In the latest of our monthly Q&As with governance and compliance executives, we talk to Kevin Hoskinson, director of enterprise risk management solutions for Sun Microsystems.

Kevin Hoskinson is the director of enterprise risk management solutions for Sun Microsystems. He has responsibility for Sun’s global insurance placement, captive management, business continuity, crisis management and enterprise risk management. He received his Bachelor's degree in Risk Management from the University of Wisconsin in 1989 and currently holds ARM and CPCU designations.

COMPANY BASICS

Company: Sun Microsystems
Headquarters: Santa Clara, Calif.
Employees: 38,000
Industry: Software
2006 Revenue: $13.1 Billion

Describe the ERM operation at Sun: its size, what functions it handles...

I lead a team called Enterprise Risk Management Solutions. Embedded within that is risk management, risk transfer—both insurance and other financing mechanisms—global business-continuity planning, crisis management, emergency response. Within our broader group, we have a dedicated person who spends most of their time focusing on developing the broader ERM framework and tools. Realistically, all of the people in the group work on either specific projects or other aspects of ERM.

That group in its current form has existed since last July 1; our efforts in ERM have been going on for much longer. We’ve been working on ERM in various forms for the last three or four years.

How much has this been a trial-and-error process? What have you learned along the way?

In the early days we spent a lot of time developing the framework and the tools we needed that could really help us get beyond the theory. We felt we needed to build a body of evidence that could demonstrate the value and results of ERM. In conversations, we have been trying to get beyond that point of, “Well, I understand it at a high level, but show me how it works.”

It was—and absolutely continues to be—a trial-and-error process, and we’ve come to understand that it’s not something that will be the same for every company or even every executive. It continues to evolve.

I think we’ve learned to put it in simple terms. I think Sun tends to be a non-bureaucratic environment, and for senior management in particular, it can’t be completely theoretical. It has to be, “What is the value of this?” …

Do your ERM processes overlap with the internal audit function?

I definitely believe there’s overlap with IA. At Sun there is a solid partnering of ERM and IA to give a broader approach to issues. There’s a lot of debate on it in the industry around who owns it and what “it” is. Where I think we try to differentiate is that we really focus on bringing solutions and quantifying risk. Where ERM tends to have more interest in external risks, IA tends to be auditing a process or an issue, which tends to be more compliance-driven and internally focused.

We have collaborated on many risk areas, such as supply-chain risk. They look at it from, “What is our vendor management process?” or “How do we ensure things aren’t going to happen from not complying with process?” We look at it as, “Yes, they have business continuity plans, but how good are they? Do we have monitoring of vendor financial health on an ongoing basis? How do we quantify the risk?” We spend a lot of time quantifying the risk. Combined, it is a much more comprehensive approach than either group working in a silo.

How do you conduct a risk assessment and quantify your risks?

At the highest level, we let the executive-management group, consisting of the top executives of the company, do that. They do the prioritization exercises, then we do the risk-mapping. The quantification piece is a tough one because in many cases it’s really difficult to do. We’ve implemented a number of ways to do that. One is a simple vote on the top 30 to 50 risks that have been identified by the executive team, to cull those down to the top 10. Sometimes you can spend too much time on quantification, and it can often be a black hole. If you just get agreement that a risk is big and you don’t want it to happen, oftentimes that’s plenty.

We’ve also focused on executives further down in the organization, people who are very knowledgeable on a particular subject. We take them through a situation of what could happen, and if it did, how bad could it be.

An example is the supply chain. Sun is 95 percent outsourced on manufacturing. That’s very key, so we have spent a lot of time monetizing that exposure. We’ve also done modeling analysis around contractual risk. What is the exposure if we have a privacy breach? With any area, the key question is: Is there data that you can actually use? Coming up with hard physical data is often hard.

What happens then? Who comes up with remediation plans against those risks?

In most cases it’s the business itself. One of the foundations of this work is we in ERM don’t own the risks; it’s really the business that owns them. They’re the experts and have the most at stake. We consult, certainly help, but oftentimes it’s, “OK, we’ve identified the risk and talked about how to deal with it—but now the business needs to take ownership.”

Do you ever decide, “No, this remediation is too expensive; we’ll just live with the risk?”

It’s not a consistent process, but typically it’s the business. We may differ with the business as to the level of a risk after it’s been thoroughly examined. If the outcome is that it’s too expensive and the business decides to just live with it, in some cases we’ve “up-leveled” the issue and said, “We don’t agree.” For the most part, people want to do the right thing.

In a perfect world, 100 percent remediation would be the solution, but in real life that’s often not the case. Take the example of the supply chain. In a perfect world you would have at least two suppliers with low risk correlations who could immediately replace the capacity of the other. The business reality is you won’t achieve a competitively priced product because the competition is using the economic advantage of focusing its spending dollars with a single supplier. So then, maybe it’s reasonable to have two weeks of buffer inventory or to check that suppliers have detailed business-continuity plans.

How often do you re-assess risks?

At the senior level, we currently do it once a year. On more junior levels, it’s ongoing. As we continue to make progress in the program, more people understand what the group does and our capabilities, and we start getting more opportunities.

Is ERM fully implemented at Sun? Or when might that happen?

No, I don’t consider ERM fully implemented partly because I’m not sure what full implementation would look like. “ERM Nirvana” is not a real place, but one that’s out there in the distance, acting as a guide to lead us further down the path. Maybe someday I’ll view it differently.

For certain industries, like financial services, maybe you can get to the point where you’re there, I think, because the business is built around risks. If you look at a banking institution, what do they do? Take risks, make loans, have interest-rate risks. Those are integral and very measurable and reportable. Not to say that they don’t have others, but in technology, for instance, there are some things we do that we are much less able to provide rigorous metrics and analysis on.

What are your priorities for the next 12 months?

Right now we’re in the midst of our round of risk assessments. We’ve partnered up with IA, doing the interviews on a combined basis. Our next step is trying to build ERM into the planning process of the corporation, rather than just having this annual identification process, so that as we develop our goals we also develop the risks, the owners and all that along with it. I view that as another step along the path.

Thanks, Kevin.