U.S. organizations of various sizes and in numerous industries were using the COSO framework, with only 2% using the next most popular one.⁶ COSO is a leading voice when it comes to compliance with legal codes. When the United States passed the Sarbanes-Oxley Act of 2002, which expanded internal control requirements for public companies, COSO was quick to publish an updated internal controls framework that incorporated the new legislation.⁷ Companies that use some version of the COSO framework include Newell Rubbermaid, Alliant Energy, Mirant, and TD Ameritrade.

The COSO ERM framework is especially popular among very large corporations and banks, which must comply with extensive legal codes and face particularly complex, high-stake risks. However, the complexity that draws large organizations to this framework can be an obstacle for small to mid-size companies. Of 460 organizations polled in 2010, over 76% had a moderate or significant concern that the framework was overly theoretical, while 26% felt that the cube illustration was unnecessarily complicated.⁸

Referring back to our five initial criteria for an ERM framework, COSO is neither simple nor MECE. Consider the overlap between control activities and risk response or between information and monitoring. What's more, the sheer size of the matrix inevitably results in numerous similar or identical cells. How does the intersection of reporting and objective-setting truly differ from the confluence of information and strategic objectives? While certain corporations may need that level of nuanced detail in their ERM processes, it is difficult to grasp and to communicate to stakeholders.

The COSO ERM framework is also not very flexible when it comes to evolving needs. It is designed to account for any possible eventuality or change in business plan, so in that sense it has the potential to fit the needs of any business. But its rigid structure may result in a lot of management waste. It is like a one-size-fits-all life jacket: workable for big businesses, but awkward and unwieldy for smaller ones. And when it comes to a practical ERM model, we are looking for a well-tailored suit.

Nor is COSO as effective as it could be. The framework doesn't fully address the relationship between risk and reward. Remember that risk is a bell curve that indicates the relative probability of all outcomes, upside, downside, and neutral. The peak of the bell curve merely represents the likeliest of these outcomes. Visualizing risk in this manner offers opportunities to tweak the curve's shape to increase the likelihood of favorable results (for instance by reallocating resources) and reduce not only the likelihood of negative ones but their severity as well (for example, via risk transfer). With its strong emphasis on assessment and governance, COSO gives short shrift to actual risk management.

Finally, I have concerns about how many companies are using the COSO framework for their risk assessments. Most simply plot each risk against its probability and severity. While this has the virtue of simplicity, it essentially collapses the risk bell curve into a single point. Many companies compound this error by applying mathematics to their qualitative analyses, for example, multiplying severity rating by probability rating to create an overall risk “score.” A healthcare company I once worked with had used an even more baffling equation: probability rating plus severity rating divided by 2. Their only reasoning? That a consultant had recommended that years before!

As discussed above, the new COSO framework will address many of these shortcomings. My purpose here is not to beat a dead horse. And the transition from the old to new framework will take time. Nevertheless, it is important for companies that are currently using the old framework to understand its potential pitfalls.

The Structure

Whereas COSO emphasized the interconnection of all aspects of risk management, the AS/NZS ERM model is a linear process (see Figure 7.6). COSO urges a continual evaluation of one component in terms of the others; the AS/NZS model is cyclic and iterative. There are seven interconnected elements in the AS/NZS framework. The basic cycle of the model begins with establishing the risk context and progresses through identification, analysis, evaluation, treatment, and monitoring/reviewing before returning to establishing context. The monitoring and reviewing step also influences each stage of the ERM process, as does the first component of the framework, communicating and consulting.

1. Communicate and Consult. Communicating with internal and external stakeholders at each stage in the process is central to this model.
2. Establish the Context. Context includes business objectives, risk appetite, and criteria for evaluating risk.
3. Identify Risks. Identify where, when, why, and how events could prevent, degrade, delay, or enhance the achievement of business objectives.
4. Analyze Risks. Determine likelihood and consequences; identify and evaluate the effectiveness of existing controls.
5. Evaluate Risks. Prioritize risks by measuring them with the pre-established criteria and consider the potential benefits and adverse outcomes.
6. Treat Risks. Develop and implement specific cost-effective strategies and action plans for increasing potential benefits and reducing potential costs.
7. Monitor and Review. Monitor the effectiveness of the risk management program to ensure that it is operationally sound and cost-effective.

