Triangulating Risk Profile and Risk Assessment: A Case Study of Implementing Enterprise Risk Management System

Abstract

Establishing an enterprise risk management (ERM) system is widely viewed as providing firms with the tools and processes needed to build resilience and expertise, enabling them to manage the consequences of crises that have led to the collapse of major firms across different industries globally. Intended for use in advanced accounting, auditing, and finance courses, this case study (of a true event) describes the development and implementation of an ERM system for a U.S. multinational nonprofit firm during the 2015–2021 period. The case study’s main learning objectives are several-fold. First, couched within the recent economic environment, it informs students on some of the more important academic and applied research on corporate risk management. Second, students will learn to analyze the content of a questionnaire designed to capture the integrated effects of the firm’s risk culture, risk structure, risk governance, and control for establishing its risk profile. Third, they will learn to create and apply multi-dimensional risk indices to measure and prioritize the firm’s risk exposures. Finally, the last learning outcome focuses on strategies to triangulate the firm’s overall risk profile and risk prioritization results to construct mitigation strategies that build resilience and create value through risk diversification, information signaling, the exploitation of natural hedges, and enhancing the board’s governing efficiency. The nonprofit nature of the firm in this case study introduces no methodological or conceptual constraints or limitations in applying the proposed risk management methodologies to for-profit or publicly traded firms.

1. Introduction

Beyond the disruptions from the 2007–2008 financial crisis and the recent COVID-19 pandemic, we continue to witness the demise of major firms across different industries resulting from known and unknown economic, social, and geopolitical risks. Recent evidence includes the collapse of the Silicon Valley Bank, the second largest bank failure in U.S. history after that of Washington Mutual in 2008, the failure of Bed Bath & Beyond, the fall of the Sears Holding Corp, and the acquisition of Credit Suisse by the Swiss investment bank UBS Group AG.1 In response, unprecedented levels of fiscal and monetary interventions have been introduced to protect the global economy from a total collapse. For example, in response to the economic challenges resulting from the recent pandemic, the U.S. Treasury was responsible for administering over USD 1 trillion in American Rescue Plan programs and tax credits to the industry and consumers during the 2020–2021 period. In tandem, the Federal Reserve aggressively maintained a near-zero interest rate policy, providing sustained liquidity for supporting economic activities. Similar arrays of monetary and fiscal policies were also implemented by other countries worldwide. While corporate risk management has been a popular topic in the academic and professional literature, the dynamics of the relationship between a firm’s risk profile and metrics to measure its overall risk exposure have received much less attention. There is a need for developing systematic approaches that triangulate such qualitative and quantitative characteristics, aiming to construct mitigation strategies that build resilience and create value through risk diversification, information signaling, the exploitation of natural hedges, and enhancing the board’s governing efficiency.

Based on an actual event, we provide a clinical case study to address this gap in the literature through the development, implementation, and post-implementation review of establishing an enterprise risk management (ERM) system for a U.S. multinational nonprofit firm during the 2015–2021 period. Despite this paper’s focus on a nonprofit firm, the proposed methodologies introduced in this case study are fully generalizable and scalable to any privately held or publicly traded firms. The firm is anonymized to protect the scope and scale of its operations, and its employees. The case study is designed to equip students in advanced accounting, auditing, and finance courses with the knowledge and tools to prioritize a firm’s risks and establish mitigation strategies, with their performance being reviewed post-ERM implementation. The key case-study learning objectives are listed below.

▪

Couched within the recent economic environment, it informs students on some of the more important academic and applied research on corporate risk management.

▪

Students will learn to analyze the content of a questionnaire designed to capture the integrated effects of the firm’s risk culture, risk structure, risk governance, and control for establishing its risk profile. In this sense, students understand that risk interactions and aggregations are key components of establishing an effective risk management system.

▪

Students will learn to create and apply multi-dimensional risk indices to measure and prioritize the firm’s risk exposures. These indices cover a wider range of relevant risk parameters, including the difference between inherent and residual risks and the dispersion in cognitive perception of different risk exposures within the firm.

▪

Finally, the last learning outcome focuses on strategies to triangulate the firm’s risk profile and risk prioritization results to construct mitigation strategies that build resilience and create value for the firm.

