When the Securities and Exchange Commission added risk oversight to the responsibilities of corporate boards, Paychex assembled a novel enterprise risk management strategy that involves a review of business risks by what the payroll services provider calls "guest reviewers."
Since 2005, more than 300 analysts, supervisors and managers at the company have participated in the Paychex Peer Process Program, or P4. The 45 risk reviews that have been conducted have resulted in more than 1,200 recommendations on how to mitigate and manage diverse business, operational, financial and other risks. Seventy percent of the suggestions have been put in place or are presently being implemented.
This atypical approach is similar to processes in the medical and accounting industries, where peers from different disciplines assess each other's work and projects.
"A peer review process in the business world is unique," says Frank Fiorille, director of enterprise risk management at Rochester, N.Y.-based Paychex. "You don't often see people in the trenches of their day-to-day jobs auditing the risks in another business unit, department or management function. But we've found it to be an inexpensive and very effective process."
Not that the strategy didn't raise eyebrows at first. Fiorille acknowledges that the company's senior management was initially skeptical, concerned that the approach would send a message to units and departments that their head count and other expenses were being audited, which wasn't the case.
"Senior managers admittedly were unsure how it could work--how a rag-tag team of folks not versed in risk discipline could provide value," Fiorille explains. "As a result, expectations were very low. No specific benchmarks were set, and the sky was the limit."
The P4 risk reviewers perform an independent evaluation of the business risk processes within a particular segment of the company, assessing the adequacy of current policies, practices and reporting methodologies. Each team includes employees from across the organization. To date, most reviewers have come from risk management and IT, although others were drawn from field operations, HR, finance, product management, sales and elsewhere.
"We try to put about seven or eight people who would represent a good cross-section of the company on the multifunctional teams, dependent on the particular area that is being reviewed," says Erika McBride, Paychex's risk review manager.
The team conducts a five-day onsite review. Each reviewer is assigned specific topics to evaluate. He or she conducts research, collects relevant documents, observes processes, and then interviews employees with insight on the assigned topics. The reviewer documents his or her findings, describing and quantifying the realized or potential impact of the risks uncovered, and makes specific, actionable recommendations to mitigate the risks, in discussion with managers engaged in the area under review.
The entire team then aggregates their findings, assigns a score to the comprehensive topics under analysis, and publishes their conclusions in a report Paychex calls the "Gold Book." The report alerts senior management to significant risk issues that have been identified and the measures designed to address them. The status of these recommendations is then evaluated each quarter in a meeting with senior management.
Since its first tentative steps, the P4 process has become embedded into Paychex's risk management culture. The 45 reviews to date have fostered significant top-line enhancements, leading to $8.4 million in revenue gains, although the initial investment for the program was only about $100,000.
Senior management is no longer dubious about P4's value. Says Fiorille: "There is now immense appreciation for it."