Two years ago, Microsoft Corp. reviewed its risk management across its global operations and found it wanting. While it was deemed effective across key geographies and businesses, the Redmond, Wash.-based software pioneer determined there were opportunities for improvements and efficiencies to be gained. The method of reaping these rewards was an Enterprise Risk Management (ERM) system.
Although a latecomer to ERM, Microsoft already "has increased its visibility to enterprise-wide risk and strengthened accountability for managing risk within the business," says Brad Jewett, director of the company's new Office of ERM. Jewett's position, and the entire centralized ERM function, was developed by Internal Audit, which in turn was directed by the Board of Directors' Audit Committee to pursue and implement best practices in risk management. The committee's formal charter requires it to review the company's policies for risk assessment and risk management, and the steps management has taken to control risks.
Alain Peracca, corporate vice president of Internal Audit, formed the new Office of ERM and recruited Jewett to lead it. While Peracca built organizational support for the new entity, Jewett established the core operating principles for success. A key consideration was that ERM would be an enterprise-wide framework and program in which risks are identified, assessed, prioritized and, if necessary, mitigated, monitored and controlled. "There is significant business and technological risk inherent in the software industry," Jewett says. "Our mission is to help the board, the senior leadership team and management accomplish the company's core strategies by facilitating a programmatic and global approach to ERM, and establishing broad accountability for the most critical risks facing the company."
The Office of ERM has been vital to controlling risk at Microsoft. In the first year of operations, Jewett and his team identified, quantified and ranked 128 "micro-risks," as he calls them. Year two pinpointed another 161 micro-risks. These potential financial exposures were consolidated into broader macro risk definitions (18 in year one and 20 in year two), and action plans were developed for the macro risks deemed most critical. Tangible benefits were immediately apparent. For example, the action plan for a macro risk scenario involving the security and protection of "High Business Impact Data" culminated in a 600 percent return on investment.
With a nod to the protracted economic calamity and the timing of the new ERM strategy, Jewett says, "The current economic conditions increase the need for diligence and review of those areas (at Microsoft) that might be affected."