Two years ago, Microsoft Corp. reviewed its risk management across its global operations and found it wanting. While it was deemed effective across key geographies and businesses, the Redmond, Wash.-based software pioneer determined there were opportunities for improvements and efficiencies to be gained. The method of reaping these rewards was an Enterprise Risk Management (ERM) system.
Although a latecomer to ERM, Microsoft already "has increased its visibility to enterprise-wide risk and strengthened accountability for managing risk within the business," says Brad Jewett, director of the company's new Office of ERM. Jewett's position, and the entire centralized ERM function, was developed by Internal Audit, which in turn was directed by the Board of Directors' Audit Committee to pursue and implement best practices in risk management. The committee's formal charter requires it to review the company's policies for risk assessment and risk management, and the steps management has taken to control risks.