Brian Warren was the featured speaker for the January 25, 2008 NC State Enterprise Risk Management Initiative Roundtable.  Mr. Warren serves as Director, Risk Management with Microsoft Corporation and spoke to the Roundtable audience about Microsoft’s approach to ERM and specifically on the role of the Microsoft Treasury Group in the overall risk management activities of the company.

Microsoft anticipates 2008 revenue of $60 billion and net income of $18.5 billion.  With operations in 103 countries around the world, Microsoft faces significant risk management challenges in conducting its day-to-day business.  To facilitate the management of the business, Microsoft has organized the company along three broad dimensions:

  • Platform Products and Services Division
  • Business Division
  • Entertainment and Devices Division

Microsoft has also identified a “risk universe” that provides a common framework for identifying, assessing, and monitoring risk exposures company-wide.  The risk universe is organized along four categories—strategic risks, operations risks, legal/compliance risks, and financial/reporting risks.  Within each of these categories, or “risk buckets,” subcategories have been labeled to facilitate the identification and monitoring process.  These are:


  • Business Model
  • Strategic Investments
  • Market Dynamics
  • Business Model Disruptions


  • Product Development
  • Sales & Marketing
  • Services
  • Supply Chain
  • People
  • Information Technology
  • Business Continuity
  • Corporate Physical Security


  • Corporate Governance
  • Legal Compliance
  • Legal
  • Regulatory


  • Planning & Resource Allocation
  • Treasury
  • Financial Reporting
  • Tax
  • Investor Relations
  • Mergers, Acquisitions, and Divestitures

The Microsoft Treasury Group has global cash management responsibilities that include settlements in over 100 countries involving over 25 unique currencies.  They manage almost 1,000 individual bank accounts—with half that total managed daily.  Monthly transaction volume exceeds $40 billion.  The risk group housed in Microsoft Treasury is responsible for providing an independent check on portfolio risk and performance as well as to provide risk advisory services for investment decisions.  The group generates risk metrics and reports that include VaR, stress tests, scenario analyses, and evaluations of counterparty risk.  Daily “green zone” reports developed by Treasury risk management personnel provide senior management a dashboard-style overview of risk positions and trends.

ERM at Microsoft began with the roll-out of risk maps and development of a risk “knowledgebase” in the late-1990s.  In 2005, Microsoft initiated a project to compare their then-ERM program to the COSO ERM framework.  In 2007, the current ERM infrastructure was developed and implemented.  At Microsoft, “risk resiliency” is a primary goal.  Risk resiliency encompasses the anticipation of “black swan” (low probability/high impact) events and the development of strategies to cope with these events through retained capital, lines of credit, insurance, and an evolving business structure with an emphasis on agility and flexibility.  A stated goal is to maintain a cash cushion equal in amount to one year’s operating expenditures for the company.

The Treasury risk group at Microsoft has developed an internal business decision support tool termed “Project Atlas” designed to help quantify the economic impact of loss scenarios.  This tool delivers scalable and repeatable quantitative risk estimates and provides loss scenario reports to aid in decision-making.  Atlas was developed and refined over a series of steps:

  • Nearly 300 interviews
  • Identification of catastrophic risk categories
  • Business group-specific loss scenario development
  • Agreement on common cost elements
  • Creation and use of reliable data and credible assumptions

The quantitative tools supported by Atlas include actuarial approaches such as exposure, frequency, and severity analysis; decision theory approaches such as decision trees and Monte Carlo simulations; and Six Sigma approaches such as failure modes effects analysis.

Click below to download presentation

Link: View Full Article

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2008-01-25