Cognizant 20-20 Insights

Enterprise Risk Management: Minimizing Exposure, Fostering Innovation and Accelerating Growth

A systematic examination of risk exposure can help organizations design strategies and implement initiatives to minimize risk, strengthen their brand, and stay in step with new, disruptive technologies.

cognizant 20-20 insights | june 2015

Executive Summary

Formal processes for enterprise risk management (ERM) have been mainly limited to large companies in highly regulated fields, such as financial services and healthcare. In more technology-focused businesses that center on software development and Internet-based products and services, risk management is often viewed as an obstacle to innovation. That’s because companies in these sectors place a high premium on innovation and developer-friendly environments. The ERM stigma is reinforced in a recent study by the American Institute of Certified Public Accountants (AICPA), which found that only about 25% of organizations that responded claimed to have implemented an enterprise risk management program.[1]

The purpose of this white paper is to counter negative perceptions of ERM programs and reinforce the benefits of these initiatives which, when properly implemented and maintained, can lessen risk, accelerate strategic development and bolster bottom-line growth.

We believe that ERM should be approached with the following points in mind:

• Understanding a company’s risk profile is nothing more or less than understanding the environment in which the company exists and functions, which is key to establishing an appropriate product mix that supports revenue growth.
• Knowing an organization’s risk exposures and their potential real-dollar impacts is critical to a sound resource-allocation strategy.
• A first-class ERM program, built upon a formal framework and continuously updated to reflect circumstances as they occur, is possibly the single most valuable tool a company can have for managing its overall strategy and the allocation of its resources.
• Finally, rather than being regarded as a barrier to innovation, ERM should be viewed as an invaluable asset when transforming a great idea into a successful and profitable product – with less risk over both the short- and long-terms.

The Importance of Enterprise Risk Management

Simply stated, the failure to understand your business’s risk profile and take the appropriate steps to mitigate its major exposures will cost money, and directly affect the company’s bottom line in the following areas:

Project/Product Selection

Revenues are the lifeblood of business. When allocating resources to projects and product-development efforts, it is crucial to target and analyze areas of risk before taking these actions. Failure to do so amounts to tossing money in the air and hoping it lands on something profitable. Assigning resources without understanding the potential effect on the business can jeopardize a company’s brand and result in a product that could potentially fall flat – either because it doesn’t fit a need or cannot compete with a major (and better resourced) player.

Market Positioning

A technology vendor that is not ready to compete in emerging markets (i.e., the Internet of Things space or predictive analytics) could be heading for a fall if competitors have a head start. An ERM program can help organizations understand emerging developments and assign the resources needed to stay in step or one step ahead of the next disruptive technology.

Capital Availability

Access to capital is critical when launching and implementing strategic initiatives. Even large, highly profitable businesses often need additional funds to make a big strategic push, enter a new market or build a bigger facility. Yet unlike in past years – say 20 years ago – today’s capital markets are unlikely to part with money to simply support a good idea. Although showing some signs of easing control, financial institutions in general have become far more restrictive in doling out credit since the 2008 global recession. They want proof that a company is controlling its risk wisely, which in turn will reduce the lender’s risk.

Regulatory Compliance

According to a study published in the Journal of Enterprise Risk Management,[2] regulatory compliance has been rated as a top concern of most executives for three years in a row. New regulations, particularly in the financial and healthcare sectors, are issued frequently. Many of these mandates, such as Sarbanes-Oxley,[3] HIPAA/HITECH,[4] Dodd-Frank[5] and Basel II,[6] not only have requirements for how businesses must conduct their operations, but also for how they should manage risk. Although highly regulated entities are well ahead in adopting structured ERM programs, they often enter into contractual obligations with vendors that may not be as strictly controlled.

For example, healthcare organizations frequently have contracts with medical supply vendors, which are not directly affected by HIPAA/HITECH. However, since the purchasing organization is affected, the contract with the vendor will impose a term of compliance with all regulations, which could potentially impact the purchaser. Litigation can be protracted and expensive; it can disrupt all areas of the business and is a huge risk for companies to manage.

IT Resilience

One of the most common risks in business is the lack of a truly resilient IT infrastructure. Major IT outages can sap an organization’s revenue stream (particularly if the company conducts business online).
These events can also waste resources – especially when one considers the amount of non-productive time spent by employees troubleshooting and repairing an existing system rather than putting in hours pushing out a new strategic initiative.

In terms of enterprise risk management, resilience covers three primary areas, defined below:

• Infrastructure. Ensuring that critical systems/devices within the IT infrastructure are backed up, have hot-swappable parts, use multiple telecom carriers, have multiple paths through the network, and are using hot failover, for example.
• Disaster recovery. Making sure that during a major outage situation, when normal resilience controls fail to prevent the outage, services can continue from a remote site, with minimal time to failover and minimal time to return, and with data integrity maintained during the failover and return processes.
• Security. Confirming that the organization’s data, applications, systems and infrastructure are safe from unauthorized intrusions – internal and external.

Another risk to consider has to do with a business’s reputation. For example, in the retail world an increasing number of shoppers choose to buy online when that option is available. If a company’s e-commerce application is not up and running, especially during peak seasons like Christmas and Valentine’s Day, prospective customers will “vote with their feet” and find another vendor that can sell them what they want. In the era of Yelp.com and similar sites that enable consumers to voice opinions on retailers in what amounts to real time, unreliable systems pose a risk that can undermine a company’s brand.

Defining Enterprise Risk Management

Based on the results of an informal straw poll recently conducted among practitioners on LinkedIn by the Institute for Risk Management and the Global ISO 31000 Alliance, very few of the 150 respondents agreed on a simple definition of ERM. We prefer the most direct and most useful meaning:

Enterprise risk management connotes a deep understanding of the “ecosystem” in which a company does business, and the use of that knowledge to allocate finite resources in the most effective way possible to remove obstacles to success as much as possible.

While statistical analysis is a tool practitioners use to help develop an overall risk model for a company, it is not the primary emphasis in ERM initiatives. ERM, like quality management and supply chain analysis, is first and foremost a way of thinking about how a company conducts business.

ERM in Practice

When developing an ERM initiative, it is best to take a programmatic approach that involves identifying primary exposures and their potential impact; assessing the probability of those exposures creating events; determining the organization’s risk appetite; prioritizing the weighted exposures, and allocating resources for risk mitigation.

Identifying Exposures

Identifying major sources of risk exposure is the key activity in developing a risk-management program. In addition to providing a basis for developing an ERM program, an exposure profile can be extremely helpful when reviewing corporate strategies and determining whether the business’s operating plan is on track.

Risk exposure pertains to every aspect of a company’s business, and identifies the areas in which it may not be operating as effectively as possible. The most common types of risk are explained below. Together, they make up an organization’s risk-exposure profile.

• Financial. Exposure to capital markets; extending ROI on existing capital investments; the availability of additional capital for projected strategic initiatives (i.e., credit risk), etc.
• Economic. Exposure to currency fluctuations, interest rate changes and governmental monetary policy, for example.
• Legal and regulatory. Changes in legislation or attendant regulations affecting the industry in which the organization operates; risk of legal liability in tort or contract, etc.
• Operations. Internal systemic risk created or aggravated by management decisions. (Corporate policies’ failure to address new situations; significant unexplained deviations from industry best practices and standards; the lack of an up-to-date business continuity plan, and failure to plan for environmental disasters, etc.)
• The market. Threats to an organization’s position in its market. (New competitive products; a major new competitor; company’s failure to exploit new disruptive technologies; lack of access to emerging markets, for example.)
• Technology. Potentially business-disrupting events caused by failure in some aspect of technology, such as insufficient information security; non-existent, untested or insufficient disaster recovery programs; insufficiently resilient IT infrastructure, etc.

Understanding your organization’s risk exposure means understanding the entirety of your business and the world in which it operates.

Modeling

Once the risk profile is developed, the identified exposures are placed into a model to determine the real-dollar impact of a given exposure-related event. This model can be simple or complex, depending on the needs of the organization and the mathematical understanding of the people using the information. A simple model includes the following:

• Probability of an exposure event. This can be as simple as high, medium and low, with high (for example) being over 50% likely to occur within the next three years; medium being between 25% and 50% likely to occur within the next three years; and low being less than 25% likely to occur over the next three years. For complex businesses, more rigid statistical modeling can be used to determine within a number of standard deviations the probability of an event occurring, for example.
• Cost factors. This refers to both the potential cost of a risk-related event and the real-time cost of mitigating the potential risk from exposure. Generally speaking, organizations must consider the cost of capital and discounted cash flows when determining whether to mitigate a risk now or allow for the potential of a future occurrence.

When completed, the model produces a real-dollar impact figure for each risk identified in the exposure profile, allowing for a clear understanding of the cost of risk to the business.

Once created, the model should be regularly updated to reflect the impact of real-world circumstances as they change. Note: The discount rate used for cash-flow analysis should be adjusted at least yearly.

Determining Risk Appetite

After determining the real-dollar impact for the exposure profile, it is incumbent upon management to decide exactly how much risk – in terms of actual dollars – is acceptable when compared with the immediate cost of mitigation.

In simple terms, an organization’s leadership must decide how much potential loss can be tolerated, and whether it is cost-effective to invest in mitigating those losses now or incurring them later. This is an extremely critical step, but one performed by only 33% of respondents in the AICPA poll.[7]

Setting Priorities

When budgeting for risk-mitigation activities, corporate initiatives and cost-effectiveness must be weighed. Usually, risk-mitigation initiatives that bring the biggest “bang for the buck” will take priority, which is reasonable. However, it is important to remember to address upcoming strategic initiatives, as well as the business’s overall strategic direction.

For example, if a risk assessment determines that the network infrastructure is based on old and/or obsolete equipment but the company intends to migrate to a public cloud environment within one to two years, the initiative should be considered against the cost/benefit of upgrading to new routers and switches. Generally, the risk in any given scenario can and should be tolerated if the expense to mitigate it is greater than the negative business impact that the breach or outage would cause. This is another way ERM informs corporate strategy, and corporate strategy informs ERM.
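The simple model from the Modeling section, the tolerate-or-mitigate rule from Determining Risk Appetite and the “bang for the buck” ranking from Setting Priorities, worked through in code. This is an added example and not part of the Cognizant paper: the band midpoints used as point estimates (75%, 37.5%, 12.5%), the even spreading of the three-year probability across years, the 8% discount rate and the three sample exposures are all assumptions constructed for the illustration.

```python
"""Turn an exposure profile into real-dollar impact figures and rank mitigations.

Added illustration of the paper's simple model; every number below is a
constructed assumption, not a figure from the paper.
"""
from dataclasses import dataclass

HORIZON_YEARS = 3  # the paper's probability bands are stated over the next three years

# The paper defines the bands as high > 50%, medium 25-50%, low < 25% likely
# within three years. Using the band midpoints as point estimates is our
# assumption; a real programme would substitute its own estimates.
BAND_PROBABILITY = {"high": 0.75, "medium": 0.375, "low": 0.125}


@dataclass(frozen=True)
class Exposure:
    name: str
    band: str               # "high", "medium" or "low"
    event_cost: float       # real-dollar cost if the event occurs (today's dollars)
    mitigation_cost: float  # cost of mitigating the exposure now


def band_probability(band: str) -> float:
    """Three-year probability of occurrence for a qualitative band."""
    if band not in BAND_PROBABILITY:
        raise ValueError(f"unknown probability band: {band!r}")
    return BAND_PROBABILITY[band]


def discounted_expected_loss(exposure: Exposure, discount_rate: float) -> float:
    """Expected loss over the horizon, discounted at the cost of capital.

    The three-year probability is spread evenly over the three years
    (assumption), so a loss expected in year t is worth 1/(1+r)^t today.
    The discount rate is a parameter so it can be refreshed yearly, as the
    paper advises.
    """
    p_per_year = band_probability(exposure.band) / HORIZON_YEARS
    return sum(
        p_per_year * exposure.event_cost / (1 + discount_rate) ** year
        for year in range(1, HORIZON_YEARS + 1)
    )


def should_mitigate(exposure: Exposure, discount_rate: float) -> bool:
    """The paper's rule: tolerate a risk when mitigating it costs more than
    the impact it would prevent; otherwise mitigate it now."""
    return exposure.mitigation_cost <= discounted_expected_loss(exposure, discount_rate)


def prioritize(exposures, discount_rate: float):
    """Rank the mitigations worth funding by expected loss avoided per dollar
    spent ("bang for the buck"), highest first. Tolerated risks are left out.
    Each row is (name, discounted impact, impact per mitigation dollar)."""
    ranked = []
    for e in exposures:
        loss = discounted_expected_loss(e, discount_rate)
        if e.mitigation_cost <= loss:
            ranked.append((e.name, round(loss, 2), round(loss / e.mitigation_cost, 2)))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed sample exposure profile (not from the paper).
SAMPLE_EXPOSURES = [
    Exposure("Obsolete core switches", "high", event_cost=400_000, mitigation_cost=150_000),
    Exposure("Untested disaster-recovery failover", "medium", event_cost=1_200_000, mitigation_cost=200_000),
    Exposure("Vendor contract compliance gap", "low", event_cost=300_000, mitigation_cost=80_000),
]
SAMPLE_DISCOUNT_RATE = 0.08  # assumed cost of capital; revisit at least yearly


if __name__ == "__main__":
    for e in SAMPLE_EXPOSURES:
        loss = discounted_expected_loss(e, SAMPLE_DISCOUNT_RATE)
        verdict = "mitigate" if should_mitigate(e, SAMPLE_DISCOUNT_RATE) else "tolerate"
        print(f"{e.name:38s} impact ${loss:>12,.0f}  mitigation ${e.mitigation_cost:>10,.0f}  -> {verdict}")
    print("priority order:", [row[0] for row in prioritize(SAMPLE_EXPOSURES, SAMPLE_DISCOUNT_RATE)])
```

With the sample figures the low-band vendor exposure is tolerated (mitigating it would cost more than the discounted impact it prevents), while the disaster-recovery gap ranks ahead of the switch refresh because it avoids more expected loss per dollar spent. Raising the discount rate shrinks every impact figure, which is why the paper insists the rate be revisited yearly.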

Resource Allocation

It is critical to integrate ERM program considerations into the organization’s short-to-intermediate-range staffing plan. Not only should programmatic budget funds be included for risk-mitigation activities (equipment, services, etc.); staff resources must also be allocated.

Based on a mitigation project’s priorities, leadership must determine how best to assign existing staff to mitigation and non-risk-related activities, and build real-dollar impact models to gauge the cost of potentially adding more staff to risk-mitigation projects. Recruitment/HR should also build these additional resources into global staffing plans.

Building the Risk Management Mindset

Often, the single largest obstacle to successful implementation of an ERM program is the lack of understanding and cooperation by employees, from front-line staff to senior management.[8]

It is important to establish a risk-management mindset throughout the organization, at all levels. Management must emphasize that each employee plays a key role in executing the program itself, and supporting the overall corporate strategy and future success of the business.

The following is one proven approach to instilling a risk-management mindset into the business:

• Assimilate. Embed ERM and a risk-management mentality into affected business areas by creating a risk-management liaison. RM liaisons are then incorporated into the business units and work in conjunction with business teams to ensure that risk-management goals and priorities are built into product-development and delivery processes.
• Participate. Give employees at all levels, with all types of responsibilities, a sense of ownership in the ERM process by developing a sufficiently robust business-continuity plan (BCP). Then ensure that employees from each business area understand their roles in the event of a major outage situation. At least twice-yearly exercises should be run to test the BCP and determine its effectiveness.
• Educate. Continually monitor and measure the ERM program against expected results. Reports should be company-wide, in-depth (to inform the model and enable continuous updates) and understandable (to educate the employee base and keep them engaged in the ERM process).

Enterprise Risk Management and Innovation

In many organizations, risk management is viewed as the main obstacle to innovation. The market demands new products, quick delivery and disruptive ideas – now. How can a business with a culture that views ERM as part of its very foundation remain innovative, and deliver groundbreaking products to the marketplace at maximum speed?

It is exactly the contention of this paper that the control, transparency and discipline resulting from integrating an ERM program into an organization’s corporate strategy can help a business send cutting-edge products to market faster and less expensively – with fewer defects, better support and with a more complete understanding of the potential benefits to the business’s current and future financials, as well as its position in the marketplace.

As stated earlier, ERM is no more or less than the understanding of a company’s business, the environment in which it operates, and the effect that these factors have on corporate strategy and operations. Organizations with a well-designed ERM program understand which “great ideas”
can translate into a product or service that meets a market need and brings healthy returns. These businesses also appreciate how an innovative new product affects the existing or planned offerings in its product mix. Potential production defects have already been identified and mitigated. Barriers to market entry have been recognized, and a plan is already in place to remove them. Obstacles to success are identified and systematically eliminated.

In the event of product defects or service outages, comprehensive support procedures are in place as an integral part of the product-development process. Management reporting is also established – making it easier to measure product performance and identify and exploit new opportunities.

The ERM team is not the people who say “no” – it is the people who say “here’s how.” A properly designed and executed ERM program is a powerful tool, not only for mitigating risk in an organization’s operations, but also for developing and determining the effectiveness of corporate strategy. An organization with a risk-management mindset engages and educates its employees – from leadership to staff – with the belief that preparation, discipline, transparency and controls are part and parcel of efficiently delivering a consistently outstanding product. The organization is run in the most cost-effective manner, and is quickly able to respond effectively in the event of a major outage situation.

ERM encompasses the entire span of the business, and provides a more complete understanding of the organization and the environment in which it operates. Finally, a successful ERM program fosters innovation by helping to identify and systematically develop new ideas and, just as important, providing an effective framework for delivering innovations to market.

Looking Forward: Conducting a Gap Analysis

The first step in optimizing your ERM program is to evaluate what is already in place. Questions to resolve include:

• Do we have a formal ERM program that is documented and shared with employees and stakeholders?
• Does our ERM program follow a standards-based framework?
• Are we communicating the benefits of ERM to our teams?

Once your organization has a full understanding of its existing ERM program, it should determine if and where there are gaps that are at odds with best practices in your industry. After gaps are identified, develop a plan to prioritize and mitigate those shortfalls. Documentation is key for educating personnel about ERM, and about how best practices are implemented in your company.

An effective ERM program takes into account the company’s fundamentals, including its risk appetite, major exposures, the potential impact of each exposure and the cost to mitigate. Set ERM priorities in conjunction with business priorities, and let those inform your company’s overall business strategy.

To best foster an environment of innovation, make sure your teams are included in creating and implementing an updated ERM program. Innovators need to understand and feel a sense of ownership in the process, and fully understand its effect on their activities before the plan is implemented.

Footnotes

[1] AICPA 2015 Report on the Current State of Enterprise Risk Oversight. http://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf
[2] Beasley, M., Branson, B., Pagach, D., “An Examination of the Assessment of Top Risks on the Horizon, Evidence from Executives and Risk Professionals,” Journal of Enterprise Risk Management, Vol. 1, Issue 1, p. 7. http://www.ermjournal.org/index.php/erm/article/view/9
[3] The Sarbanes-Oxley Act of 2002 requires a company’s senior management to certify the accuracy of financial reporting statements. This act applies to all publicly traded U.S. corporations.
[4] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created standards for electronic healthcare transaction records. HITECH is a specific provision within HIPAA establishing data privacy requirements for covered healthcare records.
[5] The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 created a large number of new regulatory restrictions on banks and other financial institutions as a reaction to the financial crisis of 2008.
[6] The Basel Accords II and III established minimum capital requirements for banks and other financial institutions to mitigate risk in the event of a future economic downturn.
[7] AICPA 2015 Report on the Current State of Enterprise Risk Oversight, p. 4. http://www.aicpa.org/interestareas/businessindustryandgovernment/resources/erm/downloadabledocuments/aicpa_erm_research_study_2015.pdf
[8] Beasley et al., p. 15. http://www.ermjournal.org/index.php/erm/article/view/9

About the Author


Stuart Roseman is a Senior Manager in Cognizant’s Enterprise Risk and Security Consulting Practice. His practice focuses on enterprise risk management, corporate and IT governance, regulatory compliance, network security and business continuity/disaster recovery – working primarily with clients in highly regulated industries. He has 25 years of experience in corporate and IT strategy, operations, governance, compliance, and risk management across the public, private and non-profit sectors. Stuart has an MBA from North Carolina State University, a JD from Villanova University School of Law, and a bachelor’s in business administration from Temple University. He is a licensed attorney in the Commonwealth of Pennsylvania. Stuart can be reached at [email protected].

About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 100 development and delivery centers worldwide and approximately 217,700 employees as of March 31, 2015, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email: [email protected]

European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 20 7297 7600
Fax: +44 (0) 20 7121 0102
Email: [email protected]

India Operations Headquarters
#5/535, Old Mahabalipuram Road
Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060
Email: [email protected]

© Copyright 2015, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
Codex 1336
