CHICAGO—Integrating risk identification efforts across various business units is an essential part of the process as organizations devise their enterprise risk management programs and define their strategic goals.

Risk identification is an integral part of ERM, Jennifer McCallister, consulting leader of the internal audit consulting group for Humana Inc. in Louisville, Ky., said during the annual Enterprise Risk Management Conference last week in Chicago.

“We refer to ERM as a process...that we apply when setting our strategy. Whether that's at the organizational level or the business level, it's designed to identify potential risks to meet or exceed those business objectives,” she said during a session at the conference produced by the Marcus Evans Group.

Humana's internal audit group facilitates ERM workshops, starting with a business unit examining its strategic objectives and then identifying risks associated with those objectives, Ms. McCallister said.

Humana also tapped existing risk-related information that had already been developed by its various business units.

“That's key. Don't recreate the wheel. Build on what you've already got in the process,” she said, noting that risk identification included streamlining risks already identified by those various units.

Devising a risk framework or a risk catalog is another component of the risk identification process.

“What we use this for mainly is a thinking document or a brainstorming tool,” which Ms. McCallister said has facilitated Humana's identification of strategic, operational, financial and compliance risks.

“It all gets down to decision-making—making sure the business is using this information to make good decisions. It's not all about reducing risk. It's not all about mitigating the risk. It's about optimizing the risk, and this is a key part of our ERM program,” she said.

For example, Humana decided in 2003 that it would withdraw from certain Medicare markets as reimbursement rates were inadequate to cover costs in those areas. “It wasn't an ideal product line for us,” Ms. McCallister said.

However, better reimbursement benefits from the Medicare Modernization Act opened a potential opportunity for Humana in 2005.

“So we had to make the decision,” she said. “Do we continue with our original plan to exit the market or do we take the opportunity risk to get back into the Medicare line of business knowing that it is a very highly government-regulated business?”

“If we had not taken that opportunity risk, we would not have grown to the company we are today with $38 billion in revenue,” she said.

Ms. McCallister said Humana's ERM program has fostered an awareness of business objectives and relevant risks, increased management visibility into risks and mitigation efforts, enhanced risk management culture and validated top enterprise risks.

Other speakers at the conference stressed that risk identification needs to remain a function of management, leaving the board of directors independent and able to act when situations arise (see related story).

Identifying common risks across various business units can connect an organization's strategy to its ERM program, said Charles Westrin, director of ERM for Phoenix-based Apollo Group Inc., the parent company of the University of Phoenix.

When looking at the ERM and strategy processes, “we realized that there were a lot of common core elements that these processes have,” Mr. Westrin said, noting that ownership of key strategic initiatives and risk areas often overlapped.

The result of that exercise was integrating common strategy and risk processes as well as allocating ownership and resources to address and monitor potential risks, he said.

Under the process, Apollo was able to address numerous regulations targeting the for-profit proprietary university sector.

“ERM and strategy acted as the center of excellence that pulled in the data and did the qualitative and quantitative analytics,” making it possible to present to management operational concerns, the potential impact on students, and the impact to earnings per share, he said.

For in-depth coverage of this topic and related issues, visit our Solution Arc on Identifying and Measuring Enterprise Risks: Taking the First Steps Toward ERM