As the top risk manager at Reynolds American, Susan Wilson has had plenty of risks to be concerned about. Starting in 2004, there was the integration of the second and third largest U.S. tobacco companies, R.J. Reynolds and Brown & Williamson Tobacco, to form Reynolds American. Litigation with the states and individual plaintiffs continues. Last year, Congress gave the U.S. Food and Drug Administration new regulatory authority over tobacco products. And imploding credit markets and a severe recession have socked nearly all of corporate America.
It was the merger, however, that prepped Reynolds American to deal with later events. Wilson, who had just been promoted to general auditor at R.J. Reynolds, was tasked with examining the merged company's integration risk, an analysis that took her into every nook and cranny of its business units.
"It was the first time we took a very holistic view--put everything in one place--to view what the primary integration risks were," says Wilson, who joined R.J. Reynolds in 1988 as a financial analyst and previously ran her own financial planning firm.
Under Wilson, the general audit has evolved from a historical and controls-based function to one that includes risk management, ensuring FDA compliance, and compliance services, an internal consulting arm. In 2005, Wilson headed the effort to extend risk management not only within each operating company but across the enterprise and into each of its business processes, from marketing to operations. "I wanted to evolve internal audit to have a more value-add and forward-looking focus," she says.
That paid off after Lehman Brothers' collapse in September 2008, when credit all but froze. Reynolds American, with more than $8.4 billion in sales last year, was already calling customers and vendors on a weekly basis to assess its credit risk exposure, and mitigate it when necessary.
"One of our risk metrics is surprise-risk events, and we didn't have any," Wilson says.
Reynolds American has defined three levels of risk, starting with five broad risk categories in the following priority: business strategy; marketing and business; financial performance; operations; and compliance, financial reporting and fraud. The next level comprises 35 types of risk, such as a catastrophic event or fire, that fall under the category of operations risk. A third level defines 60 even more detailed risks.
That's the "top down" risk universe that comes with a pre-established set of risk management tools. The "risk owners" who head up the functions in each of the subsidiaries--the head of operations at American Snuff Co., for example--also define risks specific to the functions they oversee.
Wilson calls support from the CEO and board of directors essential to creating an effective risk management program. She recommends sustaining a holistic program by avoiding too much detail and complexity. Risk management should also be integrated operationally into the company's business processes, and not just an occasional check-the-box exercise. Another challenge is to focus not just on internal risks but external ones, such as potential political and regulatory risks.
For the top risk manager, that means understanding the "personalities" of each business unit and its managers, since they understand best where the risks lie.
Wilson says she left financial planning--where it's imperative to understand clients' life goals and convey the importance of a financial plan to minimize their risks--because she didn't like the sales aspect. That training, however, has been very useful. "You have to understand your company's culture, the clientele in the company you're dealing with," she says. "And you have to be able to sell them the benefits" of risk management.