As part of our occasional series of conversations with corporate governance and compliance officers, this week we conclude our two-part interview with Richard Suminski, deputy general counsel and chief ethics and compliance officer of Tyco Electronics. Part one, published on May 4, 2010, focused on Tyco’s efforts at ethics and compliance training for its 78,000 employees. Part two, below, talks about establishing a risk-management program.

DETAILS

Rich Suminski is vice president, deputy general counsel and chief ethics and compliance officer of Tyco Electronics Corporation (TE), a $12 billion company that manufactures a diverse range of electronics and electrical systems and employs approximately 70,000 people in over 60 countries. Suminski has supervisory responsibility for the global commercial and compliance legal, real estate and trade compliance functions within TE. He manages a staff of over 40 professionals worldwide.

In addition, Suminski chairs TE’s Compliance Committee, leads the company’s annual enterprise risk assessment process, is counsel to TE’s Board of Directors’ Nominating, Governance and Compliance Committee and is a member of its Financial Disclosure and PAC Committees. He directly supervises all significant domestic and international commercial law litigation and product liability claims and oversees the Ombuds Office, compliance investigations and compliance training programs. Suminski works closely with TE’s senior management team and the Board in providing legal counsel and advice on complex ethics/compliance issues and high-level business issues and transactions.

COMPANY BASICS

Company: Tyco Electronics

Headquarters: Schaffhausen, Switzerland

Employees: 78,000

Revenue: $10.2 billion

Website: tycoelectronics.com

Tell us about how Tyco Electronics got its enterprise risk management program up and running.

When Tyco International changed management back in 2002 [after former CEO Dennis Kozlowski resigned and ultimately went to prison], enterprise risk management became a key focus of the company, and I had the opportunity to be involved in all enterprise risk assessment programs. So I had a very good foundation from Tyco International as to how the process works.

Right around the time Tyco Electronics separated from Tyco International, I began discussions with senior management as to how we were going to do our own enterprise risk assessments as a standalone company. We had a long period of time to think about this. It’s always been my philosophy that to do something very well, it’s important to thoroughly plan and take your time the first time. For us, the process was easier, because we could tap into our prior experience. It also went quicker and smoother because we had a strong foundation, and we better understood the process.

We started by talking with the senior leaders in the company and reviewing the risk assessments from when we were part of Tyco International. We discussed what, as a new public company, may be missing from those assessments and how we could improve upon them for Tyco Electronics. Based upon those discussions, I formed a steering committee, made up of people who I knew could work well together, and who came from various disciplines in the company.

Who was on that steering committee?

On the steering committee we had a head of internal audit, a head of security, a risk manager, somebody from HR. I represented the legal and compliance function.

How did that work out?

Among the steering committee members, we identified what we saw as the biggest potential risks within each functional area. We then worked together for about three months discussing categories of risk that we thought could most impact the company.

Initially we came up with 12 categories of risks. This list was further narrowed down to 10 risks. We started to develop and fill out a chart where we had those categories, or buckets, of risks. We further classified the risk by the likelihood of the risk occurring and the effect if it did occur. We then formed 10 separate teams in which they went out and added other professionals and other expertise from around the world to really debate and discuss all the risks that should be identified under each category. The teams then came back and reported to the steering committee. The result was a lively discussion over several months.

Finally, we refined all the information down to 9 categories of risk. The whole process took about a year. It involved forming the right team with the people who had the expertise, global knowledge and wanted to contribute to the group effort. In the end, we had a truly enterprise global risk assessment of the whole company that took into consideration many people’s viewpoints across the disciplines. Having completed all those steps (consolidating, discussing, and refining in a thoughtful manner) made it a good robust process.

Did the steering committee have anything else on its agenda?

While talking about enterprise risk assessment, we realized that we needed to be better prepared for other unpredictable global situations. The recent events in Iceland following the volcano eruption, for example, do show that you can have the best risk management process, but when Mother Nature interferes or makes Her power known, are you prepared to deal with that?

For us, the event was the swine flu in Mexico going back a couple of years ago. We have very good safety and emergency response processes in place, when a plant has an event that may hold production temporarily. What we didn’t have in place was a plan for when the whole country gets shut down—as was the case in Mexico, where we have six plants. It’s a little more difficult to rely upon a neighboring plant when the whole country is shut down. So we took a look at that, and we’re still working it through. So you can have processes in place for an individual plant, but you also need to coordinate that both regionally and globally.

Another big category to come out of our most recent enterprise risk management assessment was emerging markets. We’re a global company, and long-term emerging markets—places like the BRIC [Brazil, Russia, India, China] countries—are probably where we’re going to see more growth. But those countries are obviously different than the United States. You have different cultural issues. The legal systems in those four countries are vastly different than in the United States, and you need to understand all that. So with the understanding that more business growth is going to happen in these emerging markets, you need to better understand the cultural nuances, the potential problems there, and be better prepared to mitigate or address those risks long term.

What was the next step, after all the risks were identified?

We created a document with a dashboard of the categories of risk and a detailed listing of the types of risk within each category. Supplementing the dashboard is a more detailed document addressing the steps the team identified to mitigate the risks.

Once the risk assessment was compiled, it was presented to the senior management of the company. A month later, we presented it to the board of directors. Both of those presentations were interactive with good feedback and questions.

What was senior management’s role in all of this?

From the beginning, we had tremendous support from the CEO, CFO, and general counsel. They pointed us in the right direction and provided good guidance. When I would meet with the nominating governance and compliance committee of the board of directors, they lent their perspective and gave good advice on ERM, as well.

I think what made our enterprise risk management process successful is the support from both the board of directors and senior management. Our senior management team was very involved, took this seriously and saw the value in doing this so their guidance and encouragement filtered down to the whole organization. We believe in the process and its outputs, which is why it is successful for Tyco Electronics.

Thanks, Rich.