BY MARY PETER

Risk impacts a companys profits, people, and strategic objectives.

And, how risk is viewed and managed is constantly changing,

particularly in challenging business climates like construction.

HOW DOES YOUR COMPANY VIEW RISK:

AS A COST OF DOING BUSINESS OR AS A

COMPETITIVE ADVANTAGE?

Risk Management Evolution

Adverse risk is common in construction injuries, property loss, cost of materials, security, natural disasters, etc. Often the focus is on tangible assets and those that can be insured, with most efforts focused on
loss prevention and compliance.
The evolution of risk management has moved to look at a universe of risks and how they are connected,
both internally (operationally driven) and externally (regulatory and market driven). This concept, known
as enterprise risk management (ERM), takes a proactive, forward-looking view of how risk can impact
your companys strategic objectives, both positively and negatively. ERM has been defined by RIMS, the
risk management society as:
a strategic business discipline that supports the achievement of an organizations objectives by
addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.1
Exhibit 1: Evolution of ERM illustrates how familiar construction risks (i.e., insurable financial risks) now
include more broad categories such as operational, strategic, and reputational risk.
From this vantage point, risk management has become an important strategic tool that allows your company to be more nimble in response to the changing risk environment.
By providing key risk data that supports strategic planning, ERM illuminates opportunities to focus on
your companys key strengths.

September/October 2015 CFMA Building Profits 23

How Do You Implement ERM?

must come from the top down, with management facilitating

discussions to identify, assess, evaluate, and monitor significant
A value-added ERM process is a proactive approach to risk
risks to the company and its strategic objectives. A collaboramanagement, where your companys culture and strategy
tive, open, and cooperative risk culture must exist for innovacome together to drive innovation and performance and protive action
to be designed and implemented successfully.
Exhibit 1: Construction
Riskplans
Universe
vide a competitive advantage. ERM moves risk management
A company that is aware of its risk universe is more adaptable and responsive.
into a new strategic direction so that efforts are focused on the
And, the fiduciary responsibility of advisory committees or
most important risks and opportunities your company faces. MARKET
external board members can lend strong support to ERM.
Their support,
guidance, and inputExternal
can be very valuable if
New Competition
Product Demand
Capital Availability
External
Many contractors are practicing ERM
withConsolidations
various levels
Industry
Socio-Political
Energy/Fuel Costs
used appropriately.
Bad Real
Estate Loans
Commodity
Price Material Costs
of maturity. As shown in Exhibit 2, ERM
implementation
is
Pricing Pressures
Project Financing
Assign an ERM Leader
a six-step process, with ongoing communication pulling it
together. These steps are similar to how a successful conSelecting
an internal ERM leader is one of the most imporFINANCIAL
GOVERNANCE
REGULATORY
HAZARDS & THIRDstruction job is planned a repeatable process
that encourLiquidity/Credit
Governance
tant
roles
to
establish and keep ERM
effective, and susPARTYalive,
ACTIONS
Anti-Trust
Accounting/Tax
Legal
ages learning Communications
and improvement throughout
the
journey.

Natural
Events/Catastrophes
tainable.
This
individual
must
be
able
to
communicate
about
Budgeting/Planning
Code of Conduct
Security
Terrorism
Capital Structure
(Ethics
i.e., Bid Rigging,
ERM
to
leadership,
management,
third
parties,
and
everyone
Trade Customs
War
Bank
& Surety Support
Tax Issues)
Step 1: Establish
a Strategic ERM F
oundation
Labor Practices
Piracy/Counterfeiting
working on the jobsite and in the
office.
Cost of Capital
Pension
Fraud
Just as a strong
solid foundation is essential for any construc Product Safety
Lawsuits
Internal
This person
is typically in a managerial
tion project, its
crucial
that
the first step toOPERATIONS
ERM starts with
Health
& Safety
(OSHA)
Reputation or higher level posiSTRATEGIC
Procurement
Injuries/Accidents
Change Management
Strategy
& Initiatives
tion
with access
to the strategic
objectives, and is knowlyour companys
culture. The following important
aspects are
Government Support &
Value Chain
Mergers & Acquisitions
edgeable
about
how
policies,
procedures,
and controls
often overlooked.
Funding
Sales & Marketing
Investor Relations
Environment
Recruiting/Retention
Stakeholders
work
within
the
company.
Common
ERM
leaders
have job
Tax
Product
Bid Process
Obtain Support
functions
in
risk
management,
but
are
not
solely
focused
IT
Contract
Compliance
Solid governance enables an ERM initiative
to become
part of
on safety. Consider appointing the COO or an operational
your companys way of doing business. Support of this effort
manager to lead the charge and someone else to manage and

