Managing Enterprise Risk: A Roundtable Overview

Thought Leadership Roundtable on Digital Strategies
An executive roundtable series of the Center for Digital Strategies at the Tuck School of Business

The Americas Chapter of the Roundtable on Digital Strategies convened to share experiences and strategies for identifying, managing and mitigating enterprise risk. This Roundtable was hosted by Nike. CIOs were joined by executive colleagues responsible for enterprise risk management, legal, audit and security. Executives and academics participating were from Nike, Inc., Providence Health & Services, Sysco Corporation, Tenaris, Time Warner Cable, YUM! Brands, Inc., and the Tuck School of Business at Dartmouth.

Key Insights Discussed in this Overview:
Leaders must identify and manage “unknown unknowns.” Turn business assumptions upside down. Run “what-if” tests to identify and tame potential “Black Swans.”
The structure and governance of enterprise risk management can vary — but must be thought through deliberately, and aligned with your organization’s culture.
Manage — and enlist — the emotional dimension of risk to keep it current in employees’ minds. Here’s how to create a climate of anticipation.
Innovation invites risk — particularly as “big data” opens up big privacy concerns. But over-engineered risk management can dampen innovation. Plan, anticipate, manage, but never let fear of black swans kill the golden goose.
Dig deepest and work hardest to minimize reputation risk — whether product-related, partner-prompted, or social media driven.
Risk management must be integral to strategy. Explicit or implicit, it will define what kind of company you’ll be in ten years.
Prioritize. Here’s practical guidance for grouping, assessing, prioritizing and monitoring enterprise risk — and perhaps even creating “markets for good behavior.”
Build a resilient enterprise. Consumer expectations are a key driver, internal decision-making and communications are critical, and culture is the pivot-point.
© 2012 Glassmeyer/McNamee Center for Digital Strategies, Tuck School of Business at Dartmouth The Thought Leadership Roundtable on Digital Strategies (www.tuck.dartmouth.edu/roundtable) publication series is edited by Hans Brechbühl, Executive Director of the Center for Digital Strategies.
Yes, Everything is Your Problem

The participants in this Roundtable were unanimous in their conviction that enterprise risk in any form, particularly reputational, can come from any direction — including partners, suppliers and customers — and need not stem from anything the firm itself might have done wrong. Sandra Carson, VP for Enterprise Risk and Compliance at Sysco Corporation, opened with a cautionary example. “What our customers want, we deliver,” she said. “So we had a scenario where a customer wanted a certain product from a certain supplier. It was only for them, and we agreed to do that. Then there was an outbreak of illness in a certain area, and that customer wanted to make this Sysco’s problem.

“We had not altered the product at all,” she continued. “It really was box-in, box-out. But our name was all over the news. It was a big deal. It was on the CNN ticker tape, which our board members are not happy about. And we realized that we don’t have to have done anything wrong to suddenly reap seriously negative outcomes.”
How to Breed a Black Swan

There are ways to deliberately anticipate the worst-possible outcomes, however, through what amount to carefully structured and systematic thought experiments. Twila Day, Sysco’s Senior VP and Chief Information Officer, said, “Sandra holds regular, structured risk management scenarios she calls ‘Black Swan Meetings.’ And the funniest part is that she holds them on Friday the 13th.”

Sysco’s Carson explained: “This started when our board said, ‘Sure, we know you guys do risk in the weeds really well. But we want to know what you don’t know.’ Initially, I’m thinking, ‘Okay. I think by definition, we can’t tell you.’ But then we went to work, to effectively ‘What If’ the most fundamental business assumptions. We deliver goods by truck. So let’s say that suddenly the public highways weren’t safe, for instance — how does Sysco remain sustainable and maintain continuity? And then what are we going to do about that? I bring somebody from the outside into these meetings — I think that works best. And we’ll say, ‘Okay, what do we believe just innately about Sysco, what are our foundational business assumptions?’ And then we just turn them on their heads. ‘Okay,’ we say, ‘the opposite is true. What does that mean for us?’

“Our Black Swan workshops have been specific to an area or an idea, and it really is brainstorming with the executives about these things that we just aren’t thinking about, and forcing the thought process. I don’t mind doing quirky things to keep them in our executives’ minds. I don’t believe there will ever again be a Friday the 13th when our executives don’t think about Black Swans.”

Providence Health & Services System Director of ERM and Chief Information Security Officer Eric W. Cowperthwaite endorsed this approach. “The visibility of the ‘What If’ is really important,” he responded. “And it becomes much more robust and tangible when it’s a cross-disciplinary group talking about it.”
Governance of ERM: Structure or Bureaucracy?

Participants described a wide range of governance models for ERM. Christian Nolke, Senior Manager, Information Risk Management for Nike, Inc., defined clear overriding goals for governance, whatever its form. “The two things that we end up striving so hard for, and working so hard for, are efficiency and relevance. We have to be efficient with senior management’s time and efficient in how we communicate risks, their impact, their likelihood and so forth to them — and then also, the risks have to be relevant. We’re trying to clock it and get it right. But the problem is in the process, and we’re always at risk of creating fatigue. So those to me are the two Holy Grails of the governance processes that I’m trying to build — relevance and efficiency.”

