October 3, 2008
Director, Enterprise Risk Management
H. J. Heinz Company
Jim Traut, Director of Enterprise Risk Management at H. J. Heinz Company, spoke at the October 3, 2008 ERM Roundtable about the company’s approach to overseeing entity-wide risks with the ultimate goal of protecting the Heinz reputation and shareholder value. The Heinz approach to enterprise risk management (ERM) is positioned to be value-adding by focusing its ERM efforts on supporting the long-term sustainability of the organization. This focus is evident in the company’s published mission statement and values, which focus on results that balance both short-term and long-term value-drivers. The ERM program at Heinz is formally known as “Enterprise Reputation and Risk Management” (or ER²M). Heinz’s ER²M helps enable the company to meet two primary reputation-related goals: to further support doing the common thing uncommonly well and to help Heinz become the most trusted packaged food company.
Strategic Focus of Risk Oversight
Building on its nearly 140-year history, H.J. Heinz is now a $10 billion player in the packaged food industry with 15 $100MM Brands, including its world famous Heinz, Ore-Ida, Classico Sauces, and Bagel Bites food brands, in addition to its licensing of Weight Watchers, Boston Market and T.G.I. Fridays brands. Like many large organizations, H.J. Heinz has a global footprint with approximately 55% of its sales generated outside the United States, 75 production facilities spread around the globe, and over 16,000 products and 30,000 employees worldwide. Thus, overseeing the plethora of risks that may arise from almost any part of the globe is a significant management challenge.
Risk at Heinz is defined as “anything that can prevent the company from achieving its objectives.” In formalizing an ERM process, Heinz identified risks and events the company experienced or may experience and divided those risks into two main areas: operational risk areas and non-operational risk areas. Operational risk areas include product quality, environmental & sustainability, employee health & safety, facility and product security, business continuity and asset conservation. Non-operational risk areas include strategic and market, corporate governance and ethics, financial, legal, information services and human resources.
Heinz’s approach to ERM is to enable the leaders across the organization to be risk aware, not risk averse, with a primary focus on protecting and thereby maximizing enterprise value and brand equity. ERM is viewed as a way to achieve competitive advantage by engaging in risk oversight activities that preserve or enhance the company’s reputation. ER²M is not positioned as a compliance reaction to regulations.
There have been five main ER²M priorities Heinz has focused on to date:
- Establishment of ER²M structure
- Development of Heinz ER²M methodology
- Conducting top-down risk assessments
- Mitigation of top risks
- Standardization and measurement of operational risk areas globally
Establishment of ER²M Structure
In response to the audit committee’s desire for improved risk oversight, Heinz’s management team established in May 2006 an Office of Risk Management at their world headquarters in Pittsburgh. The Office of Risk Management consists of the Chief Quality Officer, Director ER²M and Director Operational Risk Management & Sustainability that reports directly to a Senior Vice-President in the company. In addition to the Office of Risk Management, the company also has a Risk Council comprised of senior leaders in each functional risk area. The members of the Office of Risk Management interact with the audit committee, disclosure committee, and corporate internal audit among other internal groups. These interactions help ensure global risk ownership, ongoing risk oversight, input into annual report risk factors, identification and prioritization of risks, linkage of key risks and resources, alignment of risk appetite with controls, input into the annual audit plan and continuous improvement.
Heinz adapted its own definition of ERM that best fits the application for the company. Within Heinz, ERM is positioned to provide a unified, global, cross-functional approach to identify, prioritize, measure, and manage key business risks. Key components of this approach to ERM are that ERM will drive global facilitation, best practices, compliance, and continuous improvement; accountability for and ownership of risks and mitigation plans at the appropriate management level; and a common integrated global process to manage risks and mitigation activities across all risk areas.
Development of Heinz ER²M Methodology
There are six steps in Heinz’s ERM methodology for global and business unit level risk:
- Maintain awareness of existence of events that could prevent the company from achieving its objectives
- Develop and analyze measures of the likelihood and impact of events in a disciplined way
- Prioritize events with cross-functional and enterprise-wide rankings
- Take action to mitigate risks by preventing or reducing probability and impact of an event or by purchasing insurance to reduce financial impact
- Integrate mitigation processes into ways Heinz conducts its core business
- Seek to continuously perform the other five steps
Again, the goal of ER²M at Heinz is to develop a risk aware versus risk avoidance culture. Thus, some risks will remain after each of the above steps is completed. As part of the six-step process, management is continually evaluating the level of residual risk that remains.
Heinz’s risk governance framework classifies risks into three major risk areas: management leadership, operational or supply chain, and foundation functional. All of these risk areas are within the larger reputation risk area, which is impacted by every other risk. Therefore, reputation risk is always a consideration. An important part of this framework is that every risk is owned by somebody.
