Pragmatic adaptation of the ISO 31000:2009 enterprise risk management framework in a high-tech organization using Six Sigma

Date: 05 October 2015
DOI: https://doi.org/10.1108/IJAIM-12-2014-0079
Pages: 364-382
Published date: 05 October 2015
Authors: Bennie Seck-Yong Choo, Jenson Chong-Leng Goh
Subject Matter: Accounting & Finance, Accounting/accountancy, Accounting methods/systems

Bennie Seck-Yong Choo
Cummins Inc., Singapore, Singapore, and
Jenson Chong-Leng Goh
School of Business, SIM University, Singapore, Singapore
Abstract
Purpose – This case study aims to present a viable solution to how organizations can adapt and customize the ISO 31000:2009 enterprise risk management framework to suit their needs and requirements.
Design/methodology/approach – The approach used for this case study is the Six Sigma DMAIC (Define, Measure, Analyze, Improve and Control phases) methodology.
Findings – The key finding is the importance of stakeholders' feedback, which is taken into consideration during the design of the new customized enterprise risk management framework, integrated with all supporting processes, tools and resources.
Originality/value – The ISO 31000:2009 enterprise risk management framework dictates that it is not one-size-fits-all. Rather, organizations who wish to adapt this framework need to customize it accordingly, but there is no indication of how organizations can do so. This case study presents a viable solution to this challenge.
Keywords Six Sigma, DMAIC, Risk management, ISO 31000:2009 enterprise risk management framework
Paper type Case study
1. Introduction
In recent times, the inadequate enterprise risk management (ERM) practices of Toyota (Shecterle, 2010) and General Motors (Slezak, 2014) resulted in several high-profile recalls of their vehicles. These events demonstrate the importance of, and the challenges in, developing and maintaining effective ERM practices in an organization. In today's global business environment, an organization constantly faces heightened volatility from globalization, deregulation and increased competition. This volatility has increased an organization's exposure to risks. A failure to proactively identify, assess, mitigate, report and monitor these risks may result in significant damage to an organization's reputation and revenues (Gorzen-Mitka, 2013; Hogan and Lodhia, 2011).
Received 15 December 2014
Revised 27 March 2015
Accepted 30 March 2015
International Journal of Accounting & Information Management, Vol. 23 No. 4, 2015, pp. 364-382, © Emerald Group Publishing Limited, ISSN 1834-7649. The current issue and full text archive of this journal is available on Emerald Insight at: www.emeraldinsight.com/1834-7649.htm

The traditional approach that many organizations take to risk management is a reactive one and does not take into consideration the dynamics of change in their business environment (Gorzen-Mitka, 2013). It often emphasizes detecting and mitigating risks rather than preventing their occurrence. The risks of many organizations, especially multi-national corporations, are also managed in silos, where an individual business unit focuses on its own risks while the risks that cut across the entire organization are largely left unattended. Therefore, there is a growing need for an organization to take on ERM effectively to hold risks in check and protect itself from the volatility of its environment (Gorzen-Mitka, 2013).
The ISO 31000:2009 ERM framework was developed by a group of international technical experts to address the lack of frameworks and principles in the area of ERM. The framework provides a conceptual approach to developing comprehensive ERM practices in an organization (Gjerdrum and Salen, 2010). Practitioners were expected to "adapt and not adopt" the ISO 31000:2009 ERM framework according to their organizations' risk management needs (Frigo and Anderson, 2014). However, both practitioners and researchers have criticized the ISO 31000:2009 ERM framework as overly abstract and confusing in many of its ERM terms and definitions (Gorzen-Mitka, 2013; Leitch, 2010). The industry's drive toward ERM is also "viewed as a still developing process" (Frigo and Anderson, 2014). This makes adaptation of the ISO 31000:2009 ERM framework a challenge for most organizations.
In this case study, we attempt to present a possible solution to this challenge. We will demonstrate how the Six Sigma DMAIC (Define, Measure, Analyze, Improve and Control) approach was used to help a business unit of a large high-tech organization adapt the ISO 31000:2009 ERM framework successfully. We believe our paper answers the call by practitioners and researchers for more insight into ways to enact effective ERM practices in an organization (Frigo and Anderson, 2014; Knight, 2010). We also believe that our approach, while it will require some contextualization, can serve readily as a guide for practitioners when adapting the ISO 31000:2009 ERM framework in their organizations. We think this is a significant contribution to both the researcher's and the practitioner's world.
2. Case background
The case organization that we selected is a Fortune 500 company headquartered in the USA. The organization was founded in 1919; it pioneered the development of diesel engines and promoted diesel fuel as a reliable source of power. The organization has a global presence in more than 190 countries and territories. As at the end of 2013, the organization had around 48,000 employees at its various worldwide entities and an annual revenue of around US$17 billion. Today, the organization is a recognized market leader in the diesel engine industry. It develops, designs, manufactures and services engines and related technologies on six continents.
Due to the large cultural changes that are required in an organization during an ERM initiative, the literature recommends first starting an ERM initiative within a business unit before proliferating it to the rest of the organization (Frigo and Anderson, 2014). Therefore, one of the business units within this organization was selected to apply our Six Sigma DMAIC approach to ERM.
The selected business unit is the distribution arm of the organization. The business unit drives a comprehensive global distribution strategy and channel management through more than 120 global distributors, as shown in Figure 1. Through this extensive distribution network, well-trained personnel sell and