Risk Management

Enterprise Risk Management at Microsoft

This is a brief writeup from an Enterprise Risk Management class that I took back in 2013. The case describes Microsoft from the mid to late 90’s and its efforts to implement an Enterprise Risk Management group. The case mentions former head of treasury Brent Callinicos, who went on to become a regional CFO at Microsoft and the CFO for Uber.

For those who are interested in the case details, check out “Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management” by Thomas L. Barton, William G. Shenkir & Paul L. Walker.

Introduction

Historically, the technology sector has always been subjected to swift, rapid changes. Microsoft has always tried to anticipate new threats and technology advances (i.e. dealing with both existing risks and unanticipated risks). Back in the late 1990’s, technological changes due to the rise of the internet provided Microsoft a different landscape from the historical era of the unconnected, standalone PC. In Microsoft’s 1999 annual report, the first item discussed under “issues and uncertainties” is “rapid technological change and competition”[1].

Additionally as the mid 90’s era Microsoft launched new products, it also ventured into new business models. The launch of Expedia in 1996 positioned Microsoft as a player in the travel agency business and its Home Advisor product made the company a licensed mortgage broker. These novel business models exposed the organization to a new set of risks, which in-turn exposed the risk management group to new challenges.

Moving to an Enterprise-wide Risk Management Approach

Microsoft has always competed in a very competitive landscape replete with technologically savvy competitors and condensing product life cycles. As a result, an enterprise wide commitment to risk management was a necessary and prudent choice to remain competitive in the company’s markets.

The momentum that triggered a more enterprise wide view of risks at the company was the establishment of the risk management group in 1997. Prior to 1997, there was no such group to start the process of implementing an ERM framework. Within the treasury group, the risk management group head Brent Callinicos (also notably the eventual CFO of Uber) set out to develop a consolidated risk identification, measurement and management approach.

The treasury group started with finance risk management changes by increasing the complexity and effectiveness of VAR analyses. Furthermore, treasury presented a paper to the finance committee of the board of directors that analyzed the derivative losses of several major companies. This report precipitated a more integrated approach to the various financial risks handled within treasury. The creation of Gibraltar (a treasury information system) allowed the company to view all of its risks “holistically rather than on a silo basis” [1].

From a business risk perspective, the risk management group worked closely with business unit managers in order to develop risk-financing plans and to aid business units with appropriate quantitative risk modeling. This evangelist approach was an effective method for gaining buy-in regarding the risk management group’s aims.

Microsoft’s Enterprise Risk Management Structure

Microsoft’s risk management group is nestled within the treasury function of the organization. The leader of the risk management group is the corporate treasurer who reports directly to the CFO. Treasury manages somewhere in the neighborhood of $80 billion for the software company [2]. Business risk is divided into worldwide products, worldwide sales & support and worldwide operations. The company does not have a CRO as it decided that a CRO would not be practical.

In my opinion, I believe that Microsoft housed their risk management under the treasury function because they viewed a standalone risk organization under a CRO as duplicative. Treasurers concentrate primarily on managing financial risks but by nature must also be generalists with respect to many types of risk. In a multinational technology company such as Microsoft, various market currency risks exist that require appropriate anticipation and response.

Microsoft is inherently technologically driven. The company has very smart, knowledgeable people naturally embedded into its lines of business. These smart people understand the risks of their technological products and desire to see these products succeed. To the benefit of the organization, the embedded personnel have an inherently risk minded mentality. Therefore the job of the risk management group is to partner with and support the lines of business and various operations groups by adding “incremental value”; i.e. information that the business units may not have considered.

“Microsoft is first run by the product group, then maybe by sales, and finance and risk management will come after that. The risk management group or treasury group will not run the company”[1].

Microsoft previously looked at risk in separate silos. In order to look at risk holistically, the risk management group had to step back and take a strategic assessment, which is a much more challenging endeavor. With this holistic approach, the grouping or correlation of risks are considered as opposed to dealing with one specific risk at a time. For example, Microsoft considered property insurance as the legacy best way to manage the risk of building damage in an earthquake. With a new scenario analysis approach employed by the risk management group, additional risks must be considered that are correlated to property damage. This new correlation mentality required partnering with multiple areas of the company to incorporate additional risks for an appropriate risk assessment.

Use of Scenario Analysis

Scenario analysis is used to understand the risks with respect to situations where it is very hard to quantify or measure the precise impact to the organization. Sequences of events regarding severe earthquake damage or severe shocks to the stock market are risks that are difficult to quantitatively measure and thus scenario-based tactics are applicable to try and gauge the fallout. Additionally, Microsoft uses scenario analysis to conduct stress testing which consider hard to measure impacts of political and geographic circumstances. An order of magnitude approach is used in scenario analysis as opposed to an exact measurement approach. Microsoft uses qualitative language such as, “..the quantification of business risks is not exact…”  and , “Does this feel about right for this risk” in their scenario analyses.

Once the risk management group has identified the risks associated with each scenario, it then partners with other business units to understand impacts. The risk group will also investigate other external organizations that have experienced similar events in order to learn how these organizations weathered their experiences.

The Main Benefits of Enterprise Risk Management

One substantial benefit for Microsoft in moving to an ERM approach is that the company can view and assess its risks holistically as opposed to assessing risks in an independent/uncorrelated fashion. This is evident in initiatives such as the company’s Gibraltar treasury system which provides an aggregated view of market risks.

Another benefit is that the risk management group works across the organizational footprint and can provide input to various groups so that each group can “stay current on what is happening in the business” [1]. The risk management group can diffuse information across the organization by working closely with business unit managers. Face time with product and operations managers allows the risk group to understand risks across the enterprise which contributes to a holistic understanding.

This approach is mutually beneficial for both groups as the risk group gains understanding of new risks (continuous cataloging of risks) and the business units gain insight into risks they may not have previously considered.

“By having the business units educate us on the intricate details of their business, the risk management group can be aware of perhaps 90 percent of the risks facing Microsoft”[1].

Closing Thoughts

At Microsoft, the risk management group doesn’t necessarily have to posses the all-encompassing best risk solution for every line of business. Risk management considers the product managers and the respective lines of business as the most knowledgeable sources of risk within their own domains. The risk group is on hand to provide additional insight for incremental improvement and to enhance or build upon the risk knowledge already contained within the lines of business.

This approach makes sense for a technology company that is teeming with very risk aware and knowledgeable personnel at the operational levels who are designing or working with complex products.

In my work experience at a traditional bank, the risk group was assumed to have the best procedures, templates and analyses with respect to handling credit, market and operating risks.  From Microsoft I have learned that highly efficient and capable risk management can also be a synthesis of understandings from risk management proper and the lines of business.

References:

[1] Barton,T., Shenkir,W., Walker, P. (2002). Making Enterprise Risk Management Pay Off.

[2] Groenfeldt, T.  (Nov, 2013). Microsoft Treasury Wins Best Risk Management Award. Forbes. http://www.forbes.com/sites/tomgroenfeldt/2013/11/19/microsoft-treasury-wins-best-risk-management-award/#4fcade2124ed

Copyright: mrincredible / 123RF Stock Photo

Advertisements