Despite its educational focus, the case study also contributes to the existing literature by advancing powerful statistical approaches for analyzing the dynamics of qualitatively based questionnaire data. Specifically, as discussed in more detail in Section 4, these techniques are applied to measure the convergence and implied informational content of different sets of questions in the questionnaire.

In the balance of the paper, Section 2 provides an overview of the studied firm’s operations and financial performance and the evolution of its risks in recent years. The literature on the institutional development and valuation implication of enterprise risk management (ERM) is provided in Section 3. Sample selection and the development of the questionnaire are discussed in Section 4. Methodologies to analyze the questionnaire data are explained in Section 5. Information on the observed drivers of risks and their influence in developing established mitigation strategies are provided in Section 6. Finally, the conclusion and the case requirements are detailed, respectively in Section 7 and Section 8. Detailed instructor’s notes are discussed in Appendix A.

2. Background on the Firm

The firm is a U.S. multinational nonprofit established in 1990 focused on developing and delivering educational, training, and student exchange programs for the public and private sectors in Asia, the Middle East, and North Africa, collectively serving over 100 countries. The firm’s total full-time and part-time staff comprise over 5000 people, distributed over 200 field offices throughout the world. With an annual revenue of USD 500 million in 2015, the firm has been consistently increasing its impact and revenue sources globally. Government and non-government grants, tuition fees, program administration fees, fundraising, and investment income have traditionally been the primary sources of revenue. The period from 2015 through 2017 highlighted the growing impact of different risks that diminished profitability and market share. As shown in

Table 1. Consolidated statement of revenues and expenses: 2015–2017 (USD millions).

Revenues	2017	2016	2015	2015–2017 Change
Government Grant	275.0614	295.4502	313.2000	−12.18%
Non-Government Grant	22.0650	23.6250	25.0000	−11.74%
Tuitions	92.1876	98.7053	104.4500	−11.74%
Administrative Fees	41.9235	44.8875	47.5000	−11.74%
Fund Raising	1.8700	2.2500	2.7500	−32.00%
Investment Income	3.2500	2.2900	1.5000	116.67%
Other Income	4.9426	5.2920	5.6000	−11.74%
Total Revenues	441.3000	472.5000	500.0000	−11.74%
Expenses
Student Exchanges	143.0067	147.2570	156.8825	−8.84%
Program Expenses	153.1890	169.8350	170.8000	−10.31%
Salary and Pension	88.6176	92.2720	98.2000	−9.76%
Depreciation and Amortization	2.2654	2.2700	2.3846	−5.00%
Repair and Maintenance	1.2180	1.3100	1.4329	−15.00%
Transportation	33.1757	37.2810	43.3500	−23.47%
Taxes	1.1900	1.3000	1.2000	−0.83%
Miscellaneous Expenses	5.9378	6.5250	8.7500	−32.14%
Total Expenses	428.600	458.050	483.000	−11.26%
Net Surplus (Deficit)	12.7000	14.4500	17.0000	−25.29%

, overall, government grants (accounting for approximately 60% of annual revenues), tuition income, and administrative fees were sharply reduced by approximately 12% during the 2015–2017 period. More broadly, the total revenue declined by 11.74% in the same period. Currency volatility increased the FX risk and the inability to maintain adequate levels of liquidity constrained operational efficiency. Restrained regulatory environment, enhanced visa restrictions, supply chain bottlenecks, and other geopolitical developments in the U.S. and abroad put further pressure on financial performance. Student-related data and other types of proprietary information were breached. As a result, overall activities were sharply reduced, destroying the firm’s net surplus by approximately 25.29% for 2015–2017. The need to establish a more formal approach to managing the firm’s exposures was emphasized by its board of directors in 2017.

3. ERM Literature Review

In early 2000, a coordinated regulatory and institutional effort in the U.S and Canada (Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Toronto Stock Exchange Dey Report, the Risk Management and Insurance Society, and several global rating agencies, including Moody’s and Standard & Poor’s) introduced processes and metrics to increase the maturity of ERM systems.2

Academically, beginning with Miller and Modigliani (1958)’s classic article in 1958, there has existed an extensive literature in corporate finance that assumes a perfect market environment in which to analyze firm behavior. One logical conclusion of these perfect market analyses is that a firm’s debt-to-equity decision and, by implication, its risk management decision, is irrelevant and has no impact on firm value. While this “perfect market” analysis provides useful insights into the behavior of corporations, it has the disturbing feature of denying, by assumption, many of the features (“imperfections”) of financial and economic activity that give rise to corporations in the first place.

