Two years ago, Microsoft Corp. reviewed its risk management across its global operations and found it wanting. While it was deemed effective across key geographies and businesses, the Redmond, Wash.-based software pioneer determined there were opportunities for improvements and efficiencies to be gained. The method of reaping these rewards was an Enterprise Risk Management (ERM) system.

Although a latecomer to ERM, Microsoft already "has increased its visibility to enterprise-wide risk and strengthened accountability for managing risk within the business," says Brad Jewett, director of the company's new Office of ERM. Jewett's position, and the entire centralized ERM function, was developed by Internal Audit, which in turn was directed by the Board of Directors' Audit Committee to pursue and implement best practices in risk management. The committee's formal charter requires it to review the company's policies for risk assessment and risk management, and the steps management has taken to control risks.

Alain Peracca, corporate vice president of Internal Audit, formed the new Office of ERM and recruited Jewett to lead it. While Peracca built organization support for the new entity, Jewett established the core operating principles for success. A key consideration was that ERM would be an enterprise-wide framework and program where risks are identified, assessed, prioritized, and, if necessary, mitigated, monitored and controlled. "There is significant business and technological risk inherent in the software industry," Jewett. "Our mission is to help the board, the senior leadership team and management accomplish the company's core strategies by facilitating a programmatic and global approach to ERM, and establishing broad accountability for the most critical risks facing the company."