Exhibit 1:

HAZARD RISK MANAGEMENT

Insurable financial risks

ENTERPRISE RISK MANAGEMENT

Operational, strategic, financial,
reputational, and insurable risks

Focus on preservation of
TANGIBLE ASSETS

Recognition of the value of

TANGIBLE AND INTANGIBLE
ASSETS

SILO APPROACH
Each department/function
manages its risks independently

HOLISTIC APPROACH
Coordinated at the highest level
within the organization

Risk Management =
SEPARATE FUNCTION

Risk management is a corporate-wide

DAILY CONCERN AND IS
EMBEDDED IN THE OPERATIONS

RISKS ARE THREATS

Focused on avoidance of
negative events

Risks can be THREATS AND

OPPORTUNITIES

INTEGRATED RISK MANAGEMENT

24 CFMA Building Profits September/October 2015

TODAY

HISTORICAL VIEW

EVOLUTION OF ERM
Exhibit 2: Evolution of ERM

coordinate the day-to-day ERM efforts. Without support and

commitment at the executive level, ERM is difficult to launch,
implement, and engage.
Leveraging third-party relationships can provide excellent
resources. However, even though a facilitator or ERM consultant can provide guidance on an ERM program, you must
own it this is your enterprise!

Educate Employees
All employees, especially executives and those on the ERM
project team, must be educated on why ERM is being implemented, how it will improve operations, and what is in it for
them. Be sure to stress that this is a cross-functional project,
and they will not be penalized for openly discussing risk to the
company.
Develop a Common Risk Language

Exhibit 2:

Exhibit 3: The ERM Process

THE ERM PROCESS
STEP 1:
Establish
the ERM
Foundation

STEP 2:
Identify
Risks

STEP 3:
Assess
Risks

STEP 4:
Evaluate
Risks

STEP 5:
Execute Risk
Response
Plan

STEP 6:
Monitor
ERM

ONGOING COMMUNICATION
The ERM leader should maintain enterprise level information
in one place. This information can be designed in Excel in
order to customize the ERM processes and should include:

Detailed descriptions of risk,

The category of risk,
Policies and controls that manage or mitigate
the risk, and

How the risk relates to the companys risk

appetite and strategic plans.
Other information to consider includes:

The effectiveness of the controls,

Action plans to improve the mitigation of the
companys key risks to the company, and/or

How an opportunity can result from establishing

a better response to a particular risk.
The ERM leader should control who has access to this matrix
since the nature and amount of risk and strategy that it contains should be confidential. A risk administrator position
may also be established to streamline the data input and
reporting tasks as the ERM program matures.
Software programs are also available to organize and manage
this information; however, gather this information in Excel
first to determine the level of sophistication needed.

Risk is typically viewed as a threat, and risk

management is seen as managing claims
and loss control. When developing an ERM
program, your company must agree on
what risk, controls, risk management, and
ERM mean so there is a clear and common
language.

