This article, authored by Neil Baker, notes that the recent economic downturn led to the failure of many risk management systems across companies. Organizations found that the traditional silo-based approach to risk management did not effectively identify emerging risks in a timely manner. However, Bristol-Myers Squibb and The Home Depot provide two examples of companies that were prepared as a result of simple but highly effective risk management systems that strike a balance between bureaucracy and personalization.

After external consultants informed Bristol-Myers Squibb that its traditional silo approach to risk management was ineffective, the company created the chief audit executive (CAE) position. It hired Sandra Cartie for the role, and she developed a straightforward outlook that can easily be replicated: “Keep your approach simple, make it personal, and avoid bureaucracy.”

Cartie’s simple approach to risk management involves just a few steps. First, she rationalized the company’s risk functions and created a heat map to display all the company’s key risks, along with their likelihood and impact. Each week the company’s management council, including the CEO, meets to discuss these risks and consider whether any of the risks have changed position on the heat map. The frequent dialogue allows Bristol-Myers to adjust plans as necessary to handle emerging risks before they become an operational surprise. In addition, the simple approach avoids the use of complicated risk management software, saving costs and complications.

The Home Depot uses a risk management method similar to that of Bristol-Myers. Kelly Barrett, vice president of internal audit and corporate compliance, states that risk identification “relies not on complex bureaucratic systems, but on personalization – people talking to each other.” The enterprise risk council at The Home Depot meets quarterly to discuss the top ten risks facing the company. Prior to 2007, The Home Depot had two functions, internal audit and compliance, which carried out their own risk assessments. In order to create more value and waste less time, the company combined the two functions with Barrett as the leader. As a result, two separate functions are no longer performing overlapping risk assessments, but instead are working as a team to improve the risk management process throughout the whole company.

Julian Birkinshaw, a professor at London Business School, recently researched the effects of the economic downturn on the risk management process. He also found that an effective risk management approach requires a balance between bureaucracy and personalization. The beauty of bureaucracy is that it can help create a well-functioning process; the issue is that bureaucracy often causes people to focus more on their individual role than the big picture. This often leads to individuals who do not remain accountable for their actions because they simply rely on the “system” to tell them what to do.

The economic downturn has revealed how complicated systems of risk management can fail. Bristol-Myers Squibb and The Home Depot, along with the research of Birkinshaw, illustrate that simple is sometimes better. While complicated systems may provide great benefits, it is important to recognize their limitations. Relying more on personal judgment and conversation than a complex system just may be the way to go.

Click below to read the full article.

Link: Baker, Neil. “A New Direction.” Internal Auditor. December 2009.

ERM Enterprise Risk Management Initiative 2009-12-01