Enterprise risk management

At IBM, we believe that innovation and leadership are impossible to achieve and maintain without taking risks. Since almost all business decisions contain elements of both risk and opportunity, they must be managed prudently.

IBM’s business decisions affect our key stakeholders — shareholders, clients, business partners and employees — and thus by extension affect society and the communities where we do business. Senior management is responsible for assessing and managing the company’s various exposures to risk on a day-to-day basis, including the creation of appropriate risk-management programs and policies. IBM has developed a consistent, systemic and integrated approach to risk management to help determine how best to identify, manage and mitigate significant risks throughout the company. In 2014, we continued to enhance our approach with scenario planning, increased education and awareness training and analytics.

The IBM Risk Management Framework aligns to industry standards and good practices, focusing on leadership, programs and practices, enablement, and effectiveness supported by a strong risk-aware culture.

[Figure: IBM Risk Management Framework]

Leadership

Senior management continued its collaborative process of identifying, evaluating and managing enterprise-level risks in 2014. This includes periodic reviews and interaction with the board of directors and the audit committee, which oversee the company’s enterprise risk management framework, program and associated processes. A key aspect of senior management leadership in risk management is to identify and deploy a governance model and management system that fosters collaboration and transparency in managing risk across the entire enterprise. This enterprise purview enables risk-mitigating actions that are taken in one part of the business to be standardized and applied across units globally. Risk management is also an element of executive compensation plans, designed to motivate our leaders to deliver superior business performance without encouraging excessive risk-taking.

Programs and practices

Throughout the company, the approach to identifying and managing risk is based on the ISO 31000 Enterprise Risk Management (ERM) standard. In deploying this standard, IBM considers and assesses potential financial, operational, regulatory and other risks to our business, which could be driven by various factors, such as where we do business, how we do business and the nature of our offerings.

We held in-depth discussions with leading consultants on emerging risks and conducted a robust internal study that included polling, surveys and interviews of approximately 130 top executives. As a result, we updated our enterprise-level risk map and refined senior management focus for 2015.

In 2014, IBM introduced a structured assessment approach for risk scenario planning. The changing business context, including global expansion, integration and associated interdependencies, has increased the risk landscape. In response to these dynamics, we are using this practice to evaluate the implications of a range of plausible future conditions so that we can be better prepared to adapt IBM to meet society’s changing needs.

Enablement

IBM is also focused on applying technology, tools and analytics to support risk management. This past year we built upon the success of the award-winning Country Financial Risk Scorecard, which leverages big-data automation to monitor trends and help develop intelligent and actionable insights. We introduced focus-country risk summaries to provide just-in-time, robust, end-to-end views of situations of emerging risk. These summaries combine financial insights with actions taken by crisis management, business continuity, supply chain and finance to help reduce the likelihood of, or impact on, IBM’s clients and operations. Together, these leverage IBM’s analytics solutions, such as Cognos and SPSS, to integrate more than 120 internal and external inputs, which can provide an integrated view of country and regional risk on a near-real-time basis for more than 160 countries. Analytics is the next big frontier for risk management; coupled with the abundance of data, it provides the ability to infuse insight into risk management. Additional internal capabilities have been developed to assist in managing other areas of risk using IBM’s advanced risk solutions, such as OpenPages® for IT risk and Algorithmics® for treasury risk.

Effectiveness

A risk management framework is most effective when it provides transparency, facilitates communication and monitoring of risks, and demonstrates success in mitigating enterprise-level risks. This level of effectiveness should ultimately lead to improved business performance and help the company protect its reputation while delivering on its social responsibilities. To measure the effectiveness of the risk management program and provide a guidepost to prioritization of activities, IBM raised the bar on its evaluation of its ERM practices and focused on more senior-level enterprise risk, business unit and country representation in 2014. Additionally, we continued our benchmarking with other leading organizations.

Culture

The success of the framework is predicated on a strong culture of risk awareness, identification, analysis and mitigation. In support of this, IBM continued to expand its risk education and training, segmenting our population and providing customized resources for targeted audiences. For example, following the risk workshops with teams in Africa, Asia and the Middle East, we held sessions in 2014 with teams in Latin America and Europe and extended our employee risk certification process. We are also leveraging IBM’s social capabilities as a means to ingrain risk management and risk consideration practices deeper into the fabric of the organization and build institutional knowledge, strengthening the risk culture.

External community engagement

IBM has engaged with academia, external risk-management thought leaders and community organizations to help advance the risk management acumen of current and future business leaders. For example, we worked with a US university to enhance curricula in risk analytics in order to help students develop advanced skills in the use of technology to solve complex business and financial risk problems. In another example, IBM collaborated with the Resilience Action Initiative to develop a framework to apply a resilience lens for enterprise risk management.

10,000: the approximate number of IBMers who collaborate in an internal social community, engaging on key risk stories, news and practices and identifying and connecting risk-management experts