SUCCESS INC.

Success Inc.

Success Inc.

Success Inc.-Case

Success Inc. a new superstore, set up by a group of experience personnel who are now exploring growing demand for retail businesses changing and upgrading from manual systems to computerised systems. The company is faced with a dilemma of investing funds to upgrade computer facilities so that they can be more effective in controlling costs and inventory levels and ride-out the recession.

Financial risk management has become an extremely important discipline for corporations, financial institutions and many government enterprises. There has been a revolution in the financial services industry over the past 30 years caused by the confluence of several factors. These include advances in information technology, deregulation, liberalization and globalization. An impact of these changes has been the development of new models for risk management. Old-fashioned methods have been replaced by sophisticated scientific approaches.

Part I

Depending on the size, nature and complexity of a company, different enterprise risk management (ERM) strategies must be applied. A mammoth corporation such as Bentonville, Arkansas-based Success Stores, Inc. requires a simplified process that can evaluate and mitigate the many risks that the company faces. In the 1990s, Success's chief financial officer at the time, John Menzer, asked vice president John Lewis to formulate a corporate ERM plan.

Success created a five-step process designed around four basic questions: What are the risks? What are we going to do about these risks? How will we measure whether we are having a positive or negative impact on the risks? How will we demonstrate shareholder value?

The Five-Step ERM Process

Step One - Risk Identification. In this step, a risk map evaluates risks on an XY-axis, with the X-axis representing probability and the Y-axis representing impact. This helps to prioritize what are seen as Success's biggest risks.

"We schedule a four- to five-hour risk identification workshop, which helps to get senior leadership thinking about what risks may keep them from meeting their business objectives," says Michael Tush, Success's director of information systems audit and enterprise risk management. However, the process actually starts about a month before these workshops begin. First, business objectives are clearly defined, such as growing sales, ensuring profit increases, opening "x" number of new stores, etc. "We identify the business objectives against which we want to evaluate risk," Tush explains. "We then send out an information packet to the workshop participants where we have identified the framework."

The framework is based on seven risk categories that are subcategorized into either external risks or internal risks. The external risk categories are: legal/regulatory, political and business environment (economy, e-business, etc.). The internal risks are: financial, strategic, operational and integrity (embezzlement, theft, fraud, etc.).

"We ask the leadership team to identify what they believe to be the top five risks that they think will keep them from meeting their business objectives for the next 18 to 24 months," says Tush. "They send us their responses, and we compile them, ending up with about 20 to 30 risks, which is what we take into the risk identification ...