Donna Miskin: I want to take a moment to explain about the Alexander Hamilton Awards judging because we had a lot of questions on it last night and yesterday afternoon. All entries are read by our panel of judges. This can vary from year to year, but this year, the panel of judges included Craig Jeffery, managing director of Strategic Treasurer; Jean-François Heitz, former treasurer and deputy CFO of Microsoft; Mike Gallanis, partner of Treasury Strategies; Marie Hollein, CEO of Financial Executives International, who was one of our moderators yesterday for the Technology Excellence panel; and Ed Liebert, former treasurer of Rohm & Haas and past chairman of the National Association of Corporate Treasurers.
The judges read each of the 70-some entries and then sent in their three top selections in each category. Those were discussed in a two-plus-hour conference call, where a consensus was reached and we came up with the rankings in each category. The competition was intense and very close in some instances. We really want to thank our judges for their time, effort and contributions in making the Alexander Hamilton Awards competition an industry leader in identifying best practices in corporate treasury and finance.
So with that, we move on to the Enterprise Risk Management category. Today we have three great projects: one from RTI International, one of the world’s leading research institutes, with more than 2,600 researchers in more than 40 countries working in a wide range of programs from helping establish local governments in Iraq to assessing literacy among American school children. We have Toyota Financial Services returning again to the podium, and as you know they provide financing and leasing for Toyota and Lexus owners as well as insurance and protection for vehicles. They went through two financial restatements in 2008, and reorganized their risk and oversight group. And then we have Paychex, also returning from last year to this particular category, as is RTI. Paychex took a different twist from viewing enterprise risk management as a form of protection to actually using ERM to generate revenue.
The bronze winner in this category is TFS, and here to accept the award is Amit Shroff, head of planning, market risk and international at Toyota Financial Services. He is currently focused on organizational and business unit planning, target-setting performance and risk management. He has held leadership positions at TFS in corporate finance, treasury, international operations, controllership and technology. Prior to Toyota, he was in Ernst & Young’s financial consulting practice. He holds an undergraduate and graduate degree from the McCombs School of Business at the University of Texas at Austin, and he is a CPA. He was also featured in Treasury & Risk’s top 40 Under 40 list. So Amit, bronze man, congratulations!
Amit Shroff: Good morning. Bronze is from the Italian word “bronzo,” and for the Olympics, they just started the bronze in the 20th century. Who would like to take a guess on when the bronze was instituted at the Olympics? It’s an even number in the 20th century. Come on, take a guess. It’s an even number.
A (unidentified audience member): 1900.
Amit Shroff: Very close. 1904. At the St. Louis, Missouri, Olympics is when they started the bronze. And in 1995, three Cornell social psychologists did a research study on Olympic athletes, and they found that bronze winners were very happy because just to get selected. The unhappiest were the silver winners because they thought they should have gotten the gold. So, I am going to start with the happiness theme.
Enterprise Risk Management 2010 Transcript
Our project wasn’t a project as much as it was an issue for the company. Prior to the financial crisis, the summer of last year, we had two back-to-back financial restatements related to the manual work that was being done in the treasury controllership area. Once you have a re-filing with the SEC, you need to declare material weaknesses in your control structure. And the impact is obvious, indicating an internal as well as external lack of confidence.
I was not in the treasury controllership area before I got involved in this. The day Lehman collapsed, on Monday, September 15, 2008, our CFO asked me to lead this group. Priding myself on my quick thinking skills, I quickly pointed out two or three of my peers who had far more controllership experience. But then I quickly realized that this was a transformation opportunity. It was not about fixing the accounting, it was really about fixing pockets of our organization. So I took the role.
Our objective was fairly straightforward: How do you restore confidence? To start, you have got to restructure the risks that you see today and mitigate those. And then long term, strengthen that framework that would then guide you in the future and truly mitigate the forward risk.
As far as our time line, it was September and we had second-quarter close coming up, then third-quarter close, and then our March 31 year end. We had two principal objectives. One was to have clean filings for the quarter and the year, and the second was to take material weaknesses off our filings as well as any significant deficiencies that we had reported. That’s where the difficult task was, because not only do you have to strengthen the structure, you need to demonstrate that the controls that you put in place are now working so that you don’t have to report a material weakness. You have to show performance in terms of the control. That performance requires time, and that’s where the pressure was.
