The drivers that lie behind the establishment of an ERM program may be classified as the following: the proactive decision; a reaction to events, whether it's internal or external; and the requirements and expectations of regulators and other external bodies. I would also say that there's a widespread belief that the new SEC proxy disclosure enhancement rule, that would be the SEC rule 33-9089, is the biggest single driver of the current interest in ERM.

Now the overall ERM approaches adopted by companies may be classified according to the categories of risk that they mainly intend to be within the scope of ERM, the predominant approach that they adopt for the management of these risks, and in general, ERM programs tend to fall into one or the other of two types of programs. One takes a mainly strategic view of risk and manages it in a qualitative way, and the other would be programs that take on a more operational or a financial view and manage risks through quantitative control. Now it could be argued by some ERM managers that the two approaches may be differentiated according to whether the view of risk is fundamentally enterprise level or enterprise-wide, and then most organizations are really making an effort to take a more holistic approach, more integrated.

When we originally started looking at ERM, it was kind of sectional in who's the owner of it, and where does it start? Often times it does start within the internal audit, but they may not be the ultimate owner in a company. And to do this an organization needs to ask itself how strategic risk can be analyzed on a quantitative level, and how operational data could be interpreted in a qualitative way. When companies look at risk, given the credit crisis over the past few years as well as the liquidity crisis — I've kind of named the treasurer as the chief liquidity officer now because they've really been forced to look at risk in a different view, now the treasurer has a seat at the table — you haven't seen that traditionally, it's been kind of an automated role.

ERM managers have generally reacted positively to various efforts that have been made to develop frameworks for ERM, in particular, the COSO framework from 2004. However, demands appear to be growing for this framework to be updated. And I could tell you as a side note, FEI is one of the founding member organizations of COSO, and we are currently looking to update that framework. So stay tuned on that. The ISO 31,000 also has been well received, albeit largely only as a basic introduction to ERM.

 When you look at operationalizing ERM, most ERM programs operationalize at around five activities and that's gathering and organization of risk intelligence; cross-function risk discussions; risk scoring and prioritization; risk response; and reporting. The graph here depicts a broad overview of the process. Most of the ERM programs we see begin with a top-down approach to gathering intelligence on the risk, with senior management taking the first cut at defining the risk universe. That's why we've seen — with companies I have worked with in the past and continue to see through our membership — how do you [determine] what are all the risks? How many companies really focused in the past on operational risks, as an example, or reputational risks? So [this is] looking at it from the overall broad organization.

Cross-functional risk forms are considered essential in most ERM programs because they bring together the insights and inputs from across the businesses and therefore play a critical role in ensuring truly enterprise-wide engagement. Essentially the four choices open to a company are to accept the risk, share it, mitigate or reduce it, or avoid it, but all can have pretty serious implications. And so a risk response may itself create another risk event elsewhere through risk correlation or the law of unintended consequence.

One of the things, too, is the risk-scoring tools. A lot of companies that have gotten into ERM are doing these heat maps, which involves a risk scoring and prioritization setting and that's what that is. Most of these programs use the heat maps for this risk analysis with the axis defined according to the likelihood and severity of the risk, and some organizations also take into consideration the effectiveness with which the risk is addressed. However, some ERM managers consider heat mapping to be insufficiently robust and have developed sophisticated alternatives by which the monetary value is attached to every risk. Whichever model is used, compromises often need to be struck since it's often not possible to compare apples with apples.

There were eight submissions for ERM, and it was a pleasure, as I mentioned, to be on as a judge and to read all the papers and see such alignment among the broad trends that we've seen in our own FEI studies. It was obviously very tough to narrow the field, but I'm pleased to introduce the panelists and award winners for this category.

First the Bronze Award winner, Honeywell International, and accepting for Honeywell will be Adam Matteo; Adam is actually an FEI member as well. I have Kathleen's [information] here, but let me give you a little bit on Adam. Adam is the assistant corporate controller at Honeywell. He's responsible for SEC and management reporting, SOX and technical accounting, and he's been at Honeywell for four years. Prior to that, he worked 10 years at the national office of Deloitte in M&A and audit. I would like to welcome Adam to say a few words, if you will.