When perfect market assumptions are relaxed, different types of analytical and economic issues arise. The existence of market imperfections, such as corporate taxes, implies that financing decisions may affect the value of the firm through the risk–return tradeoffs inherent in the use of debt versus equity capital (Miller and Modigliani 1963). The differential personal taxes on interest versus dividend income provide a different picture of the risk–return tradeoffs in the use of debt versus equity capital (Miller 1977). Bankruptcy costs, costly information, external capital costs, and agency costs yet provide a strong incentive for a firm to search for an optimal debt-to-equity position by actively managing both its systematic and unsystematic risk exposures (Kraus and Litzenberger 1973; Ross 1977; Leland and Pyle 1977; Froot et al. 1993; Jensen and Meckling 1976).

At the level of the enterprise, researchers have argued that the evaluation of risk and return at the project level does not allow for optimization at the corporate level as risk diversification and correlations are ignored. Furthermore, risk interactions and aggregation are expected to improve internal decision-making, ultimately contributing to the firm’s value through more efficient capital allocation (Nocco and Stulz 2006; Rosenburg and Schuermann 2006; McShane et al. 2011; Hoyt and Liebenberg 2011). More specifically, Lindberg and Seifert (2011) and Farrell and Gallagher (2014) find a highly significant 25% value effect for firms that are considered mature in their ERM approach. Other sources of value creation through effective risk management include lowering a firm’s overall cost of capital (Samanta et al. 2004; Hoyt and Liebenberg 2011; Shad et al. 2022), signaling the firm’s overall risk profile (Hoyt and Liebenberg 2011), optimizing executive compensation (Grace et al. 2014), enhancing risk diversification, benefiting from natural hedges, and improving governance of the enterprise’s risk (Nocco and Stulz 2006; McShane et al. 2011; Hoyt and Liebenberg 2011; Beasley et al. 2005), among others. More recently, Hristov et al. (2022) used semi-structured interviews with a total of 75 senior and middle managers from 25 different Italian companies to provide an approach to integrate enterprise risk management (ERM) and a performance management system (PMS). They find that PMS processes, built on a specific set of key risk indicators (KRIs), could enable the companies to achieve economically and environmentally sound performance. Focusing on the oil and gas industry in Malaysia, Shad et al. (2022) find that an increase in the maturity of ERM implementation reduces the cost of capital, which they argue is a possible mechanism through which ERM increases firm value. Focusing on actual cases, Harrington et al. (2002) documented the risk management program at United Grain Growers (UGG), a Canadian agricultural services company. Their study shows that the company identified and prioritized its exposure to risks including environmental liability, weather-related effects, counterparty, credit policy, and commodity prices. The mitigation strategy also included a general integrated loss and liability insurance contract offered by Swiss Re-insurance. In a different case study, Aabo et al. (2005) described the risk management program at Hydro One, a large publicly traded Canadian utility company. Hydro One adopted an integrated approach to examine its overall risks in response to deregulation, emerging competition in the energy sector, and increased scrutiny on corporate governance. Further evidence on ERM maturity was developed by Fraser and Simkins (2010) and Fraser et al. (2014).

4. Sample and Questionnaire Data

As shown in

Table 2. Plan of action to develop the enterprise risk management (ERM) program.

Sample of Risk Owners	Identify a representative and diverse group of functional risk owners (managers/executives in field offices with major P/L responsibilities), senior executives, and board members.
Education	Develop and deliver a short educational module for the sample group to create a uniform level of understanding on the dynamics and application of ERM.
Questionnaire	Administer and analyze a focused questionnaire covering multiple risk management areas including risk culture, risk recognition, risk organization, risk governance, risk control, and risk measurement.
Synthesis and Risk Assessment	Synthesize and compile the results obtained from the questionnaire. Develop a detailed multidimensional risk table identifying and prioritizing the existing and potential risks.
Mitigation	Develop mitigation strategies for the top risks.
Review	Review and assess, on an ongoing basis, the effectiveness of the proposed risk management system.