As far as strategy, we did a comprehensive assessment of the area and learned that there was a shell-shocked accounting organization. There were folks who knew what this meant, and had the competence to be part of the solution. There were folks that knew what it meant, but didn’t have the competence to be part of the solution. And then there were of course folks who didn’t know what it meant, and didn’t have the competence to be part of the solution. There was a mismatch between the treasury practice and the competence and aptitude with the controllership area. And there was a lack of transparency, which for some of us tenured Toyota folks was probably the most disappointing part. And there were pockets in the organization that did not espouse Toyota’s values.
As far as a strong perspective, some of it was imposed on us initially as we were looking at this. We had Price Waterhouse as our external auditors, then what I call the Price Waterhouse Special Forces. When you have a restatement, they bring in their real experts. We had Booth Company, and we had KPMG, which our parent company hired. We had internal audit and our parent company’s external-internal audit. There were about 17 folks looking in. And there were four to six permanent staff doing the work and addressing the issues.
We needed to take a broad focus. From my point of view and the team’s, this was probably the most important realization, that this was not a treasury controllership problem, it was a company problem. It required a cross-organizational response, and it would require some restructuring within the area.
Last but not least was communication; we wanted to inculcate a climate of really open risk communication. We thought that it was necessary in terms of the health of not only that area, but the areas it interacted with. A linkage between accounting and the folks in treasury also was needed so that there is a level of transparency and business ownership of the results that folks in treasury can see of [accounting’s] activities, and have that dialogue.
In terms of execution, I will start with the organization. There is obviously a natural focus on governance. We created a project management framework, and what I mean by that is establishing some sort of vision for “What do you want to do? Where are you? What are the gaps?” And we created a daily mechanism to evaluate what the risks are and what our actions are to mitigate those, and to have that visible to all folks internally as well as externally. Basically, we created what we call a heat map, essentially one document that would govern our path.
As for aligning staff competencies and roles, it really was about how the process needed to be visible and clear again to the participants as well as the people outside, whether it’s internal audit or external audit. And then we established forums, disclosure committees, a 360-degree view of open risk issues, where different participants could come together on a standard rhythm and discuss what the issues were and how to address them.
In terms of the results, we really achieved no material weaknesses as of our March 31 filing. We actually even achieved no significant deficiencies, which are internally reported to the audit committee.
In terms of confidence, this takes time. I think that we have restored confidence to a large degree, but you really have to have performance over multiple reporting periods to get back to the level where confidence should be. In terms of strengthening the ERM infrastructure, I believe we did.
But the most important point is the last one: that there is now, within the pockets of the organization that didn’t exist before, this cultural mind shift with a focus on governance and an understanding of the implications of the lack of governance. This was a cross-organizational effort with folks from risk management, treasury, internal audit, planning, the treasury controllership area and human resources. All sorts of folks were involved in this effort. We were able to move the dial in terms of the cultural mind shift, and that’s what I am actually happiest about because I think that part is sustainable. If those things work out, then that’s the sunrise view. But without the governance, you don’t get that view.
Donna Miskin: And the silver award goes to Paychex. Paychex serves the tax payment needs of more than 500,000 payroll clients. Last year it won the bronze award as well. This year we have Erika McBride, the risk review and reporting manager within the enterprise risk management team at Paychex. Her responsibilities include oversight of the management information system (MIS) reporting function as well as management of the peer review program, which leverages cross-functional objective teams of peers to access risk throughout the company. This initiative has resulted in millions of dollars contributed to the bottom line. Erika joined Paychex in 1997 as an accountant and worked her way up through the ranks in various leadership capacities in financial and risk management roles. Prior to Paychex, Erika was a staff auditor with a regional public accounting firm as well as a member of a regional HMO finance team. She also has an MBA in management from the Rochester Institute of Technology and a BS in accounting from SUNY Geneseo, and she obtained her CPA designation in 2001.