 ADAM MATTEO: Thank you, Marie. Thank you very much. It's my pleasure to be here today. I want to share a little bit about Honeywell's ERM process and how we view ERM and risk. As you've probably realized by now, I'm not Kathleen Winters. I do work with Kathleen in the areas that Marie mentioned, as well as many of our ERM processes and, as you all know, many of us struggle with how to define ERM, how to define risk. And so what I shared here is a couple of what we at Honeywell view as our key objectives from ERM.

I think it's very important to have those objectives defined up front to help drive and guide your process. One of the things that's different, I believe, about our process [is that] we really have what we refer to as an embedded process, so we don't have a separate risk committee of the board or chief risk officer or director of ERM. Our processes are really a part of our annual operating plan, our five-year strategic plan, our functional plans and processes, our operating goals and targets and metrics, etc. And so what that leaves you with is you still need a way to understand how well you're addressing risk. Are you doing the right things? Are you looking at the right areas? So we do have an annual process where as I've described, we reach into these various other mature processes and pull out the results and information we're looking for. And so we go through that with our SBGs, our segments, as well as our corporate finance folks.

And then the other area we obviously look to follow is some of the recent developments around ERM — for example, the proxy rules that are coming into place.

The earlier slides hit one of our key items right on the head in terms of heat mapping: The risk factors listed here to the right are our 10-k risk factors. We do go through a fairly robust process of surveying and scoring these factors — monetary impact as well as likelihood of occurrence. We'll take these risks and we'll filter them through some art and science — so the takeaway for us here is we use this as a tool to filter our risks through to try to draw out the significant items, but it's not a black-and-white process that we go through and say, 'We're just going to look at these factors.'

This next page gives a hypothetical example. One of the other areas we really look at is liquidity, obviously of great importance to us, and what is the potential drag that we have as a result of risk factors? Obviously [we are] looking not just at the risks but at mitigation strategies, and really the illustration here is intended to drive toward looking at a five-year window that coincides with our strategic plan, and really with a goal of taking the potential liquidity drain from risk factors and minimizing and converging that over our five-year strategic plan period.

The question is that nice idea, does it really work? And so one of the examples I would share with you is if you look at Honeywell's results in prior recession vs. the most recent, we really had a much steeper and more precipitous decline in our revenue, down 15% in one year. However, if I look at our net income, [during] the prior recession we lost money two years in a row [and,] while [it's] certainly nothing [we] can necessarily pat ourselves on the back [for,] being down 23% year over year clearly [indicates] a lot better mitigation this time around. And then if you look over to our free cash flow, [we] really manage to preserve and even improve upon both our gross cash flow and our conversion rate.  So I like to think that that's in no small part attributable to some of the ERM and risk mitigation factors that are embedded in our process. Thank you.

     HOLLEIN: Thank you, Adam. That was very impressive.

Next is our Silver Award winner, and that is RTI International. Jennifer MacKethan, senior manager of ERM, is here to represent RTI. Jennifer has more than 16 years of risk and credit management experience. She implemented a successful COSO-based enterprise risk management system across RTI which includes ongoing comprehensive organization-wide risk management — risk assessment and gap analysis, mitigation-based action planning and development of multilevel risk dashboards. In addition to ERM, Jennifer has recently been given the responsibility of implementing RTI's corporate sustainability program, which is also becoming another very hot topic. Prior to focusing her career path on ERM, she worked extensively in the banking industry with a focus on commercial loan risk analysis and credit underwriting. Let's please welcome Jennifer. Thank you.

     JENNIFER MACKETHAN: Good morning. I want to thank everybody for being here. I want to thank Treasury & Risk for having us up here. This is our third year in a row on this stage, so we are very pleased to be here. We are here for the hat trick, so to speak. I would like to acknowledge my chief risk officer, Ward Sax, who was not able to stay; he needed to fly back this morning. But he is one [of] the Treasury & Risk Top 100 Most Influential People in Finance from 2009, and I'm actually kind of glad he left because then we don't have to argue [about] who gets to keep the trophy, so that worked out nicely.

