UIUC FIN 321 - Risk's Rewards

This preview shows page 1-2 out of 7 pages.


Nov. 1, 2004 Issue of CIO Magazine

ENTERPRISE RISK MANAGEMENT

Risk's Rewards

Are you on board with enterprise risk management? You had better be. It's the future of how businesses will be run.

BY SCOTT BERINATO

What would you do if, two months after your company went public, one of the two major markets you sell products to simply vanished? If, in the span of seven days, $350 million in sales just disappeared? Would you throw your hands up and say, No one could have foreseen the events of 9/11, and then just stand by as the company tore off a half-dozen bad quarters? Would you just absorb the discomfiting cuts to your budget and your staff, and eschew any strategic plans you had set up to help the business grow, because, well, no one could have been prepared for such a catastrophe?

Or, would you be like Rockwell Collins, the supplier of military and commercial aircraft parts, which suffered the precise fate described above and yet had a contingency plan in place within 10 days? Despite the fact that Rockwell's commercial market—20 percent of its business—vanished after 9/11, IT still contributed to the business's growth.

No doubt you want your company to be like Rockwell Collins. So you ask, How did they pull it off?

"Either we're the luckiest company in the world," posits Art Gemmer, the company's principal risk analyst, "or our enterprise risk management mind-set gives us insights that make us do better."

Gemmer clearly believes not in luck, but in the power of enterprise risk management (ERM)—broadly characterized as a system of managing risk across an entire company. Gemmer says ERM helps companies prepare for events on the scale of a 9/11. More important, he says, it improves the way a company handles the more predictable risks that businesses face every day. ERM allows a company to avoid bad investments, and, conversely, make investments that might intuitively seem too risky. You're already trying to improve your IT decision making through better governance.
ERM makes governance better. The few companies that have adopted risk management methodologies report fewer failed ventures and less damage from adverse events.

For Rockwell Collins, ERM's value has been proven time and again. Several years ago, a project manager named John-Paul Besong implemented a bet-the-company SAP system using ERM principles. "Every decision became a risk decision," he says. The project went so smoothly that Besong was named Rockwell Collins's CIO shortly thereafter.

There is no more persuasive metric at Rockwell Collins to demonstrate the effectiveness of ERM than this: The company has turned a profit every single quarter after 9/11. And in January 2004, Forbes called Rockwell Collins the best-managed aerospace firm in America.

Make no mistake, ERM is hard. It changes how everyone does their jobs. It took Rockwell Collins the better part of a decade to become an organization governed by risk. And while it shouldn't take you that long, because much of the trail has been blazed for you, it won't be a six-month job either.

Every risk expert we spoke with anticipated that you, the CIO, will resist ERM. "For some reason, it's like [CIOs] are snorting novocaine or something. They think they can avoid ERM," says Adrian Bowles, a risk expert with The Robert Frances Group. Bowles urges you not to be dissuaded. "The risks are coming to find you. Your job is at risk. The only defense is to be part of the effort to manage them."

TEAM AGAINST RISK: Enterprise risk management helps John-Paul Besong (left), CIO with aerospace supplier Rockwell Collins, and Art Gemmer, principal risk analyst, make better technology decisions.

This mind-set is emerging not because risk management is a trendy buzzword being volleyed around boardrooms—though lately it is—but because balancing risk is becoming the only effective way to manage a corporation in a complex world. "We're able to react [to that complex environment] because of our risk mind-set," says Besong.
"With what happened to us, our agility was called to task. And we had the risk methodology in place to handle it."

So, what is ERM? A good rule of thumb in IT is that the number of definitions for a concept rises proportionately to the concept's buzz. ERM, for which we collected no fewer than a dozen definitions, is no exception. We'll use James Lam's definition. Lam is an author and consultant who says he was the first chief risk officer at any company, a position that he pioneered at GE Capital. ERM, he says, is "the integrated management of business risk, financial risk, operational risk and risk transfer to maximize a firm's shareholder value." That is, making a company more profitable by creating a single view of all risks, internal and external, and an executive-level management strategy to deal with those risks. (For an example, see "Three Steps to Risk Assessment,")

Some principles underlying Lam's (or anyone's) definition of ERM include:

1. An integrated view of risk. IT, HR, finance and every other "silo" uses standardized language, metrics and tools. Many finance departments already have processes for managing risk, so it's possible that such standards will come from there. Meanwhile, Bill Sharon, CIO of advertising agency McCann Worldgroup, has borrowed heavily from a risk system developed by Nobel Prize-winning psychologists, as described in the book Against the Gods: The Remarkable Story of Risk, by Peter Bernstein.

2. A pan-corporate view of risk. ERM is not collecting each silo's risks to its own silo. It's collecting each silo's risks to each other and the company. When Sherry Higgins took a position at the FBI to lead its IT modernization effort, called Trilogy, one of her first acts was to install an enterprise risk framework. Almost immediately, she realized her first deadline was only four months out and unrealistic. "The risk to the project was obvious," Higgins says. "But I was looking at the risks to the FBI.
What does that mean for intelligence analysts not getting these systems on time? When you go to [Congress] and deliver this news, what does that mean to funding for the FBI as a whole? The goal of ERM is to get at these risks that span stovepipes or fall between them."

3. A bottom-line view of risk. Risks always get expressed in terms of their potential impact on the business as a whole, not in terms of their impact on any given silo. When Higgins decided she needed to hire professional project

