February 11, 2020
David Fox

On August 19, 2019, the Business Roundtable (BRT) announced a new Statement on the Purpose of the Corporation that noticeably expands the focus of today’s corporation well beyond merely serving shareholders.

NC State University’s ERM Initiative Advisory Board, composed of ERM leaders from major corporations, recently contemplated BRT’s Statement on the Purpose of a Corporation with the aim of sharing ideas for balancing the interests of all stakeholders in the pursuit of value.

Financial Management Magazine

"Daring to Adapt a Brand"

December 1, 2015

To successfully tap consumer markets around the world, companies may have to risk changing their brands. Enterprise risk management offers tools to help deal with the challenge.

Financial Management Magazine

"The 5 Biggest Global Business Risks"

January 28, 2015

Financial and economic crises are no longer the world’s biggest threats. In 2015, geopolitical tensions and societal instability dominate the World Economic Forum’s list of top global risks.

Multinational companies especially are likely to factor the shift in the global risk landscape into their forecasts, annual operational objectives, and strategic plans, said Jim Traut, CPA, CGMA, an enterprise risk management consultant and president of Traut Consulting.

As former head of enterprise risk management at a Fortune 100 company, Traut regularly distilled the WEF’s annual list of top global risks into a briefing for the multinational’s board of directors. Boiling down the 2015 list in a similar way, Traut zeroed in on how he sees the changes affecting business.

Journal of Accountancy

"Saving Face in the Facebook Age"

October 1, 2013

Businesses are focusing more on reputational risk today than in the past. But many companies do not vigorously monitor social media and lack processes to calculate the financial impact of not managing reputational risk.

Seventy-six percent of the 1,300-plus CGMA designation holders who took part in a recent survey said businesses in their industry are putting more focus on reputational risk than in the past. Market demands for transparency, reputational failures at other businesses, and the rise of social media were the top reasons cited for the increased global focus on reputational risk.

CGMA holders and their companies appear to be keenly aware of the effects a damaged reputation can have on their companies:

  • Twenty-two percent said their organization had experienced a reputational failure.

  • Forty-four percent said they or their organizations had rejected a project that made financial sense because the reputational risks were too great.

  • Nearly two-thirds (65%) said the financial implications of reputational risk are considered always or often in their organization.

Financial Management Magazine  

"What’s the Risk? Survey Shows Increased Focus on Reputation"

August 1, 2013

A substantial majority of businesses are focusing more on reputational risk today than in the past.

But many companies do not vigorously monitor social media and lack processes to calculate the financial impact of not managing reputational risk, a new CGMA survey shows.

Seventy-six per cent of CGMA designation holders who took part in the global survey said businesses in their industry are putting more focus on reputational risk than in the past. Market demands for transparency, reputational failures at other businesses or leading companies, and the rise of social media were the top reasons cited for the increased global focus on reputational risk.

Enterprise reputation and risk expert Jim Traut, CPA, CGMA, said companies with strong brands that have direct relationships with consumers have been leaders in protecting their reputations. But Traut, the former vice president of enterprise reputation and risk management and ethics and compliance at global food company H.J. Heinz Co., said companies without direct customer contact and even small businesses and sole proprietors need to focus on reputational risk.

“Think about the great restaurant that you keep going back to, year after year,” Traut said. “Why do you go back? Because they’re managing their reputation. Every day, every meal, they’re managing their reputation.”

Brand reputation is built through all of an enterprise’s relationships, Traut said. Survey respondents ranked relationships with customers as most important, followed by relationships with employees, regulators and investors.

Ernst & Young and Tapestry Networks

InSights for North American Audit Committee Members

"The audit committee journey continues to a higher-functioning committee"

January 2011

Over the past decade, audit committees have expanded their oversight from a review of the financial statements to also overseeing a broad array of accounting, compliance, risk and reporting matters. Board members and external stakeholders view the audit committee as the undisputed workhorse of the board.


Yet, audit chairs worry whether their committees are truly effective. With continued pressures from regulators and investors to do more, and given the upcoming challenges of overseeing major forthcoming changes to US GAAP, many feel they need to find new ways to boost their effectiveness. Unfortunately, the annual review of performance, which typically involves checking the year’s activities against the committee charter, offers little guidance. Does a good performance review really mean nothing can be improved? Few audit chairs believe they have exhausted the opportunity to add more value to their committee and to perform their duties more ably.


