Enterprise Risk Management
At IBM, we believe that innovation and leadership are impossible to achieve and maintain without taking risks. Since almost all business decisions contain elements of both risk and opportunity, they must be managed prudently.
IBM’s business decisions affect our key stakeholders (shareholders, clients, business partners and employees) and thus by extension affect society and the communities where we do business. Senior management is responsible for assessing and managing the company’s various exposures to risk on a day-to-day basis, including the creation of appropriate risk-management programs and policies. IBM has developed a consistent, systemic and integrated approach to risk management to help determine how best to identify, manage and mitigate significant risks throughout the company. This approach continues to be refined, and various enhancements were introduced to the framework in 2012.
Senior management continued its collaborative process of identifying, evaluating and managing enterprise-level risks in 2012. This included periodic reviews and interaction with the Audit Committee and Board, which oversees the company’s enterprise risk management framework, program and associated processes. A key aspect of senior management leadership in risk management is to identify and deploy a governance model and management system that fosters collaboration and transparency in managing risk across the entire enterprise. This enterprise purview enables risk-mitigating actions that are taken in one part of the business to be standardized and applied globally, across other units. Risk management is also an element of executive compensation plans, designed to motivate our leaders to deliver superior business performance without encouraging excessive risk-taking.
Programs and practices
Throughout the company, the approach to identify and manage risk is based on the ISO 31000 Enterprise Risk Management (ERM) standard. In deploying this standard, IBM considers and assesses potential financial, operational, regulatory and other risks to our business, which could be driven by various factors such as where we do business, how we do business and the nature of our offerings.
IBM continued to enhance its risk identification process in 2012 by reviewing risk information sources, including our peers’ 10-K filings with the Securities and Exchange Commission and external industry surveys. We also conducted in-depth discussions with leading consultants on emerging risks and conducted a robust internal study that included extensive interviews with key executives. As a result, we updated our enterprise-level risk map and increased senior management focus in early 2013. Benchmarks have shown that IBM’s risk management practices exceed typical standards, including more emphasis on collaboration and consideration of risk interdependencies.
One of the most effective ways to manage risk in a global enterprise is to consistently promote a culture of risk awareness, identification, analysis and mitigation. IBM continued to expand its risk education and training in 2012; for example, we held risk workshops with teams in Africa designed to improve local practices. IBM is also focused on applying technology, tools and analytics to support risk management. One example is the Country Financial Risk Scorecard, which combines big-data automation to monitor trends and develop intelligent and actionable insights. By leveraging IBM’s analytics solutions, such as Cognos and SPSS, we were able to integrate over 100 internal and external inputs to produce an integrated view of country-level risk on a near-real-time basis for over 160 countries. IBM was recognized by CIO Magazine with an award for the Country Financial Risk Scorecard’s innovation and leadership. Additional internal capabilities have been developed to assist in managing other areas of risk using IBM’s advanced risk solutions, such as OpenPages for IT risk and Algorithmics for treasury risk.
A risk management framework is most effective when it provides transparency, facilitates communication and monitoring of risks, and demonstrates success in mitigating enterprise-level risks. This level of effectiveness should ultimately lead to improved business performance and help the company protect its reputation while delivering on its social responsibilities. To measure the effectiveness of risk mitigation actions, IBM continued to enhance the way it defines and communicates its key risk indicator metrics across the risk lifecycle in 2012, including leading indicators, and action, effectiveness and outcome metrics.
External community engagement
IBM has engaged with academia, external risk-management thought leaders and community organizations to advance the risk management acumen of current and future business leaders. For example, we worked with a US university to enhance curricula in risk analytics, in order to help students develop advanced skills in the use of technology to solve complex business and financial risk problems. In another example, IBM hosted a program for CFOs of nonprofit organizations, coaching them and demonstrating how to leverage commercial risk management practices to address their community challenges.