Erika McBride: Thank you so much for having us here today. I can assure you that my fellow panelists are not unhappy silver winners. We are very pleased silver winners. It’s great to be here among so many treasury and risk contemporaries as well as on this distinguished panel. I would like to thank everyone for this opportunity to represent the professionals of Paychex, particularly those who joined us here today: Susan Deasy, our MIS and portfolio manager who pulled together all the metrics and worked very hard on this submission, and Frank Fiorille, the director of enterprise risk management. Without his strategic vision, projects such as these would not be possible.
Paychex is a leading national provider of payroll and human resource outsourcing solutions for the small- to medium-size business market. The company has received numerous accolades over the years for its financial performance—(you can check us out on the Nasdaq)—as well as for its dedication to employees, training and ethics. Enterprise risk management, in particular, has received quite a bit of recognition on the national stage, with magazine appearances, conference presentations and forums such as this. It’s a team that I am very proud to be a part of, and hopefully by the end of this presentation you will all be able to see why.
All right, now it’s time for a very fun conversation! We are talking about money. Everybody here knows about money, so we’re here to talk about how understanding and appreciating the balance between risk and reward can deliver dollars to your company.
For those who don’t know the risk-reward secret, folks may think that the introduction of enterprise risk management (ERM) principles may present a roadblock or hindrance to revenue generation. Paychex, honestly, was no exception.
When these principles were first introduced in 2003, folks got a little bit nervous. It made sense when we said, “Hey, how about we put some controls in place so that we minimize the likelihood of a fraudulent person coming onto our payroll service?” That they understood. But when we said, “Hey, what about clients that are struggling or trying to run a million-dollar bonus payroll? Maybe we should take a second look at those transactions as well,” folks got a little bit nervous about that because it represented a departure from the business-on-a-handshake culture that had enabled Paychex to grow to a $2 billion dollar company with 500,000 clients.
Through tremendous partnerships with our field and sales organizations, we were able to reduce our bad net losses by 60% in the first year alone, just by the introduction of credit and ERM principles. We have been able to keep that number low despite a tumultuous economy and increases in exposure. Our success in this arena allowed us to have the confidence and credibility to go after an even bigger prize: expanding our risk role from merely protecting the bottom line to delivering value by adding to the top line.
By wearing this new pair of glasses with this more expanded focus, all the agents within enterprise risk were empowered to look for revenue opportunities, the first ones being byproducts of typical risk endeavors. The credit risk factors that we put in place that led to our bad debt success also enabled us to keep clients on the service that we would have otherwise kicked off for being, for lack of a better term, too risky. We obtained additional revenue from those clients—millions of dollars in the first year alone. As the organization encompassed expertise well beyond credit risk, additional opportunities began to emerge, in some cases with enterprise risk merely generating the ideas while in other cases being fully responsible for execution and maintenance.
For example, the collections group said, “Hey, we can assess the NSF fees and scale date fees as well on some of our checks.” The dollars that we are collecting for secured funding have lent us additional float revenue. In addition, we had a modeling team develop a target retention model that enabled our operations folks to deliver more targeted retention efforts. Again, more dollars to the top line.
With our peer review team, we were going to different segments of the business looking for risk. Here we found additional revenue opportunities as well. Again, we added millions of dollars to the top line. The operating risk team jumped on board as well, identifying situations where our tax moneys that we hold and then remit on behalf of our clients could be held onto a little longer. Back in those days, when folks were actually earning float, we were able to get a few more dollars on that.
Then we developed a targeted sales model where our telemarketing group could be more productive with the same number of dials. As for our compliance folks, you normally don’t think about compliance as a revenue generator. They provide their real value by keeping your name out of the papers, right? But our compliance group got in the act and said, “Hey, based on some legislative changes, we see opportunities to increase revenue.”
And I want to talk more about those initiatives, like EGTRRA. EGTRRA is not the most recent low-calorie egg substitute. It’s actually the Economic Growth Tax Relief Reconciliation Act of 2001. It was designed to help stimulate the economy after 9/11 by reducing taxes and increasing incentives for saving and education expenses. Our folks on the retirement panel yesterday are certainly very familiar with EGTRRA because it mandated the restatement of all planned documents for 401(k) plans across the country.
Paychex, as a leading 401(k) record keeper, certainly would be very impacted by that. In the past, Paychex would have offered restatements of this type at no cost, but our compliance team raised the flag and said, “Hey, we can probably charge for this as some of our competitors do.”