A little bit about RTI. We are a multinational research organization, not-for-profit. We are 51 years old. We have a history in scientific research, technology development and international development. We have five different business units that operate within international development; social and statistical sciences; health solutions, which is our clinical trials data management; discovery and analytic sciences; and energy technology. We are a government contractor primarily, with about 82% of our revenue coming from the U.S. government. And we're up last year from 3,800 professionals in 40 countries to 4,000 in 48.

Now one of the things we found out about enterprise risk management is it's an evolving risk management process. And we realized — especially over the last few years with incidents like [the] Virginia Tech [shootings] and the BP [oil spill] and Haiti's earthquakes and the volcano [in Iceland] that I will not attempt to pronounce that happened earlier this year — that there can be a great number of things that happen that you can't see coming that are actually outside of your scope. So one of the things that we attempted to do over the last year was to try and take a better look at some of those higher-level risks.

We are charged by our audit committee to take our ERM program to the next level, to develop state-of-the-art practices that focus on our emerging strategic risks, catastrophic impact with low probability risks, and some of the known unknowns — again, things that are known to people within the organization but may not be known to everybody or even the people that really should be aware. One of the things that we added as a sort of third dimension to this standard heat map and risk graph is the concept of risk velocity. Not only have we looked at our risks in terms of what their probability was — and severity — but we looked at the velocity, and that was the speed with which the adverse impact would be felt in such an event.

Now this is a very small spreadsheet and I won't challenge you to try to read it too much. We polled our executive and senior leadership teams. The three boxes along the top are the probability, velocity and impact, with our definitions of how we rank them, and then the organization name. Then in the middle call box to your left, we asked them to put in their own words what their top five risks to their business unit would be. We then took those and assigned a key risk indicator to capture that. So for that one, I believe it's the freezing of government funding might impact our ongoing opportunities. That was translated into a key risk indicator of the U.S. government market. This allowed us to apply a common lexicon across all of the risks and allowed us to aggregate them into one single viewpoint. We then took and graphed them based on the number of leaders that provided them and then as well as the probability, the impact and the velocity. Now this is the organizational view, and it's a picture of what our total key risk picture is from the top down.

Then for each business unit we took and looked at their top five and sort of compartmentalized for each individual business unit what their specific risks were. Now this is listed as operational; however, this is what became the foundation for the executive vice president's strategic risk planning sessions. These are the areas that they were asked to focus on for their strategic risk planning.

Next we took a look at this from the catastrophic level and, again, [we have a] similar graph. But one of the things we decided [was] to take a look at our catastrophic risk potential, because as we kept seeing these things pop up in the news, one of the things that we were not impressed with was the notion, 'We never thought this could happen.' As an organization, we decided that [this] was not a valid response and that we needed to be prepared whenever possible.

So if you look at some of these, they're fairly standard, they're ones that any organization could face: environmental pollution, natural disaster, pandemic or a security incident that involved serious injury. Then, again at the leadership level, we assess the top five for the organization. Beyond this, we then formulated working groups to assess what we had in place to deal with each one of these risks in the event, however unlikely it may be, that they occurred, and what we should have in place and where our gaps were.

Our next step will be to go do tabletop scenarios in which executives will essentially in their own head create a worst-case scenario and hand it over on a specified day. Then we will take and operationalize and do a tabletop scenario to see how we would respond if such an event were to occur.

Now for those of you who might have been here last year, I'm sure you'll remember this was our dashboard that we were up here for. This is what it looked like. However, because again we believe that enterprise risk management is an evolution, we went through and did a redevelopment to make it a little more user-friendly. This was also based on feedback from our business unit leaders as well as our audit and board. We redeveloped it to make it a little easier to read, although probably not so much on this slide, but it's a little easier to read. We integrated the top five business unit risks graph that we had developed into a part of the dashboard, and we also added a leadership commentary box, because one feedback that we received was that we were reporting on risk but we needed to allow the leadership to report on their view of the risk as well, to respond to whatever was assigned.

