David Fox, the Director of Risk Management at KBR, Inc., based in Houston, Texas, spoke at the April 24, 2009 ERM Roundtable about the rollout of ERM at KBR and its evolving role in the company. He emphasized the importance of culture and the need for communication and judgment for risk oversight to be effective and sustainable.
KBR, while part of the larger Halliburton Inc. organization for many years, officially became an independent company in April 2007. KBR is a Houston-based leading global engineering, construction and services company supporting the energy, petrochemicals, government services and civil infrastructure sectors. With revenues exceeding $11 billion, this New York Stock Exchange registered company is comprised of six business units with operations around the world. This diverse operational and geographic presence along with its infancy as a stand-alone company gave KBR the potential to realize significant benefits from ERM implementation.
Reasons for ERM Implementation
There are several reasons why an ERM initiative was started at KBR. KBR, as a result of its separation from Halliburton, was dealing with some legacy issues, culture changes, and a new management team. Additionally, the New York Stock Exchange governance rules, which require audit committees to discuss how the company handles risks and the steps management takes to monitor and control those risks, were a significant driver in starting ERM efforts. Rating agencies’ proposed use of in-depth ERM criteria for rating companies also created some impetus to launch ERM at KBR.
The ERM effort started in 2007 with a desire by KBR to be best-in-class at risk awareness. This has evolved over the past two years so that KBR’s current focus is on best-in-class risk awareness as well as expert and timely perspectives about emerging and strategic issues.
KBR’s Rollout of ERM
KBR’s approach to implementing and facilitating ERM has one primary goal: promoting a conversation about risk among senior management and the board. Fox stressed the importance of tone at the top in implementing ERM at an organization. KBR has strong support for ERM from executive management and the board of directors, which helps to create a culture in the organization that is accepting of ERM. Executive buy-in also helps in gaining the necessary support from others within the organization who may be reluctant to change. ERM’s importance at KBR is evident, as its desire for best-in-class risk awareness is one of the key values identified in the mission, vision, and values of the company.
The first step in implementing ERM was to develop an ERM strategy, which was done in collaboration with the internal audit and financial controls functions. The next step was to identify the risks facing KBR. In July 2007, and then annually thereafter, an ERM survey was sent out with about sixty questions, asking people to assess the impact and likelihood of different risks based on their cumulative effect on profits or cash flows over the following three years. These assessments were made based on the controls that were currently in place in the organization. Structure was provided to promote some consistency in the assessments of risk probability and risk impact. The impact scale ran from 1 (significant) to 5 (catastrophic), and the likelihood scale ran from 1 (highly improbable) to 5 (probable).
After risks had been identified, they were assessed using a heat map reflecting the rank-ordering of risks based on the survey responses. Risks were assessed by executive management, senior management, and business unit management, and groups would often rate risks differently. Furthermore, individuals within each group often rated risks very differently as well. Alignment of these risks through dialogue and discussions among management helped to gain a more unified perspective on risk across the company and helped individuals and groups to gain an understanding across functions about the risks seen by other functions.
Fox believes the most effective way to implement ERM is by using tools already in place in the company and packaging and promoting all corporate risk management processes, including responsibilities in different groups, into one risk narrative. KBR already has strong governance, compliance, and quality, health, safety, and environment processes in place that provide the foundation for its ERM program. KBR’s Project Risk Management Group provides existing tools that analyze projects using a risk breakdown structure, risk register, and risk management system. KBR also has a Business Development Oversight (BDO) Group that looks across all projects to facilitate greater risk awareness, provide a portfolio view of risk and return, and ensure smooth handovers from sales to operations. BDO looks at the commercial, execution, financial, and contractual risks of each project to build a risk premium into the price of every deal. The ERM program then builds on all of these existing processes to look forward with a multi-year view to consider risks that will affect KBR as a whole, probing the periphery in an effort to detect early indicators of impending threats or potential opportunities. Thus, ERM acts as an instrument to try to discover emerging risks and increase the awareness of those risks across the company.
Based on his experiences in the first few years of implementing ERM at KBR, Fox shared several lessons learned. Simplicity is key to being able to further ERM efforts in an organization. The ERM process should involve familiar tools, presentations should be designed to promote dialogue, and the ERM effort itself should avoid using a lot of resources. ERM should be approached from a qualitative perspective, concerned with socialization and probing for emerging risks, not metrics. ERM should also be part of a separate effort and conversation whenever possible instead of an add-on as part of another effort or meeting. Finally, time horizon should be considered as agility is important and there should be a pipeline in place to surface immediate concerns. The time horizon also needs to be matched with the orientation of the audience, talking about more strategic issues with the board of directors and more operational issues with management. By following these approaches, ERM will have the chance to evolve slowly through an organization, and through this evolution a buy-in and understanding of the processes necessary to keep ERM going will also develop.