They pulled together a cross-functional team consisting of the 401(k) operations folks, product management and finance to determine the appropriate fee in a phased-out approach. Lo and behold, our collectibility of that fee was better than we had ever anticipated. We beat the original estimates by 40%. Millions of dollars to the top line at Paychex!
By everyone contributing their ideas and innovation, the ERM revenue portfolio has continued to grow, allowing us to contribute tens of millions of dollars to the top line in fiscal 2009. This quest is not over. Revenue generation ideas are explored throughout the organization every day as ERM is expanding into a revenue channel in its own right. Through these methods, ERM is not only the conscience of the company, but the contributor of the future.
Donna Miskin: Thank you, Erika. At this time I would like to present the gold. It goes to RTI, and Jennifer MacKethan is here to accept the award. Jennifer has more than 15 years of experience in banking and risk management and is currently the senior manager of the enterprise risk management project for RTI International. Prior to joining RTI International, she worked in risk management at Progress Energy and in commercial loan management at Wachovia. She received her MBA in 2002 from North Carolina State University and is very active in her community. Jennifer was also listed in Treasury & Risk’s 40 Under 40 future leaders feature.
Jennifer MacKethan: Good morning, and thank you. I want to tell you what a privilege it is to be up here again. We were up here last year as the gold winner for ERM, and my boss Ward Sax, if you can stand up for one second, and be recognized. He is the leader of our ERM program, and he has also been named as Treasury & Risk’s Top 100 Most Influential People in Finance. Last year when we won, we had a little bit of a scuffle over who would get to keep the trophy, because we have two offices. I made him a deal that if he would let me keep it in my office, I would come back next year and get him one. I kept my bargain.
I want to tell you a little bit about RTI. We are an independent nonprofit research organization. Our mission is improving the human condition. We have roughly 3,800 individuals in over 40 countries. So you can imagine that we have quite a bit of risk that we look at. Some of the working groups, or business units, that we have in international development are clinical data trials, or clinical trials data management, and social and statistical sciences. Interestingly enough, listening to the keynote speech from Cardinal Health, we both looked at each other because we would have been willing to bet money that the statistics on obesity research were probably from our organization. We also have our scientific groups.
Last year we won the gold award for our development and implementation of ERM, and the process that we put into place. So the challenge was what to do next. Once you have the basic foundational principles in place, how do you move past the implementation? How do you avoid getting stuck in a rut? We decided to take on the failures of our traditional risk management model, to be able to monitor, detect and communicate the emerging risks for our organization. We wanted to develop a framework that focused on our leading key risk indicators and create a predictive and proactive tool for addressing those risk areas.
We came up with a three-part solution, the first of which was our key risk indicator dashboards, which are both qualitative and quantitative. When we get to them, I will go into more detail about that. We then had our risk management network, which is where we brought together key risk holders from across the organization to increase and enhance our ability to share knowledge and manage our risks. Then finally, because the tone from our top was “we need to know what we need to know, and not all the details behind it,” we came up with risk area reports that provided executive level summaries for the key information that our leadership teams needed to be aware of.
Our risk indicator dashboards are a tool we developed with an external consultant to help us provide a way for us to look at our emerging risks, to be able to drill down within the organization and take a look at what we needed to know. Through the process of holding roughly 100 meetings across our organization, we identified 60 key risk indicators. I will show those as we go to the dashboards. We do work that includes controlled substances; we work with the personally identifiable information of hundreds upon thousands of individuals. We have a considerable number of risks that we have to keep our eye on, so this was no small task to be able to identify the key risks that we felt were the most important to the organization. We also wanted to find a way to put the metrics behind it, predictive metrics that would allow us to move forward as opposed to being reactive.
These are the actual key risk indicators, or KRIs. I don’t believe this is every one of them, but this is our basic KRI model. You can see that we address things such as bench strength, foreign banking, our payroll, our taxation, subcontracting, insurance, ethics and security. These are all the areas that our executive leadership team (ELT), the management across the institute and the people who are in the trenches doing the work discussed as the areas that bore the most risk for the institute.
