The committee reports to the company's audit committee, the COO and the chairman, Lawrence notes, and has four principal goals:

o Performing a comprehensive enterprise risk assessment in the first year which involves identifying major risks facing the company and then ranking those risks by both likelihood and sensitivity;

o Monitoring and reporting on progress at risk mitigation;

o Working with and improving ongoing audit procedures of various corporate control functions; and

o Connecting the dots of the various internal audit activities of the company.

In the case of the initial risk assessment, a process that has just been completed, Lawrence says that 30 senior executives at the company were asked first to identify 50 risks, such as inadvertent disclosure, lack of adequate training to manage growth and financial misstatement. Then, they had to rank them. From that data, the committee identified 20 risks that Lawrence says "warranted additional focus." Each of those risks was assigned to "a very senior executive" whose job it was to develop a mitigation plan. At this point, members of the enterprise risk management committee are meeting with each of those senior managers to evaluate their assessments. Explains Lawrence, "Otherwise, you could have risk owners who might whitewash an issue." Late this spring, the committee will report its findings to the audit committee.

Mitigation will be next on the Iron Mountain agenda, but Lawrence says that the assessment and prioritization process is already producing improvements in the risk profile of various company operations. He uses the example of ongoing audit procedures.

The ERM risk assessment concluded that conducting more random audits and adjusting the frequency of audits according to the results made the process more efficient and more likely to uncover problems. By staggering ERM audits with the company's ongoing safety and security checks, Lawrence is actually able to lift some of the burden from safety and security auditors, while at the same time improving the process. "We actually get better overall coverage," he notes.

OUTSIDE FORCES MATTER

Lawrence says that the decision to establish an enterprise risk management committee at Iron Mountain was not just in response to the Sarbanes-Oxley Act and other new regulation, although the new corporate reporting requirements are definitely part of any ERM mosaic. "You had a major change in the business climate at large, which is affecting us and our customers," explains Lawrence. "Risk management is all anticipatory–it's about needing to know what's coming down the road before it gets here. So if we're going to help our clients manage risk, we need to be anticipating our needs and [their needs] instead of just reacting."

That interpretation has meant that Lawrence and the committee cannot afford to look narrowly at risks within the company alone. "Risk assessment includes things like legislative changes," Lawrence asserts. Right now, there are a number of bills in Congress related to inadvertent disclosure; new regulation in this area would directly affect Iron Mountain's business and what it would be required to provide its customers. "So if we are going to need new products," he says, "we need to get on it now," not after the laws take effect.

Admittedly, Lawrence approached the ERM job with trepidation. "My biggest challenge going into this was a concern about this organization's ability to embrace this kind of project, because it's such a formal process," he notes. "My biggest surprise was how easily it was embraced."

Although Lawrence believes most treasurers are perfectly suited for the job of enterprise risk management, given their skills and responsibilities, he has a background that has made him unusually prepared. Lawrence joined Iron Mountain when the company had only 200 employees and $10 million in sales. Today, Iron Mountain has 15,000 employees operating in 26 countries, handling some 275,000 customer accounts, and Lawrence had a pivotal role in that exponential growth, overseeing much of the risk management and due diligence involved in Iron Mountain's many acquisitions over the years. "This company grew through acquisitions–150 over the past 10 years," he says, "and I created the techniques to control the risks of acquisition, and to integrate benefits, reporting and control systems for all those acquisitions."

In addition to that detailed work, Lawrence was also the project manager for Y2K compliance during a hectic technology-driven campaign at the turnover of the millennium. "It was that sort of window into operations that gave me a broad perspective on the key drivers of risk and value," Lawrence remarks now.

But regardless of which executive title a company chooses to head up its enterprise risk management effort, Lawrence suggests that there is one hurdle that must be cleared before any company can embark on a full-blown risk assessment: Every senior manager at the company must endorse both the concept of ERM and the executive designated to lead ERM. "You need to have a mandate that allows you to go anywhere you want to go in the organization with a blank sheet of paper," he says. "Otherwise, it's just a science project."