Some organizations frame risk management governance from the top down, while others have taken a more decentralized approach. Sysco’s Carson said, “Our definition of enterprise risk really is top-down. Specific risk updates go to the senior leadership team — first our operational risk committee, who have different functional roles, then to the senior leadership, where we’re really challenging the senior leaders to challenge each other. It can be pretty controversial. We’re bringing up hard issues and it’s not necessarily going to be their favorite topic of the day, right?”

Eric Cowperthwaite responded, “Providence Health Systems has grown by acquisition, to 33 hospitals, each with a chief executive. At an operational level, they each know the risks they face — the guy running the hospital in Torrance or Anchorage has a much better grasp than we do in Seattle. But at the same time, we knew that enterprise risk management wasn’t going to go very far or mean much if it didn’t get driven from the top down.
So we’ve really tried to create a structure where we’re both top down from a board and senior executive council, but it’s also democratized where we’ve got about 100 senior leaders across the organization telling us what the risks are.”

“Back when we had an ERM ‘star chamber’,” he said, “with the CxOs and the head of Audit sitting in a room deciding what the big enterprise risks were, everybody ignored it — because it bore no resemblance to what the operators were actually facing.”

Similar challenges were shared by David Christman, Senior VP and Deputy General Counsel of Time Warner Cable, who said, “Back when we first got started with ERM, we effectively said to ourselves, ‘We manage risks every day, all we need to do is write it down somewhere.’ ”

“While it was the easy answer at the time,” he continued, “I think it took us down the wrong path. As if ERM is really just about papering it with templates from Deloitte. The subtext could be viewed as, ‘This is hoop-jumping, a drain on you operational people, so don’t really worry about it.’ But now we’re getting to a point where we’ve started to recognize that there’s a lot of value that you can add if you do this right.”

Hilary Krane, VP, General Counsel and Corporate Affairs at Nike, described a much less top-down orientation to ERM governance. “There’s much more collaboration on the risk side now than there’s ever been here,” she said. “But do you ever see ‘enterprise risk management’ on a lot of documents? No. Are you going to see it with a steering committee associated with it? No, but is it actually highly sophisticated, covering everything from what happens if the euro goes to parity, to what if there is no more cotton available, to what if Indonesia ends up under water for environmental reasons?

“I actually see a lot of the work being done as, or more, sophisticated than I’ve ever seen anyplace else, but it’s not integrated structurally. You’ve got to be really careful to get your goal clear and then accomplish it in a way that doesn’t feel like it’s bureaucracy.”

Nike’s Nolke added, “I just struggle to envision a centralized method of measuring information security, privacy, compliance with SOX, everything together, and doing it in an authentic bureaucracy-free way. I have a terrible time envisioning that kind of centralized ERM governance function because, honestly, a lot of information security is about doing IT right, doing it fundamentally right. And if you don’t have the right people — sometimes even the people who are doing the work, assessing themselves, you aren’t being genuine about how big the risk is or how big of a problem you have. You just get an auditor affect.”

Day of Sysco responded, “But that’s exactly where we started. I mean, that’s perfect. We started with this phrase ‘information security.’ And then when we got into the room and started drilling through what that means, we ended up with exactly what you just went through. There are all these different components that go underneath information security, right?”

Sysco’s Carson said, “When we look at it from an enterprise risk standpoint, that top-down view versus how we do it every day, we saw that we had huge gaps in our program. We had a fragmented approach. Nobody was responsible across the risk, so nobody got the full view.”

“Because we’re so decentralized,” added Day, “without this framework and without this process, we never would have taken action on a lot of these things.”

Dickie Oliver, VP of Global Information Technology for YUM! Brands, Inc., described a governance structure somewhere between those of Sysco and Nike.
“We have an audit group,” he said. “We have IT and what they’re doing with disaster recovery. We focus on business continuity planning. Being a very decentralized, federated model, with four divisions with their own IT staffs, presidents and GMs — we have pushed that down to them with some know-how to say, ‘You must think about your business in the context and the framework and the geography that you manage today and come up with your own mitigation plans around the risk you’re willing to accept.’”
To Maintain Focus on ERM, Enlist Emotion

The executives discussed many challenges in keeping risk management current and vivid in employees’ and stakeholders’ minds — effectively creating a climate of anticipation around risk. Frank Boncimino, Senior VP and Chief Information Officer for Time Warner Cable, noted, “When British Petroleum had their big oil spill and CNN was on it every day, our CEO started walking around asking, ‘So, what’s our BP moment?’ It forced a lot of our executives to stop and think. Then they actually ran a tabletop exercise with the whole senior team throwing out different scenarios: ‘Okay, we just lost X number of credit card files.’ Which did show us that we really are prepared as an organization to communicate with each other during a BP moment.”

