At IBM we are committed to building a better world through innovation and transformative leadership. While this approach offers significant opportunity, it is impossible to achieve and maintain without taking risks. We have a responsibility to manage these risks since our actions affect our key stakeholders — shareholders, clients, business partners and employees — and the communities where we do business.

IBM has developed a consistent, systemic and integrated approach to risk management to help determine how best to identify, manage and mitigate significant risks throughout the company.

The IBM Risk Management Framework aligns to industry standards and good practices, focusing on leadership, programs and practices, enablement and effectiveness supported by a strong risk-aware culture.

IBM Risk Management Framework

In 2016, we continued to enhance our approach with a greater focus on the cognitive era and our strategic imperatives, collaboration across lines of defense, identification of emerging risks, broadening risk awareness and increasing our use of analytics, including IBM’s cognitive technologies.

Leadership and governance

Senior management is responsible for assessing and managing IBM’s various exposures to risk on a day-to-day basis, including the creation of appropriate risk-management programs and policies. This leadership team continued its collaborative process of identifying, evaluating and managing enterprise-level risks in 2016. This includes periodic reviews and interaction with the audit committee of the Board of Directors, which oversees the company’s enterprise risk management framework, program and associated processes. Risk is also an element of the executive compensation program, designed to motivate our leaders to deliver a high degree of business performance without encouraging excessive risk-taking.

A key aspect of senior management leadership in risk management is to identify and deploy a governance model and management system that fosters collaboration and transparency in managing risk across the entire enterprise. Our Enterprise Risk Management (ERM) Executive Council, comprised of 16 senior managers representing different units, functions and geographies, meets regularly to help improve the management of enterprise risks. In 2016, we refreshed the ERM Council with six members rotating off and six new members replacing them. Participants share risk-mitigating actions that are taken in one part of the business so that these best practices may be standardized and applied across units globally.

Addressing emerging risks

Throughout the company, the approach to identifying and managing risk is based on the ISO 31000 Enterprise Risk Management (ERM) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM guidance. In adapting these, IBM considers and assesses potential strategic, financial, operational, regulatory and other risks to our business, which could be driven by various factors, such as where we do business, how we do business and the nature of our offerings.


The approximate number of IBMers who collaborate in an internal social community, engaging on key risk stories, news and practices; identifying and connecting risk-management experts; and participating in risk education.

Over the course of the year we held in-depth discussions with leading consultants on emerging risks and conducted a robust internal study that included polling, surveys and interviews of approximately 150 top executives, and in 2016 began to collect insights from our millennial corps socially. As a result, we updated our enterprise-level risk map and refined senior management focus for 2017.


In 2016, we enhanced our identification and management of emerging risks, increasing the focus on the new cognitive era and related strategic imperatives. We also established an approach for scenario planning to enable better identification of emerging risks, and trained leaders around the world to utilize the method.

Enablement through analytics and cognitive

IBM is focused on applying technology, tools and analytics to support risk management. This past year we continued to build upon the success of the award-winning Country Financial Risk Scorecard, which leverages big-data automation to monitor trends and help develop intelligent and actionable insights. We also continued our focus-country risk summaries that provide just-in-time, robust, end-to-end views of situations of emerging risk. Analytics is the next big frontier for risk management which, when coupled with the abundance of data, provides the ability to infuse insight into risk management. In 2016, we co-developed and piloted with IBM Research a cognitive-based tool to automate the identification of emerging storylines and risks and project possible future scenarios and implications. The tool enhances our global leaders’ risk awareness and ability to improve local resiliency to risks.

Benchmarking effectiveness

A risk management framework is most effective when it provides transparency, facilitates communication and monitoring of risks, and demonstrates success in mitigating enterprise-level risks. This level of effectiveness should ultimately lead to improved business performance and help the company protect its reputation while delivering on its social responsibilities. To measure the effectiveness of the risk management program and provide a guidepost to prioritization of activities, IBM continuously evaluates its ERM practices. In 2016, we expanded coverage to emerging strategic imperatives to better reflect the future, and we aligned the evaluation content to industry standards.

Also in 2016, we collaborated with Internal Audit and Business Controls to enhance IBM’s approach to identifying and addressing key risks within business processes, in order to improve support for risk-based controls and assurance. Lastly, we continued our benchmarking with other leading organizations to provide insights into good practice and emerging risks.

Expanding risk education

The success of the framework is predicated on a strong culture of risk awareness, identification, analysis and mitigation. In support of this, IBM continued to expand its risk education and training. In 2016, we began deploying education modules in agile video formats and continued to provide awareness and transparency through global video blogs and “day in the life of a risk manager” case study videos. Thousands of IBMers from around the world view risk awareness material monthly.

Advancement through community engagement

IBM continues to engage with academia, external risk-management thought leaders, and community organizations to help advance the risk management acumen of current and future business leaders. For example, in 2016 we participated on five ERM councils, including advisory board membership for two university ERM programs.
