Enterprise risk management

Striking the right balance between opportunity and risk is the backdrop against which IBM approaches every business decision. We believe that innovation and leadership are impossible to achieve and maintain without taking risks, but we have a responsibility to manage these risks wisely. Our key stakeholders — shareholders, clients, business partners and employees — and the communities where we do business are affected by our decisions.

IBM has developed a consistent, systemic and integrated approach to risk management to help determine how best to identify, manage and mitigate significant risks throughout the company.

The IBM Risk Management Framework aligns to industry standards and good practices, focusing on leadership, programs and practices, enablement, and effectiveness supported by a strong risk-aware culture.

In 2015, we continued to enhance our approach with a greater focus on collaboration, emerging risks, broadening risk awareness, and increasing use of analytics including IBM’s Watson cognitive system.

Leadership and collaboration

Senior management is responsible for assessing and managing IBM’s various exposures to risk on a day-to-day basis, including the creation of appropriate risk management programs and policies. This leadership team continued its collaborative process of identifying, evaluating and managing enterprise-level risks in 2015. This includes periodic reviews and interaction with the board of directors and the audit committee, which oversee the company’s enterprise risk management framework, program and associated processes. Risk management is also an element of executive compensation plans, designed to motivate our leaders to deliver superior business performance without encouraging excessive risk-taking.

A key aspect of senior management leadership in risk management is to identify and deploy a governance model and management system that fosters collaboration and transparency in managing risk across the entire enterprise. Our Enterprise Risk Management (ERM) Executive Council, comprised of 16 senior managers representing different units, functions and geographies, meets regularly to help improve the management of enterprise risks. Participants share risk-mitigating actions that are taken in one part of the business so that these best practices may be standardized and applied across units globally.

Programs and practices to address emerging risks

Throughout the company, the approach to identifying and managing risk is based on the ISO 31000 Enterprise Risk Management standard. In deploying this standard, IBM considers and assesses potential financial, operational, regulatory and other risks to our business, which could be driven by various factors such as where we do business, how we do business and the nature of our offerings.

Over the course of the year, we held in-depth discussions with leading consultants on emerging risks and conducted a robust internal study that included polling, surveys, and interviews of approximately 150 top executives. As a result, we updated our enterprise-level risk map and refined senior management focus for 2016.

In 2015, we enhanced our identification and management of emerging risks. The pace of change in the business context, including global expansion, integration and associated interdependencies, has increased rapidly, changing the nature of the risk landscape. In response to these dynamics, we have established processes to identify emerging risks ahead of time, triggering analysis to better understand the potential exposure and initiate work on mitigation actions more quickly. After an initial implementation of these capabilities on global financial risks, we expanded to select countries in Asia, Africa, Latin America and Europe.



the approximate number of IBMers who collaborate in an internal social community, engaging on key risk stories, news and practices; identifying and connecting risk management experts; and participating in risk education.

Enablement through analytics

IBM is focused on applying technology, tools and analytics to support risk management. This past year we built upon the success of the award-winning Country Financial Risk Scorecard, which leverages big data automation to monitor trends and help develop intelligent and actionable insights. We also continued our focus-country risk summaries that provide just-in-time, robust, end-to-end views of situations of emerging risk. Analytics is the next big frontier for risk management, which, when coupled with the abundance of data, provides the ability to infuse insight into risk management. In 2015, we expanded the analytics to assess the risks to our business partners within their respective countries and to assist our country leaders in maintaining responsible business controls. Additional internal capabilities have been developed to assist in managing other areas of risk using IBM’s advanced risk solutions such as IBM Watson technology for reputation risk and Algorithmics® for treasury risk.

Effectiveness with more senior-level involvement

A risk management framework is most effective when it provides transparency, facilitates communication and monitoring of risks, and demonstrates success in mitigating enterprise-level risks. This level of effectiveness should ultimately lead to improved business performance and help the company protect its reputation while delivering on its social responsibilities. To measure the effectiveness of the risk management program and provide a guidepost to prioritization of activities, IBM continuously evaluates its ERM practices and in 2015 focused on more senior-level management, including its ERM council representatives. Additionally, we continued our benchmarking with other leading organizations.

Culture of broad awareness

The success of the framework is predicated on a strong culture of risk awareness, identification, analysis and mitigation. In support of this, IBM continued to expand its risk education and training, segmenting our population and providing customized resources for targeted audiences. For example, following risk workshops with geographic teams in Africa, Asia, the Middle East, Latin America and Europe, we began holding sessions in 2015 with cross-geography business teams such as our sales hubs. We are also leveraging IBM’s social capabilities as a means to ingrain risk management and risk consideration practices deeper into the fabric of the organization. For example, in 2015 we commenced regular video blogging to raise the general level of risk awareness among all employees.

External community engagement

IBM has engaged with academia, external risk management thought leaders and community organizations to help advance the risk management acumen of current and future business leaders. For example, we expanded our work with U.S. universities, enhancing curricula in risk analytics in order to help students develop advanced skills in the use of technology and developing materials to educate the next generation of business leaders.