Roland Paanakker, Chief Information Officer and VP, Lean Business Solutions at Nike, asked, “When you have those Black Swan or Friday the 13th kind of conversations, how do you make the risk real enough? If it’s too close by, it doesn’t move the needle, and if it’s too far out, people don’t connect to it.”

Oliver of YUM! Brands said, “The struggle we’re having is that people get it, but it’s as David described, where they think, ‘Oh, I have to jump through this hoop because corporate’s asking me to.’ ”

Hans Brechbühl, Executive Director of the Center for Digital Strategies, captured the tension between systematic governance and emotional engagement. “When you formalize ERM,” he noted, “you can risk losing everything into reporting cycles. How do you keep it fresh?”

For many in the conversation, keeping people keyed into risk had, at times, entailed the threat of sanction. Providence’s Cowperthwaite noted, “If you’ve made it onto the enterprise risk watch list, that’s a horrible thing to be on, right? You want to get off the watch list by fixing the risk. We ask you to create a specific action plan — but we limit it to one page. Tell me what the risk is, tell me the three to five things you’re doing to manage the risk, and tell me the three to five measurements, and that’s all I want to know. So we try to limit the bureaucratic side of it.”

Turf issues were seen as an inevitable dimension of risk management — one that has to be managed directly to be effective. Said Sysco’s Carson, “There are people trying to keep territory. That’s a natural response. There’s a lot of emotion. And I think it is Enterprise Risk’s responsibility to try to remove all that, and say ‘What are we really left with?’ People are protective. You’re in their sandbox. It’s hard stuff. There really were some areas that we were protecting as holy ground,” she said, “that we really shouldn’t have been.”
How Innovation Invites Risk

Given the many risk management “disaster stories” shared by participants over the course of the roundtable, there was wide-ranging recognition of the many ways that generating value can court unexpected exposure. By way of example, Time Warner Cable’s David Christman said, “We closed this big three-party deal in 2006, where we were going to get Comcast out of Time Warner Cable, acquire assets from Adelphia, swap others with Comcast, and go public by giving Adelphia creditors Time Warner stock. It was a very complicated transaction. Among the crown jewels were that we were going to consolidate a leadership position in the L.A. market, which had been fractured.”

“But we tried to do too much, too soon there operationally and we didn’t properly gauge the risk in that… The biggest thing you can do wrong in the cable business is irritate customers and make your phones ring, because once they start ringing you can’t take orders — and the unhappier people get, the more they call, which creates a death spiral, which came pretty close to happening. It took us a while to pull it back together, which we did.”
Added TWC’s Boncimino, “All our executives are very bright. But identifying and extracting risk from everyone’s minds can be a very hard process.”

Innovation on the social media front was seen as a prolific source of new risks to be managed — particularly as the cloud and “big data” open up big privacy concerns. Said YUM! Brands’ Oliver, “We had a request from one of our Divisions to create a Facebook group with not only internal employees, but all of our franchisees and international population and some suppliers as well — because they believe that's where people are comfortable, and we need to go out there and have a conversation with them. So we're in the middle of a lot of conversations about brand reputation and exposure. So divisions have got to make the call, with YUM weighing in on how much risk we want to address.”

“And once you make that call,” added Nike’s Christian Nolke, “you can't go back.”
Innovation, Privacy and Security

Sysco’s Twila Day said, “The risk for IT is that, while everything used to be inside your walls, now there's a real blurring between what's being done in the office and what's being done outside of the office, and it’s all always accessible. I think that certainly has made life much more complicated from our perspective in regards to risk. Before, if someone tried to print out your whole item file with all the pricing, it was going to be kind of bulky, right? Now they don't have to. They've got it all right on their device. So there's a lot more exposure from the data perspective than what we've ever had before.”

Roland Paanakker of Nike concurred. “I like to think in terms of the IT intensity that any company has to sort through rapidly when running the business, and how that creates new opportunities for risk that didn't exist before. It’s an exponential curve, one that investments will never keep up with. So if you think about information security, I think it has to be as much about organizational awareness and behaviors as it is about capabilities. I can try to secure any device, but if our people don’t understand why it is the way it is, they’ll figure out a way to do something they shouldn’t, but just do it differently.”

“I think we're at a point now,” agreed TWC’s Boncimino, “where the technology has progressed where we could have a good balance between accessibility and security. What's complex about it is where the data is. It could be in other cloud computing companies, like Salesforce.com, or other partnerships that we have. And so to me, the big billion dollar risks are in the massive breach of that data, wherever that data is. I think we all have third-party relationships, and everyone is running into all of these issues. I'm actually more trusting of my environment than I am of all those other environments. But if you just asked our business folks,” he said with a smile, “I think they would actually say they're more trusting of the other environments than they are of mine.”
Enterprise Risk Awareness: Emotional and Cultural

Many in the group were thinking about programs to drive greater internal awareness around data privacy as a risk priority — foremost among them Nike.
Stated Hilary Krane, “We're hiring essentially outside advertising agencies who speak Nike's language to have our employee as the consumer in mind, and deliver the message to them in a Nike look and feel, in a way that's respectful and fun and honors sport and engages them as part of the team.” As an example, she said, “‘Would the coach leave the playbook on the subway? No. Why would you?’ We're about to launch into what's going to be a multi-month and probably multi-year internal marketing campaign.”