In that context, Tapestry Networks investigated what leading audit committees are doing to enhance their effectiveness. Tapestry Networks spoke with approximately 60 audit chairs of Fortune 500 companies and with a diverse range of 24 subject-matter professionals, including investors, analysts, legal counsel, internal and external audit executives, controllers, academic experts, standards setters and more. The result is the current issue of InSights, which also draws on research by Tapestry Networks on evolving practices in large-bank governance and risk management. (For a full list of the subject-matter professionals who participated, see the appendix, on page 16.)

Treasury & Risk

"The 100 Most Influential People in Finance"

June 2010

Tough times can be a proving ground, and the common thread that runs through this year’s list is the extraordinary effort made by many of these finance executives, regulators and elected officials to get businesses or the broader economy back on track in the wake of the financial crisis. Whether the recovery is already under way, is sustainable, or will falter in some parts of the world is still uncertain. But without a doubt, the financial crisis revealed just how close the world’s economic ties are and that there’s no going back on going global. Guts, gumption and a global mind-set are the three main themes of Treasury & Risk’s 100 Most Influential People in Finance, even as regulation and risk management loom large ahead.

NC State Poole College of Management Enterprise Risk Management Initiative
"ERM Roundtable Summit - Panel Discussions on ERM: Lessons Learned & ERM: Directions for the Future"

March 12, 2010

On March 12, 2010, the NC State University ERM Initiative hosted a half-day ERM Roundtable Summit in Charlotte, NC that involved a series of two 90-minute panel discussions. Our first panel focused on “ERM: Lessons Learned,” while the second panel focused on “ERM: Directions for the Future.” Both panels consisted of real-world ERM experts who are heavily involved in leading ERM efforts within their organizations or who are providing significant ERM leadership at a national level through organizations such as COSO, Standard & Poor’s, and Grant Thornton. Both panels engaged in lively discussions about real-world experiences and lessons learned from their leadership of the ERM implementation process at their companies. Read summaries of each panel’s discussion below.

Ernst & Young and Tapestry Networks

Southeast Audit Committee Network VantagePoint

"Leading risk management practices"

February 1, 2010

On January 11, 2010, members of the Southeast Audit Committee Network (SEACN) convened in Atlanta for their 15th meeting. Network members, who sit on the boards of more than 25 large-, mid-, and small-cap companies between them, discussed leading risk management practices. Members were joined by Jim Traut, director of enterprise reputation and risk management at H. J. Heinz Company. Over dinner, members were also joined by Michael Smith, a partner at King & Spalding, to discuss director liability as it relates to risk management. This document summarizes the key points raised during the meeting, along with some additional perspectives that members shared before and after the meeting.

Executive Summary

Members agreed that understanding and benchmarking specific risk management techniques across a broad range of companies and situations would help directors fulfill their risk oversight responsibilities. Members shared examples of effective practices in a spirit of appreciative inquiry. The discussion covered five broad areas:


Designing an effective enterprise risk management (ERM) process

Meeting participants distinguished two primary approaches to the design of risk management processes. The first is a bottom-up approach, whereby risk management is embedded in the operations of the company. The second is a top-down approach, whereby risk management is initiated by executive management and the board through the strategic planning process. The strengths of the one are the weaknesses of the other: the bottom-up approach does not always fully integrate risk management with strategy, while the top-down approach often struggles to operationalize ERM in the company. Members differed on what constitutes an appropriate role for the internal audit function, with some questioning whether their internal auditors can overcome their reputation as policemen and others saying that internal audit plays an invaluable role as the key driver of the process.


Identifying and prioritizing key risks

Members agreed that an effective risk management program should identify and assess a comprehensive list of all significant risks. Ways of identifying them include building on the risks listed in the 10-K, brainstorming risks during the annual strategy off-site meeting, holding risk workshops, and conducting scenario planning. Members reported that more often than not, risk identification is “much more qualitative than quantitative.”

Mitigation and reporting

Meeting participants agreed that identifying risks is much easier than mitigating them. Members repeatedly emphasized that the most effective mitigation tactic is to ingrain risk management in the day-to-day functioning of the business. Beyond the standard heat chart and probability matrix, members expressed discontent with the fact that it often feels like they are being “reported to death.” Members pointed out that the audit committee can play a role in making sure these reports are more helpful.


Ensuring effective oversight of risk management

While all members agree that the ultimate responsibility for risk management oversight lies with the full board, a handful of members stated that they are still struggling to engage the full board. Regardless of the level of full board engagement, members acknowledge that detailed risk management oversight work is done in committees. From there, members described four different approaches to handling risk at the committee level: the audit committee drives the process and monitors risk; the audit committee monitors financial risks and allocates responsibility for other risks to the other committees; a stand-alone committee is formed to take on the primary risk related to the company’s business (such as a technology and quality committee spearheading the effort at a medical devices company); or a separate, stand-alone risk committee may be established to oversee risk. The last option was not a popular choice for non-financial businesses.