So our result was pretty much what we believe to be a holistic look at the risk of our organization. We built on our existing award-winning tools, and we created a multi-tiered approach to cover our risk from the lowest of our operational to strategic, catastrophic, local and global impact events. We integrated risk assessment into our strategic planning at the executive level and created working groups to assess risks and develop our organization's risk management response plans.

Once again, I want to thank everybody for allowing us to be here. We greatly appreciate the award.

 HOLLEIN: Thank you, Jennifer. That was great.

And now the Gold award winner is Paychex Inc., and Erika McBride, risk review manager from Paychex, is here to accept the award today. Erika is aligned within the enterprise risk management team and oversees a team of data-mining experts while also facilitating cross-functional objective teams of peers to assess risk throughout the company. Erika joined Paychex in 1997 as an accountant and worked her way through the ranks in various leadership capacities in financial and risk management roles. Prior to [working for] Paychex, Erika was a staff auditor with a regional public accounting firm as well as a member of a regional HMO finance team. Please welcome Erika.

ERIKA MCBRIDE: Thank you so much for having Paychex here once again. I believe it's our fourth appearance on the ERM panel, and we have certainly shared it with RTI and Honeywell in the past, so we are very honored to be here today to talk about the peer-review program at Paychex. If it's something that you're going to be interested in applying in your own organization, I'm hopeful that today's presentation will give you the information that you need, but, as we move forward, if you have any questions about how you could implement similar programs in your organizations, please feel free to reach out to me.

Marie started us off very well. Whether it's COSO or ISO, whatever ERM framework you are using, one idea is fundamental — that risks must be strategically managed and understood across the enterprise — which has been echoed by SEC pronouncements giving boards the responsibility for risk oversight. But whatever industry we are all in, be it financial or manufacturing or service like Paychex, organizational alignment can get in the way of that enterprise-wide viewpoint. If you're aligned by product lines, profit centers, cost centers, or what have you, that enterprise-wide view is difficult to achieve, and Paychex has been no exception.

A little about the company. We were founded in 1971, and we are a leading national provider of payroll and human resource outsourcing solutions for small to medium-size businesses. We went public in 1983, trading on NASDAQ with a record of steady growth. Market cap is around $9.8 billion, service revenues last year were over $2 billion. We have about 500,000 clients across the country served by 100 branches. We've been recognized on the national stage for excellence in ethics, training, being a great place to work, as well as for our accomplishments in risk management.

Paychex has the organizations that you would probably expect from a payroll service company. We have IT, field operations, human resources, sales and finance. We have a variety of organizations all aligned under different leadership, and as enterprise risk management began to evolve, we certainly brought in to the ERM organization credit and collections risk areas, compliance risk, as well as operating risk.

But if you think about it, Paychex is in the business of moving money, right? We move half a trillion dollars every single year, and it's in activities as sensitive as people's paychecks and their 401(k), so reputational risk is very profound in the entire organization, and we as ERM need to get our arms around that. Hence the Paychex peer-process program, P4, was born, and it's borrowed from the medical and the accounting industries' using cross-functional peers to go to different areas of the business to review them for risk and opportunities of all kinds. We stress that it's never an audit, we're never trying to get anybody in trouble, by any means. We're really here to advocate for the needs of the business by partnering with the business unit at hand.

Here's how it works. We choose a topic that we want to review, either by reviewing emerging risks across the landscape or possibly senior management might ask us to conduct a review, or in some cases managers of an area will come to us and say, 'Hey, I really need your help getting an understanding of the risks in my organization.'

So we choose the topic, then we start getting the review team together, and ideally it's a combination of analysts, supervisors and managers from basically every organization throughout the company. And we would like people on the team that might know something about the topic but are not married to it, because we want them to be independent and objective for sure.