Added Christian Nolke of Nike, “It has to be so genuine. It has to be compelling, to be real, in order to be consumed.”

To which Nike’s Krane responded, “And then the lawyer in me has to speak out and say all of this has to be combined with some public hangings for people who violate the rules they’ve agreed to as employees. What a lot of people say is, ‘Well, that’s their culture, they’re young, people share things, they want to be hip.’ And I’m thinking, ‘They work for a Fortune 500 company. They can learn. We fire people if they steal from us, so why do we have more respect for physical property than we do for intellectual property?’ People have to learn that with possibility comes responsibility.”

Eric Johnson, professor at the Tuck School of Business at Dartmouth, offered an example from one global corporation, which “does nighttime walkthroughs of work areas,” he said, “to look for two things: people who've left their machine logged in and gone home at night, and people who've put stickies all over their desk with the passwords on them.”

“They issue a paper ticket,” he continued. “It looks very scary and official, and they attach it to the workstation. It might sound like a slap on the wrist, but they said that it does elicit quite a strong response and that people will really get upset when they come in and see tickets waiting for them.”

Said Sysco’s Twila Day, “It's not easy, though. It's not — and it's ever-changing, so you have to keep at it. You're not going to just do it once and then you're done with it. You've got to have a process to continue to continuously evaluate it.”

Added Nike’s Krane, “And you need shared buy-in on the concept of who needs to know what.”

David Christman said, “Privacy is one of those areas at Time Warner Cable where as soon as somebody says, ‘And then we’ll take the customers’ information and do this with it,’ someone else says ‘Hold the phone,’ which is great. People are really, really sharp on that. But it does impede the pace of decision making around business choices, too. How can we anonymize this data? How can we involve, if we have to, a third party? What would we need to do to make all that work?”
Privacy Risk and the “Creep-o-Meter”

“On the legalities of it,” said Nike’s Krane, “first of all, it’s a muddy floor. You have no idea of what’s going to be acceptable today or tomorrow, but some place above what’s legal, there is a line as to what the consumers feel is creepy, and that’s where your brand comes into play. Somebody who’s responsible for the brand has to be monitoring the ‘creep-o-meter’, because there are a lot of things that you can do, but you don’t want to do.”

Said YUM! Brands’ Oliver, “There’s a Target example where they were using buying patterns of consumers to guess what their next purchase would be, and they were sending a 16-year-old girl coupons around maternity items because she had been buying items around pregnancy, and the father got involved and went to the store and ultimately got to Target’s headquarters. They’re apologizing profusely. Then he actually came back around and apologized because, in fact, she was pregnant. He didn’t know it, but Target knew it before he did.”

“That’s the creepy factor,” said Nike’s Krane. “It’s 100 percent legal what Target was doing. The best minds out of Carnegie Mellon figured that out for them. They thought they were oh-so-clever. Now they’re still doing it, but they’ve figured out if you just throw in a lawn mower, some Scott’s lawn protector in the same circular with all the baby stuff, that people react less. So now it’s all about disinformation. And I’m sure once that becomes more obvious, people aren’t going to like that a whole lot better, but that’s what they’re doing right now, to effectively obfuscate it.”

“We heard this great example from an IT VP at Lowe’s,” said moderator Mark Lange. “She was talking about share-of-cart analysis, how they make inferences based on purchases. If you buy a kitchen faucet, they infer you’re doing a kitchen remodel and send you a coupon for a backsplash. Those little solar walkway lights weren’t selling well, because they’d thought of them as a ‘lighting’ product. But then they did the cart analysis and saw they’re most often bought by people buying potting soil and gardening stuff. Once Lowe’s started putting up end caps with those lights out in the garden displays, they really started moving units. The potential with all of this is immense.”

Added YUM! Brands’ Oliver, “The airlines could do so much more with the data they have than they do — because they’re worried about the creepiness factor. You’re sitting there waiting on a flight, and there’s another you could pick up. But they don’t use the data. That’s value to the consumer, a ton of value that could be driven to your organization by using it correctly.”

“The other big factor here,” said Nike’s Paanakker, “is that the whole playing field is highly dynamic, right? The consumer thinks it’s creepy, today, but tomorrow it’s different. How are our partners using data? Every part is moving, right? So we need to define what level of flexibility we need to create some of the capabilities and infrastructure, contractual infrastructure, relationships and technology that let us move as people’s minds move.”

Frank Boncimino of TWC said, “It’s the IT people who should be the ones letting the data go. Maybe what’s needed is a more formal governance process around customer data usage in the company and with partners, monitoring and sensing and evolving as time goes on.”

