Companies shape enterprise risk management to fit their culture
Most business leaders would agree that enterprise risk management (ERM) is an integral part of good management. But there’s less agreement on how to put it into practice.
The financial crisis, increasing globalisation and the proliferation of social media have heightened corporate and regulatory attention to ERM in the past three years. And along the way, corporate ERM approaches developed into somewhat customised efforts to assess, monitor or plan for risks that could get in the way of business goals.
“[ERM] is not cookie cutter,” said Tom Belt, vice president of Internal Audit at Advance Auto Parts, a Roanoke, Virginia-based retailer. “ERM has to be very adapted to the culture of your company.”
COSO’s 2004 “Enterprise Risk Management – Integrated Framework” describes ERM as helping “an entity get to where it wants to go and avoid pitfalls and surprises along the way”.
The Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, is a joint initiative of five accounting, auditing or financial management organisations that provide thought leadership and guidance on ERM, internal control and fraud deterrence.
Some companies have full-time enterprise risk officers who report directly to the CFO. Others have internal auditors whose responsibilities include ERM. In some companies, the board of directors sets aside one meeting per year to talk about ERM, while boards of other companies get ERM updates as part of other reports.
ERM experiences of multinational beverage maker Coca-Cola, which posted about $46 billion in annual revenue in 2011; Lockheed Martin, a defence contractor and aerospace research and development company with operations in more than 60 countries and about $46 billion in annual revenue; and Advance Auto Parts, a US retailer of automotive aftermarket parts with about $6 billion in annual revenue, highlight some of these differences. The following case studies are a compilation of presentations made at a March 16 summit organised by North Carolina State University’s ERM Initiative and interviews with the presenters.
The lessons learned and shared by these large companies can be adapted to fit the needs and budgets of smaller companies.
Coca-Cola’s “2020 Vision”
By 2020, Coca-Cola wants to double its business to about 3.5 billion servings sold per day, “a big, big goal,” said Phil Maxwell (right), the company’s director for ERM. Understanding and addressing the risks that could affect the ability to deliver on the goal is part of Coca-Cola’s strategy to fulfill what it calls the “2020 Vision”.
That led to a revamp of its ERM strategy about two years ago.
The company has had an ERM programme in place since 2003. Initially, it resembled the COSO framework. Following an evaluation of the programme by a consulting firm hired in 2006, Coca-Cola started to make changes to position ERM more strategically, said Maxwell, who joined the company as ERM director in 2010. One significant change was the amount of effort devoted to ERM. Where his predecessor spent about half of his time on risk management, Maxwell is one of two employees dedicated full-time to ERM.
The ERM programme moved from legal to finance, to better align the programme with business planning. Also, the programme was expanded in scope beyond the corporate suites in Atlanta in order to more effectively engage the business.
Coca-Cola’s Bottling Investments Group (BIG), one of six company groups comprised of company-owned bottling operations, was the first to sign on to the new ERM approach.
Starting last summer, Maxwell, his ERM colleague and a finance leader from BIG formed a deployment team that visited 14 of the group’s locations in 13 countries. Each visit lasted about a week and consisted of four phases. When he or his colleagues arrived each had in hand results of a risk survey with 300 questions that the senior leadership of the operation answered ahead of time. In on-site interviews, the deployment team calibrated the risks identified in the survey and helped boil the number down so that leadership could reach consensus on no more than 15 risks. Then, they helped senior leadership develop plans to proactively treat the top risks.
Each BIG location is responsible for managing and monitoring its top risks. Throughout the year, each location reports on how the risk-management plans are doing to BIG headquarters, which shares the information with Maxwell. Both advise the executive team, which then informs the board. Risks are discussed regularly at board meetings throughout the year and, once a year, the board meets to talk exclusively about ERM.
Over the next three to five years, Maxwell said he hopes to expand the revamped ERM programme across the entire company.
When leading an ERM programme, it is important to understand this question: “How well are we doing now, and where do we want to be?” he said.
Steeling Lockheed Martin’s defences
Lockheed Martin has a reputation for cutting-edge research and engineering. Lockheed Martin’s Advanced Development Programs, called Skunk Works, developed the F-117 Nighthawk, a stealth attack aircraft that the US Air Force retired in 2008, and its Aeronautics business is now working on the F-35 Lightning II, the first fifth-generation multirole fighter plane in the world. Lockheed Martin is also the largest IT provider to the US government, providing information systems to agencies from the Internal Revenue Service to the US Census Bureau.
“Our customers often go into harm’s way, so we better give them a product that works,” said Scott Williams (right), Lockheed’s director of ERM.
Williams reports to Lockheed Martin’s corporate audit executive. The executive leadership and the board of directors use risk information from this process in annual strategic planning.