The risk management model at Heinz was leveraged off an already embraced health and safety prevention pyramid model widely known across the company. The company’s core values provide the foundation for the risk management model. Phase 1 focuses on identifying preventative processes, divided across operational and non-operational risk areas. Phase 2 addresses emergency planning and response. Phase 3 is crisis planning, communication, and response. Phase 4 is contingency planning and business continuity management. The model helps focus all risk management activities on what is important for Heinz – preserving and enhancing the company’s reputation in the packaged food industry. The model helps management ensure that it is prepared and ready for most major risk events that might affect the company’s reputation oversight, given their acknowledgement that a major reputational impact would likely negatively impact the brand. Market share is very important for Heinz and management knows that reputations are hard to gain but easy to lose.
Conducting Top-Down Risk Assessments
Heinz has gone through two top-down global risk assessments since May 2006 and plans to continue this process annually. This process refines the risk inventory for each functional area from a brainstorming list to the top three to five critical risks based on analysis of risk data, control activities, risk ranking scores, and recommendations for filling gaps. An important component of this assessment is that each functional risk is reviewed from a strategic perspective with a 3-year time frame, again emphasizing Heinz’s focus on the long-term horizon. The findings are validated with the executive risk owner in each functional area and then the validated list is reviewed with the Risk Council. These top risks and mitigation efforts are then reviewed with senior management. The result of this process is that Heinz has a list of the top risks of the company for that year, along with the actions being taken to address those risks and the global owners and process owners of each risk. Top risks facing the company along with action plans are presented to the audit committee.
A Risk Gap Score is developed as part of this analysis process. The Risk Gap Score is a net risk score that equals the level of control effectiveness minus the risk score. The risk score is the average of the likelihood and impact ratings. Control level effectiveness, risk likelihoods and impacts are all measured on a five-point scale that includes quantitative and qualitative ranking criteria. If there is a positive Gap the controls are deemed to be adequate, and if there is a negative Gap the controls should be reviewed. Heinz uses the Resolver Ballot™ technology to capture assessments of control effectiveness, risk likelihood, and risk impact.
For each identified critical risk, Heinz identifies if there is a gap between the current mitigation processes and insurance in place and the acceptable residual risk. If a gap exists, it should be filled with new or improved processes or insurance coverage.
Mitigation of Top Company Risks
Heinz also has a risk appetite management model that defines the company’s willingness to accept risk after mitigation, with risks falling into higher, medium, and lower risk appetite categories. If the risk assessment indicates a difference between the residual risk and risk appetite, mitigation efforts should be adjusted to match the level of controls with the risk appetite. However, there is no risk appetite or tolerance for health, environmental, food safety or worker safety risks, which are immediately addressed when identified.
Heinz has also begun an effort to provide a Risk Classification Summary to its business units. Each risk is assigned a functional area classification (e.g., management leadership, supply chain, security, quality, health and safety, financial, sales and marketing, among other categories) and described briefly. That information is sent to the business units as a reminder of the important risks to consider in daily management.
The functional areas risk management process at Heinz is very formalized and rigorous. The process starts with standards that define what should be implemented at all global facilities to mitigate risk. The risk mitigation process for the functional areas starts with an accountable person. Then, there is a risk assessment which leads to an additional controls plan and additional controls implementation. Implementation includes ways of working and training. Then there are inspection, compliance, adherence, and review components, which allow for transparency in the process.
Each of the other steps in the process is part of the continuous improvement activities. Each year there is an independent assessment at each facility to determine compliance with the standards and a score, called the Risk Control Rating, is generated. After the assessment is complete, a prioritized improvement plan is generated that includes the standards a site needs to work on. A target Risk Control Rating is included in the site management’s objectives. This is a critical piece because to have an effective risk management process, improvement efforts need to be integrated into the performance and incentive structure at the business unit level. Throughout the year, the site works to implement the improvements and maintain the controls they already implemented. Each year the site completes a formal end-of-year review.
From Heinz’s entry into ERM, Traut shared these lessons learned:
- Board of Directors and executive-level support is critical for success
- Establish risk management ownership by functional area
- Encourage open discussions of “what keeps people up at night”
- Convert initial lists of “worries” to actionable risks
- Respect and protect anonymity of risk assessment participants
- Communicate regularly, thoroughly, and top to bottom to ensure support for ERM efforts
- Measure risk mitigation efforts via scorecards
- Customize ERM to your culture and ways of working
- Develop mindset that ERM is a cultural journey rather than a project destination
- Position ERM to drive synergies as the whole will be greater than the sum of the parts
Traut concluded by reminding the audience that ERM’s goal is to ensure that Heinz continues its 140-year history of “doing the common thing uncommonly well” so that the company’s sustainability is ensured throughout the next century.