Said Sysco’s Twila Day, “Actually, I don’t want any of the data to go out anymore. I would rather have them come in and access the information that they need, because I can control that better than sending all this data out. I actually think there’s a problem with the whole model of us continuing to send data out to all these third parties that are not the customer. If the customer wants their data, that’s fine. But it’s going to get out of control very, very quickly.”

Asked TWC’s Boncimino, “What about software as a service — that’s where the tide is going?”
“I know,” answered Day, “the software in the cloud is one thing. But my data leaving and going to all these replicated places to me is a danger because I don’t know that you’ll ever be able to truly audit it and assure that your stuff is really going to be as secure as what you’re going to want it to be. We have regular audits with Salesforce, but, I guarantee you, they are using our data along with other people’s data to derive new data. They’ve admitted that they’re doing that. We don’t even need a contract. We got into this because the business units decided they wanted this relationship and they exposed the data. It’s a problem. It’s a really big problem.”

Hilary Krane offered a framework for data usage, saying, “We’re trying to put it through the filter of saying, ‘What is the value to the consumer?’ And if there’s demonstrable value to our consumer in a way we can articulate, we’re good with it. If it’s just about driving more revenue and you can’t come up with something that’s good for the consumer, be a little bit wary.”
Don’t Let Risk Management Kill Innovation

Amid all of the innovation and new risks being enabled by information technology, there was also a sense that heavy-handed risk management efforts could themselves introduce risk — by discouraging innovation. Risk management, it appears, must be consonant with culture. “How do you make sure you don’t overcompensate,” asked Nike’s Hilary Krane, “and actually kill the goose that laid the golden egg because you’re so busy trying to tie down all the risks? Here we’re allergic to bureaucracy. I mean just allergic to it. I think we’re in a transitional moment as a company in terms of increasing our level of sophistication around enterprise risk, but it’s very fragile because the biggest true risk to our enterprise is squelching innovation.”

“This is a company that’s completely driven on creativity and innovation,” she continued. “And the consumer connection and the ability to do the unusual and the unexpected, and to go places people wouldn’t think about going, are among the most important elements of the secret sauce that makes Nike successful. So you realize that the heaviness of enterprise risk management itself is a big enterprise risk.”
But Don’t Try to Eliminate Risk

Organizations have to take risks to reach goals and generate value, of course. But the participants seemed conscious of the fact that risk doesn’t necessarily correlate with revenue — and that the cost of risk management should never exceed the benefit. Said Nike’s Roland Paanakker, “As a company, we understand what the enterprise risks are. But am I going to go out and invest against all of them? How big is the tax — in insurance, in inefficiency, in lack of innovation — that we are really willing to pay?”

And in cases where the risk is unavoidable — and the risk tax too high — other participants have elected to exit lines of business entirely. Asked whether BP’s Deepwater Horizon disaster focused the minds at Tenaris, Carlos Pappier answered, “I wouldn’t say so, because we were always very aware of the risk involved in our activities. Actually, when you take a look at the BP report, it actually devotes about 80 pages to our pipes and connections. And the results were very good. But we always knew that we were involved in risky activities. So for several years, we have had an enterprise risk committee. And I think we have been effective in terms of getting the concept into day-to-day operations.”

“I say this,” he continued, “because we’ve pulled out of businesses that on a non-risk-adjusted basis were very profitable, but then you’d take a look at the risk involved and said, ‘This is not working.’”
Talking ‘bout my Reputation: Dig Deepest and Work Hardest to Minimize Risk to Brand

Whether product-related, driven by social media, or both, any risk to brand equity was widely regarded by the participants as the most critical to mitigate. Sandra Carson of Sysco said, “The areas where we most aggressively manage risk are where there are reputational effects. And we’re realizing we’re only as good as our partners are, on either side of us. If customers aren’t going to come back after a crisis, it won’t matter how well we executed in every other way.”

Her colleague Twila Day added, “If they’re going to look back at you or the organization, then it is going to be your risk — because it’s your reputation that’s going to be on the table there. So I think that’s where it broadens into issues and mitigation strategies that you might not initially think you should have to worry about.”

Hilary Krane of Nike agreed. “We have suppliers who are so far out — we don’t make our goods — but the world holds us responsible for it. We’ve been chastened over the years to learn it does not matter. It’s all about your reputation, and you’d better look at it through your consumers’ lens or you’re going to get hurt. That to me is the fundamental bottom line.”

“So we’re embracing radical transparency,” she continued. “We were the first to put all of our factories out there on the web. Now you can go to an interactive website, look at any country in the world, go right to each factory in that country, and figure out whether they’re producing footwear or apparel. The theory is that policing ourselves is not the most effective thing in the world. We’re saying, ‘Here’s every place we go. Here’s what we ask of our partners. Here is what we’re trying to do to make sure it happens right.’ And then, we’re just honest and fast if we find out something’s wrong. And we’re finding, actually, that it’s been pretty effective — although a lot of people would say that behavior in itself is too high-risk. We’re finding that there’s more benefit than there is harm.”

