

Managing risk, maintaining trust

IBMers recognize that offering and delivering smarter planet solutions is no ordinary business. These solutions are becoming part of our social infrastructure. They are supporting our businesses, our schools, our hospitals and our highways. They are helping to manage our food, water and energy supplies. And they are aiding our law enforcement agencies.


Any company that provides these solutions should have high standards of conduct, integrity, transparency and risk management. Working as we do within a global and complex ecosystem of clients, business partners and suppliers, IBM is dedicated to high achievement and constant improvement in these areas. Our business depends on it.

In 2009 we focused on strengthening our practices around Enterprise Risk Management (ERM), embedding a strong culture of risk awareness throughout the company. And we extended IBM’s core value of trust and responsibility to thousands of business partners.


Enterprise Risk Management

We understand that taking risk is a normal part of business and that the market rewards those who manage risks well. IBM thus takes a strategic and disciplined approach to ERM throughout the company; risk consideration is explicit, as are decisions regarding which risks to take, how to manage them to acceptable levels, and how to avoid taking uncompensated risk. We do this not only because it’s good business, but also because our clients, employees, shareholders, business partners and other stakeholders depend on us to make strategic and operational decisions that will keep the business strong.

Our approach is set in the context of our business strategy and operational model. It looks across the enterprise in an effort to find ways to take advantage of the scale and scope of IBM’s globally integrated enterprise to improve performance through enhanced identification and management of enterprise risks. And it uses a well-defined and rigorous methodology for identifying and understanding the causes of risk, and measuring and monitoring the results of action taken to mitigate that risk.

In 2009, we set out specific goals for the ERM function in the company:

  • Integrate enterprise risks with business unit strategy and execution
  • Increase the rigor of risk management
  • Institutionalize ERM knowledge

We have made measurable progress in each of these areas. But perhaps the most important accomplishment of 2009 was the embedding of our risk management approach into the individual business units. The logic behind this is simple: Risk is taken by the business units in pursuit of economic gain, and explicit consideration of risk will lead to better decisions. Throughout the year we saw strong adoption of risk management processes by the business units. The business units have been focused on improving the identification and analysis of risk, devising risk management strategies to monitor the effectiveness of actions taken, and making it part of their strategy and execution planning. And of course risk management is a factor in executive compensation.

Throughout 2010 we will continue to drive risk management deeper into all areas of the business, and work closely with strategy executives to make ERM part of the fabric of the company, addressing changes to the external environment and business operations.


The Corporate Trust and Compliance website was launched in February 2009, to serve as a resource to help IBMers cultivate a culture of trust and personal responsibility. From May 1 through December 31 the site saw nearly 30,000 visitors.


Privacy and Data Security

IBM believes that the benefits we hope to realize from a smarter planet depend on strong security and privacy for our clients, our employees and society at large. Our dedication to high performance and leadership in this area is deep and broad, starting at the core of our business: our internal operations, and the solutions and services we provide to our clients.

We draw extensively upon IBM’s full range of capabilities to protect our extensive, and global, physical and digital infrastructures. For example, IBM X-Force®, a market-leading team of security experts, continuously analyzes external threats and provides up-to-date information to the company’s Chief Information Security Office (CISO). The CISO is responsible for interpreting this information, evaluating the potential impact, and determining the appropriate response across IBM’s network of 120,000 servers and 500,000 endpoints.

We maintain comprehensive online security and privacy resources for all IBMers, including a global privacy risk program for process leaders that is supported by on demand self-assessment tools and databases. And since 2008, we have emphasized personal responsibility for data protection among all IBMers more than ever before, because of our belief that in a world in which data is widely distributed, the security measures that protect that data must also be distributed.

IBM’s Data Protection Awareness Week is a company-wide annual effort to raise awareness, educate, and equip IBMers to handle information responsibly; it supplements the tailored training provided to employees via their business units. It consists of a five-day program that includes executive messages, online tutorials and games, posters, and on-site events and training. In 2009 we also created a dedicated course on the responsible use of social media, which the company made available for free public use.

A Data Privacy and Security Steering Committee maintains an enterprise-wide view of data security and privacy risks, overseeing as part of its charter key actions and indicators of progress, and facilitating interlock with other key components of IBM’s closed-loop management and governance.

A Security Executive Board, supported by a Security Architecture Board comprised of some of the company’s leading technical experts, coordinates IBM’s work to develop, manufacture and bring to market security-enabling technologies and solutions.

The success of these collective measures is reflected in our consistently high ranking in the Ponemon Institute’s annual Most Trusted Companies for Privacy Study. In February 2010, for the third consecutive year, IBM was ranked first in the IT industry and second overall in the study, and was the only business-to-business company in the top 20. As well, IBM was recognized in March 2010 as “Best Security Company” by SC Magazine, a security trade publication that annually conducts one of the industry’s leading awards programs*.

Trusted Company Ranking

Most Trusted Companies for Privacy Study February, 2010 by Ponemon Institute (based on a survey of more than 6,500 U.S. consumers).

