When Computer Sciences Corp. decided to get more aggressive with compliance, ethics and enterprise risk management, Chris DePippo found himself holding a job title he never expected.

A new slate of senior leadership at CSC decided in 2009, in the midst of the financial crisis, that it was time to revisit the corporate strategy and implement a robust compliance, ethics, and risk management process. The new market environment meant there might be not only risks but also opportunities the company needed to identify, explore, and address, DePippo said during a presentation at Compliance Week 2011.

DePippo had joined the company the year before to take charge of some specific aspects of the compliance program, and he assisted the company's general counsel in making a case to the board of directors to adopt a comprehensive ERM program in conjunction with compliance. When the board agreed to the recommendation, it also appointed DePippo to lead both the compliance program and the ERM initiative under a single umbrella. “I didn't know this was going to happen, and I can tell you I was panicked when it did,” he said.

DePippo is the ERM director and chief compliance officer for CSC. He went to work to put in place a year-one plan to establish the core risk management principles that would govern such a converged approach to compliance and ERM. It was his job to bring all the elements of both programs under one reporting structure, or “throw a tent over it and call it a circus,” as he described it. CSC chartered an executive oversight body and gave it the responsibility to operate an integrated ERM process.

The company is now two years into its integrated approach, and it's finding success with the process it established, said DePippo. Key to that success, he said, was establishing and adhering to those core management principles at the outset. The company agreed it needed to be “risk intelligent,” establishing a common framework, common processes, common skills, and a common language around value and risk. It needed to be transparent to empower decision makers in strategy, operations, compliance, and reporting. It needed a strong tone at the top and clear executive ownership of risk, and it needed to be validated by third-party sources to give confidence that management's assurances about risk were reliable.

DePippo said he built consensus for critical compliance and ERM spending by defining the total cost of risk as equal to the cost of failure plus the cost of risk management. Cost of failure might include any direct losses due to business failures as well as the cost of any response, recovery, or correction that might be necessary to clean up the mess.

Heading into the third year of the program, DePippo said he's hoping to move beyond the start-up issues into some more mature concepts. One such initiative includes migrating the company to a governance/risk/compliance technology platform to develop a more automated library for assessing and reporting risks.

“I have, by no means, become an expert,” he said. “I'm someone who was asked to do something that I was initially uncomfortable with, but we stuck with it, asked a lot of questions along the way and achieved some success. I'm just seeing myself through a situation I didn't expect.”