Tuck’s Eric Johnson agreed, saying, “Secrecy just breeds more brand damage in the end, more distrust, all these kinds of things, than letting people in and letting them see what’s really going on.”

“In risk management for universities,” he said, “it’s the boundary issues that can be really, really tough. We have all of these young people that are doing stuff all the time, but are they doing it under the auspices of the university? Is it official? In Indonesia during the earthquake, we had students that ended up in the hospital after a tsunami because they were all there for spring break. Were they there under our flag or not?” Reflecting widely shared concern about reputational risk as a priority, he concluded, “The bottom line is that when they write about you in Rolling Stone, it is your risk.”

Nike’s Krane concluded, “We were slow in the beginning, when labor issues came up back in the ’90s, because we didn’t own the factories. We wanted to say ‘Hey, we’re not the growers. We’re not the manufacturers. You’re barking up the wrong tree.’ But we spent a little while in that frame of mind, and the pain got pretty intense, and people here realized that whether we think that way or not, the world doesn’t think that way, so it doesn’t really matter what we think.”
Make Risk Management Integral to Strategy

Whether identified and managed explicitly or implicitly, risk and the way your enterprise responds to it will define what kind of company you’ll be in ten years. Christian Nolke explained, “When I do quantitative risk analysis, I have to look at the fact that Nike’s a very young company. How we operated ten years ago is not how we operate today. How do we expect to operate in ten years? It’s amazing to imagine how different we’ll be then than we are today, from the basic supply chain to how we design shoes and how we interact with our customers.

“For us,” he said, “our strategy, our innovation strategy, needs to go to the next place, to generate more value. For instance, what’s the type of risk we have with customer information? I have to look not only in direct financial cost, and what would it cost to protect people’s consumer information, but also assess a column called strategic impact. Whether or not the way your business is run today is threatened, how do you analyze that, assess that, or balance that, find the ROI there, versus how do you assess, balance, and find the ROI value in assessing and mitigating future risk or risk to your strategy?”

David Christman of Time Warner Cable said, “I think that’s a great question. And it’s very hard to put on the real future glasses. It has to extend beyond ERM. Our organization does spend a fair amount of time thinking about and talking to young consumers about how what they’re doing now differs from what our average consumer is doing today.”
Monitor Monitoring Itself

Added TWC’s Frank Boncimino, “You know what’s interesting? I’ve been writing down speed and impact and all these other attributes we’re tracking. But it’s almost like there’s another thing to measure that’s almost starting to coalesce in my mind as a key indicator: How well do you have your executives communicating and collaborating, talking about risk? It’s almost like a maturity model measurement and heat map on ERM and monitoring itself.”

Eric Cowperthwaite of Providence agreed. “That’s awesome,” he said, “because my boss and I just yesterday were saying to each other that we need to figure out how to measure the ERM program on our dashboard. We have a good ERM program itself, but how well are we monitoring how robust and mature it’s becoming?”

Prioritize

The participants offered practical guidance for grouping, assessing, prioritizing and monitoring enterprise risk — and perhaps even creating “markets for good behavior.” The challenge of prioritization was felt across organizational contexts. Nike’s Paanakker explained his view, “Prioritization has to be embedded in how you run the business, right? It becomes part of whatever your cycle is — annual, quarterly. What am I doing to run my business — which includes managing the prioritized risk. So there is no distinction, right? And that’s, I think, how you keep it alive. Now periodically, you need to do your Black Swan exercise or whatever. But then it would seem that in whatever business plan it is that you’ve executed, in the operational cadence, running the business implies managing the risk that we have prioritized.”

Cowperthwaite responded, “It does. But the reason we do what we do is because what we’ve experienced from the past is that the things that were really significant risks weren’t managed, because they crossed the whole company in this way. There was nobody who took accountability for these horizontal systemic risks. So as part of how we run the company, we needed to assign accountability for horizontal systemic risks.”

Tenaris’ Pappier said, “I agree completely. We don’t establish priorities on risk factors. We have a program once a year, we review all the different capital expenditures and projects that we’re going to undertake, and then we see the impact of these same projects and different options. So all these programs, how much is for increasing the top line, how much is cost containment, how much is new products and services, how much is risk reduction? So we review the whole portfolio, not just the risk actions in terms of prioritization.”
Prioritizing a Slow Leak

Sysco’s Carson pointed out an entirely different risk profile. “We’re all focused here today on the highly improbable, catastrophic risk,” she said. “But sometimes what you have is a slow leak — a gap that grows slowly and quietly over time. We felt it in the form of a kind of disintermediation, where a distributor, as we are, could be cut out of the supply chain. And that’s where we identified it, through interviews and market diligence. It was a slow leak over time.

