When Matt Krawczyk (MAC, spring 2018) joined the audit unit of KPMG’s Raleigh, N.C. office this summer, he brought a solid foundation in enterprise risk management to his new role. It was knowledge – and experience – gained while completing the Enterprise Risk Management concentration at the NC State University Poole College of Management, a course of study open to Jenkins Master of Accounting and Master of Business Administration students.
“As an accounting major, I always viewed the word “risk” as somewhat of a negative due to having learned about risks, such as fraud risk or risk of material misstatement. However, ERM taught me that risk can also have positive connotations and that taking calculated and disciplined risks can lead to financial success for a company,” Krawczyk said.
Learning to Manage Risks, Top to Bottom
“ERM takes a look at the company as a whole – from the top to the bottom – and allows management to take a holistic approach to managing its risks,” he said. “This is interesting to me as an accountant because many of these risks have a financial impact.”
“That kind of insight is also attractive to organizations,” said Mark Beasley, professor and director of the ERM Initiative based in the NC State Poole College of Management’s Department of Accounting. “Students who study ERM are increasing their attractiveness to organizations because companies value individuals who have a rich understanding of how to manage risks in whatever position the students take,” he said.
Krawczyk’s interest in ERM grew after taking an introductory course in the first semester of his MAC program.
“After taking Dr. Beasley’s course (MBA 518: Overview of Enterprise Risk Management), I wanted to find out more about ERM processes that many companies are starting to implement,” he said. That led him to gain real-world experience through the ERM practicum course that, along with a business analytics course he completed in the spring semester, qualified him to complete a concentration in enterprise risk management.
His teammates for this project – MAC student Elena (Xuyan) Zhao and Jenkins MBA Student Leah Aronin – also were drawn to the practicum for the hands-on experience it provided after completing the introductory course in the fall.
Aronin said, “I realized, from taking ERM in the fall semester, that risk is a critical component of business. I wanted to gain some first-hand experience in risk, so that I could be more prepared for my post-MBA career,” she said.
Helping the YMCA of the Triangle in their ERM process
For their practicum project, the three students worked with the YMCA of the Triangle, building on work that a previous MAC ERM team had completed for the organization to identify and prioritize a list of potential risks on the horizon that might impact the Y’s strategic success.
In this latest project, Krawczyk and his teammates – using a process called bow-tie analysis – reviewed the Y’s previously identified potential risks and formulated questions that they used in face-to-face discussions with the Y’s senior management team, to help them determine whether the Y’s responses were effectively managing those potential risks.
In their bow-tie analysis, the practicum team focused on the causes of a potential risk event and what would happen if the event should occur.
“After we came up with the causes, we had to think of ways that we would prevent those from happening and then come up with questions to ask the Y about their current prevention measures, to help management think about whether those responses are actually impacting the likelihood of the risk occurring at the Y,” he said.
“Next we looked at the other side of the bow-tie and focused on the consequences of the event happening. We asked ourselves what would be the immediate impact of this particular event occurring and then formulated questions to ask the risk owners – members of the management team assigned to oversee the individual potential risks – about their responses to minimize the impact of a risk should the event occur,” Krawczyk said.
“Our goal was not to critique or tell the Y what to do, but (rather) to make them aware of the effectiveness of their current risk prevention and responses. Focusing on their current prevention and response techniques allowed the Y to identify any potentially significant gaps in their approach to managing some of the most significant risks on the horizon for the Y, as it seeks to better serve its members and the Triangle community. It also provided insight about how robust their ERM process is and allowed Bryan Huffman, chief financial officer, and others on the leadership team to decide if they needed to implement any more risk management measures,” he said.
“The Y has a very robust ERM process already in place and they were doing many things to address their current risks,” Krawczyk said. “Our goal was to help the Y think about their current responses to those ranked risks and (to determine) if there was anything else they could be doing to address them,” he said.
The student team presented a final report of their findings at the end of the spring semester to the Y’s leadership team.
“The ERM team project with NC State was a wonderful experience for our YMCA,” Huffman said. “We were at a ‘now what’ phase in our ERM process, and the team really helped us continue on our journey to more deeply understand our risks, what causes them and how we respond.”