, a plan of action was developed to determine the firm’s risk profile and establish an integrated risk management system. Key elements of the plan included the selection of a sample of risk owners, administering a risk management questionnaire, prioritizing potential risks, and, finally, constructing mitigation strategies. Specifically, a group of 30 participants was selected, representing senior executives (40%) and board members (10%), with the balance of 50% representing the field managers globally.

To identify the firm’s risk profile and measure the impact of its overall risk exposure, a questionnaire was developed addressing risk culture (14 questions), risk recognition (9 questions), risk organization (8 questions), risk governance (9 questions), and risk control (10 questions),

Table 3. Key areas determining the risk profile.

Risk Areas	Definition
Risk Culture	The questions in this segment are designed to elucidate the interplay between the organization’s strategy, goals, decision-making processes, risk appetite, and risk management philosophy.
Risk Governance	The questions in this segment focus on the board structure, processes, and levels, and the effectiveness of the board’s involvement, knowledge, and transparency in devising strategies to carry out risk management decisions.
Risk Organization	This section focuses on the administrative and operational nature of capturing, communicating, reporting, monitoring, and compliance related to risk management actions.
Risk Recognition	This segment is designed to elucidate the organization’s ability to identify risks, distinguish risks from opportunities, recognize risk metrics, and increase awareness of fraudulent activities.
Risk Control	The questions in this segment have been designed to gauge the firm’s level of existing control regarding overall risk exposure.
Risk Assessment	Devise and implement consistent multi-dimensional risk indices, which are used to assess and prioritize potential categories of risks.

. Both verbal and coded responses, using the 5-level scale from the RIMS RMM (

Table 4. The Risk and Insurance Management Society’s five-level risk maturity model: RIMS RMM ^a.

Maturity (Level)	Maturity-Level Characteristics
Ad hoc (1)	This implies an extremely primitive level of ERM maturity, where risk management typically depends on the actions of specific individuals, with improvised procedures and poorly understood processes.
Initial (2)	Risk is managed in silos, with little integration or risk aggregation.Processes typically lack discipline and rigor. Risk definitions often vary across the silos.
Repeatable (3)	A risk assessment framework is generally in place, with the Board of Directors being provided with risk overviews. Approaches to risk management are established and repeatable.
Managed (4)	Enterprise-wide risk management activities, such as monitoring, measurement, and reporting, are integrated and harmonized, with measures and controls established.
Leadership (5)	Risk-based discussions are embedded at a strategic level, such as long-term planning, capital allocation, and decision-making. Risk appetite and tolerances are clearly understood, with alerts in place to ensure that the board of directors and the executive management are made aware when risk thresholds are exceeded.

^a Adapted from Lindberg and Seifert (2011), and Farrell and Gallagher (2014).

), were requested. Furthermore, following the example of Aabo et al. (2005), the respondents’ input was continually circulated to arrive at an optimal level of consensus and a convergence of opinion.3 In addition, exploratory factor analysis (EFA) and Cronbach’s alpha (α) test (Fabrigar et al. 1999) were used to establish the internal consistency of the risk data (Jalilvand and Moorthy 2022).

Focusing on risk assessment, a set of 10 structural risk categories (

Table 5. General risk categories.

