Enterprise Risk Management: Harvard Business School Working Knowledge

Oct 14, 2008

A breakout session with Professor Robert S. Kaplan, Tuesday, October 14, 2008

Professor Kaplan provides his perspective on why risk management plays an important role in firm performance. Panelists discuss the leading-edge risk management processes used at their firms.

James Colica, Senior Vice President, GE Capital Services

M.D. Ranganath, Chief Risk Officer, Infosys

Barry Zubrow, Chief Risk Officer, JPMorgan Chase

Executive Summary

Overview

The global companies profiled in this session—Infosys, GE Capital, and JPMorgan Chase—highlight effective yet different approaches to risk management. The common elements include: having top management lead risk management; creating a culture of risk management where it is part of all decisions; setting clear risk parameters and having them broadly adhered to; having the discipline to make risk management a priority in good times and bad; and setting clear measurements for risk management and making managers accountable for these measures.

Context

Professor Kaplan provided his perspective on why risk management plays an important role in firm performance. The panelists then discussed the leading-edge risk management processes used at their firms.

Key Takeaways

There is great value in understanding risk management at the firm level.

Professor Kaplan explained that HBS doesn’t focus on public policy; it focuses on studying decisions and actions at the firm level. This firm-level focus is particularly relevant in examining risk management. Based on the companies in the financial sector that have gone under, been acquired, or fired their CEO, it does not appear that these firms adequately understood or managed the risks they faced.

While many firms in the financial sector lacked good risk management processes and practices, there are firms—in the financial sector as well as other industries—with good risk management practices that can be studied and learned from, including the firms represented on this panel.

Risk management is a key to sustained firm growth.

Professor Kaplan’s performance-management approach, the Balanced Scorecard, helps firms achieve the goals of sustainable growth and increased shareholder value. To date, the Balanced Scorecard has focused on achieving these goals through two levers: 1) revenue growth, i.e., selling more; and 2) productivity, i.e., spending less. However, it has become clear to Professor Kaplan that there is a third lever that affects firm performance: risk management. Firms need to figure out how to measure risk management and hold managers accountable for it, just as they do with revenue growth and productivity.

At Infosys, the most significant risks faced are scaling the company and staying relevant to customers.

Infosys has grown explosively. Between 2000 and 2008 the company’s revenue grew 20 times. Infosys, which now has 100,000 employees in 24 countries, hired 25,000 new employees in just the last year. This growth in the number of employees is necessary to address one of the company’s key risks, which is scaling to meet demand. As Infosys has grown and evolved, the company’s leaders have realized that the company’s most critical long-term risk is not just adding more employees; it is remaining relevant to customers. This means that as the company grows, it must add people with the skills and capabilities to truly understand the company’s customers and to help customers solve their business problems. Thinking about risks such as scalability and relevance is not new to Infosys. The company takes risk management very seriously and has adopted several core principles regarding risk management. These include:

Always think in terms of risk. For every decision, decision makers must think about the risks involved.

Have a risk committee. Infosys decided that risk management should be a separate, independent board committee and this committee should work in concert with a risk council and risk managers in each company business unit. (Infosys has found that their best risk managers come from line management. These individuals understand the value of risk management and the dangers of not having it; they understand compliance-related issues; and they are taken seriously because of their prior experience.)

Focus on the business unit. Almost all types of nonfinancial risk, such as intellectual property risk or talent risk, are best handled within business units.

Project risk. Beyond risks at the business unit level, risks should be thought of for each project, as projects are the key unit of work.

Establish risk parameters. While risks are managed at the business unit and project level, a higher-level formulation of general risk parameters is necessary.

Measure the management of risk. As with other aspects of performance, it is necessary to devise measures for risk management and to hold managers accountable for risk management by embedding the measures of risk management into the firm’s performance management system. This is the case at Infosys.

Have the discipline to manage risk in all situations. Mr. Ranganath argued that risk management is best judged by whether it is taken seriously during boom times. Managers will focus on being careful and assessing risk during times of crisis, but only the best companies consciously manage risk during good times. At Infosys, since the company’s risks are related to growth, the company has managed risk by setting limits on expansion and concentration of revenue sources.

At GE, effective risk management is based on strong management processes and controls.

Mr. Colica explained that GE’s culture emphasizes decision making based on well-defined processes and thorough analysis. In managing risk, the key processes include establishing clear parameters around underwriting and risk taking.