“Eventually,” she said, “it would have hit us and we’d have woken up and said, ‘Holy crap. How did we not see the threat?’ So we went to the executives and had a prioritization workshop. ‘Here’s the ones we want you to focus on first,’ they said. And then we just spent the next year and a half understanding each one of them, took chunks of time, got outside experts in each of the different subject matters to come look at what we were doing and what the risk was, and then brought that back, and then started scoring them against each other. Really, for us it was moving from key performance indicators, the way we measure what we’ve done in the past, to the indicator saying something was changing. We’re still in our infancy stages of doing that.”

Nike’s Krane asked, “What’s the appropriate level of diligence? Is it possible to do the diligence the outside world expects of you, and does it really add any value?”
Prioritizing Big Risk in Small Packages

Oliver of YUM! Brands responded, “We’re taking more of a ‘Get your own house in order’ philosophy first. We have franchisees that own two stores, and others that own 1,500 stores. So how can you go in with a standard of ‘here’s the amount of risk’? What we’re doing is letting each division handle it because it’s their business to run. They own that relationship with the franchisees, with their own suppliers and distributors to really think through.”

“Those trade-offs in my mind are so hard,” observed Nike’s Krane.

Day of Sysco added, “If it’s a smaller supplier that doesn’t have all the sophistication, then that means that we probably need to have QA in there inspecting on a more regular basis than we do. So it’s more about recognizing there’s a potential risk, and then determining what to do about it based on the likelihood and the severity and impact.”

Nike’s Nolke said, “We’ve been to the ends of the earth trying to manage our restricted substances list. With a shoe like Pegasus or Air Force One, we’re making millions of pairs of these shoes every year. But every once in a while, we do 200 pairs of shoes. They’re expensive. Can we go through all of that diligence around a piece of leather that we’re only going to make 200 pairs of shoes from? So we have to draw the line somewhere. For certain styles, there’s more due diligence. ‘Who’s going to receive these shoes? What factory are you using? How much leather is in them?’ We’ve got chemists with doctorates analyzing everything. But we are still held accountable for decisions made and actions taken somewhere in our supply chain.”

Eric Johnson of Tuck elaborated on this point. “That’s close to what happened to Mattel in the toy recall. They were doing some special little cars. They’d produced hundreds of millions of Hot Wheels cars in Penang and Shanghai and Bangkok with no problems, for 20 years. But there was a little special from the movie Cars, low volume, subcontracted a couple of levels deeper into the supply chain. This was not just some toy company that outsourced stuff and just got bit. I would have called them world-class vendor managers. But something had subtly changed. After 20 years their supply chain had grown up indigenously bit by bit — designed for the world 15 years ago. Known vendors were being replaced by indigenous vendors, slowly. And the risk was growing — which was a real failure for them, that they just didn’t catch.”
Create Markets for Good Behavior

There was great interest among the participants in the idea of enlisting market dynamics to support better risk management practices and outcomes. Said Nike’s Krane, “We’re actually moving to the next level, which is trying to move away from punitive sanctions for a bad audit, to providing training, value added services, and more orders for companies who score better. You can use the economics of it to create incentives. We have bronze, silver, and gold standards. Bronze is a minimum, but if you’re silver, you’ll get more orders. We try to use market dynamics to drive people to better performance, and then make them pay for it so it stops being a burden on us, and they start internalizing it as their own cost of doing business, because that’s where we think it ought to be.”

In other words, instead of audit and risk management functioning as revenue prevention departments, they might actually have the potential to generate some aspirational lift. Observed Christman of TWC, “Of course, you do have to balance that against cost, too.”

“Absolutely,” answered Krane. “There has to be enough juice in the squeeze for the manufacturers. But at the same time, people can rise to the challenge. I think we’ve found trying to create market dynamics to change behavior rather than simply think about policing is going to be the way to go. Our size and scale require that we do that.”
How to Keep Your Board of Directors Informed about Risk

The means and metrics for reporting on risk at the board level were as various as the approaches to managing it operationally. Carson of Sysco relayed, “Our CEO, at every board meeting, gives an ERM update, and it’s short and concise and to the point. There’s a dashboard, with just three components: a heat map; those same risks in a graph format, showing exposure, tolerances and goals; and then third, the section where the executive sponsor says they’ll have their risk management plan in place, and when we expect the exposure to actually change.”

As Sysco’s Day put it, “It’s more of a ‘We’ll give you the information ahead of time, and if you have any questions, we’ll be there to answer them. Otherwise we’re going to assume you’re fine with where we are, and we’ll move on.’ ”

Christman of TWC said, “We report to our audit committee twice a year on the ERM program, and what we’re doing. We remind them of what the key risks are. We’ve in the past used this pinwheel approach which is functional, identifying which group is responsible for what risk. But we’re now trying to move away from that, because we recognize there are a lot of cross-disciplinary risks. So one of the things we’re trying to engender is more communication and collaboration on multiple risk owners around the set of risks.”