So the very first day of the P4 field work, the sponsor of the review will conduct a dog-and-pony show — they'll tell us everything they can about the topic at hand, their process flows, business plan and what risks they see.

The guest reviewer team then brainstorms a list of what it is that we think we need to explore over the course of the five days that we're together — what risk points do we want to understand further. We divvy the list up amongst the team members and they spend the next couple of days looking at data, talking to people, going through scenarios, doing whatever they need to do to get an understanding of the topic they're assigned. They identify the risk, determine the impact upon Paychex, either potential or realized impacts, and then we as a team develop a specific actionable recommendation to mitigate that final risk point.

We have a closing meeting with the sponsors, the guest reviewers go back to their normal lives, and then the P4 analysts and I take all their findings and combine them, consolidate, edit into a report, very simple gold-book report that goes to senior management as well as the sponsor of the review, who then takes the flag and carries it forward with implementing the recommendations. So this gold book represents an advocacy tool for our clients, our employees and our company.

To implement the program in 2005, we had to build up some goodwill. So the first couple of reviews were really close to the areas that we were comfortable in. But over the next 45 reviews that we've conducted we've greatly expanded our footprint and we have greater sponsorship by organizations throughout the company. And some of the most profound topics may represent the enterprise-wide risk, such as vendor management, caller ID protocol and fraud.

So not only are we spreading the risk message by conducting the reviews, we've also had over 300 people participate on these P4 teams, and they overwhelmingly recount the greater understanding of risk principles that they are now able to apply to their day-to-day operations. We've had 20-year Paychex people say this is the best week they had ever spent at Paychex from a developmental perspective.

So that's all great feel-good stuff, but what about the results? What's to keep the managers of the area from just throwing our gold book in the drawer and saying, 'Thanks, have a nice day'? Well, we've issued over 1,200 recommendations to this point, and every quarter we get together with senior leadership and the sponsors of the reviews and we'll go through their recommendations saying, 'What's the current status of that?' Through those updates we found that almost 70% of the items that we suggest are completed or are in progress at any point in time. Only about 15% are not pursued, which is a very encouraging statistic when you consider that there's no senior management band aid of any kind to take these recommendations and implement them. We've got teams of people who are not experts in the area, they're not risk experts, we only have them for five days, so the fact that 70% of the items we suggest are actually implemented is very encouraging to us. And these are recommendations that mitigate compliance risk, reputational risk, any type of risk in the portfolio.

But the opposite side of risk, as you all know, is reward. So we're always looking for reward opportunities as well. Since 2005, through a variety of revenue-generating recommendations P4 has issued, we've added over $8 million to the top line and, just like that, enterprise risk management can go from becoming a cost center to a value or a profit center.

So overcoming silos, providing insight across the enterprise and delivering results — that's the power of peer review. Thank you so much.

HOLLEIN: Thank you, Erika. Adding $8 million to the bottom line is very impressive.

I'd like to see if there are any questions from the audience, but let me start with a question to the group first. How long have you been doing ERM because it is an evolving process? Where did it initially start — and I think you mentioned internal audit? And who is the ultimate owner of it now? So if could ask each of the panelists to respond.

MATTEO: Sure. Honeywell's been doing ERM in terms of separate reporting to the audit committee and the board for about seven years now. It originated when, things like rating agencies began using ERM, and the audit committee really drove their initial recommendation to first put it in place and continue to improve upon it. The ultimate ownership, as I said, is really embedded in our ongoing processes, but in terms of the oversight in the reporting, it's really shared between the finance and the legal functions.

HOLLEIN: Great. Thank you.

MCBRIDE: At Paychex I would say ERM really began when our director of ERM, Frank Fiorille, joined the organization in 2004. He came from a banking background, so he was very well versed in the ERM discipline, and it continues to evolve. At this point we are a stand-alone organization reporting directly to the CEO.

JENNIFER MACKETHAN: RTI has had an ERM function for five years now; it was added it at the behest of the audit committee and the board. And while we have myself and Ward Sax, the chief risk officer, and we are the party of two that make up our ERM function, we believe that risk management responsibility and actual ownership is aligned responsibility, so we act as an advisory committee, an advisory team. But ultimately the leaders of the business units and ultimately our CEO are the ones that are the holders of the risk.

