IF THE ECONOMIC DOWNTURN HAS DEMONSTRATED anything, it's that some companies were not as effective at risk management as they thought. When the global economy took a rapid turn south, many businesses were hit by risks that they simply hadn't foreseen. Of course, nobody can predict the future; the unexpected will always happen. But as the world regains a degree of normality after last year's crisis, it's clear that the risk management practices at some companies withstood the shock better than others.
Take, for example, Bristol-Myers Squibb, the US $20 billion pharmaceutical company based in New York City. "We've had no surprises here, which means our approach to risk management has passed the ultimate test," says its chief audit executive (CAE), Sandra Cartie. The resilience of the Bristol-Myers approach to risk is not a matter of luck. When the clouds of economic gloom gathered back in 2007, the company's senior management realized it needed to strengthen its approach to risk management. It brought in Cartie and, under her leadership, made some fundamental changes.
Internal auditors can learn a lot from the actions of Cartie and a few like-minded peers at other organizations. The key insights: keep your approach simple, make it personal, and avoid bureaucracy. In the coming post-downturn environment, risk management needs to be different.
THE HEAT MAP
Bristol-Myers created the CAE position and appointed Cartie to the role in late 2007 to improve its risk management activities. The company transferred her to the position after outside consultants reviewed Bristol-Myers' risk management practices and discovered a siloed approach that was not based on leading practices.
Cartie was tasked with transforming the audit function using a risk-based approach that included building a new risk management process. First, she rationalized the company's risk functions, bringing them under one roof and creating new work areas to cover gaps. Then she created a heat map--a simple three-by-three grid that maps all of the company's key risks, plotted by likelihood and impact.
Every category of risk appears on the map: from financial and operational risks, to environmental and reputational risks. Each Friday, the company's management council--comprising top executives who individually "own" the risks on the heat map--sits down to discuss key risks, ensuring that each item on the heat map is discussed on a periodic basis. They determine the risk tolerance for each item and confirm that a solid mitigation plan is in place for each risk. They also look at whether any new risks need to be considered or monitored. If there are any, they confirm who will take personal responsibility for managing the risk.
Bristol-Myers' CEO is a member of the council and reports key risks on the heat map to the company's board of directors. Each of the company's business units has a risk coordinator, and they liaise with internal auditing to discuss how risks are being managed. Additionally, Cartie has her own frequent talks with the chief financial officer to discuss risks in the business. They consider whether any risks need to change position--maybe the impact of one has increased--and the audit committee reviews the process every year. It's a very dynamic process, she says. "We are making adjustments to the heat map all the time, and it is a key driver in determining our audit plan."
Because those senior executives are looking at the key risks so frequently, and adjusting their mitigation plans as necessary, the company has a much better handle on emerging risks, Cartie says. "We have been able to put in place preventive controls, detective controls, corrective controls, and mitigation plans, so that if any of these events were to occur we would be prepared." Earlier this year, for example, just about everyone on Cartie's audit team was working on a...