Risk management policies and parameters at GE Financial Services are centrally developed and decentrally executed. Each person at each level of the company understands the defined parameters, the processes, and the guidelines; everyone knows their jobs and degree of authority.

This approach to risk management is consistent with GE’s history, culture, and overall management approach. Specifically, as an industrial company, GE is good at managing large physical assets and has had a strong and disciplined finance function for over 100 years. The risk function was created to emulate the finance function. The risk function has a dual reporting status to both the general manager of a particular business and to the chief risk officer. This reporting structure is designed to give risk managers power in the organization, which they use to set firm risk parameters and establish firm guidelines.

At JPMorgan Chase, the key elements of risk management are structure and culture, incentives, risk strategy and analytics, and “plumbing.”

Mr. Zubrow explained that JPMorgan Chase views the keys to effective risk management as:

– Structure and culture. Risk management starts with the tone set at the very top by the CEO and board. At JPMorgan Chase, the company has established a directors’ risk policy committee that is involved in setting overall policy and approaches to risk management. However, this board does not go so far as to set actual risk management practices.

In addition, a culture of collaboration is important, with risk managers sharing information with each other and with line management.

– Incentives. Risk management must have sufficient stature in the organization so it is taken seriously. It can’t be viewed as a back office function; it must be viewed as critical in shaping the organization’s strategy and must be involved in making all key decisions.

Those in risk management must have an attractive career path and must be well compensated. In addition, risk management should affect each manager’s compensation. It is not good enough for managers to deliver good results; if these results expose the firm to undesired risks, this should affect executives’ compensation.

– Risk strategy and analytics. At JPMorgan Chase, analytics around risk are important, but pure quantitative measures do not replace the need for adherence to basic underwriting standards that conform with historical practices. Stress tests and scenario analysis are also important to understand the amount of risk a firm or business is willing to assume and how to manage through the worst scenarios if they come to pass.

– Plumbing. This is perhaps the most important part of risk management in any organization. It includes:

  • Timely measurement and reporting of exposures. Timely reporting is essential to know a firm’s risks. As the saying goes, “If you can’t measure it, you can’t manage it.” At JPMorgan Chase, firm-wide consolidated exposures are calculated daily across all businesses. Surprisingly, many financial institutions can’t do this.
  • Documentation and legal agreements. It is important for a firm to have an accurate picture of what its legal rights are, with a systemized way of accessing its legal documents.
  • Collateral management. Good plumbing involves a well-organized system of managing collateral agreements. Such a system allows JPMorgan Chase to know exactly where it stands relative to credit and counterparty risk.
  • Close-out drills and “what if” scenarios. This entails practicing the analysis of how to respond to the failure of a counterparty.
  • Robust information about consumers and their credit. This gives JPMorgan Chase information to use in interacting with consumers in working through issues, such as repayment.

Other Important Points

  • Not just financial services. Professor Kaplan invited Infosys to participate in this panel to demonstrate that risk management applies not just to financial service firms, but to all industries, including an IT services firm. It is telling that Infosys’s annual report has extensive voluntary disclosure about their risk management practices.
  • Role of the board. Mr. Zubrow explained that his firm’s board is not responsible for setting the risk parameters or risk strategy—this is the responsibility of the company’s management, in particular the risk management group. The board is responsible for understanding what the risk management strategy is and making sure it is consistent with the overall corporate strategy.

Speaker Biographies

Robert S. Kaplan (Moderator)

Baker Foundation Professor

Robert Kaplan is Baker Foundation Professor at HBS and chairman of Professional Practice at Palladium Group. He came to HBS in 1984 after 16 years on the faculty of the business school at Carnegie Mellon University, where he served as dean from 1977 to 1983. Kaplan received a BS and MS in electrical engineering from MIT and a Ph.D. in operations research from Cornell University. He has received honorary doctorates from the universities of Stuttgart (1994), Lodz (2006), and Waterloo (2008).

