About four years ago, Paychex, the world's leading provider of outsourced payroll services to companies, realized it was vulnerable to significant operational risk. In the Paychex world, where more than 561,000 U.S. companies rely on the vendor to manage payroll and related employee benefits transactions and records, operating risk is when the payroll process and supporting services experience interruptions in the intended cycle. Since its operations were contingent on human beings entering appropriate payroll and tax information, the possibility of failed transactions was high.
Moreover, as this data was transmitted from one to another of Paychex' two dozen product systems, such as direct deposit, 401(k) record keeping and Taxpay tax processing services, additional operational risks were introduced. Individuals working in these product areas corrected the original incomplete and/or improper data, creating disjointed reams of information. The consequences for Paychex ranged from miffed clients potentially taking their business elsewhere to expensive tax penalties levied by authorities.
Unfortunately, no specific entity within Paychex was charged with identifying and mitigating the operating risk, with the various personnel responsible for addressing failures splintered across hundreds of departments and branches in the various product areas. The solution was clear--a single centralized department responsible for operational risk mitigation. It took Paychex three years to complete the phasing in of the new entity. "We now have a consistent approach to our operating risk and truly understand the key drivers in this regard," says John M. Morphy, Paychex senior vice president, CFO and secretary.
Prior to implementing the centralized ERM strategy, Paychex was beleaguered by both client and tax agency penalties and out-of-balance accounts, as the various product and process silos independently pursued resolution of human errors. When an underpayment to a tax agency was made, for instance, it typically resulted in a costly penalty. These extra expenses were then passed back to Paychex, siphoning profit from its bottom line.
To create a centralized ERM department to identify, measure, mitigate and report on operational risk, Paychex hired Frank Fiorille as the company's first ERM director. Fiorille had cut his teeth in the same capacity at PNC Corp. in Pittsburgh and had previously worked in Citibank's risk management department for 12 years. But Paychex lacked a risk management discipline. "The company grew rapidly and was wildly successful, but the culture was focused on revenue," explains Fiorille, who oversees a team with members who work for his shared services department as well as one of the various product groups.
The ERM strategy gave rise to the development of a penalty abatement center to document and track penalties--where they originated, who created them and whether they were systemic in nature or the result of human error. Interfaces were developed so field offices could submit respective penalty data, as well as monitor enterprise-wide data. A peer review process called P4 (for Paychex Peer Process Program) was created under ERM to provide independent evaluation of business risk processes and the policies, practices and reporting in place to manage them. "A team of objective 'guest reviewers' assesses the adequacy of controls and corrective actions, and reports its recommendations to senior management," Fiorille says.
The ERM strategy has paid off with the company successfully avoiding both penalties, with historical abatement figures northward of 95%, and overpayments. "Each division within the company can focus its efforts and talents in the appropriate vein," Fiorille explains, "while the risk-focused functions are fully maintained by ERM."