Determine Risk Appetite & Tolerance

Leadership, owners, and the board must clearly set and communicate how much risk the company is willing to accept
in the pursuit of successfully achieving its strategic objectives (risk appetite) as well as the absolute limit of risk the
company expects to take (risk tolerance). The appetite can
equate to dollar amounts, IT or customer service downtime,
and/or reputation guidelines.
Customize Your Risk Universe
As shown in Exhibit 3: Construction Risk Universe on page 26,
both external and internal risks are defined and segmented into
seven categories: Regulatory, Market, Hazards & Third-Party
Actions, Operations, Financial, Governance, and Strategic. This
top-down view outlines interrelated risk categories and may
impact your companys strategy as a whole.
Several of these risks are common and ever present, and
some are new or emerging and may be considered game
changers in the construction industry. Key risks facing the
construction industry today include:

Skilled workforce availability

Fast-paced technology changes
Economic changes
Subcontractor liability
Bid rigging
September/October 2015 CFMA Building Profits 25

The construction risk universe chart should be customized to

reflect your companys own risk universe and is a great tool to
facilitate discussions on how risk is viewed by people in different positions and functions. Sometimes its easier to identify
risks outside of ones own department, and many leaders also
find that it helps to identify risks as opportunities.
While these parameters are likely used in current decisionmaking, they are not usually defined in a statement or metrics
without an ERM process in place. Setting these parameters
will allow the ERM team to evaluate a risk they believe is
significant, but may not be as material to the overall company.
Communication through cross-functional teams, with top
managements support, creates the most value throughout
the process.
Step 2: Identify Enterprise Risks
Strategic Objectives

that Impact

Your

Do you have a niche market, location, supply chain, or

a diversity of skilled workers? Where is the competitive
advantage in your risk management efforts that accelerates
achieving your strategic objectives? Are your complex risks
increasing?

Answering these questions will help your company tackle

the complexity and value of effective risk management.
Using your customized construction risk universe, determine
the enterprise risks that your company faces. What are the
biggest concerns? Where are the most opportunities? Open
conversation in a facilitated ERM team meeting can help identify and streamline the most concerning enterprise risks. Think
about the events that cause risk or issues that competitors may
have experienced that you want to avoid in your company.
As one example, consider the skilled labor shortage. If your
skilled labor is not currently fulfilled or is prohibiting your
company from maximizing its performance, then its a risk
to your company. To turn this risk into an opportunity, you
could implement a relationship with a trade school for education of special skills and on-the-job training efforts to learn
about the benefits of working in construction. This proactive
element may bring new workers to your company before
they consider joining your competitors.
Highlighting skilled labor shortage opportunities can lead to
discussions on succession planning, retaining top employees,

Exhibit 3

CONSTRUCTION RISK Exhibit

UNIVERSE
1: Construction Risk Universe

A COMPANY THAT IS AWARE

OF ITSthat
RISK
UNIVERSE
ISuniverse
MORE isADAPTABLE
ANDandRESPONSIVE.
A company
is aware
of its risk
more adaptable
responsive.

External

REGULATORY
Anti-Trust
Communications
Security
Trade Customs
Labor Practices
Pension
Product Safety
Health & Safety (OSHA)
Procurement
Government Support &
Funding
Environment
Tax

MARKET
New Competition
Product Demand
Industry Consolidations Socio-Political
Bad Real Estate Loans
Commodity Price
Pricing Pressures

FINANCIAL

Liquidity/Credit
Accounting/Tax
Budgeting/Planning
Capital Structure
Bank & Surety Support
Cost of Capital

OPERATIONS

Change Management
Value Chain
Sales & Marketing
Recruiting/Retention
Product
IT
Contract Compliance

Capital Availability
Energy/Fuel Costs
Material Costs
Project Financing

GOVERNANCE

Governance
Legal
Code of Conduct
(Ethics i.e., Bid Rigging,
Tax Issues)

Internal

STRATEGIC

Strategy & Initiatives

Mergers & Acquisitions
Investor Relations
Stakeholders
Bid Process

26 CFMA Building Profits September/October 2015

Exhibit 2: Evolution of ERM

External

HAZARDS & THIRDPARTY ACTIONS

Natural Events/Catastrophes
Terrorism
War
Piracy/Counterfeiting
Fraud
Lawsuits
Reputation
Injuries/Accidents

and identifying future leaders early to further develop progressive strategic risk management methods. With a proactive, forward-looking view, the solution for what seemed like
a risk can turn into a competitive advantage.

from the enterprise risk appetite perspective; impact of the risk

(financial loss, down time, people, or price volatility) appears
on the vertical axis and the probability of the risk (rarely,
potentially, possibly, expected) occurs on the horizontal axis.