One thing worth noting is that we focused on trying to provide some metrics to support these KRIs. They were both qualitative and quantitative. Revenue, for example, very easily provided quantitative metrics to go underneath. We were able to do that.
But there were also areas that did not really go very well with any kind of quantitative metrics, for example, domestic security. Our domestic security group had a number of metrics that they tracked: how many security incidents they had on campus, how many times they escorted people to their car, things that they did to enhance security. None of these things, we felt, were very predictive. However, the information that was predictive was the intelligence that they gathered from the FBI and other local law enforcement agencies. Those were things we couldn’t put numbers around; we were unable to put a hard number around it. We have a very qualitative approach, understanding that not all risk can be measured with numbers.
This is what our sample risk dashboard looks like. Now what’s worth noting is that this is essentially our summary level. This sits on top of all the other dashboards. Underneath this, there is a dashboard for each one of our five business units as well as one for the aggregated risks in the GNA area. We have a basic stoplight format of red, yellow and green. We wanted to make it colorful and pretty. It also has a number of notational items that help somebody who is glancing at this determine what’s going on with the risks across the organization. An up arrow indicates that the risk level for that area is increasing. It has gone from a green to a yellow or from a yellow to a red. Conversely, the down arrow means movement from either a red to a yellow, or a yellow to green. We also use stars to indicate where there has been change on a business unit level that didn’t actually impact the overall risk profile of the organization. So while one business unit may have had an increase in security risk, for some reason it didn’t impact the entire organization.
This is a snapshot of what our ERM organization looks like. What we have created here, to the far left, is the risk management network. These are the individuals that we identified that lead international security, insurance, our contracts group, our ethics group, our export compliance. We identified the people that run, manage and own these risk areas. We then report in to ERM, and our ERM group reports in to our risk management committee, which is made up of our executive leadership team and assorted individuals and serves as an advisory group to our CEO. Our approach is that our risk management committee does not make any decisions. We advise the CEO, and the CEO as the ultimate person in accountability has the final decision.
With our risk management network, we have these 31 subject matter experts. They are the ones who handle the day-to-day monitoring. Additionally, they provide the dashboard data. On a quarterly basis they provide the information to us that drives the dashboard, the colors and the changes.
We meet on a monthly basis so that everybody across the organization can share information. Those meetings have proved invaluable. We found that somebody in one group may mention something they’re working on, and it turns out that the individual in taxation needs to know about it. Or domestic security individuals needed to know about it because this new project might heighten risk in a certain area.
Now one of the other things that this group is particularly empowered to do is to set the risk levels. What that means is that if somebody in taxation says that one of our business units has a medium tax risk, then it’s a yellow. And when those dashboards are forwarded out to the executive leader team and those business unit leaders, they have a chance to opine on them. They have a chance to disagree; after all, it is the risk of their business unit. If they disagree, then we come together and we have a discussion.
But the executive leadership team has agreed, and has done a wonderful job of being supportive, of allowing the people who actually own the risk to set the risk ranking. They will not go back and lower a risk without having the buy-in from the owner. They can heighten the risk on their own. They may decide that they know of a pending project or something going on that they feel increases the risk level, but they will not decrease the risk level without the understanding and consent of the person who owns the risk area.
These are the risk area reports. Originally, our dashboard had this and I was very proud of it. I wish I could tell you how impressive it was. It was this five or six page per dashboard Excel spreadsheet with multiple cells in it. It looked very much like that grape line that we all kind of glazed over. It was even more complicated than that. The first time we provided that to the executives, they looked through it and went, “No, no, that’s just too much.”
We had to find a way to make it provide the information that drove these risk indicators and the colors, but was easy to understand, and could be in bigger fonts, and was more user friendly. So we came up with our risk area reports. And in there you can see we have our metric ranking section that shows where the specific metrics go that drive the KRIs.
Then there is an area for graphs. Some of them are monthly trends. But our main area is the blue call-out box. It is simply where we encourage all of our risk owners to look at the risk across their group, and tell us what the executive leadership team, the risk management committee, the board and the audit committees need to know. Also, I tell them to use it as their brag box. Don’t wait until you have a risk that you need to talk about, talk about what you are doing to prevent risks. This is where they also put any risk management initiatives that they are working on.
