Enterprise Risk Management


At IBM, we believe that innovation and leadership are difficult to achieve and maintain without taking risks. Since almost all business decisions contain elements of both risk and opportunity, they must be managed prudently.

IBM’s business decisions affect our key stakeholders—shareholders, clients, business partners, and employees—and thus by extension can affect society and the communities where we do business. Senior management is responsible for assessing and managing the company’s various exposures to risk on a day-to-day basis, including the creation of appropriate risk-management programs and policies. IBM has developed a consistent, systemic, and integrated approach to risk management to help determine how best to identify, manage, and mitigate significant risks throughout the company. In 2013, we continued to enhance our approach, including broader communication, increased education, and social collaboration.

[Figure: Enterprise Risk Management chart]


Senior management continued its collaborative process of identifying, evaluating, and managing enterprise-level risks in 2013. This included periodic reviews and interaction with the Audit Committee and Board, which oversees the company’s enterprise risk management framework, program, and associated processes. A key aspect of senior management leadership in risk management is to identify and deploy a governance model and management system that fosters collaboration and transparency in managing risk across the entire enterprise. This enterprise purview enables risk-mitigating actions that are taken in one part of the business to be standardized and applied globally, across other units. Risk management is also an element of executive compensation plans, designed to motivate our leaders to deliver superior business performance without encouraging excessive risk-taking.

Programs and practices

Throughout the company, the approach to identify and manage risk is based on the ISO 31000 Enterprise Risk Management (ERM) standard. In deploying this standard, IBM considers and assesses potential financial, operational, regulatory, and other risks to our business, which could be driven by various factors such as where we do business, how we do business, and the nature of our offerings.

We conducted in-depth discussions with leading consultants on emerging risks and conducted a robust internal study that included a survey and extensive interviews with approximately 100 top executives. As a result, we updated our enterprise-level risk map and increased senior management focus in early 2014.

In 2013, IBM introduced a structured assessment approach designed to improve our preparedness to address “black swan” disruptions, thereby better protecting ourselves, our stockholders, and our clients. The past few years have seen an increase in the frequency and severity of extreme events—known as black swans—that can affect business. The changing business context, including global expansion, integration, and associated interdependencies, has increased the risk landscape from such events. In response to these dynamics, our structured assessment approach can help us reduce vulnerability and impact through thoughtful planning in the form of improved preparedness, resiliency, and flexibility.


One of the most effective ways to manage risk in a global enterprise is to transform into a culture of risk awareness, identification, analysis, and mitigation. IBM continued to expand its risk education and training in 2013. For example, following the risk workshops with teams in Africa in 2012, we held sessions in 2013 with teams in Asia and the Middle East designed to improve local risk practices. We are also leveraging IBM’s social capabilities as a means to help ingrain risk management and risk consideration practices deeper into the fabric of the organization and build institutional knowledge, strengthening the risk culture. IBM is also focused on applying technology, tools, and analytics to support risk management. One example is the Country Financial Risk Scorecard, which combines Big Data automation to monitor trends and help develop intelligent and actionable insights. By leveraging IBM’s analytics solutions, such as Cognos and SPSS, we were able to integrate more than 100 internal and external inputs to produce an integrated view of country-level risk on a near-real-time basis for over 160 countries.

“I think we are just scratching the surface. We consider analytics the next big frontier for risk management. If you can leverage analytics to identify risk and take actions ahead of your competition, you are essentially turning a hazard into an opportunity.” Luis Custodio, chief risk officer, IBM

Additional internal capabilities have been developed to assist in managing other areas of risk using IBM’s advanced risk solutions, such as OpenPages® for IT risk and Algorithmics for treasury risk.


A risk management framework is most effective when it provides transparency, facilitates communication and monitoring of risks, and demonstrates it can mitigate enterprise-level risks. This level of effectiveness should ultimately lead to improved business performance and help the company protect its reputation while delivering on its social responsibilities. To measure the effectiveness of the risk management program and provide a guidepost for prioritizing activities, in 2013 IBM expanded the evaluation of its ERM practices to include enterprise risk, including business unit and country representation.

External community engagement

IBM has engaged with academia, external risk-management thought leaders, and community organizations to help advance the risk management acumen of current and future business leaders. For example, we worked with a US university to enhance curricula in risk analytics, in order to help students develop advanced skills in the use of technology to solve complex business and financial risk problems. In another example, IBM hosted a program for CFOs of nonprofit organizations to coach and demonstrate how to leverage commercial risk management practices to address their community challenges.


the approximate number of IBMers who collaborate in an internal social community, engaging on key risk stories, news, and practices. The community also helps IBMers to identify and connect risk-management experts.