By Bryan Richardson
At IBM, enterprise risk management begins at the top and goes to the performance appraisal as well.
Despite a good decade of hype, enterprise risk management (ERM) is perhaps one of the newest disciplines inside of corporate America. In fact, it is so new that most non-financial companies have no program, much less an effective one. And those that do have a program continue to labor at getting their arms around what it should look like, how it should work and how to educate the broader company on the concept.
However, a small number of companies have fully embraced the ERM discipline and successfully worked to incorporate it into the cultural DNA of the organization. IBM is one of those companies.
Having begun its focus on ERM only three and a half years ago, at the end of 2006, IBM has since grown its program from a simple idea into a high-level team of three, led by a VP of ERM, that ensures ERM accountability throughout the company.
IBM began its initiative by researching ERM at other companies, defining its approach and establishing the initial ERM staff. In 2007 the company went further by establishing an ERM Steering Committee which supported the development of risk assessment methods that were tested in a pilot. In that same year, the company also created its first enterprise-level risk map, which was developed through interviews with senior executives throughout the company.
The company continued to build the ERM infrastructure through 2009 with a focus on driving the concepts into the operations of the business.
From the top and personal
2009 was a defining year for the Risk Management program. It saw several key developments:
- New ERM Positions. To help drive the commitment to risk management, IBM created two new positions: Chief Financial Risk Officer (CFRO) and Vice President of Financial Risk Assessment (VPRA). The CFRO is responsible for the ERM program, the oversight of enterprise financial risks (pension, tax, credit and treasury) through the Financial Risk Management Board reviews, and acts as an advisor and resource to the business units and senior management on ERM risk practices and strategies. The CFRO reports to the CFO.
For a company outside of the financial industry, IBM has developed a unique ERM structure.
The VPRA, who reports to the CFRO, “is responsible for shaping the financial risk strategies and practices for IBM and leading the implementation of tools and methodologies for assessing financial risk,” according to Natalia Ruderman, VP of Risk Assessment for IBM, who presented the IBM story on Risk Management to The NeuGroup’s Corporate ERM Group in May. Ms. Ruderman acknowledged that outside of the financial industry this is an unusual structure: “I did a lot of research of other companies with established risk management programs and didn’t find one with this type of structure. This structure is important in IBM where the organization is multi-layered and complex. It was important to retain accountability for risks at the business unit level,” she said.
- Performance Objectives Enhanced. Also in 2009, IBM communicated its commitment to risk management across the company by including risk management as a component of annual PBCs (IBM terminology for performance appraisals known as Personal Business Commitments) for all business unit senior vice presidents.
The PBCs focus on the enterprise-wide risks that could emanate from the particular business and include metrics, mitigation and opportunities around those risks. While this may sound like an ominous move if you are a business unit executive, in actuality the risk culture at IBM is not about risk avoidance or consequences for taking risks, but rather about understanding the risks a business faces, taking appropriate risks and managing them well.
“The point of risk management is not to avoid risk,” according to IBM’s Chief Financial Risk Officer Jesse Greene. “The market rewards companies that understand and manage well the risks associated with their pursuit of growth opportunities.”
Indeed, two other companies at the May meeting of The NeuGroup Corporate ERM Group, a global energy firm and a global manufacturing firm, cited movement toward adding ERM as a component of executive performance appraisals.
ERM Integration
Risk management is an integral part of IBM’s risk and controls framework, as evidenced by its management oversight. Ms. Ruderman described three key components of management oversight:
- Corporate Compliance: led by the Chief Trust & Compliance Officer and the CFRO.
- Multiple Oversight Steering Committees: including senior vice president forum, operational risk management, financial risk management board, and the ERM steering committee.
- Independent reviews, investigations and audits by internal and external auditors.
But just what is enterprise risk?
IBM defines enterprise risks as “significant risks that may impact competitive position, reputation or long-term enterprise value within an 18 month period.”
Category examples include:
- Emerging markets and political stability
- Government policies and regulations
- Competitive landscape
- Acquisition realization of expected benefits
- Financial and economic environment.
Financial risks may be different. Much as companies centralize foreign exchange or interest-rate risk within treasury and take ownership away from (or share it with) the businesses, additional risks that are principally financial in nature, or where risk mitigation is conducted via financial instruments or other financial market mechanisms, arguably should follow suit.
These financial risks, not owned entirely by the businesses, both call for a “chief risk officer” and do not violate the first ERM principle that business risks should not have owners outside the business. The financial risk owners can offer advice and counsel on non-financial risks, in order to better mitigate them, but they should not own the risks.
The risk school
Many companies have developed training and education modules to bring managers and executives up to speed on how to identify, assess, manage and mitigate risks. But IBM is taking training one step further to connect with future risk managers by working with universities that have MBA programs focused on risk management. “The teams working on this are very excited about it,” according to Ms. Ruderman.
Within IBM the Risk Management team targets different groups to train on risk management concepts. Ms. Ruderman cited an example of 60 people being trained on pricing. As a result of the Risk Management team’s influence, the curriculum now includes risk management and how that can help identify enterprise risks associated with the pricing process.
Next steps
While IBM has made significant strides toward rolling out Risk Management into the infrastructure of the overall organization, more effort remains, with several priorities for 2010 beginning with improvements to the risk assessment methodologies and tools. The particular objective is “to create metrics that drive proactive responses rather than reactive ones,” stated Ms. Ruderman.
The company also wants to see risk management more integrated into business strategy and execution, particularly as it relates to emerging risks. Finally, the Risk Management leadership wants to see risk management knowledge become so institutionalized that it is integrated with business performance management.
All this is ambitious, but achievable in IBM’s view. It also underscores how non-financial companies can move forward fast with ERM programs that few others can top.
Drawing the Risk Lines
One of the challenges for any organization grappling with ERM is determining what authority and accountability should exist for different types of risks and different locations of risk.
The conventional thinking is that all risk accountability should be held by the risk owner. The role of the ERM team is simply to educate those owners on how to identify and manage those risks and to develop and deploy tools that optimally enable those activities. But what authority should the ERM team have over risks they deem are not being dealt with adequately?
An example was posed by one of the members of The Corporate ERM Group to Ms. Ruderman. “If Human Resources is having a serious talent retention problem in another country, can they approach the CFRO for consultation?” the member asked. “Yes, but the general manager and HR team of that country ultimately owns that problem,” Ms. Ruderman answered.
“Should the CFRO flag the problem if no one else does?” the member asked. Ms. Ruderman replied: “If it is an enterprise risk, the CFRO has the authority to request the risk owner to review the risk at an ERM steering committee meeting or to even recommend to the CFO that the risk be presented to the audit committee or in some cases the full board. But if it’s not deemed an enterprise risk, the CFRO will not call it out.”