Launching ERM:  Lessons from Highwoods Properties

Jeff Miller, Vice President – General Counsel and Secretary of Highwoods Properties, spoke at the February 19, 2010 ERM roundtable about the launch of ERM in Highwoods and lessons learned throughout its implementation.  He focused on the importance of creating a risk culture and awareness unique to each company for success in ERM.  Their approach involved both a top-down and bottoms-up approach.

About Highwoods Properties

Highwoods Properties is a Raleigh-based real estate trust company founded in 1978 that focuses on the leasing, management, development and construction of office buildings in the Southeast United States with over $2.8 billion in assets and $450 million in revenues, This NYSE registrant has customers spanning over 11 cities and 8 states with local management teams in each area to meet customer needs.  Highwoods employs about 400 employees.

Strategic Plan

Jeff noted that the first necessary element that a company must have in place to implement ERM is a focused strategic plan that tells the employees and management what direction the company is moving. Until management and employees know what they are trying to achieve, its hard for them to identify the most important risks.

Highwoods has recently focused its strategic plan on enhancing shareholder value through focused channels:

• Improving the balance sheet by selling non-core assets to pay down debt, reduce interest and increase fund development.
• Improving the portfolio of assets by building infill locations and acquiring strategic assets.

• Improving people and communication through training and initiatives to promote excellence.

ERM at Highwoods

At Highwoods, one of the most difficult aspects of ERM was simply getting started with some basic ERM processes.  Acknowledging that there is no right or wrong way to build an ERM system, management at Highwoods knew it was important to make sure whatever ERM processes were implemented fit with the culture and management processes already in place.  While some organizations have outsourced ERM by engaging outside risk professionals, Highwoods chose to leverage the skill, experience and dedication of the entire employee base and keep a sharp focus on embedding risk management within the culture of the company.  Most importantly, Highwoods ensured a tone at the top that supported and embraced ERM through immersion of ERM in strategic planning and continued analysis of risk performance.  Early on ERM was supported by both the CEO and board.

To begin building the ERM processes at Highwoods, Jeff, in conjunction with the Highwoods CFO, first utilized a top-down approach by bringing together top officers and the board (about 28 people) to evaluate a list of 15 core risks.  Before prioritizing these core risks, management and the board engaged in discussions to make sure everyone understood the nature of each of the core risks presented.  Then, each person independently (via anonymous voting technology tools – “clickers”) rated each risk’s probability (on a 1 to 5 scale) and each risk’s impact (on a 1 to 5 scale). 

In addition to this top-down approach, Highwoods also utilized a grassroots effort by having each department brainstorm about their own risks and rank-order those risks using a 1 to 5 point scoring guide with definitions of probability and risk.  Human Resources had done this analysis as a pilot.  Thus, the results of their experience were shared with Group Department heads as an example to help them get started.

Here is how they defined probability:

1. Remote – the likelihood of a deficiency is remote, meaning less than 10%
2. Unlikely – There is a minimal likelihood of a deficiency, meaning 10-35%
3. Possible – There is a reasonable likelihood of a deficiency, meaning 35-65%
4. Likely – There is a substantial likelihood of a deficiency, meaning 65-90%

1. Definite – The likelihood of a deficiency is almost guaranteed, meaning greater than 90%

Here is how they defined magnitude (impact)

1. None – It’s hard to imagine that a deficiency would have any negative consequences.
2. Nominal – Even if a deficiency occurs, it does not result in any costly or long-term damage, typically does not require senior management attention and can be remedied without much effort.
3. Moderate – A deficiency that could result in up to $X of unexpected costs to the company, requires notification of senior management, but can typically be remedied in less than three business days without a whole lot of effort.
4. Significant – A deficiency that could result in more than $X in unexpected costs to the company, requires some concentrated amount of senior management attention, could result in negative publicity if not fixed and/or cannot be remedied in less than one week.

1. Severe – A deficiency that could result in greater than $Y in unexpected costs to the company, requires some concentrated amount of senior management attention, could result in negative publicity if not fixed and/or cannot be remedied without lots of effort and diversion of employee attention (typically more than two weeks).

Using the data collected through these departmental risk identification and assessment processes, Jeff then created a risk matrix.  The first step in the matrix was to map specialized risks (referred to as “vertical risks”) that were germane to the business unit.  The second step involved a horizontal analysis whereby they linked risks that resided across functions.  The third step was to gain greater awareness at the senior management level and board regarding the bottoms-up identification of both vertical and cross-functional risks to obtain a company-wide analysis.

Lessons Learned

One of Jeff’s main points was that an ERM process is never finished.  Instead, ERM must be embedded in the culture or way of life which allows both risks and opportunities to emerge and be evaluated over time.  Listed below are several of the lessons that Jeff learned throughout the process about how companies should approach risk and risk management.

• Always ask why business processes are done the way they are, don’t rest on tradition.
• Prepare for a worst-case scenario, it will most likely lessen the chances the event will happen and increases your chances of survival.
• You can’t stop every problem, but you can lessen the chances of it happening or find a way around it.
• Identifying bottlenecks can indicate both missing opportunities and missing risks.
• Don’t bet the business on a single point of failure – have alternative processes and strategies.
• ERM encourages management to look forward towards emerging risks to strengthen the board and management’s “peripheral vision.”
• Always keep the big picture of overall strategy in mind, don’t just focus on the small things.
• It’s critical to make sure you have the right employees doing the right jobs.
• Operate in silos, but break down communication barriers by integrating departments through the sharing of information so that major risks don’t fall between the silo gaps.
• Don’t ERM your business to death- some risks still need to be taken to succeed.
• Don’t ever talk yourself into thinking that things can’t get worse, they always can.
• Don’t overcomplicate ERM.

• There is no finish line in business; therefore there is no finish line in ERM.

Click below for Roundtable Presentation.