By conventional measures, there were no extra resources in Symantec Corp.'s treasury–or anywhere else at Symantec, for that matter–to accommodate an entire new initiative, let alone an initiative like enterprise risk management (ERM), which requires a company to reevaluate not only the way it approaches risk mitigation but also how it defines risk itself. Still, Symantec's assistant treasurer and director of finance, Rossini Zumwalt, didn't hesitate for a second when she was tapped to become a core member of the company's global risk council. In Zumwalt's opinion, the key to tackling ERM is not canvassing the board of directors for lots of extra money to hire consultants or buy heavy-duty analytics; the key is making the risk management experts you have in the company–often managers in treasury, operations or information technology–redefine their mission. "ERM is a big word, but you don't need to be extreme," Zumwalt says. "We're starting where it's more appropriate and more cost effective–engaging people to think beyond what they know as risks."
Zumwalt is one of a cadre of treasury people at large and midsize companies being called upon these days to help map out their organization's ERM strategy. While treasury is unlikely to be the final home for ERM at most companies–including Symantec–Zumwalt and other strategically minded treasury executives recognize that treasuries need to be knee-deep in the effort, whether or not they think they have the resources. Why? Because enterprise risk management is en route to becoming a defining strategy for larger concerns. If treasurers want to hold a pivotal role in their company's future course, they have to be players. "The influence of ERM on how companies manage risk in the future will be so large that I suspect in 10 years we won't even be using the term enterprise risk management," says Stephen Baird, a Chicago-based project manager for Treasury Strategies Inc. "It will have become so ingrained that it will become simply part of the fundamentals of good management. I think we are in a comparable situation to quality management in the 1980s."
DEPARTMENT WITH A VIEW
Baird notes that treasurers need to play a leadership role in ensuring that ERM does not become simply a burdensome exercise in risk compliance. While risk compliance is a process of identifying, tracking and mitigating risk, says Baird, strategic risk management is a process of applying a high-level analytical framework to understand the composition of a company's risk. The former is a tactical approach that misses the connections between risks, addresses risks individually and overlooks some risks entirely. The end result of a successful execution of the latter can be determining the most value-added strategies for accepting, transferring or mitigating risks for an entire enterprise. "Treasurers are better equipped than anyone in the organization to develop and apply these frameworks," contends Baird.
But not all of Zumwalt's colleagues are seizing the opportunity. "Chasms are opening up between treasurers fulfilling their duty on internal controls," says Craig Jeffery, managing director of Atlanta-based treasury consulting firm Strategic Treasurer. "A lot are abdicating more than they should."
That is certainly not the case with Jennifer Ceran, treasurer of eBay Inc., who recognized the growing importance of risk assessment even before ERM suddenly became something companies knew they needed to be talking about. To effectively deal with the conventional risk areas under treasury's domain, including insurance, Ceran argues that treasury needs to understand the broader risks and their interdependencies. She contends that playing a principal role in the company's ERM initiative will help treasury better manage its traditional role of risk mitigation and make treasury more strategic. "We didn't hire a risk manager to buy insurance," she says. "We wanted someone to understand our risks and determine the best solutions to manage that risk. [The] single metric for performance is to reduce the long-term total cost of risk for our company."
PROACTIVE, NOT REACTIVE
Ceran found that risk manager in George Redenbaugh, director of corporate risk management at eBay since mid-2003. "Organizations measure themselves on their ability to perform crisis management," Redenbaugh says, but contends that it's better to avoid crises rather than have a process to react to them. He observes that in some companies, "as audit and Sarbanes-Oxley teams drive the ERM initiative, the risk manager is being left out. The sole job [of the risk manager] is to manage residual risk, and the function gets marginalized." But for treasury, the risk of irrelevance has an immeasurable cost, he says.
Given the regulatory pressure and importance placed on controls, Tarek Anwar, senior vice president for global treasury management at Bank of America Corp., agrees that treasury's involvement in ERM is essential and that treasury is already well positioned, having cultivated internal business partners: "An ERM [framework] should tie directly to the stability of financial performance and send a strong signal [of assurance] to investors and other stakeholders. I see ERM as a natural extension of treasury's responsibility for protecting corporate assets and the treasurer's role as one of change agent and catalyst."
