Enterprise Risk Management

Risk Management Metrics and Risk Assessments

BADM 458
Spring 2008
Thomas Lee

Introduction
In the ever-changing information world where risk is greater, security is becoming more vital to business organizations. However, the business value of security is often questioned. While information technology holds great potential for companies, security risks and privacy issues are a significant limitation. Enterprise Risk Management (ERM) includes risk management metrics and risk assessments to determine the business value of security. ERM is itself a risk management framework that helps identify instances of risk and opportunity, as well as the magnitude of their impact and the response strategy.

This paper will detail and outline Enterprise Risk Management as it pertains to Tom Lee Computers (TLC), a generic major personal computer manufacturer comparable to Dell or Hewlett-Packard. Analysis of risk assessment for this fictitious company will serve as a model to demonstrate that risk is extremely significant in the ever-changing industry of computing services and products. The research plan will explore an overview of the risks of a similar company such as Dell and, from those risks, develop basic guidelines for a metrics management system. Some major risks that are faced include general economic and business environment risks, product/service demand, competition, risks from new technology, and the ability to manage operating costs effectively. It is important to analyze the risks of a major industry player in the ever-changing and consumer-driven computer manufacturing industry. Risks have left firms in this industry unable to compete, and these risks have true business value and a real impact on whether an organization can be successful or not. The target is an investigation into the measures of Enterprise Risk Management and how a metrics management system can be implemented at a personal computing manufacturer.

Risk Management Overview
While risk has negative implications for all organizations, it is especially important in an industry that has matured and become highly concentrated with competitors, such as the personal computing industry. The true value of risk management is that, through proper implementation, it can identify the present risks, assess the potency and impact of each risk, and allow for the development of measures to reduce the risk. TLC should implement an Enterprise Risk Management system in order to improve management of mission-related risks and ensure that it is an essential part of, and a priority for, top management. The objectives of Risk Management for TLC are to effectively secure its operations to make certain that there is no failure in operations. Information technology systems are an important part of this development because they contain and process vital organizational information. This is important for TLC because of the amount of data that is used and changed every day through the orders received, processed, and completed to maintain healthy business functions. Another objective is to enable executive management to be informed about risk and to successfully make managerial decisions based on existing risks. The cost of implementing sufficient security control measures can be great, but the measures are necessary. Management needs this information to prepare and equip the organization with appropriate protection and safety measures. Finally, a risk metrics management system creates indicators that allow management to recognize and identify the effectiveness of such an initiative (National Institute of Standards and Technology). Clearly, Enterprise Risk Management is a strong managerial tool, and it can prepare an organization for any situation and circumstance.

Risk Management needs to be of utmost importance to TLC. Several major risk factors, including emerging technology risk, sourcing risk, and competition risk, among others, have molded the industry and have removed unprepared and unequipped competitors. To continue as an effective organization, TLC needs to adapt and be flexible in light of risk developments. The identification and evaluation of risks and their impact are vital to recognizing the function of, and need for, Risk Management. One way in which the business value of risk can be measured is through the effect that risk has on whether an organization can balance operational and economic costs. The costs of protective measures and the ability to achieve organizational goals are highly dependent on whether the organization can protect and maintain its information systems and data. TLC, similar to Dell, operates with a direct build-to-order model as well as sales in retail stores. The systems that TLC manages and utilizes on a daily basis to maintain sales are staggering. The functions that such systems need to fulfill include Internet-related sales, retail store sales, ordering, customization, supply chain systems, customer relationship management, inventory management, and customer service. Susceptibility to system failure or malicious attack would cripple TLC’s operations and would cause a great amount of damage. Without recognition of the existing threats through Risk Management, TLC cannot operate.

Top management plays a significant role in Enterprise Risk Management because it has the responsibility to ensure that TLC as an organization has the capacity to accomplish its missions and goals as a leader in the personal computer industry. CEOs and CFOs are the most common members of risk management committees (KPMG). Management must determine the security levels at which its systems need to be protected in order to maintain the mission regardless of possible threats. Many internal and external factors cause risk and thus the need for security measures. Information technology security will always be a pervasive issue in businesses, and there will need to be an allocation in the IT budget to account for this.

The significance of risk assessment, and consequently of a risk metrics management system, becomes apparent once a risk management system is developed and management wants to recognize the effectiveness of such a system. As previously mentioned, security controls can be expensive for an organization, and whether a risk management system is effective is crucial to the continual mitigation of risk. A risk metrics management system serves as a measurement to track costs and benefits. Thriving business operations or a successful denial of service attack can serve to prove the effectiveness of a risk management system. However, without proper analysis of the processes affected and the results, attacks or risks can go unnoticed because there are no metrics or measurement of the circumstances. TLC needs to have a risk metrics management system in place to recognize the costs and benefits of implementing risk management. An internal evaluation of the company can serve to expose risks and weaknesses as well as serving as an indicator of successful operation.

Approach to Risk Assessment
The first development in risk management is risk assessment. Risk assessment provides the organization an opportunity to determine the vulnerabilities and risk associated with its systems. The result of risk assessment allows for the development of security controls to reduce risk. The risk assessment methodology for TLC will be based on a rational approach to assessing risk as well as a scientific approach to risk. These two methodologies were developed by the consulting firm Tillinghast - Towers Perrin. The Rational Approach to Assessing Risk follows three steps: identify risk factors, prioritize risk factors, and classify risk factors. The Scientific Approach to Shaping Risks will be used later on to develop the risk metrics management system for TLC. This methodology includes the steps to model various risk factors individually, link risk factors to common financial measures, set up a portfolio of risk remediation strategies, and optimize investment across remediation strategies (Tillinghast-Towers Perrin). These methods of assessing risk will be applied in the development and analysis of a risk management metrics system for TLC. After in-depth research and careful deliberation, the risks that will be investigated for TLC are as follows:

• Risk associated with general economic and business conditions;
• Risk from the level and intensity of competition in the technology industry;
• Risk from the ability of TLC to develop new products based on new or evolving technology and the market's acceptance of those products;
• Risk from the ability of TLC to manage its inventory;
• Risks from operational activities including manufacturing process and supply chain management;
• Risks from outsourcing, i.e. customer service.

Rational Approach to Assessing Risk

The first step, identifying the risk factors that prevent an organization from operating properly, takes into account all the aspects of the business that may be affected by risk. The Rational Approach to Assessing Risk consists of a qualitative approach in which information is gathered from interviews with stakeholders and documents are reviewed. Those interviewed are primarily management and staff who are integral to key business operations. The information gathered is opinion-based as well as data and information about the organization. Because TLC is a fictitious company, this process cannot be executed as outlined. The next step is prioritizing the risk factors, in which each is given a numeric score based on the threat and likelihood of occurrence. A risk matrix was developed for this step; it displays a general overview of TLC’s risks, the effect that they potentially have, and the likelihood that each risk would occur. The risk score is a general indicator of how significant a risk is to an organization’s mission. Finally, the risk factors are classified as manageable or strategic and by whether they will utilize a system that requires action (Tillinghast-Towers Perrin). This paper will focus on the risk assessment aspect of this approach.

Risk Matrix

| Risk Factors | Impact (Severity) | Likelihood | Risk Score (impact*likelihood) |
|---|---|---|---|
| General economic and business conditions | High | High | 100 |
| Competition | High | High | 100 |
| New product development | Medium | Medium | 10 |
| Inventory management | Medium | Medium | 10 |
| Operational activities | Medium | Medium | 10 |
| Outsourcing | Medium | High | 50 |

Impact: High: 100, Medium: 50, Low: 10. Likelihood: High: 1.0, Medium: 0.5, Low: 0.1.
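
The prioritization step described above, recomputed from the scale printed under the Risk Matrix. This is an added example, not part of the original paper; the High/Medium/Low banding comes from the risk scale in NIST SP 800-30 (July 2002), which the paper cites but does not reproduce, and the function and field names are illustrative.

```python
# Added example: recompute the paper's Risk Matrix from the scale printed beneath it.
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}

# Rows transcribed from the Risk Matrix:
# (risk factor, impact rating, likelihood rating, score recorded in the table)
RISK_MATRIX = [
    ("General economic and business conditions", "High", "High", 100),
    ("Competition", "High", "High", 100),
    ("New product development", "Medium", "Medium", 10),
    ("Inventory management", "Medium", "Medium", 10),
    ("Operational activities", "Medium", "Medium", 10),
    ("Outsourcing", "Medium", "High", 50),
]


def risk_score(impact, likelihood):
    """Score = impact weight * likelihood weight; unknown ratings raise ValueError."""
    try:
        return IMPACT[impact] * LIKELIHOOD[likelihood]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None


def risk_level(score):
    """Band a score on the NIST SP 800-30 (2002) risk scale.

    Assumption: the paper does not state these bands; they are
    High (>50 to 100), Medium (>10 to 50), Low (1 to 10).
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def audit(rows):
    """Recompute each row, flag recorded scores that disagree, rank by computed score."""
    results = []
    for factor, impact, likelihood, recorded in rows:
        computed = risk_score(impact, likelihood)
        results.append({
            "factor": factor,
            "recorded": recorded,
            "computed": computed,
            "level": risk_level(computed),
            "recorded_level": risk_level(recorded),
            "mismatch": abs(computed - recorded) > 1e-9,
        })
    # sorted() is stable, so tied scores keep the table's original order
    return sorted(results, key=lambda r: r["computed"], reverse=True)


if __name__ == "__main__":
    for r in audit(RISK_MATRIX):
        flag = "  <-- recorded score differs" if r["mismatch"] else ""
        print(f'{r["factor"]:<42} recorded={r["recorded"]:>5} '
              f'computed={r["computed"]:>5.0f} {r["level"]}{flag}')
```

On the printed rows the check flags the three Medium/Medium factors: the stated scale gives 50 × 0.5 = 25 for each, where the table records 10, which is the difference between the Medium and Low bands.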

The first main risk factor for TLC is the risk associated with general economic and business conditions. A negative worldwide economic status, as well as negative activity in the economy of the United States, has led to the belief that customers may delay or reduce their investment in computer products. The demand for TLC’s products is important because it determines the amount of revenue that is received. TLC must take into account that economic factors may reduce profitability and must prepare contingency plans for such occurrences. As an example of this effect, in fiscal 2002 Dell had a decline in revenues and earnings because the worldwide economic condition greatly reduced demand for its products and services (Center for Management Research). The risk for this aspect of TLC is rated as HIGH in terms of Impact and HIGH in terms of Likelihood. General economic and business conditions drive whether the industry can be profitable or not. Product demand is tied to this fact. The current state of the United States economy has resulted in an increase in prices of commodities and reduced consumer spending. Despite the immense consumer interest in personal computers, demand is expected to decrease, creating a huge challenge in terms of operation for TLC.

There is much risk from competition in the industry. The computer manufacturing industry is mature and highly concentrated in terms of the number of producers available. Dell had held the top spot until Hewlett-Packard made strides to gain market share and take the leading spot. Manufacturers must compete based on technology offering as well as price or, in some cases such as Apple, product differentiation. For TLC, the risk is rated as HIGH in terms of Impact and HIGH in terms of Likelihood. Customers have a vast number of options to choose from, with many different and unique requirements. For example, there are millions of variations available for many models from Dell. TLC needs to constantly monitor the activities of its competition and react accordingly. A recent trend among industry competitors was the development of the subnotebook, a product that is extremely light and also sold at low prices. Asus was the first mover in this department and created the hugely popular Eee PC. Many computer manufacturers responded by beginning development of their own subnotebooks. Leaders such as Dell and Hewlett-Packard are also developing their own subnotebooks, which indicates the impact that competition as well as new products have on this industry.

Risk from the ability of TLC to develop new products based on changing technology standards, and from the market’s acceptance of such products, is significant in determining whether there will be an effect on revenues and earnings. There is great risk in an industry that has continuous technology updates and the frequent introduction of new products. Products have short life cycles and companies must continually compete based on price and performance standards. TLC’s risk levels for new products are rated as MEDIUM in terms of Impact and MEDIUM in terms of Likelihood. New standards of technology are being developed and accepted in the industry. Intel’s Centrino platform has become the standard for notebook computers. TLC needs to align itself and its products to the best standards available in order to increase demand for its products. TLC should also seek to begin development of its own subnotebook in response to consumer demands. In an industry with ever-changing technology, organizations need to educate consumers on the latest developments. If there is no understanding of the need, it will be difficult to push sales. TLC faces this challenge and needs to adapt in order to operate effectively.

TLC faces risk from the ability to maintain inventory levels. In an industry where inventory buildup is damaging to an organization because of the short product life cycle, minimizing excess inventory is extremely important. Inventory can only lose value and become obsolete. Inventory management risk is rated as MEDIUM in Threat and MEDIUM in Likelihood for TLC. Effective inventory management is important, especially being able to market and sell older technology. Demand for older technology still exists if it is sold at the right price, and TLC needs to recognize this distinction in order to sell products before their value is completely diminished.

Operational risk for TLC consists of manufacturing processes and supply chain management. TLC should implement a supply chain structure similar to Dell’s, in which the company coordinates with suppliers to the point where it owns the parts when the final product is about to be assembled. This is a difficult process because of the amount of investment and working relationships necessary to develop such an intuitive process. This has definitely given Dell a competitive advantage. Time of delivery and completion of production matter, and it is very important for TLC to maintain strong levels of production. Threat of operational risk is rated at MEDIUM and Likelihood is rated as MEDIUM. A stoppage of production is possible but would only be likely if an unforeseen circumstance occurred.

The amount of outsourcing by computer manufacturers has been highly publicized in the past several years. Sourcing risk is a big concern because, while it doesn’t necessarily affect the main operational processes of a computer manufacturer, it affects the support aspects of the business. Customer service has been outsourced at Dell, and this has had a huge negative impact on its reputation and its ability to deliver the best service. While the products are still produced by the same methods as before, the support system for customers is not of the same quality. Training and proper communication are very important for customer service. Without proper recognition of this and proper funding by top management, the Likelihood of occurrence is HIGH. The threat is rated at MEDIUM because the impact for the organization is limited to its support activities, but it still has the potential to damage the reputation of a company. TLC, with a similar structure to Dell’s customer service outsourcing, needs to take these aspects into account because outsourcing can become a big cost saver for the company.

Application of Risk Assessment
The development of the risk management metric system will utilize some of the aspects and concepts of the Scientific Approach to Shaping Risks (Tillinghast-Towers Perrin). This methodology was chosen because of its dependence on operations research methods as well as probability and statistics. It is important to see quantitative analysis of the risks and their effect and impact on an organization from a top management standpoint. Without proper metrics, it is difficult to determine the best course of action. This methodology enables management to realize the value of the risks and provides guidelines with which to develop strategies to counter and reduce the risk. This method will be used to counter the risks previously outlined for TLC and provide strategies by which changes can be made. Some of the methodology will be modified to better fit our case study of TLC.

Scientific Approach to Shaping Risks

(Tillinghast-Towers Perrin)

The Scientific Approach to Shaping Risks has the following steps: model various risk factors individually, link risk factors to common financial measures, set up a portfolio of risk remediation strategies, and optimize investment across remediation strategies. The first step, modeling various risk factors individually, consists of generating probability distributions and determining correlation among risk sources. In this case, the first step will be modified to Analyze the Various Sources of Risk. Generating probability distributions and determining correlation among risk sources is not feasible with a fictitious company. In the second step, the risk will be associated with financial measures in order to discover which financial aspects of the business are directly and indirectly affected by the threat and likelihood of risk. Then strategies to combat the vulnerabilities faced by TLC will be created. Finally, investment optimization for these strategies will be explored (Tillinghast-Towers Perrin).

The risk factors of general economic and business conditions result from the current state of the US economy. Economic downturns and business cycles have a big influence on whether TLC can operate effectively. To properly analyze the situation, economic indicators should be utilized. Financial measures that change according to the economy are unemployment, the Consumer Price Index, Gross Domestic Product, retail sales, stock market prices, and money supply changes. While these may not have much relevance to the personal computer industry, TLC should take these measures and associate them with performance during different periods in time. The metrics to determine the risk from general economic and business conditions should be benchmarks of past performance associated with economic indicators. This will allow TLC to recognize the risk resulting from changes in the economy.

The risk from competitors results from the operations and results of the competitors in this highly concentrated industry. Dell and Hewlett-Packard are the largest and most powerful competitors in the industry. As they have maintained their positions, they have allowed personal computers to become more of a commodity than a luxury item. A good metric to distinguish risk from competition is analysis of competitors’ sales, market share gain/loss, ROI, and stock price over time. These measures show how well competitors are performing in comparison to TLC. Benchmarking can allow TLC to see each competitor’s place in the market and how to react accordingly.

Risk from new products is an interesting factor for a business. As previously stated, the personal computing industry is affected by new technologies in desktop and laptop computers. Those computer components cause risk because standards do not remain consistent for long periods of time. This type of risk is difficult to calculate. As a metric, TLC should look at the degree of customization that consumers can demand and order. Through customized offerings, TLC can cater directly to the needs of its customers. It should look at inventory levels of those particular parts and the sales directly associated with the different components.

Inventory management and operational activities are directly related. The risks from both of these aspects derive from the ability of TLC to produce computers and to maintain levels of inventory. How well it completes these activities is important to customer needs. For both of these activities, TLC should focus on the metrics of inventory turnover and the time of delivery and production. This will determine how efficient the processes are. Manufacturing time is very important to the customer.

Outsourcing risks result from operations that are taken overseas. Mainly, TLC has sourced customer service and some production lines overseas. Risks result from not properly knowing the environment in which the company is operating. Metrics for this would be customer service call times, time of resolution, and customer satisfaction. For production lines overseas, TLC should benchmark their productivity against its previous production line activities.

Risk Strategies

The strategies that TLC should implement as a result of risk assessment can greatly reduce the risk that it experiences. Developing contingency plans can help combat risk from the economy so that TLC is prepared for any possible circumstance. Monitoring competitor activities will help TLC react to the competition and develop strategies to take market share. TLC needs to increase research and development costs to remain competitive with new products. By reducing excess inventory and developing new delivery methods, TLC can reduce risks caused by inventory management. TLC should streamline its operational activities and reduce inefficiencies in its production cycle to reduce operational risk. Lastly, risk from outsourcing can be reduced by training and hiring personnel with good communication skills and by knowing and understanding the needs of the environment in which it operates.

Results for TLC


| Risk Factors | Source of Risk | Plan of action | Metric |
|---|---|---|---|
| General economic and business conditions | Global economy, US economy, consumer demand | Contingency planning, research planning | Benchmark according to past performances and economic indicators |
| Competition | Competitors' activities | Monitor competitor activities | Sales and competitors’ sales, market share, ROI, stock price over time |
| New product development | Emerging technologies and standards | Increase research and development costs | Sales of new products |
| Inventory management | Delivery methods | Reduce excess inventory, develop new delivery methods | Inventory turnover, time of delivery/production |
| Operational activities | Manufacturing processes, supply chain management | Streamline all processes, reduce inefficiencies | Time of delivery/production |
| Outsourcing | Personnel | Train, hire based on communication skills | Customer service call times, time of resolution, and customer satisfaction |

Conclusion

The true value of Enterprise Risk Management is that it possesses the ability and functions to help organizations identify the present risks, assess the potency and impact of each risk, and develop measures to reduce the risk. The personal computer industry has developed to maturity and has become highly concentrated with many manufacturers. Risk increases as computers become more of a commodity item instead of a luxury good. The widespread use and ownership of personal computers has greatly increased in the past decade and should continue to develop. For TLC to remain a competent producer in this industry, it must identify and adjust to the different risks that exist in its operations. The major risks that exist include risks from general economic and business conditions, competition, new product development, inventory management, operational activities, and outsourcing. To properly remediate these risks, the sources of the risks were exposed and strategies were suggested in order to reduce and eliminate risk. The business value of Enterprise Risk Management and of developing a risk metrics management system is proven through this process. Enterprise Risk Management is an effective management tool that every organization should implement.

References

"Enterprise Risk Management At DELL Computer." Center for Management Research. 2003. 10 Apr. 2008 <http://www.icmrindia.org/casestudies/catalogue/Enterprise%20Risk%20Management/ERMT-005.htm>.

Enterprise Risk Management in the United States. KPMG. 2006. 20 Apr. 2008 <http://www.taxgovernanceinstitute.com/documents/TGI/3132007203018kpmg082560.pdf>.

Kovacich, Gerald L. "Establishing a Metrics Management System." The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program. 10 Apr. 2008 <http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1069748,00.html>.

Miccolis, Jerry, and Samir Shah. Enterprise Risk Management, an Analytic Approach. Tillinghast - Towers Perrin. A Tillinghast - Towers Perrin Monograph. 1-36. 18 Apr. 2008.

National Institute of Standards and Technology Special Publication 800-30 Natl. Inst. Stand. Technol. Spec. Publ. 800-30, 54 pages (July 2002)

Nocco, Brian W., and Rene M. Stulz. Enterprise Risk Management: Theory and Practice. Ohio State University. 30 Apr. 2008 <http://www.cob.ohio-state.edu/fin/dice/papers/2006/2006-15.pdf>.
