Enterprise Risk Management 2010 Transcript

From Treasury & Risk's 15th Annual Alexander Hamilton Best Practices Awards

MARIE HOLLEIN: Thank you, Donna. I’m very pleased to be here today. I’m actually one of the judges, too, and as Craig [Jeffery] said earlier, it gets better and better every year. It’s been very impressive to see the booklet this year with all the different proposals and really the best practices. Before we get started, I’d like to make mention that Adam Matteo will be replacing Kathleen Winters from Honeywell today.

Donna [Miskin] mentioned FEI: We have about 15,000 members, and we’ll be celebrating an 80th year anniversary next year. We have a research foundation as well, and I want to share with you something on ERM [from] one of our surveys that we’ve done among our members.

When we originally started looking at ERM, it was kind of sectional in who’s the owner of it, and where does it start? Often times it does start within the internal audit, but they may not be the ultimate owner in a company. And to do this an organization needs to ask itself how strategic risk can be analyzed on a quantitative level, and how operational data could be interpreted in a qualitative way. When companies look at risk, given the credit crisis over the past few years as well as the liquidity crisis -- I’ve kind of named the treasurer as the chief liquidity officer now because they’ve really been forced to look at risk in a different view, now the treasurer has a seat at the table -- you haven’t seen that traditionally, it’s been kind of an automated role.

ERM managers have generally reacted positively to various efforts that have been made to develop frameworks for ERM, in particular, the COSO framework from 2004. However, demands appear to be growing for this framework to be updated. And I could tell you as a side note, FEI is one of the founding member organizations of COSO, and we are currently looking to update that framework. So stay tuned on that. The ISO 31000 also has been well received, albeit largely only as a basic introduction to ERM.

I think it’s very important to have those objectives defined up front to help drive and guide your process. One of the things that’s different, I believe, about our process [is that] we really have what we refer to as an embedded process, so we don’t have a separate risk committee of the board or chief risk officer or director of ERM. Our processes are really a part of our annual operating plan, our five-year strategic plan, our functional plans and processes, our operating goals and targets and metrics, etc. And so what that leaves you with is you still need a way to understand how well you’re addressing risk. Are you doing the right things? Are you looking at the right areas? So we do have an annual process where as I’ve described, we reach into these various other mature processes and pull out the results and information we’re looking for. And so we go through that with our SBGs, our segments, as well as our corporate finance folks.

And then the other area we obviously look to follow is some of the recent developments around ERM -- for example, the proxy rules that are coming into place.

A little bit about RTI. We are a multinational research organization, not-for-profit. We are 51 years old. We have a history in scientific research, technology development and international development. We have five different business units that operate within international development; social and statistical sciences; health solutions, which is our clinical trials data management; discovery and analytic sciences; and energy technology. We are a government contractor primarily, with about 82% of our revenue coming from the U.S. government. And we’re up last year from 3,800 professionals in 40 countries to 4,000 in 48.

Now one of the things we found out about enterprise risk management is it’s an evolving risk management process. And we realized -- especially over the last few years with incidents like [the] Virginia Tech [shootings] and the BP [oil spill] and Haiti’s earthquakes and the volcano [in Iceland] that I will not attempt to pronounce that happened earlier this year -- that there can be a great number of things that happen that you can’t see coming that are actually outside of your scope. So one of the things that we attempted to do over the last year was to try and take a better look at some of those higher-level risks.

Our next step will be to go do tabletop scenarios in which executives will essentially in their own head create a worst-case scenario and hand it over on a specified day. Then we will take and operationalize and do a tabletop scenario to see how we would respond if such an event were to occur.

Now for those of you who might have been here last year, I’m sure you’ll remember this was our dashboard that we were up here for. This is what it looked like. However, because again we believe that enterprise risk management is an evolution, we went through and did a redevelopment to make it a little more user-friendly. This was also based on feedback from our business unit leaders as well as our audit and board. We redeveloped it to make it a little easier to read, although probably not so much on this slide, but it’s a little easier to read. We integrated the top five business unit risks graph that we had developed into a part of the dashboard, and we also added a leadership commentary box, because one feedback that we received was that we were reporting on risk but we needed to allow the leadership to report on their view of the risk as well, to respond to whatever was assigned.

But if you think about it, Paychex is in the business of moving money, right? We move half a trillion dollars every single year, and it’s in activities as sensitive as people’s paychecks and their 401(k), so reputational risk is very profound in the entire organization, and we as ERM need to get our arms around that. Hence the Paychex peer-process program, P4, was born, and it’s borrowed from the medical and the accounting industries’ using cross-functional peers to go to different areas of the business to review them for risk and opportunities of all kinds. We stress that it’s never an audit, we’re never trying to get anybody in trouble, by any means. We’re really here to advocate for the needs of the business by partnering with the business unit at hand.


But the opposite side of risk, as you all know, is reward. So we’re always looking for reward opportunities as well. Since 2005, through a variety of revenue-generating recommendations P4 has issued, we’ve added over $8 million to the top line and, just like that, enterprise risk management can go from becoming a cost center to a value or a profit center.

So overcoming silos, providing insight across the enterprise and delivering results -- that’s the power of peer review. Thank you so much.

Q: My question is also for Erika. You had mentioned, I think, $8 million worth of results for your ERM initiative: How do you go about quantifying that number?

ERIKA MCBRIDE: That $8 million is actually a very easily quantifiable figure, because it’s revenue-generating activities that we’ve identified in possibilities there: So just how many clients are we billing now? Or how much has our investment income improved in that scenario, so it’s top line? I would agree that quantifying the bottom-line impact of risk mitigation measures is much more difficult, and I would certainly be interested in talking to Jennifer about the third dimension that she’s added to her heat map.