Step 3: Assess Enterprise Risks

The risks in the upper right (i.e., high impact, high probability) are most concerning and need quick attention, while
risks in the upper left (i.e., high impact, low probability;
referred to as black swans) should be closely monitored and
may require immediate attention if the risk moves fast and
increases in nature.

With your companys risk appetite as a guide, assess risks

for impact and probability to the overall company. Using the
companys budget, determine the amount of loss that the
company can sustain or the reputation risk it can handle
before it impacts the companys ability to gain new, profitable work; it is a view from the top. However, many find it
difficult to look at the material risks from an enterprise-wide
perspective.
Plotting the risks on a heat map provides a visual of where
these enterprise risks fall. In the Construction ERM Heat Map
(page 28), both the impact and probability of a risk is displayed

Consider an example: What would happen if a natural disaster

occurred where your company has the highest concentration of ongoing projects? While the situation is unlikely, the
impact to your business could be extremely high in terms of
lost workdays, materials, and completion dates. This could
also create a reputation risk if your company was perceived as

INDUSTRY LEADING CONSTRUCTION SOFTWARE

THAT INTEGRATES WITH YOUR ACCOUNTING SYSTEM.

Estimating

Dispatching

Safety

Equipment
Maintenance

Fuel Tracking

Used by 40,000 construction professionals

World-class 24/7 instant customer support
Construction-friendly desktop & mobile apps
Proven processes for implementation
Low riskSoftware comes with a 12-month money back guarantee!

www.HCSS.com

GPS

Job Costing

Mobile
Apps

Innovative

Software

for the Construction Industry

800-683-3196

September/October 2015 CFMA Building Profits 27

unresponsive. As climate or concentration of projects change,

this risk may move to a more likely possibility, and greater
focus on the risk response plan would become more urgent.
Conversations about resource allocation should occur at this
point in the ERM process. Would the cost for implementing
more safety measures or oversight toward a significant risk
be less than one that represents a low-impact risk make
sense based on your companys strategy? Which risks are
you most comfortable taking on to gain more reward? Which
risks are you very comfortable handling (perhaps better than
your competitor) that can open up new revenue streams?
For example, as illustrated in the heat map below, your company may be too focused on the low-impact, low probability
risks such as property loss or material costs, when it may
actually need to focus more on the high-impact, high probability IT security or subcontractor risks.
Your risk management options and concerns may become
clearer and aha moment(s) may occur. Everyone may not
be singing Kumbaya together, but at least the ERM team
may gain a better understanding of your companys enterprise strategic risks and opportunities.

Step 4: Evaluate Enterprise Risks

This is where the information created and gathered in the
first three steps comes together. When evaluating risks,
determine:
1) Direction: How are they trending
increasing, decreasing, or holding
steady?
2) Velocity: How fast are they moving
slow, moderate, or fast?
3) Effect on Strategy: How is your ERM
strategy impacted directly, indirectly,
or not at all?
Once you have discussed and determined these factors,
rank your companys top or key risks and strategic objectives. This has been referred to as a Top 10 list, but should
include no more than 25.
Using the strategic plan to prioritize enterprise risks, in
addition to the impact and probability, will provide an
increased understanding of your risk exposure.
Heres a sample of what might be included:
1) Underbidding; ineffective bid
process

Exhibit 4:

Exhibit 4: Construction ERM Heat Map

CONSTRUCTION
ERM HEAT MAP
6

2) Expansion plans
3) Subcontractors ability to
perform quality work

BLACK SWANS
SWIM HERE

IT SECURITY

4) Skilled labor shortage

REGULATORY

IMPACT

4
SUBCONTRACTORS

PROPERTY LOSS
BID PROCESS

6) Proper customer credit

review

SURETY SUPPORT
HR LABOR ISSUES

5) Breach of company
or customer data

7) Third-party vendor contract

and insurance gaps

MATERIAL COSTS

8) Economic market fluctuation

(e.g., interest rates, available
capital)

PROBABILITY
28 CFMA Building Profits September/October 2015

9) Technology demands
10) HR documentation
enforcement

Step 5: Create Enterprise & Strategic Risk

Response Plans
Once the top risks are prioritized, risk response plans can be
determined. A proactive strategic response identifies potential key risks and enables your company to respond when a
risk event occurs.
Equally important is to know your company is effectively
managing or controlling risks, and that resources are focused
on its most concerning and significant ones. For example,
will you plan to:

Avoid a risk in the future by eliminating the use of certain

materials?

Mitigate a risk by purchasing new equipment to streamline a routine function on the jobsite?

Prevent a risk by implementing more stringent subcontractor prequalification policies and procedures?
Create an action plan and obtain additional support for those
key risks that impact ERM strategy the most. Set a deadline
and assign risk owners to create accountability and dedication
from the leadership to improving strategic risk management.
Once standard operating procedures (SOPs) are determined
around the risks to be managed, turn those SOPs into the
way you do business. For example, if there are a number of
items each of your PMs should employ on every job, set up
your accounting or project management processes (including through software) to require completion of those items
before they can move on to the next step.
The real value of ERM comes from implementing successful
response plans to change how risk is viewed, identified, and
handled. Each employee has a role once the ERM concept
is implemented; it becomes part of your companys strategic
and competitive edge.
Step 6: Monitor Risks & Response Plans
Establish a communication plan that provides consistent
reporting on the risks, risk assessments, risk response plans,
and the impact to strategic objectives to establish continuous
ERM communication. Hold regular meetings to add new or
emerging risks, and assess risks and your strategic objectives
as they change.

An effective way to accomplish this is to assess your companys overall ERM risks and response plans annually, conduct monthly ERM team meetings, provide update reports
monthly, and conduct new risk assessments quarterly. To
truly bring about change, provide incentives for those who
achieve improved results or implement the most important
ERM improvements; consider making compliance with ERM
strategies part of compensation decisions.

Benefits of Strategic Enterprise Risk

Management
Knowledge of the most important, concerning risks and the
corresponding risk response plans allow all employees to
improve the workplace culture and strengthen their commitment to strategic objectives.
Many companies have a clearer view of their risks and opportunities as a result of implementing ERM. They realize that
developing a link between risk and strategy leads to improved
performance on all levels. Remember, ERM is an ongoing
process that is continually flexed to address the complexity of
risks and maximize your companys opportunities. n
Endnote
1. www.rims.org/ERM/Pages/WhatisERM.aspx.

MARY PETER is the Director of Enterprise Risk Management

at Eide Bailly LLP in Minneapolis, MN, where she consults, designs, and implements ERM programs to identify,
assess, respond to, and monitor both risks and opportunities. She develops ERM methodologies, training materials,
and deliverables to respond to regulatory requirements
and strategic objectives of her clients.
She has more than 25 years experience in the risk management and insurance industries, including 10 years in
corporate risk management and seven years in ERM consulting. She is a member of the U.S. Technical Advisory
Committee for ISO 31000 Risk Management Standard;
the founder of an ERM roundtable in the Minneapolis/
St. Paul area; and a frequent presenter on ERM and
other risk management topics at national, state, and local
industry conferences.
Phone: 612-253-6662
E-Mail: mpeter@eidebailly.com
Website: www.eidebailly.com
September/October 2015 CFMA Building Profits 29