Operational Risk	Risks resulting from inadequate or failed procedures, systems, processes, or policies. It includes employee errors, business interruptions, fraud or other criminal activity, equipment failure, logistical bottlenecks, third-party liability, employee safety, timeliness, and accuracy.
Financial and Market Risk	Risks resulting from a shortfall in revenues and/or cost escalation, accumulated losses, diminished liquidity, problems in meeting financial obligations, diminished credit rating, forecasting and valuation errors, audit problems, portfolio losses, and poor hedging against market volatility (interest rates, exchange rates, and stock prices).
Regulatory and Legal Risk	Risks resulting from lawsuits and unpredictable changes in the local and global regulatory environment and from noncompliance with statutory and accreditation rules.
Strategic Risk	Risks resulting from poor articulation and communication of goals and strategies, misalignment of the strategic plan and corporate governance, an uninformed board, and a lack of established and effective review processes.
Human Resources Risk	Risks resulting from problems in employee recruitment and retention, low labor productivity, and a sub-optimal compensation system.
Innovation Risk	Risks resulting from inertia in identifying and implementing new products and services in local and foreign markets in response to political, macroeconomic, and market changes.
Geopolitical Risk	Risks resulting from political changes, sanctions, travel bans, economic and political retaliation, and the nationalization of foreign assets and establishments.
Credit Risk	Risks resulting from competition, economic slowdown/slow recovery, supply chain disruption, embargoes, customer attrition, changes in customers’ expectations and demand, and changes in customers’ financial capacity.
Informational/Security Risk	Risks resulting from cyber security attacks and hacking, using outdated and inefficient information systems (technology obsolescence), and communication system failure.
Reputation Risk	Risks resulting from a decline in or lack of brand and image, the loss of customers’ trust, negative publicity, recruitment challenges, and fundraising problems.

) was considered: operations, financial and markets, regulatory and legal, strategic, human resources, innovation, geopolitics, credit, information security, and reputation. Identifying 3–5 risk events in each of the 10 risk categories, data on estimates of the likelihood of occurrence, impact on annual revenue growth, and the level of existing control were collected (

Table 6. Risk assessment metrics: likelihood, impact, and control ^a.

Panel A. Likelihood (P) Control (C) a
Very Low p < 0.15	Low 0.15 < p < 0.3	Medium 0.3 < p < 0.5	High 0.5 < p < 0.75	Very high p > 0.75	Ad hoc	Initial	Repeatable	Managed	Leadership
Panel B. Impact on Revenue Growth (G) b
Very Negative −25% < G < −50%		Negative 0% > G < −25%		Neutral 0%		Positive 0% < G < 40%		Very Positive G > 40%

^a Risk and Insurance Management Society five-level risk maturity model: RIMS RMM; ^b mid-point ranges for likelihood and impact are used to calculate the expected values.

).

5. Risk Profile and Risk Assessment

The returned questionnaires (100% response rate) were all usable. Following the example of Jalilvand and Moorthy (2022), for internal consistency and relevance, the questionnaire was further streamlined, resulting in 7 questions for risk culture, 5 questions for risk recognition, 6 questions for risk organization, 6 questions for risk governance, and 6 questions for risk control. Coded responses to questions were averaged across all respondents using the 5-level scale from the RIMS RMM,

Table 7. The questionnaire’s results.

Risk Areas	Average Score	Sectional Average
Risk Culture
Overall, is the firm willing to take any magnitude of risk in order to achieve strategic objectives?	2.37	2.70
How are the critical competencies of the firm structured, in a range from “Operational” to “Entrepreneurial”?	2.61
How do you describe the reward structure of the company, in a range from “Margins and Productivity” to “Milestones and Growth”?	2.63
Is the organizational culture:	2.98
-“Efficiency, Low Risk, Quality, Customers”,
-“Risk Taking, Speed, Flexibility, and Experimentation”, or
-somewhere in between?
Rate the leadership role from being “Authoritative and Top Down” to “Visionary and Involved”.	2.77
How would you rank the strategic and related objectives defined by the organization, in a range from “Unclear and Unfocused” to “Planned and Transparent”?	2.82
Based on the reflection above, rate the firm’s overall risk management culture.	2.75
Risk Recognition
What type of forces, internal and external, impact the risk management culture described above, in a range from “Entirely Internal” to “Entirely External”?	2.85	2.85
Rate the organization’s ability to distinguish risk vs. opportunity.	2.19
What are the most relevant assessment metrics for quantifying significant measurable risks and incorporating them into the decision-making process, in a range from “Entirely Qualitative” to “Entirely Quantitative”?	3.05
How susceptible is the firm to fraud? Which areas are most susceptible to the same?	3.45
Based on the reflection above, rate your department’s overall risk recognition capabilities.	2.69
Risk Organization
How effective is the organization in capturing risk information and communicating it to various constituencies (government, donors, clients, staff, and the board)?	1.82	2.70
Do communication barriers exist within the organization when addressing risk?	3.42
How often do you think the senior management involves the board and staff during the strategy-setting process, including when making decisions to accept or reject risk factors?	2.93
Rate the activities of writing down, prioritizing, and disseminating risk.	3.56
Rate the risk monitoring and reporting system within the organization.	2.36
Based on the reflection above, rate the firm’s risk management organizational capacity.	2.12
Risk Governance
Rate the board’s understanding of the organization’s priority risks and how those risks should be addressed.	2.37	2.47
How much do the senior executives involve the board in the assessment of strategic risks?	3.07
Rate the frequency with which the company revisits its risk assessment to determine whether the circumstances and conditions have changed or whether there are new emerging risks.	2.56
How confident are you about the organization not taking significant risks without the board’s knowledge?	1.79
How effective do you consider the organization’s risk management culture and governance functioning to be?	2.73
Based on the reflection above, rate the alignment between risk management and governance at the firm.	2.32
Risk Control
How well-defined are the risk management goals in terms of ongoing strategic activities: in a range from “Unclear and Unfocused” to “Planned and Transparent”?	3.12	3.10
How do you rate the quality, reliability, and relevance of the risk reporting?	2.76
How effective are the ongoing monitoring activities (e.g., compliance monitoring, risk management group, board monitoring, etc.)?	2.93
Rate the risk measuring methodology adopted by the firm when each risk is measured, on an individual level.	3.20
Rate the risk measuring methodology adopted by the firm when each risk is measured, on an enterprise level.	2.09
Does the company have a rising learning curve with regard to its risk assessment and management process?	4.47