We have a fairly broad reporting structure, and our reporting tools that we have developed cascade down. On an annual basis, we meet before the board of governors, which is essentially our board of directors, and we provide them with our year-end high-risk summary dashboard. We are on hand to answer any questions and provide any information on any of the key risks over the last year. Bi-annually we report to our audit committee and we provide not only the high level dashboard, but also the business unit level dashboards and that supporting information. Quarterly to our risk management committee, we provide the whole package. Which is the dashboards, the business unit dashboards, our risk area reports and also our departmental update information. Then we have our monthly risk management report meetings, where the risks are actually calculated on a monthly basis for discussion.
On top of all that we have our normal day-to-day risk management practices. This is on top of the e-mails that we get with the questions that people have about “what happens if I want to do a project in this country?” Or, “we are looking at doing this project but it has all of these regulatory concerns.” And as I mentioned with our organization, that is quite considerable.
So what we are looking at going forward is additionally refining our reporting capabilities, and ideally, creating more of an automated approach to this. We admit that this is largely a manual procedure, where we get the information, and they are not particularly sexy reports. They are all mostly Excel and PowerPoint.
I mentioned last year that I would be up here talking about our dashboards, so I will go ahead and throw this out there: I hope next year I will be up here telling you about how we aligned ourselves with internal audit.
Questions and Answers:
Q: This is for all the panelists. To what extent did you use supportive consulting firms in your engagements?
We actually hired an accounting expert on a part time basis. It was a very focused assignment that he had in looking at the accounting for capital markets transactions. It worked out, in terms of, it was much more cost effective than hiring one of the national consulting firms.
MacKethan: We engaged Marsh Consulting for their ERM capabilities to come in and assist us with developing a baseline model for what became our risk dashboards. They were extremely helpful. But again, we are a unique organization, so after they came in and provided the baseline model, we took it and mutated it tremendously for the final result.
McBride: At Paychex, I would have to say that our use of consultants in ERM is extremely minimal, almost nonexistent. The models that are built are totally built in our garage.
Q: This is a question for Jennifer. How do you gather the information for the 60 risk indicators across your organization? Is it via e-mail?
MacKethan: I harass people. Like I said, it is a very manual process. The executive leadership team provides some input. For example, they provided the ranking for bench strength, retention and markets. The business unit leaders are the ones who provide the rankings on their markets. And of course they have to defend it if our CEO or board disagrees with their assessment.
The other ones are provided by those 31 area managers. At the end of the quarter, I usually give people about two to three weeks just to get through whatever they get through at the end of the quarter. Then they get out their initial e-mail that says: Here is the deadline for this quarter’s reporting. I send them out their prior quarter’s submission so they don’t have to build from scratch and say, “Here is what you did last quarter, please go in and update.” Then I set a deadline to get it back.
At that point, I also send out a simple spreadsheet for the executives to fill out their various rankings and supporting information. I then ask for them to get it back by a certain time. When the deadlines pass, I begin to send lots, lots and lots of e-mails. They are all really responsive. We have developed a good tool, so unless there is significant change, or some incident that does require an extensive amount of updating, it’s fairly simple to do.
Q: You mentioned automation in the next phase. What type of technologies are you looking at to update this automated process?
MacKethan: I believe we have looked at 360 Compliance. We looked at OpenPages. But we decided at this phase that we wanted to develop a simple internal tool because we just weren’t ready to take on a huge technology solution when we didn’t even have our process quite developed.
Now that we have, we are probably going to go back around and take a look at those. I know OpenPages is something that is being looked at by another group, so we may see about that. Maybe something like SharePoint. Again, that’s something we are in initial discussion stages about in terms of cost and resources.
Q: I was just wondering if you could say how broadly the dashboards are distributed. Who gets to see them?
MacKethan: The dashboards go to our board of directors, our audit committee and the executive leadership team, which is also our risk management committee. In addition, on our risk management committee we have our chief medical officer, our vice president of internal audit, and Ward Sax are the only ones who get the full report. Now, if the business unit leader wants to share their dashboard with their business unit that is up to them. It really is a senior management level tool. When we have our risk area meetings, when the network gets together on a monthly basis, they share that information in that forum. But the aggregated form only goes from the risk management committee up.