Kaplan’s research, Executive Education teaching, and consulting focus on linking cost and performance management systems to strategy implementation and operational excellence. He has been a codeveloper of both activity-based costing and the Balanced Scorecard. He has written or cowritten 14 books, 17 Harvard Business Review articles, and more than 120 other papers. Recent books include The Execution Premium: Linking Strategy to Operations for Competitive Advantage, his fifth Balanced Scorecard book cowritten with David Norton, and Time-Driven Activity-Based Costing with Steve Anderson. His previous books with Norton include Alignment; Strategy Maps, named one of the top 10 business books of 2004 by Strategy & Business and Amazon.com; and The Balanced Scorecard: Translating Strategy into Action, which won the 2001 Wildman Medal from the American Accounting Association for its impact on practice. He also cowrote Cost and Effect; Implementing Activity-Based Cost Management; and Relevance Lost: The Rise and Fall of Management Accounting, which received the American Accounting Association Seminal Contributions to Literature Award in 2007.

In 2006 Kaplan was elected to the Accounting Hall of Fame and received the Lifetime Contribution Award from the management accounting section of the American Accounting Association (AAA). In December 2004, he received the Telecom Italia Prize for Leadership on Business and Economic Thinking. The Financial Times included him in its 2005 list of “Top 25 Business Thinkers.” The Accenture Institute for Strategic Change named him, in 2002 and 2003, among the top 50 thinkers and writers on management topics. Kaplan received the Outstanding Accounting Educator Award in 1988 from the AAA, the 1994 CIMA Award from the Chartered Institute of Management Accountants (UK) for outstanding contributions to the accountancy profession, and the 2001 Distinguished Service Award from the Institute of Management Accountants for contributions to the practice and academic community.

Kaplan serves on the boards of Evergreen Energy, Acorn Systems, and the Technion Institute of Management.

James A. Colica

Senior Vice President of Global Risk Management, GE Capital Services

Jim Colica is the senior vice president of global risk management at GE Capital Services. Since joining GE in 1983, Colica has held management positions of increasing responsibility. His first job was manager of corporate financial reporting and practices in the Office of the Controller. In 1985 he was appointed manager of federal tax operation at the company headquarters in Fairfield, Connecticut. Colica moved to GE Capital, the financial-services unit, as vice president and controller and later became vice president, manager of finance, in the Office of the EVP. In 1991 he assumed his current position. In 1996 Colica was appointed a vice president of General Electric Company, and in September 2002 he was elected to the GE Capital board of directors.

Before joining GE, Colica was a member of Peat Marwick’s professional audit staff, based in New York City. He served in the U.S. Army for two years and is a 1969 graduate of Fordham University College of Business Administration.

M.D. Ranganath

Chief Risk Officer, Infosys Technologies

Ranga has over 17 years of experience in the banking and IT services industries. In his current role as chief risk officer of Infosys Technologies, a leading global IT services company, he is responsible for the enterprise risk management program. Earlier, Ranga executed senior leadership responsibilities within Infosys. Before Infosys, he worked in the corporate finance and treasury functions of ICICI Bank, the largest private-sector bank in India. Ranga has an MBA from the Indian Institute of Management Ahmedabad and a master’s degree in technology from the Indian Institute of Technology Madras.

Barry L. Zubrow

Chief Risk Officer and Executive Vice President, JPMorgan Chase

Barry Zubrow is chief risk officer and EVP of JPMorgan Chase and a member of its operating committee. Zubrow also serves as chairman of the New Jersey Schools Development Authority, which is responsible for an $8.6 billion effort to rebuild the state’s schools infrastructure, and advises Governor Jon Corzine on a broad range of fiscal and policy matters.

In 2004 Zubrow left Goldman Sachs after a 26-year career there. He served as the firm’s chief administrative officer, headed its operations and administration division, and coheaded the operations, finance, and resources division. Zubrow also cochaired the risk committee and the space and credit committees and was a member of the partnership, commitments and finance, and technology advisory committees. He also served as a director of Goldman Sachs International. From 1994 to 1999, Zubrow was the firm’s chief credit officer. Before that, he was a partner in the investment-banking division, where he provided strategic and corporate financing advice to major Fortune 100 companies.

Zubrow is cochairman of the board of managers of Haverford College and a member of the boards of the Pingry School in Martinsville, New Jersey, the Juvenile Law Center in Philadelphia, and Temple Har Shalom in Warren, New Jersey.

Zubrow received his BA in 1975 from Haverford College, an MBA in 1979 from the University of Chicago Business School, and his JD in 1980 from the University of Chicago Law School. He resides in New Jersey with his wife and their two sons.