David Whatley, vice president for risk management at Atlanta-based Home Depot Inc., spoke on March 24th to 130 business professionals at the second of three Spring 2006 ERM Roundtables. Whatley described Home Depot’s approach to managing risks at the world’s largest home improvement retailer.

Whatley emphasized that Home Depot’s method of enterprise risk management (ERM) has focused heavily on value creation by emphasizing an approach to risk management that encourages management to take calculated risks for stakeholder growth. That is, the goal is not always risk avoidance — as management makes strategic decisions, risks are factored into those decisions so that management takes action with risks always in mind.

An Embedded but Not Stand-Alone Approach

The company’s approach to ERM has been to integrate risk management activities throughout day-to-day decisions made by all employees of the company. In doing so, senior management has avoided creating the perception of ERM as a separate, distinct activity within the corporate structure. Instead, the focus has been on increasing employee awareness of risks facing the enterprise as they perform normal business processes. In fact, the term, “ERM,” is rarely used within management and board discussions and there is no separate ERM designated function, such as a Chief Risk Officer. Whatley summarized his description of ERM at Home Depot as “stealth ERM.”

One of Home Depot’s goals for embracing an entity-wide view of risks is to recover what many small businesses enjoy from their inception. Whatley noted that every successful small business has ERM, given that most successful entrepreneurs have a global view of that business. However, as small businesses evolve into larger operations, the ability for a single individual, like a small business entrepreneur, to see all aspects of risks facing an enterprise is weakened. Home Depot has worked on building employee awareness of risks and made risk a part of regular discussions at ongoing senior executive and board level meetings with the goal of bringing back that small business advantage in one of the world’s largest companies.

Top-Down Risk Culture

While the ERM processes are not separate, distinct functions, Home Depot’s approach to risk management starts with a top-down, enterprise view of risks threatening the company. The Board of Directors is responsible for the overview of business processes and sets overall risk tolerance levels for those processes. While there is no formal executive officer designated as the Chief Risk Officer (CRO), in essence the Chief Executive Officer serves in the role normally filled by a CRO. Home Depot’s team of senior executives serves as the Senior Leadership Team, and that committee performs functions that other companies might delegate to a “Risk Committee,” although the company has no committee by that name. Detailed risk assessments within particular business processes are owned by key business process owners throughout the organization.

Foundations of ERM at Home Depot

Home Depot’s approach to ERM is built off the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management – Integrated Framework (see www.coso.org). The launch of its enterprise-wide view of risks first started with the company’s focus on compliance with company policies and related standard operating procedures. Whatley emphasized that starting with an emphasis on a need for compliance provided a unique foundation for expanded risk focus, given that a priority towards compliance was already a part of the company’s culture. Many of the company’s internal performance measurements and rewards were tied to compliance. Thus, as training and awareness about risks threatening compliance objectives were introduced, there was greater buy-in for the need for risk management as employees tied risk management to the internal incentive and reward system. Now, as risks are identified, employees and business unit process owners are evaluated on their risk management and process improvements designed to improve current operations and mitigate risks.

As the compliance focus on risk has evolved, management has developed a risk-based compliance monitoring mechanism to oversee risks arising across all aspects of the enterprise. Risk dashboards are now a regular part of the compliance risk oversight process, with assessments of risk levels against risk benchmarks included along with a low, medium, high “traffic light” reporting system that provides an efficient way of quickly determining the company’s individual risk status (whereby a green light represents low risk and a red light represents high risk). During the annual review process, management is expected to have a plan to move all yellow or red traffic lights back to a green status.

Risks Aligned with Strategy

Now Home Depot’s focus on risk is embedded in its “SOAR” processes. SOAR, which stands for the company’s Strategic and Operating Allocation of Resources, provides a focus on three major categories of the company’s core strategic objectives:

  • Objectives to Enhance its Core: Focus is on business processes that impact customer satisfaction, differentiated and innovative merchandise at great value, store readiness, information technology, and leadership development.
  • Objectives to Extend Business: Focus is on business processes that affect new store growth, new formats of business, company services and its Home Depot Direct brand.
  • Objectives to Expand Market: Focus is on its supply chain and customer base and international market expansion in Canada, Mexico, and China.

Whatley noted that the risk discussion occurs as they align their allocation of resources to these three categories of strategic objectives. As business processes are evaluated for resource allocation, risks are considered to determine the probability and impact risks might have on the achievement of these core objectives. That is, the discussion of business process alternatives inherently includes discussion of risks as management makes these strategic resource allocations. Once again, Whatley emphasized that the focus of risk is not stand-alone. Rather, the discussion of risks is embedded in all strategic decisions.