There was also agreement that, since concision pays with boards, communicating what has moved or shifted is more important than absolute metrics. As Sysco’s Sandra Carson put it, “Where a risk has changed since the last meeting, we highlight that — particularly if the speed of onset changes. We’ll call that out.”
The Resilient Risk Management Enterprise

Across the wide range of risk factors and responses discussed over the course of the day — from basic mitigation and response, to business continuity planning — it was clear that no matter how thoughtful the planning, not every risk can be planned for. Accordingly, toward the end of the day the participants’ discussion pivoted toward developing real resilience in any risk environment.
Tuck’s Hans Brechbühl outlined a framework for thinking about this based on concepts from Yossi Sheffi’s book The Resilient Enterprise:

[Chart: Preparation/Response Strategies*]

* This matrix comes from “The Agile and Resilient Enterprise” (p. 8), an overview of a 2007 Roundtable on Digital Strategies, and is based on concepts and charts in Yossi Sheffi’s book titled The Resilient Enterprise (MIT, 2005).
“For instance,” he explained, “if a risk is highly likely, some degree of redundancy may be appropriate, whereas, if it’s not very likely, perhaps building flexibility into the process and context will more effectively support resilience than simple redundancy would.”

Participants reflected their own thinking on these dimensions of resilience, noting that consumer expectations are a critical driver, internal decision-making and communications discipline are key, and culture is ultimately a vital pivot-point. Said David Christman of Time Warner Cable, “We are, and have to be, more alert to the possibility of the unexpected — especially with the prevalence of social media and consumer response. For instance, about a year and a half ago word leaked that we were going to do a trial where we’d charge customers based on their usage of high-speed data. There was an unbelievable spiral that went from the blogosphere lunatic fringe complaining about it, all the way up to Chuck Schumer announcing that he’d introduce legislation.”

“We solved that problem,” he continued, “through a new consumption-based billing package supported by everybody from the Electronic Freedom Foundation to the FCC, with zero controversy. But the fundamental experience of the story getting out and going completely out of control — we can’t plan for every one of those things. The world’s more unpredictable in terms of the response to what you’re doing.”

Krane of Nike responded, “Our biggest learning from the Japan earthquake is that as long as you identify and enlist the right decision-makers, things just happen. You’re always prepared for the last crisis. What happens the next time there’s a nuclear disaster on an island nation isn’t really likely the next thing. So the next best thing you can do is say, ‘How’s the flow in the process? How good are the communication and collaboration and clarity around decision-making?’”

Time Warner Cable’s Boncimino reinforced this form of clarity in service to resilience, whatever the crisis. “I know my role in the plan,” he said. “For instance, I’m not going to be talking to press or government agencies. I know who to refer them to. It’s my job to make sure that in a time of crisis I know my role, and I know what other people’s roles are. We give the right accountability to the right people. That’s very important.”

Carson of Sysco said, “I love this question. What is resiliency? For me, it’s the organization at the highest level. It’s not just enterprise risk management. It’s the organization. And that means you have to be hitting on all cylinders. You have to be a company that makes a deliberate effort to see things coming, with a clear plan for response.”

“We have emergency management plans,” she continued. “Those plans got to be so long, with so many of them, that we shifted to what is called the ‘all-hazards’ approach, where 80 percent of your plans are the same. You’ve got a core plan that handles 80 percent of your response to an emergency, and then you’ve got these appendix or hazard-specific kinds of things that you just add when it’s a certain thing — for example, what makes a tornado different than a roof collapse different than a reputational risk.”

Carson also offered the intriguing possibility that, if an enterprise is prepared and resilient, even a black swan can be turned into a golden goose. “As we’ve evolved on the risk front,” she said, “we’ve made money in time of emergency, if we were prepared. So it wasn’t simply the right thing to do. That’s when we realized there’s real value here. Years after we had a big incident we were able to show that it really changed our profitability through times of emergency. Resilience in the face of risk isn’t easily captured in one area. It’s comprehensive, integrated, and ultimately cultural.”
Participant List: Managing Enterprise Risk, 24 May 2012

Frank Boncimino
Senior VP and CIO, Time Warner Cable

Hans Brechbühl
Executive Director, Center for Digital Strategies, Tuck School of Business, Dartmouth College

Sandra G. Carson
VP, Enterprise Risk Management and Compliance, Sysco Corporation

David Christman
Senior VP and Deputy General Counsel, Time Warner Cable

Eric W. Cowperthwaite
System Director and CISO, Providence Health & Services

Twila Day
Senior VP and CIO, Sysco Corporation

M. Eric Johnson
Benjamin Ames Kimball Professor of the Science of Administration; Director, Center for Digital Strategies, Tuck School of Business, Dartmouth College

Hilary Krane
VP, General Counsel & Corporate Affairs, Nike, Inc.

Mark Lange (moderator)
IT and Enterprise Venture Advisor

Christian Nolke
Senior Manager, Information Risk Management, Nike, Inc.

Charles R. (Dickie) Oliver
VP, Global IT, YUM! Brands, Inc.

Roland Paanakker
CIO and VP, Lean Business Solutions, Nike, Inc.

Carlos Pappier
CIO, Tenaris