Rob Rolfsen, Director of Global Risk Management at Cisco Systems, Inc., was the featured speaker at NC State’s ERM Roundtable on March 23, 2007. Rolfsen highlighted Cisco’s ERM program and processes, described ERM plans for 2007, and provided description of one of Cisco’s ERM success stories to an audience of over 150 business professionals.
Cisco’s ERM Organization
ERM at Cisco is led by Chris Kite, Vice President of Global Risk Management/Workplace Resources, who is based at the company’s headquarters in San Jose, California. Kite and her ERM team are supported directly by two corporate executive sponsors – the chief operating officer (COO) and the chief financial officer (CFO). The ERM team meets regularly with the executive sponsors and with Cisco’s Risk Review Group, which consists of representatives of the information technology, finance, human resources, and supply chain functions. Members of the ERM team are not full-time in ERM. Rather, the ERM team consists of a multi-disciplined global team representing processes related to insurance, operational risks, financial risks, and legal liability processes. Each team member has other direct responsibilities in addition to their involvement in ERM activities. Kite and her team also have dotted line reporting responsibilities with Cisco’s board of directors, with reporting access to the audit committee and investment committee.
Launch of ERM at Cisco
Expectations related to more effective corporate governance processes at Cisco led to the creation of an explicit ERM focus in late 2004. ERM was launched from the company’s efforts related to Sarbanes-Oxley Act compliance and activities related to managing operational risks. Customer expectations are also driving the focus on ERM at Cisco. As customers consider Cisco as a core provider of IT network related operations, they are seeking greater amounts of information about how Cisco manages their own risks to consider how that might impact risks for the customer’s operations.
Philosophy about ERM at Cisco
The goal of ERM at Cisco is to find opportunities to take advantage of risks. The company views effective ERM as one that is a business enabler designed to help the organization more effectively achieve and exceed corporate objectives. Risk at Cisco is viewed as an opportunity. ERM is designed to provide leadership in identifying how things could be done differently to improve the likelihood of organization success by taking greater advantage of risk opportunities in a risk intelligent way.
ERM at Cisco is heavily dependent on multi-disciplinary collaboration. Employee motivation for collaboration in ERM efforts is directly affected by a bonus system that is tied explicitly to the employee’s demonstration of collaborative efforts.
Linkage of ERM and Strategy
The focus on ERM at Cisco is directly connected to the corporate strategy. Cisco’s ERM framework consists of three interrelated actions designed to support the corporate strategy. The framework emphasizes to employees (which exceed 48,000 globally) three main risk management objectives and areas of focus:
- 1. Protect: “How do I reduce business risks?”
- 2. Optimize: “Is my current risk level in control?”
- 3. Grow: “How do I take more intelligent risks?”
ERM at Cisco seeks to embed risk management as part of the company’s core DNA.
Cisco’s ERM Framework
The launch of Cisco’s ERM framework occurred in 2005. The initial goal of the embrace of ERM was to integrate ERM in corporate compliance and governance activities. ERM sought to integrate key risk processes and systems that were already underway related to Sarbanes-Oxley Act compliance, internal control assessment, finance and planning analysis, and overall risk management. Cisco created a Risk Review Group to increase multi-disciplinary risk education, awareness, and information sharing and worked to help each of these functions understand the company’s risk appetite and to sustain a risk-based approach to improving and managing corporate compliance and governance.
Cisco’s ERM Process
ERM at Cisco has evolved into several core processes that provide a structure for ERM deployment company-wide. The process begins with the Risk Review Group and board of director determination of risk priorities for ERM. For key risk area to be assessed, an executive sponsor is identified to help communicate the importance of ERM engagement and to encourage collaboration between key business function personnel and the ERM team representatives. Often this is demonstrated by emails from the business function lead executive to employees likely to be involved in ERM analysis. This executive support lays a strong foundation that culturally reinforces collaboration with the ERM team so that insights of key function employees about key risk issues are identified.
ERM personnel begin their risk analysis within a risk area by conducting interviews of key executives in multiple functional areas. These interviews are designed to identify perceptions of key risks facing the company and to obtain key employee assessments of the probability, severity, and current management effectiveness at managing the risk. The interviews are not scripted. Rather, the interview process is designed to be open-ended and more free-flowing to allow for more descriptive discussions.
Once key interviews are completed, the ERM team consolidates the interview results, identifies key risks and reports back to the executive sponsor to collect feedback.
Once consensus is reached about identified risks, the ERM representatives facilitate discussions and risk workshops with risk owners to describe decisions about responses to identified key risks. As risk responses are identified, progress towards response implementations are tracked via operational reviews and by the Risk Review Group. Responses are also explicitly integrated with business planning documents and processes. The ERM group shares the final report on the risk analysis within a business function with the corporate executive sponsors and the audit committee.
Assessment Criteria: Probability, Severity, and Management Effectiveness
To strengthen its enterprise-wide approach to risk management, the ERM function at Cisco uses consistent measures for assessing risk probabilities and severities company-wide.
Risk probabilities are based on a 4.0 scale assessment where a
1.0 = remote occurrence
2.0 = possible occurrence
3.0 = probable occurrence
4.0 = almost certain occurrence
Severity measures are based on the impact to Cisco’s annual profitability. Similar to probability, the severity scale is based on a 4.0 system as follows:
1.0 = Insignificant severity where impact is < $35 million to profits
2.0 = Minimal severity where impact ranges from $35 million to $150 million
3.0 = Significant severity where impact ranges from $150 million to $1 billion
4.0 = Catastrophic severity where the impact exceeds $1 billion
In addition to defining probability and severity measures, Cisco has also developed a 4.0 scale for assessing management’s effectiveness in risk mitigation:
1.0 = Risk assessment not complete; mitigation not in place and reporting and monitoring not in place
2.0 = Risk assessment completed; however, mitigation is not in place and reporting and monitoring are not in place
3.0 = Risk assessment completed; mitigation is in place, but reporting and monitoring of risk mitigation not in place
4.0 = Risk assessment completed; mitigation is in place along with reporting and monitoring.
Risk Inventory Framework
In addition to developing probability, severity, and management effectiveness scales, Cisco has also developed a risk inventory framework to improve consistency in the approach to risk management enterprise-wide. The risk inventory framework includes specific risk drivers that are external to Cisco, specific risk drivers that are internal to Cisco and specific risk drivers related to industry. Among internal drivers, Cisco has also specified risk categories among three dimensions: strategic, operational, and financial. Operational risks are further subdivided into operational process, management information, human capital, integrity, and technology related risks.
ERM Plans Going Forward
The goals for ERM at Cisco are to enhance the understanding of risks and drivers of those risks affecting its global operations. For example, as part of Cisco’s overall strategy, they are seeking business in developing countries. Due to unique risks associated with business in these developing markets, ERM is focusing on risks specifically related to safety, security, and ethics and incorporating those assessments into the overall decision-making process.
ERM also seeks to raise the level of ERM awareness and education within Cisco and externally and they seek to integrate risk management within existing processes, such as investment management, strategic planning, and business development.
The ultimate goal of ERM at Cisco is to be able to allocate resources more effectively and to answer the question of “in which countries should the company be devoting which resources.” Thus, at the end of the day, ERM at Cisco is directly tied to adding strategic value.