Current Use

Like COSO, AS/NZS has found widespread use around the globe. In addition to ISO's version, nearly identical frameworks are in use by London's Institute of Risk Management, the U.S.-based Institute of Management Accountants, and the U.S. Department of Energy. As its designers intended, there is some variation among implementations. In fact, they considered the framework a template that each organization would fill out according to its needs.¹⁰ The result is an intuitive structure based on a set of processes and principles applicable to any organization.

While the AS/NZS framework meets many of our criteria for a strong ERM framework, it could be more balanced. Three of the seven components have to do with risk assessment while there is very little guidance about actually dealing with risks or making risk-informed business strategy and policy decisions. The similarity among the three risk-assessment components (identify, analyze, and evaluate) makes it less MECE than we'd like.

Level 1: Risk Governance

1. Corporate governance sits at the top of the entire framework. It ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company.

Level 2: Risk Origination and Management

1. Line management integrates risk management into the revenue-generating activities of the company, including business development, product and relationship management, risk-based pricing, and so on.
2. Portfolio management aggregates risk exposures, incorporates diversification effects, and monitors risk concentrations against established risk limits.
3. Risk transfer mitigates risk exposures that are deemed too high, or are more cost efficient to transfer to a third party than to hold in the company's risk portfolio.

Level 3: Risk Analytics and Data Management

1. Risk analytics provides the measurement, analysis, and reporting tools to quantify the company's risk exposures as well as track external drivers.
2. Data and technology support the analytics and reporting processes.

Level 4: Communication and Relationship Management

1. Stakeholder management includes meeting stakeholder expectations and communicating and reporting the company's risk information to its key stakeholders. As with corporate governance, stakeholder management encompasses the breadth of ERM and serves as the model's foundation.

Risk Governance

How should the board provide effective risk oversight?

• Should the board consider establishing a separate risk committee, or assign risk oversight responsibility to the audit committee or the full board?
• Should the board consider adding a risk expert to assist in risk issues, similar to the addition of financial experts to oversee financial issues?
• Should board members be more engaged in the risk management process?

Companies should address these questions regarding the board's governance structure, risk expertise, and its role in ERM to enhance the board's effectiveness in providing risk oversight. As a recent example, UBS announced that it added one CRO and two CFOs to the board, and investors reacted favorably, sending the stock price up seven percent in late trading. At the same time, board members should be fully engaged in the risk management process. This includes debating risk tolerance levels, challenging management on critical business assumptions, and holding management accountable for the risk–return performance of past decisions.

ERM Policy

Companies should establish an ERM policy to support the risk oversight activities of senior management and the board. One of the most important components of an ERM policy is the delineation of specific risk tolerance levels for all critical risk exposures, known as the risk appetite statement (RAS). These risk tolerance levels enable the board and corporate management to control the overall risk profile of the organization. Other key components of an ERM policy typically include:

• Board and management governance structure
• Summaries of risk committee charters
• Risk management roles and responsibilities
• Guiding risk principles
• Summaries of risk policies and standards
• Analytical and reporting requirements
• Exception management and reporting processes

Risk-Compensation Linkage

The design of incentive compensation systems is one of the most powerful levers for effective risk management (including risk culture), yet until very recently companies have paid insufficient attention to how incentives influence risk/return decisions. For example, when earnings growth or stock price appreciation drives incentive compensation, as is typical, corporate and business executives are effectively motivated to increase risks in order to drive up short-term earnings and stock price. To better align the interests of management and investors, long-term, risk-adjusted financial performance should drive incentive compensation systems. There are several ways to achieve this:

• Incorporating risk management performance into incentive compensation
• Establishing long-term risk-adjusted profitability measurement
• Using vesting schedules consistent with the duration of risk exposures
• Applying clawback provisions to account for tail risk losses.