.

The risk measurements are reported in

Table 8. Risk matrix: the average expected impact is the product of the average probability by average impact for each risk category. Opinion convergence (expected impact) is the ratio of the standard deviation of expected impact for each risk category, adjusted by its mean. Opinion convergence (control) is the ratio of the standard deviation of average control for each risk category, adjusted by its mean.

Risk Category	Average Probability	Average Impact	Average Control	Variance Expected Impact	Variance Control
Strategic Risk	46.46%	−0.3444	4.23	0.0129	0.3085
Innovation Risk	54.26%	−0.2764	4.30	0.0036	0.2987
Information and Security Risk	61.67%	−0.2270	4.00	0.0107	0.3263
Geopolitical Risk	51.30%	−0.2924	3.95	0.0089	0.3177
Financial Risk	48.10%	−0.3534	4.05	0.0023	0.1781
Credit and Product Risk	57.14%	−0.3325	3.76	0.0094	0.2324
Operational Risk	44.81%	−0.3571	3.76	0.0057	0.1273
Regulatory and Legal Risk	45.56%	−0.3073	3.95	0.0009	0.2349
Human Resources Risk	53.33%	−0.2813	3.65	0.0020	0.1871
Reputation Risk	42.08%	−0.3802	3.35	0.0092	0.1844

. These variables are the result of two averaging processes across 30 respondents and more than 10 risk categories, resulting in a range of 900 to 1500 observations for each variable. Furthermore, two new qualifying indices were added to the mix to provide measures of the convergence of opinion among respondents regarding likelihood, impact, and control, respectively, calculated as the ratios of the standard deviation of the expected impact on annual revenue growth and average control, divided by their means. Large values of these ratios signal a lack of convergence of opinion (the presence of input noise) among the respondents, thereby qualifying a particular risk category as being ranked low in the hierarchy of risk areas.

A conventional practice to depict the hierarchy of a firm’s risk exposures is to develop a risk map: a two-dimensional graph of likelihood and impact. While informative, the information contained in the risk map is quite limited. That is why the case requirement in Section 8 asks students to rank the ten risk categories by multiple criteria: expected impact, an equally weighted index of expected impact and average control, and an equally weighted index of expected impact and the two opinion convergence indices.

6. Mitigation Strategies

The board finally decided to focus on a subset of the ten risk areas (strategic, innovation, information and security, geopolitical, financial, and regulatory and legal). The statement of revenues and expenses in Table 1, the streamlined questionnaire results, and the quantitative risk metrics in Table 7 and Table 8 provided the key qualitative and quantitative information to establish a series of mitigation strategies for the top six risks selected by the board and review their effectiveness over time. Specifically, the consulting firm established mitigation strategies that were influenced by some observed drivers of risks in each category, which are listed below.