A driving force behind the company’s ERM programme is David Burritt, former CFO of Caterpillar, who became an outside, independent Lockheed Martin director in 2008 and is now the chairman of the board’s audit committee. In 2009, he helped formalise a risk-management programme of controls, reviews and compliance that Lockheed Martin had in place. As a result, a three-member ERM team was established, and the full-time position of ERM director was created.
Today, Lockheed Martin has an ERM toolbox at its disposal that includes interviewing executives, monitoring news trends, hunting for black swans (highly improbable events) and checking whether assumptions made are still valid. Twice a year, business leaders are surveyed to gain a sense of the current risk environment and receive a written report of the survey results.
The survey results reflect the risks that are high on Lockheed Martin’s watch list, Williams said. Typical watch areas include the global economy, global security, political changes, federal budgets and changes in acquisition policy.
Persistent threats like cybersecurity and natural disasters also rank high among Lockheed Martin’s risks, as does the need to constantly attract, develop and retain a highly skilled workforce. And there is the everyday challenge of keeping up with the speed of change.
One top-ranked risk inspired Williams to use the phrase “neon swan” for a blazingly obvious risk, for which nobody is planning. A potential neon swan for a defence contractor such as Lockheed could be sequestration – an automatic, across-the-board US federal budget cut that would take about $400 billion out of the US Defense Department budget over the next 10 years.
The Advance Auto Parts way
Advance Auto Parts doesn’t have the international reach of large multinationals such as Coca-Cola and Lockheed Martin, and the retailer’s ERM programme isn’t as far along. Advance Auto Parts has two team members with part-time ERM responsibilities. Tom Belt (right), vice president of Internal Audit, who champions the company’s ERM programme, is one of them. He also oversees internal audit, the whistleblower hotline and corporate aviation.
In the past two years, Belt has begun to educate leaders of Advance Auto Parts’ retail districts on ERM principles. During his internal audit visits, which take about one day per store, he talks to the district leader and one store manager. He asks them about their objectives and risks that could get in the way of the objectives.
About every two years, the risk universe is refreshed during discussions with company leaders. The risk universe is always kept current for emerging risks.
Belt met Coca-Cola’s Maxwell in 2008, and Maxwell related the Coca-Cola programme, which included some features that were not in place at Advanced Auto Parts, Belt said. Since then, he has continued to tweak the Advance Auto Parts programme, based on key lessons obtained from conferences and seminars, by reading about ERM and by meeting other ERM practitioners.
Currently, the ERM process keys on mitigation programmes that address strategies that have already been developed. In the future, Belt would like to see ERM principles used in the beginning of the strategy-setting process.
—Sabine Vollmer (svollmer@aicpa.org) is a CGMA Magazine senior editor.
Ratings agencies take a close look at risk-management oversight
Companies customise enterprise risk management to fit their culture, so how do credit rating agencies such as Standard &; Poor’s separate the wheat from the chaff when they evaluate a company’s ERM programme?
“What we’re really looking for is the quality of oversight of risk management as evidenced by the actions of management and the board,” said Laurence Hazell, S&;P’s director of Governance, Corporate &; Government Ratings, in March at North Carolina State University’s ERM Roundtable Summit in Atlanta, where he, for the first time, publicly discussed S&;P’s proposed scoring factors in four key categories. The four categories are strategic positioning, risk management/financial management, organisational effectiveness and governance.
Take for example a pharmaceutical company that encounters problems with delivering a time-sensitive medicine for use in hospitals. The medicine reaches the operating room after its potency has diminished. The company loses lucrative business after costly research and development and has to invest further in fixing this problem. Earnings decline and the medical professionals’ confidence is lost.
The failure to anticipate such a problem and have adequate delivery practices and processes in place to deal with it is a red flag, Hazell said, especially if industry peers are notably better at managing that kind of risk.
Credit ratings are a forward-looking opinion on creditworthiness. How ably management responds to an event like that, if it occurs, is an important ratings consideration.
Evidence of responsiveness grounded in a good risk-management programme, which may well have detected this problem at the outset, will be key factors in forming S&;P’s opinion on the quality and effectiveness of managers and boards across the ratings spectrum going forward, Hazell said.
The credit rating reflects S&;P’s overall scoring of management and governance as either strong, satisfactory, fair or weak. The first three categories are scored as either positive, neutral or negative. Because governance does not constitute credit enhancement under the S&;P criteria, it has either a neutral or negative score applied to the governance subfactors. In the risk-management category, capabilities that aren’t fully developed earn management a neutral score. The existence of a basic set of risk tolerances that is moderately conservative and operational performance standards that are achievable and similar to industry norms also receives a neutral score.
Neutral scores in risk management are the minimum requirement for a company to be considered strong or satisfactory in S&;P’s proposed scoring of management and governance.