By Bryan Richardson
Harley-Davidson’s award-winning ERM program grew from a rigorous risk-management focus.
Exactly 100 years after Harley-Davidson (H-D) was founded in 1903, the company established an internal audit department and hired Rob Gould to lead the effort. This was at a time when Sarbanes-Oxley (SOX) compliance was rolling out to corporate America and every public company in the country was deploying armies of consultants and employees to document “key controls.” However, one of Rob’s early assignments in his new role was to also audit risk management.
In 2009, when the financial crisis was having an impact on the company, the company and its board decided to implement a rigorous risk-management focus. The company put Mr. Gould in charge to begin developing the enterprise risk management (ERM) program, and by February 2010 the company was providing ERM reporting to the board of directors.
Harley-Davidson does approximately $6 billion in annual revenue, selling about 265,000 bikes through 1,435 independent dealers in 95 countries. That is a lot to get one’s arms around but Mr. Gould has a model that allows his small staff to incorporate the ERM program into the IA department. The ERM function at H-D falls under the responsibilities of IA, versus a dedicated function; and IA updated its charter to reflect the new ERM responsibilities.
The guiding theme for the IA-ERM role is that IA facilitates the process while the business units (BUs) and functions are responsible for understanding and managing their risks. Unlike many other ERM programs, IA does not conduct surveys. It simply provides risk templates to the BUs with a due date.
The ERM program is well-documented and structured
H-D defines enterprise risk as follows: Any significant event or circumstance which could impact the achievement of the business objectives, including strategic, operational, financial, and compliance risks. Aside from the ambiguity that inherently resides in ERM, there is nothing ambiguous about the ERM program at H-D, including executive support, expectations and process. The program’s foundation was laid in 2010, including a process for Black Swan risks, with continued enhancements every year since.
The program includes 16 different risk categories and, like many ERM programs, compartmentalizes risks into four quadrants based on severity and likelihood. Requirements for management and mitigation vary by quadrant, but all risks that are thought to be threats to the business plan are reviewed quarterly. Reporting includes a dashboard that highlights the risk, risk owner, last assessment date, risk to the plan, strategic impact, and views on future impact.
Risk over Time
The ERM program breaks risks into three time horizons. The three-year horizon focuses on risks that represent a threat to the annual operating plan. The three-year horizon focuses on those risks that are not an imminent threat but have the potential to be significant and therefore warrant monitoring. The final horizon of 10 years takes a long-term and broad view of the possible risks that could be catastrophic, also known as Black Swan risks. But by definition, Black Swan risks deviate from normalcy and are extremely difficult to predict. Mr. Gould summarizes Black Swan risks as “not a disaster but primarily things you cause yourself because you are not looking.” The company doesn’t try to focus on things they can’t control.
There is a strong “tone-at-the-top” endorsement of the program that gives support to the risk management policies and communicated responsibilities. While this is certainly helpful, Mr. Gould is fortunate that there is an overall receptivity to the program and its value throughout the organization. The latest enhancement to the program is establishing and maturing the role of “Risk Liaison” within the business units. People in this role will be well-versed in the ERM processes and expectations and are the interface between IA and the BU. This role is expected to create a stronger linkage between strategy and risk. According to Mr. Gould, “this role has taken on a life of its own outside of the biannual process. There is conversation going on throughout the year.”
The CFO is an ERM Fan
And speaking of “tone-at-the-top,” John Olin, Harley-Davidson’s CFO, was the company controller when the ERM program began and viewed it as being about “turning risk into opportunity.” The company embraced the program because at the time the company and the entire global economy were in a severe downturn. According to Mr. Olin, ERM discussions were happening pre-crisis but the crisis accelerated them.
Mr. Olin believes it was important to keep the program very simple and not over-engineer it in order to get maximum engagement. The company already had a robust project management process; for instance, Capex requests had to include a risk summary.
The Black Swan portion, which intimidates most people, was actually the best part, according to Mr. Olin. The approach was to consider what makes H-D great: (1) their dealer network—what if an alternate distribution model emerges with bikes? (2) air-cooled engines—what if that is regulated away? The goal was to consider how H-D could lose its competitive advantage without seeing it coming.
As so many ERM leaders say, “It’s all about the conversations.” “The program is about the process of getting to the outcome and the outcome goes to the board,” Mr. Olin noted.
Risk-Scenario Workshops for BCP
Among The NeuGroup’s Corporate ERM Group, almost no one uses risk-scenario workshops as a tool for identifying new risks. This is primarily due to the difficulty in coordinating schedules for all of the required participants and the risk that the exercise might not prove fruitful enough to justify the time commitment. But, not being easily intimidated by a challenge, the H-D ERM team decided that this tool, which they refer to as “tabletops,” was especially appropriate for a major company-wide project that is common to many large organizations: an SAP rollout. H-D developed the tabletop exercises out of concern over disruption associated with the SAP rollout and with ongoing operations following it. H-D wisely considered how it should respond if a specific cut-over failed or what its protocol should be if SAP failed once it was up and running, i.e., nailing down its business continuity plan (BCP). H-D identified eight key business risks, such as the inability to build bikes, send shipments, receive payments, etc., and also identified how many areas of the company would be impacted by each of the eight risks.
The result was 78 scenarios for which they developed a BCP. To get to the 78 BCPs, three tabletops were formed to cover the eight risk areas. Their assignment was as follows:
- Remind participants of purpose of contingency planning and tabletops
- Review the planned cutover/outage timeline
- Discuss corporate and project communication plans
- Review key points in contingency plans
- Follow the “tabletop script” document
Activity deliverable: actions to be taken, owner and due date
This exercise proved so successful that they are now looking to utilize the approach for a refresh of their review of Black Swan risks.
Key Success Factors
Mr. Gould and Mr. Olin highlight a few key success factors:
- Strong audit committee support
- CFO sponsor and advocate for ERM
- Repeatable deliverables for risk maps, mitigation plans, situation analysis
- Keep the process simple to get maximum engagement and acceptance
And the success of their program has garnered some public acknowledgment. In 2013, the H-D ERM program received the RIMS (Risk and Insurance Management Society) ERM Award of Distinction.
Harley-Davidson has taken a near-textbook approach to implementing its ERM program, starting with the CFO taking executive ownership of the program and setting a tone at the top. Moving full bore into it by quickly establishing processes, tools, expectations and accountability communicated that this was serious and here to stay. Staying committed to the program through the hard parts of development and the early years of execution eventually bore fruit with an award-winning program. The H-D approach to ERM is one to use as a model.