Evolution of risk management

Meeting participants concluded their discussion by reflecting on the future of enterprise risk management. Members pointed out that risks do not occur sequentially and raised questions about the challenges of handling multiple, simultaneous risks. Members also highlighted the need for board directors to keep up with the risks and opportunities created by the rapid pace of change in technology.

NC State Poole College of Management Enterprise Risk Management Initiative

"Enterprise Reputation and Risk Management at H.J. Heinz"

October 3, 2008

Jim Traut, Director of Enterprise Risk Management at H. J. Heinz Company, spoke at the October 3, 2008 ERM Roundtable about the company’s approach to overseeing entity-wide risks with the ultimate goal of protecting the Heinz reputation and shareholder value. The Heinz approach to enterprise risk management (ERM) is positioned to be value-adding by focusing its ERM efforts on supporting the long-term sustainability of the organization. This focus is evident in the company’s published mission statement and values, which focus on results that balance both short-term and long-term value-drivers. The ERM program at Heinz is formally known as “Enterprise Reputation and Risk Management” (or ER²M). Heinz’s ER²M helps enable the company to meet two primary reputation-related goals: to further support doing the common thing uncommonly well and to help Heinz become the most trusted packaged food company.

Strategic Focus of Risk Oversight

Risk at Heinz is defined as “anything that can prevent the company from achieving its objectives.” In formalizing an ERM process, Heinz identified risks and events the company experienced or may experience and divided those risks into two main areas: operational risk areas and non-operational risk areas. Operational risk areas include product quality, environmental & sustainability, employee health & safety, facility and product security, business continuity and asset conservation. Non-operational risk areas include strategic and market, corporate governance and ethics, financial, legal, information services and human resources.

Towers Perrin

"Untangling Operational Risk: Creating Order from Chaos"

May 2008

The complexity of operational risk can be intimidating, but burying corporate heads in the sand is never the right response. Operational risk management involves preventing, controlling and managing risk, none of which is possible without support from the top down.


Precisely because operational risk can seem impossibly tangled and chaotic, companies often misdirect their attention toward smaller risks that are easier to grasp — just when they need to be taking on strategic, big-picture risk assessment. When faced with such an enormous challenge, how can companies sort out and address their operational risks?



Risk management is a process of measurement, prioritization, action, integration and, ultimately, building ERM into the culture of your company. One reassuring recommendation — from companies, like H.J. Heinz, that have gone through this cultural transformation themselves — is to begin building an operational risk program by narrowing your company’s focus to areas that will be key to your success:

  • culture

  • governance

  • collection of risk data

  • unraveling and analyzing the data

  • determining the risk information and communicating its importance.

Ernst & Young and Tapestry Networks

InSights for Audit Committee Members

"The CRO's Perspective"

June 30, 2006

Enterprise risk management is increasingly commanding the attention of both directors and management. Certain sectors, such as financial services and utilities, have historically formalized risk management practices because of their specific regulatory compliance requirements. Now, public companies across all sectors are increasingly formalizing their approach to risk management. To oversee these activities, some companies are instituting a chief risk officer (CRO) role to coordinate enterprise-wide risk management processes. Throughout InSights, we use the term CRO to refer to this role rather than to a position with this title.


This issue of InSights has been developed to help audit committee chairs gain a deeper understanding of:

  • The evolution of the CRO role

  • Methods and frameworks for enterprise-wide risk management

  • The governance of risk management

Reach out if you would like to explore how RISK TRANSPARENCY principles and practices can be leveraged in our fast-moving and highly disruptive world.

April 3, 2021
Jim Traut

While a number of organizations have embraced the concept of enterprise risk management (ERM) over the past couple of decades, the discipline of ERM is still relatively new. Many organizations are realizing tremendous strategic value from their ERM efforts, and they continue to innovate their risk oversight processes over time. Unfortunately, other organizations have experienced “fits and starts” to their ERM processes, often struggling to gain the traction needed for ERM to be helpful in business decision making.

In this video interview, Mark Beasley, KPMG Professor and Director of the ERM Initiative, interviews Jim Traut, founder of Risk Transparency, Inc., about his views of how organizations can elevate the strategic value of their ERM processes. Building on his prior experiences of leading the ERM efforts at H.J. Heinz and Clemson University, Jim offers insight about practical next steps business leaders can consider to elevate the strategic value of their risk governance.