Mark Stuart: How does your system go beyond Sarbanes-Oxley (SOX)?

Bruce Nolop: Where SOX is focused on processes, procedures and accounting, we’ve developed an enterprise risk management [ERM] solution, taking a much broader look at the overall risks facing the company, many of which are non-financial. While SOX was legislated and has 800 pages of rules, ERM is far more flexible. The tone in ERM is different as well: while SOX is about compliance and ticking very detailed boxes, ERM is a more proactive system that concentrates on adding value: it takes the point of view of the board of directors or the shareholder and asks, ‘how can we maximise advantages and minimize risk?’ Where SOX was led by accounting firms, our project is led by the company, and that’s a key difference. This is a management tool, not a compliance project. One of the problems with SOX is that it is a net-cost project; there’s little tangible benefit to the company.
That’s right – with SOX, it’s about the 1,700 or so clauses. But with ERM, there’s no doubt that it is creating benefit, as it focuses on determining the right level of risk. Eliminating all risk is not necessarily the right outcome – you might overinsure, if you follow that policy. Instead, it’s about using risk for competitive advantage. It’s a strategic, director-led issue. For example, how much risk are you willing to take on in contractual terms with customers? Say there’s a problem with customer data that went to the wrong place. What potential liability do we want to assume? When you consider a mitigation programme for this, you have two approaches. You can limit the risk contractually or you can do everything in your power to ensure that your processes and procedures prevent any issues with customer data ever occurring. The art lies in finding the optimal point somewhere between the two extremes.

Mark Stuart: How do you structure the risk management system?

Bruce Nolop: The company parses out individual risks to the executive who can most effectively mitigate them, while simultaneously establishing clear accountability for ongoing risk management in the future. We have 15 risk categories and specific risks within those categories. The risks are identified and assessed; we analyse each category and each risk in terms of the probability of something occurring, and then the severity if it in fact occurred. Then we monitor and measure what the mitigation programme should be at this point.

Mark Stuart: How do you implement the programme?

Bruce Nolop: We have a risk steering committee composed of staff and operating people, and we have people in all of the business units who are involved in monitoring and measuring risks in their particular areas. They give regular reports to the senior management team, and to the board. Something else we’ve introduced, which I think is unique, and has worked well, is to assign the risk categories to various committees of the board.
This ensures broad-based understanding throughout the board.

Mark Stuart: How do you decide how often you need to meet and what should be discussed? I imagine there are things you know you don’t know and things you don’t know you don’t know.

Bruce Nolop: There are eight members of the group and they meet about once a month for three or four hours. We review a couple of risk categories at each meeting and the risk owners give an update, discuss what else we should be doing and explain the current state of mitigation. And we find that we uncover new risks just by holding these meetings. We had originally identified 77 specific risks but, as a result of the meetings, we now have over 100. For example, in the supply chain area, we had identified risks to vendors and now we’re identifying risks to the vendors of the vendors – any weaknesses that might be in their system, for instance, or compliance issues they might not have in place.

Mark Stuart: What about global risk – terrorism, pandemics, natural disasters? How does the group assess and take action on these areas?

Bruce Nolop: They all come under the general category of business continuity. The question we ask ourselves is, are there ways to take advantage of what seem to be perilous areas? If you’re prepared for something and you can prevent business interruption, there’s potential competitive advantage to be gained. We look at business interruption not only to protect our own facilities, but in terms of what we can offer to customers to give them confidence that they can maintain their business.

Mark Stuart: Climate change, for instance, could have major impacts on the future running of businesses. How are you tackling this?

Bruce Nolop: Clearly, more people are focusing on climate change than before. But I would say we would always consider climate change in the context of what the implications are for Pitney Bowes. We don’t spend time debating whether or not climate change is actually happening, or the extent to which it’s taking place.
We’re concerned with what the potential implications are to us as a company and what we can do about it, and of course on how it might affect our brand reputation. If we’re perceived as a company with good corporate responsibility credentials, that can enhance the business.

Mark Stuart: Although risk management is a director’s responsibility, there’s far too much information for a director to spend time looking at. How do you find the balance between what the director does and doesn’t need to see?
Bruce Nolop: For each category in the risk template, we try to summarise what the risks are in an easily understood narrative format. Then we describe what the mitigation programme is, and we decide on the appropriate level of mitigation. We supplement these risk templates, which would typically be two to four pages long, with a graphical display of the risk category. Each specific risk is placed on a graph to show the severity of risk and the probability of occurrence. Then we colour code the risk to show what level of mitigation we have. As a result, a director can easily see in brief what the status of a risk category is. Of course, a director will focus on a coding that’s suboptimal and on items that lie in the high-severity/high-probability quadrant.

Mark Stuart: How do the risk assessments filter down to specific actions?

Bruce Nolop: Every year as part of the process, we have a plan of what the objectives are for the next year. This is built into the strategic architecture of the company – it affects compensation and bonuses for the people who are accountable for these areas. This means that the board is actually a participant in the process of being sure we’ve got action plans in place.

Mark Stuart: Did you develop the governance system personally?

Bruce Nolop: Like all such projects, there are a lot of people who’ve contributed to it. I’ve led the team, and we’ve worked closely with the chairman of the audit committee in designing it. It’s unusual in that it’s a collaboration between the board of directors and the management team. The chief risk officer reports to me, but it’s a team effort and it’s been successful because the ownership of the programme is widely dispersed. People feel a sense of accountability and have committed to what the project is trying to do. That’s vital; you need full buy-in from the board and from business unit people if programmes of this nature are going to work.

Mark Stuart: Tell me about your own job as CFO. How would you describe your role?

Bruce Nolop: It’s a broad role and getting broader all the time.
What’s fascinating is that the areas that appear to be quite different from each other actually all interrelate. And each individual area is also broadening at an increasing speed. For example, in accounting you’ve got more regulatory requirements than before and more focus on compliance. At the same time, you have a much more demanding shareholder base that is seeking more strategic direction and communications; that whole area has been steadily growing. On the operational side, you have more requirements than ever to produce growth, which is difficult in a moderately growing economy. One of the big questions for me is, how do you stimulate organic growth? The other element that keeps me on my toes is the fact that you’re constantly refocusing, from looking at the big picture to day-to-day compliance, then back to a worldview.

Mark Stuart: What other responsibilities do you have?
Bruce Nolop: Marketing comes under my overall purview. This has more fit than many people might expect because communications is becoming more important than ever to the CFO role. You have to have consistency of message to investors, customers, and employees – to every stakeholder, in fact. We have to make sure we have a message that makes sense, and that our action plans are consistent with our messaging. We discussed brand reputation earlier in the context of risk management; developing and communicating our brand is a rich subject, and discussions about what we can do to enhance it and mitigate risks against it are a dialogue that should be carried out at the highest level. What might seem a small issue could end up having massive implications for your brand equity and on bottom-line profits if an issue escalates into a boycott or gets national press coverage.

Mark Stuart: As the job broadens and increases, how do you maintain a work-life balance and prevent the role consuming more and more of your time?

Bruce Nolop: My view is to get the right organisational structure in place and then get the right employees. Although the job itself broadens, you can’t possibly do everything yourself, and that’s more true today than ever. That’s why there’s now more of a premium on those two factors – organisational structure and people. So the job doesn’t necessarily become more difficult as it becomes broader; it’s just different. The skill sets keep changing; that’s something other CFOs will be very conscious of. Trying to evolve with the changing nature of the job can be a challenge. For example, how does changing technology impact on your role? Also, in the past I managed more areas that are now outsourced and vendor-managed. You still have the same objective in mind – but you need a different approach to manage vendors than you would to manage an operation.