It was a good learning experience for the NC State Jenkins graduate students as well, Krawczyk said. He reported that a key takeaway for the team was learning to expect that many organizations might be afraid of sharing – with someone outside of the entity – information about some of its potential risks and the things that could possibly put the organization out of business or severely cripple it financially.
“I am grateful that the Y was so open with us about their risks and were willing to allow students to come in and interview the risk owners and gain a first-hand look at how a successful organization is implementing enterprise risk management practices in its daily operations,” he said. “I can now see how valuable an ERM system can be to an organization and expect many more organizations to implement ERM in their decision making process.”
Zhao, who is completing the MAC program this fall and expects to graduate in December, also said she appreciated the opportunity to work with individuals in an organization implementing ERM.
“Outside perspective can be really enlightening to an organization,” Aronin said. “When we were interviewing the risk owners at the Y, there were a lot of ‘aha’ moments during our discussion. Just having a conversation with someone looking in from the outside, and asking new questions and highlighting new insights, gave the risk owners new direction when considering their risks,” she said.
Aronin said she has found the background helpful in her work as a business operations professional as well. “Although I am not working directly in risk, having the understanding of risk on an enterprise level is critical to being successful in my role,” she said.
About Enterprise Risk Management at Poole College
Professor Beasley has been involved with enterprise risk management since 2001, when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) asked him to serve on its advisory council which was then embarking on ways to improve oversight of risks from all across the enterprise. At the time, there was little if any best practice guidance, he said, and COSO was developing the initial principles-based framework on enterprise risk management and launched The Enterprise Risk Management – Integrated Framework in 2004. He has continued his involvement with COSO by serving for seven years on the COSO board and then assisting COSO with its 2017 update to the 2004 framework.
Beasley and colleagues in Poole College established the Enterprise Risk Management Initiative – which conducts research and presents professional development seminars – in early 2004, in response to the growing importance of thought leadership regarding ERM. They began offering the ERM practicum course, open to MAC and MBA students, in 2011.
“The world we live in is only becoming more complex with increasing uncertainty,” Beasley said. “That means the volume and complexity of risks that businesses face will only continue to increase. Students who seek to eventually be in key management positions are expected to be good at foreseeing and managing emerging risks. Thus, it is in the best interest of our students to develop an understanding and skill in identifying, assessing, and managing risks so that they are better prepared to meet the growing expectation that they are effectively “owning” the risks in their areas of responsibility.”
Poole College students are able to attend the professional development sessions presented by the ERM Initiative, he said. “This allows them to hear directly from business professionals about issues related to the management of enterprise level risk. We believe that exposure to the real-world issues is incredibly valuable to our students. The business professionals love seeing our students at the Roundtables. Often they tell the students, ‘I wish I had this kind of opportunity when I was in college.’”
The embrace of ERM has continued to evolve and grow, and the percentage of entities implementing ERM continues to grow over time. Most large companies and most publicly traded companies are doing some form of ERM, he said.
“We are also seeing more and more private entities, not-for-profits and government agencies implementing ERM. ERM is becoming an expected best practice and most boards of directors now expect management teams to be engaged in ERM activities and are pinpointing individuals to lead the ERM function, which is creating career opportunities for people,” Beasley said, noting that the ERM roles typically go to the more senior and experienced staff.
The Practicum Process
Students in the ERM practicum serve as consultants under the supervision of a Poole College faculty member. They work with the company to understand the organizational structure, key products, geographic influence, and the strategic plan. Then, the students build upon that to develop a series of questions that they ask in face-to-face meetings with members of the company’s senior executive team, drawing out risks that are on the minds of those executives.
The students then compile that information to generate an inventory of the top risks and work with management to have management rank-order the risks from most critical to less critical, to help the entity develop what constitutes the entity’s Tier 1 risks (top 10 risks) and their Tier 2 (11 – 20 risks). They also help management see how those risks might impact the strategic success of the enterprise. Finally, the students generate a formal report and present it to the organization’s senior management team