1 American Express
2 IBM
3 Johnson & Johnson
4 Hewlett-Packard
5 eBay
6 U.S. Postal Service
7 Procter & Gamble
8 Amazon
8 Nationwide
10 WebMD
11 Intuit
12 Apple
12 Disney
13 Google
14 Verizon
15 U.S. Bank
15 Charles Schwab
16 Weight Watchers
17 Yahoo!
18 FedEx
19 Walmart
20 AT&T
20 Dell

Business Partner Charter

IBM does business with nearly 100,000 business partners. Those partners are a critical component of the company’s business ecosystem, interacting directly with thousands of clients and accounting for as much as 30 percent of IBM’s revenue. Our shared values serve as the guidelines for our work together.

In 2009 IBM updated its Business Partner Charter, the principles by which all interactions between IBM and its partners are managed. The updating was meant to reflect business realities of the 21st century, and reinforce IBM’s commitment to the success of its business partners.

The Business Partner Charter’s six guiding principles are:

  1. IBM Business Partners are vital to IBM’s business.
  2. Our relationship is a collaboration of equals.
  3. We invest in IBM Business Partners’ success.
  4. We strive to provide the industry’s best Business Partner experience, in all respects.
  5. We work with our Business Partners to seize the opportunities presented by a smarter planet.
  6. We ground our relationships in the core values of IBMers.

The following are the key aspects of the updated charter:

  • Mirrors today’s business environment, with an emphasis on the importance of the mid-market opportunity, delivery of solutions, and industry expertise.
  • Acknowledges Business Partners’ key role in IBM’s success; makes it clear that mutual collaboration toward delivering superior client value will help IBM and its partners win in today’s challenging economy.
  • Dedication to building a smarter planet with Business Partners to jointly drive innovation, collaboration, and smarter solutions.
  • Extension of IBM corporate values to relationships with Business Partners.

The Charter closes with a statement of IBM’s three core values:

* Dedication to every client's success
* Innovation that matters, for our company and for the world
* Trust and personal responsibility in all relationships

“There are clear benefits to both business and society when companies have a strong social purpose at the heart of strategy and operations. Values and principles, which include respect for people and concern for the environment, contribute to numerous business capabilities: sensing opportunities and innovating; enhancing customer success and value for end users; making effective acquisitions and integrating them successfully with consideration for culture; attracting and motivating top talent; working collaboratively to react or change quickly; and tapping the potential of an extended family of business partners for new ideas or market reach. As IBM demonstrates, the centrality of purpose and values constitutes a new paradigm for business that can stand beside financial performance and even enhance it.”

Rosabeth Moss Kanter, Ernest L. Arbuckle Professor of Business Administration, Harvard Business School; Author of SuperCorp: How Vanguard Companies Create Innovation, Profits, Growth, and Social Good, Cambridge, Massachusetts

Governance of Corporate Responsibility


IBM Senior Management is ultimately responsible for our economic, environmental and social performance, as well as compliance with the law and our various codes of conduct. The IBM Board and its Committees oversee these efforts and review performance and compliance periodically.

Corporate citizenship at IBM is integrated across the business through the following two forums:

Corporate Citizenship Steering Committee: Our Corporate Citizenship Steering Committee is comprised of senior executives from functional areas across the business and chaired by the vice president for Corporate Citizenship. The Committee meets periodically to provide leadership and direction on key citizenship issues. Each functional area is responsible for the development of its own corporate citizenship goals and strategy, with organization-wide goals approved by the Steering Committee.

Corporate Citizenship Working Group: Our Corporate Citizenship Working Group consists of representatives from 11 functional areas (including global representation) and meets at least monthly to manage IBM’s corporate citizenship activities, reporting and stakeholder engagement across the company. The Working Group reviews key policy and strategic decisions with the Steering Committee throughout the year.

On a day-to-day basis our activities are managed in an organization called Corporate Citizenship & Corporate Affairs, which reports to the senior vice president for Marketing and Communications.

Stakeholder Engagement: At IBM, we view stakeholder engagement as much more than communications and consultation. For us, it is about partnership and collaboration—working shoulder to shoulder with communities, governments and the social sector. Here are a couple of examples:

  • Jams, our large-scale electronic conversations, garner stakeholder input and engagement on a scale previously not possible in real time—accelerating the development of new business and societal solutions to problems such as water quality or healthcare.
  • We use a variety of social media to help us more deeply engage with our extended IBM workforce and community. This includes our retirees through the IBM On Demand Community, our online system of community engagement, and a range of in-depth social partnerships as we beta test technology breakthroughs with community organizations, teachers, students and parents worldwide.

We also actively seek out organizations that are taking similarly innovative, global, open and collaborative approaches to corporate citizenship and sustainability. Our memberships include:

  • AmCham-China CSR Committee
  • Boston College Center for Corporate Citizenship (IBM is a Board Member)
  • Business for Social Responsibility
  • China Corporate Citizenship Committee
  • Chinese Federation for Corporate Social Responsibility
  • Confederation of Indian Industry National Committee on CSR
  • CSR Europe (IBM is a Board Member)
  • Electronic Industry Citizenship Coalition (IBM is the Chair)
  • European Academy of Business in Society (IBM is a Board Member)
  • Global Leadership Network (IBM is an initiator and founding member)
  • World Business Council for Sustainable Development