By B.G. YOVOVICH, who has written for national trade publications for more than 20 years
Like many other ERM efforts, Cisco's program arose in response to board-level interest and began with a significant emphasis on assisting with compliance requirements. When it was launched in 2005, the initial objective was to integrate an ERM component into the company's Sarbanes-Oxley compliance and governance activities, which included risk processes and systems for internal control assessment, finance and planning analysis, and overall risk management.
Soon, however, the ERM initiative branched out beyond a purely compliance-and-oversight role.
"We wanted ERM to be seen as a very strong business partner that was trying to help Cisco to operate better," said Philip Roush, who leads the ERM team as vice president of Internal Control Services at Cisco.
"We wanted people to feel that we were going to help them with their business rather than just someone who was going to check over their shoulders," he added.
How did Roush's team accomplish this?
"You have to have some wins, you have to demonstrate some value," he said.
EARLY WINS AND BEYOND
At Cisco, a key early opportunity arose when the ERM team was able to provide insight regarding the supply chain. In brief, the very first Cisco ERM assessment in 2004-5 found that the company was particularly dependent on one specific chip that was manufactured by one plant in Taiwan. If that plant went down, it would disrupt the Cisco supply chain for three months.
"Senior management realized that, although it would cost us money to have redundancy, it was not an acceptable risk," recalled Roush.
Building on the credibility that it earned from that and other early successes, the ERM program has been broadening its role as a business enabler that can add value by helping the organization more effectively achieve corporate objectives.
For example, one ERM initiative involves helping the Cisco sales team analyze the risks connected with plans to expand into often-risky emerging markets.
"There are many emerging markets around the world that have benefited from the rising price of oil but that are not very advanced from an infrastructure standpoint, including IT, communications and networking gear," said Roush.
"However, there also is a lot of risk in getting into some of these markets, whether it is political instability, oil-price volatility or how you deal with government agencies."
To help the Cisco sales team make its decisions about which opportunities to pursue, the ERM department puts together a tool that gives them a "risk lens," explained Roush.
"It includes about 20 different indices, along the lines of, 'Here are the things you need to think about as you think about Uzbekistan or some of these other countries,' " he said.
The tool provides shared data and an analytical method to analyze that data when the sales team tries to prioritize Cisco's expansion plans.
GOLD MEDAL SUCCESS
Cisco's ERM team also applied its expertise to address the risks connected with the company's recent sponsorship of and involvement with the 2008 Olympics.
"The Olympics provided us with potentially big brand exposure, but there also was a big brand risk if the Cisco-run network went down and the Olympics TV or Internet coverage was cut off all over the world," said Roush.
"We did a deep dive into, 'What are the risks?' And based on findings from our ERM process, we identified critical areas that needed to be addressed, which led to changes in some of the things that we were going to do," he continued. "This included, for example, making sure that we had certain replacement parts in country and that we had critical stock levels on hand."
Cisco even has been looking for ERM input from outside the enterprise. For instance, Cisco's channels group is going to do a "channels risk assessment." The company also is just beginning an initiative that will gather information about how industry analysts see Cisco's risks.
"There are 31 analysts who follow Cisco and who have a lot of opinions about us, and we are going to put together a series of questions and interview them about their view of risk for Cisco to get an outside-in perspective," said Roush.
January 19, 2009
Copyright 2009© LRP Publications