
Enterprise Risk Management

Managing risk is a complex and nuanced business discipline. Every strategic decision within an enterprise carries with it both risk and opportunity.

And because IBM’s business could affect our many stakeholders—our shareholders, clients, business partners and employees—it is critical that the company takes a strategic and disciplined approach to Enterprise Risk Management (ERM). This includes the consideration of risk in strategy formulation, anticipating risks associated with the execution of chosen strategies and managing risk in the operations of the enterprise. We believe that effective risk management is critical to helping protect and enhance the value of the company.

For example, the company has benefited from its investments over the past several years in growth markets. The focus now is on geographic expansion of IBM’s presence, and on creating markets and new business models to take advantage of the opportunities, while managing the risks. As we pursue our entry into specific markets, we inform our strategies with analysis of the attendant risks and strive to manage them in ways that are consistent with our economic, environmental and social responsibilities.

Another key element of the company’s strategy has been focused on becoming the premier globally integrated enterprise. In the early part of the decade, the company drove implementation of a consistent set of processes and standards worldwide to reduce inefficiencies and improve collaboration. With its processes integrated, the company then implemented a new operating model with work shared in global resource centers of excellence located where it made the most business sense.

The company is now embarking on the next generation of its transformation in which new capabilities and technologies such as business analytics and cloud computing will be rolled out to help drive performance. The proven principles of the globally integrated enterprise will be applied to all of the company’s spending to continue to drive additional productivity benefits in shared services, integrated operations and end-to-end process transformation.

In conjunction with our internal business transformation and global integration initiatives intended to improve quality and productivity and enable rapid scaling, we implement comprehensive risk mitigation strategies.

One of the most effective ways to manage risks in a global enterprise is to integrate a culture of risk identification, analysis and mitigation throughout the company. We began by infusing that culture into the business units, which are one of the most important dimensions because that is where risk is taken for commercial gain, and subsequently focused on the geographic units and on the enterprise processes.

In 2011, senior management continued to be engaged in a collaborative approach to identifying, evaluating and managing enterprise-level risk. This included communication with the Audit Committee of the Board of Directors because an overall review of risk is inherent in the Board’s consideration of IBM’s long-term strategies and in transactions and other matters. In addition, our senior vice presidents, consistent with their accountability for managing risk to acceptable levels, have led the work for various identified risks. A key aspect of their leadership is the governance model and management system they put in place to foster collaboration and transparency in managing risk. This enterprise purview enables risk mitigating actions taken in one part of the business to be standardized and applied globally, across business units. And risk management is integral to our executive compensation, which is designed to motivate our leaders to deliver a high degree of business performance without encouraging excessive risk-taking.

Throughout the company, the approach we take to identifying and managing risk is based on the ISO 31000 risk management standard. We consider and assess potential financial, operational, regulatory and other risks to our business. Setting the context is especially important: there are risks we encounter because of where we do business, how we do business and the nature of our offerings. It is particularly challenging to identify risks that have not been previously identified, and we continue to enhance our risk identification process. In 2011, for example, we reviewed several sources to assist with identifying risks, including our peers’ Form 10-K filings and industry surveys. We worked with leading consultants. And we conducted a rigorous self-examination that included several rounds of reviews with approximately 100 key executives. This effort resulted in some key changes to the set of enterprise-level risks that will receive senior executive focus in 2012. Benchmarking activity has shown that IBM’s ERM program goes beyond the key standard elements to emphasize collaboration and the management of interdependencies between risks.

Because the very nature of our business—information technology—changes so rapidly, we continually challenge ourselves to identify risks that we haven’t encountered before, or to escalate the importance of existing risks when circumstances change. For example, the company’s approach to cybersecurity demonstrates its ability to adapt to a changing environment, as well as the depth and breadth of its global capabilities. IBM has implemented a multifaceted approach involving people, tools and process to identify and address cybersecurity risks. The company has established policies and procedures that provide the foundation by which IBM’s infrastructure and data are managed, and which help protect both IBM and client data.

We continue to drive a culture of risk management into all parts of the enterprise, in an effort to encourage our business and regional organizations, as well as process experts, to define and manage risk at increasingly granular levels.