Risk is everywhere: on your balance sheet, hiding within vendors and bubbling up in the employee lunchroom. One of the few tools available to financial executives to monitor these varied worries is an enterprise-wide risk management (ERM) program.
For many who lived through the economic crisis that engulfed global markets in 2008, a key lesson was that while ERM is an important strategic framework, it also requires skilled and tactical execution of its precepts. That is much more challenging than originally thought, especially when it comes to having a plan in place for mitigating low-frequency, high-impact "black swan" events that can wipe out a balance sheet overnight.
This caused companies, and industry as a whole, to take a fresh look at ERM frameworks and review how they are applied. Combined with an increased regulatory focus on risk management, the roles of the chief financial officer (CFO), chief risk officer (CRO) and chief audit executive have been elevated as companies strive to fine-tune their risk management processes to support a more profitable business.
Janet Nasburg joined Intuit Inc. as CRO six years ago, following 16 years at Visa Inc., where she had served as senior vice president and controller. Upon joining Intuit, known for its flagship products QuickBooks, TurboTax and Quicken, Nasburg was given a mandate of implementing an ERM program at the company. Founded in 1985, Intuit's annual revenues currently exceed $4 billion.
"Like most companies, Intuit's ERM journey began with risk management practiced on an ad hoc basis," says Nasburg, noting that ERM is now ingrained at the leadership level of the company. The company employed an "ERM Maturity" model to benchmark the progress of its ERM program.
The most effective ERM programs, says Nasburg, leverage the process to build a sustainable, enterprise-wide risk management capability that evolves to address emerging and changing exposures. "The process is foundational but will not enhance strategic decisions if risk management capability and accountability is not built into how leaders operate," Nasburg adds.
"Fostering a culture of risk awareness and risk management goes beyond assessments and frameworks," notes Nasburg. "At Intuit, we have incorporated performance measurement and innovation as critical components of Intuit's ERM program to strengthen the link between risk management, decision-making, strategy formation and operational execution."
Making ERM part of the fabric of the company is crucial, she adds. "Our business leaders have built a regular rhythm of risk management capability throughout the company."
Renee Yozzi, strategic and enterprise risk senior manager at Benjamin Moore & Co., notes her company was proactive in creating an ERM functional lead to drive the development of a more formal and enhanced approach to ERM.
"The goal was to create a robust and sustainable program," Yozzi says.
As a result, the ERM program at Benjamin Moore, a privately held company owned by investor Warren Buffett, "has already had an impact in bringing the discussion of risks to the table regardless of whether or not it is in the context of a risk discussion," says Yozzi. "It has become, and will continue to become, an integral part of the company DNA and culture."
Traditionally, some observers--generally those not directly responsible for ERM--have viewed it as a cost of business, aimed at what the company 'can't' or 'shouldn't' do, to avoid risk of loss.
But that is only part of the story, experts say.
"The objective of ERM at Intuit is not only to help the company avoid risks, but to help the company manage risk through action and to enable embracing uncertainty," says Nasburg. Significantly, she notes, "In order to be successful, risk cannot be mitigated entirely. Managing risks intelligently allows Intuit to make better and quicker decisions considering both the risks and rewards of strategic decisions."
"ERM creates and protects value for Intuit," Nasburg adds. "Key performance indicators (KPIs) and...