▪

Lack of transparency, possible mission drifts, and weak alignment among mission, vision, and future strategies seemed to characterize the nature of the firm’s strategic risks.

▪

Strategic projects, particularly non-governmental ones, were not competitively and commercially selected.

▪

Project valuation techniques did not adequately account for the market and country-specific risks involved.4

▪

Strategies for maintaining specific financial flexibility and liquidity were also lacking.

▪

The global technology network was outdated and prone to information breaches.

▪

The consequences of political, regulatory, and social changes in many regions of operations were poorly understood, and existing insurance policies were not optimally designed to cover the expected losses.

▪

The firm was not fully taking advantage of the country risk information provided by global agencies such as the International Monetary Fund (IMF) and the World Bank (WB).

▪

In early 2020, the COVID-19 pandemic significantly slowed down the pace of economic and social activity around the world. It seriously affected the operations of field offices, threatening the viability and continuity of upcoming contracts and existing programs, as well as the health and safety of participants and employees around the world.

7. Conclusions

Intended for use in advanced accounting, auditing, and finance courses, this case study, a true event, underscores the need for equipping students with an understanding and knowledge of developing effective risk management systems that identify, prioritize, and mitigate a firm’s overall risk exposures. The case details the development and implementation of an enterprise risk management (ERM) system for a U.S. multinational nonprofit firm during the 2015–2021 period. Students will learn to establish the firm’s risk profile through questionnaire-based data that capture the integrated effects of its structure, culture, processes, governance, and control. In this sense, students understand that risk interactions and aggregations are key components for establishing an effective risk management system. Students will also learn to create and apply multi-dimensional risk indices to measure and prioritize the firm’s risk exposures. These indices cover a wider range of relevant risk parameters, including the difference between inherent and residual risks and the dispersion in cognitive perception of different risk exposures within the firm. Finally, the last learning outcome focuses on strategies to triangulate the firm’s risk profile and risk prioritization results to construct mitigation strategies that build resilience and create value through risk diversification, information signaling, the identification of natural hedges, and creating board governing efficiency.

Beyond its educational focus, the case study also contributes to the existing literature by advancing powerful statistical approaches for analyzing the dynamics of qualitatively based questionnaire data. While the relatively small sample size of the risk owners and the focus on a nonprofit firm may have been a limitation of the case study, the proposed methodologies introduced in this study are fully generalizable and scalable to any for-profit or publicly traded firms. In fact, the nonprofit nature of the case-study firm introduces no methodological or conceptual constraints or limitations in applying our proposed framework to the risk management decisions of other types of firms.

8. Case Requirements

Assume you are a member of the consulting firm and that you are familiar with the plan of action for the ERM process (Table 3) and have had access to the information discussed in Table 7 and Table 8. You are asked to prepare a report that addresses the following issues.

• Using the average coded responses to selected questions in each of the five risk areas in Table 7, provide a 500-word summary of the firm’s risk profile.
• Complete the risk matrix in

  Table A1. Risk Matrix.

  Risk Category	Average Expected Impact	Opinion Convergence (Expected Impact)	Opinion Convergence (Control)
  Strategic Risk
  Innovation Risk
  Information and Security Risk
  Geopolitical Risk
  Financial Risk
  Regulatory and Legal Risk
  Operational Risk
  Credit and Product Risk
  Human Resources Risk
  Reputation Risk

  , below, by using the input measures from Table 8: average of likelihood, impact on annual revenue growth, and level of control, along with variance of the expected impact and average control.
• Based on the results in Table 8 and Table A1 above:
  • rank the ten risk categories by (i) their expected impact, (ii) by an equally weighted index of expected impact and average control, and (iii) by an equally weighted index of three indices: expected impact, opinion convergence on expected impact, and opinion convergence on control.
  • create an equally weighted consolidated ranking of the above three rankings and re-rank the ten risk categories.
• Develop a risk map of all ten risks identified for the firm.
• Using the input in Table 1, the questionnaire results, and quantitative risk metrics in Table 7 and Table 8, along with the discussion on key sources and drivers of risk in Section 6, propose mitigation strategies for the top six risks selected by the board.