Anwar views ERM as a way to institutionalize best practices across the organization. "Rather than relying on a hero culture, good leadership should enhance the structure," he says. "Treasury is an excellent starting point for an ERM initiative."
So what does it take for a risk manager to successfully expand focus to enterprise-wide risk? Redenbaugh cites the ability to understand academic principles and be comfortable with a fluid view of risk. It also requires a tolerance for unique solutions rather than one-size-fits-all risk coverage. "What's the point in having insurance if you don't have the risk? Or maybe we're hedging a unique financial exposure and need to develop a unique risk-transfer contract," he says. "Treasury's role is to manage residual risk in line with corporate risk appetite."
Redenbaugh honed his ERM skills during his tenure at Hewlett-Packard Co. where he served in several roles, including director of risk for HP's consumer store. He says getting top officers to adopt ERM boils down to showing them how it links to their management objectives and key operational metrics.
eBay is finalizing its first self-assessed enterprise risk study, which solicited opinions on key risks and their interdependencies through 50 interviews and 150 e-mail surveys. Now, eBay's cross-functional risk management working group–in which both Redenbaugh and Ceran participate–is formulating the results. Redenbaugh, who has also enlisted external resources for the study, says one essential was to find partners to translate the initial assessment into dollars: "There are a couple of specialty houses out there that are very good. They can provide actuarial capabilities to quantify risk and the anticipated benefits of mitigation. What is the [return on investment] over a given period?"
Treasury Strategies is also currently at work on a set of metrics for quantifying enterprise-wide risks. "If you can quantify the risk profile, it would be powerful," says Baird, who believes the new ERM framework developed by the Committee of Sponsoring Organizations (COSO) falls short of providing the kind of quantitative approach to analyze the aggregate effect of various risks on a company's cash flow.
At Symantec, Zumwalt and her risk counterparts were already in the process of establishing a formalized risk council when the company's audit committee came to Symantec's management team to ask what the company was doing about ERM. Symantec is now launching its guided self-assessment approach, the ultimate objective of which is to identify the company's top five enterprise-wide risks.
As for lessons to date, Zumwalt reflects on the council's first meeting, which included the chief security officer (i.e., digital security), the director of physical security, the vice president of accounting (responsible for Sarbanes-Oxley compliance) and Zumwalt. "We quickly realized that we had a tiny representation of the organization," recounts Zumwalt. "We were all wearing our risk management hats. We identified the risks we already knew about, but what were we leaving out? It's not just the risk you know. It's the risks you don't know. We forgot the 'E' in ERM. I think that's why companies are challenged. It's important to attach the 'E,' to go beyond traditional risks."
GETTING A GLOBAL PICTURE
The group quickly widened its participation and reached out across the organization to solicit input. Symantec also engaged its insurance broker, ABD Insurance and Financial Services, as a resource to help conduct interviews. Zumwalt says the group wants to push individuals to identify risks besides those that immediately come to mind.
Zumwalt and team have found similar themes underlying how people throughout the organization define its biggest risks–even across its international staff. Zumwalt believes inclusiveness is the key to overcoming any silo legacy. For instance, both Symantec and eBay stress the importance of their international staff in helping to assess risk. Ceran views the bulk of eBay's risks to be international as the company brings its unique business model to new jurisdictions. Some risks are undefined, such as how other countries will view eBay's proprietary system of electronic payment, verify ownership of items on the site or regulate posting material on a Web site without the equivalent of the U.S. First Amendment. All of these risks are above and beyond the normal exposures associated with rapid growth.
As for next steps, eBay will present its findings from the self-assessment to its audit committee and then meet with the risk owners to decide on how to act and how to measure for results. At Symantec's audit committee meeting in April, the global risk council will present its findings–Symantec's top five enterprise-wide risks. While both companies see a quarterly self-assessment on top ERM risks as the ideal, with a more general risk review on a yearly basis, they agree it is an ongoing, ever-evolving process.
Where will the ERM function ultimately reside? Zumwalt doesn't believe it needs to belong to treasury or finance. She contends that if you want people to see ERM as beyond traditional risk management, it must be in another part of the organization altogether. But that placement doesn't translate into treasury's role shrinking. On the contrary, according to Zumwalt, ERM has expanded what Symantec considers treasury's responsibilities in risk: "Being part of Symantec's global risk council has enhanced my own views of risk and has created an opportunity to take part in addressing our top risks."