HOLLEIN: Great. That gives you an example of how a few companies have done it. I've seen one other company that I'm familiar with, a large insurance firm, where they've actually taken one senior person from each of the major functions or departmental functions and formed an overall risk department. They actually recently had a disaster, a simulated disaster, which was pretty interesting, and told so many people to stay home and they had to respond, so that's on the leading edge.

Let me open it to questions from the audience. If you have any questions for our panelists, we'd like to hear them.

Q: Erika, can I ask, first of all, how you came to adopt the idea for the peer process? And then I'm also wondering whether you find employees of any particular department to be more adept at participating in this process or more kind of intuitively able to identify risks?

MCBRIDE: So your first question, I believe, is where did this idea come from, right? Well, I believe that Frank managed this program when he was at the bank prior to coming to Paychex. They had a similar program, a bit different in terms of greater accountability and more of a compliance feel to it, whereas [at] Paychex it's truly a partnership between ERM and the business unit.

And the second part was do we find certain team members more adept at identifying risks? Certainly we've had a lot of participation from ERM personnel exclusively, so that would mean they are at least versed in risk nomenclature, etc. But if we look throughout the entire enterprise, I would say we're just looking for fast learners, out-of-the-box thinkers that can grasp these topics really quickly. So those are the kinds of folks that we really request to have on the teams.

HOLLEIN: Any other questions? Yes?

Q: My question is also for Erika. You had mentioned, I think, $8 million worth of results for your ERM initiative: How do you go about quantifying that number?

ERIKA MCBRIDE: That $8 million is actually a very easily quantifiable figure, because it's revenue-generating activities that we've identified in possibilities there: So just how many clients are we billing now? Or how much has our investment income improved in that scenario, so it's top line? I would agree that quantifying the bottom-line impact of risk mitigation measures is much more difficult, and I would certainly be interested in talking to Jennifer about the third dimension that she's added to her heat map.

HOLLEIN: I'd like to ask Jennifer and Adam, what are your quantifiable or qualitative benefits that you both have seen from your end? We've heard from Erika.

MATTEO: I'd say, in terms of hard items like you mentioned, we struggle a little bit with that. One of our biggest challenges is having an embedded process. We don't have some of the really fantastic tools and reports to continuously update and provide feedback to management. But I'd say the benefits that I've seen come more on the qualitative side, as we get into a number of our information gathering and processes and speaking with folks that have shared feedback in terms of looking at things differently because of the process, having that ah-ha moment from time to time. But I will say that [with] some of the risk management that's embedded, for example, in our annual operating plan I see businesses very adeptly and quickly and with minimal financial impact react to unforeseen circumstances — and largely, because of good risk management. We had volcanic ash and earthquakes in Mexico and floods in New England all in the same week this year, and seeing businesses react very well to that, there are certainly some hard-dollar abilities there.

MACKETHAN: At RTI we do have some areas that are quantified; a lot of the financial areas do have certain metrics that are measured. But we believe with the ERM, a lot of the areas you just really can't put a number around. For example, one of our key areas is international security because we are in 48 different countries, post-conflict countries such as Iraq and Afghanistan: You can't really put a number around that. If you were to try and tie it to events, well, that's event measurement, it's not risk measurement. Our risk measurement that we look at is what we basically refer to as your defensible gut. We have our director of international security; he has on-the-ground intelligence with individuals within various countries and so he provides his ranking on the area based on his information and based on his intelligence, and we always have them prepared to be able to explain where that ranking came from. But we do a very simple red, yellow, green — low risk being it's manageable and where we're comfortable with it; yellow means it's moderate and we're trying to keep an eye on it; and red means we should be doing something about it. It's really that simple. We looked at a lot of ways of trying to put numbers around things, but we actually found that there are just things you can't put a number around. But it didn't mean that those areas didn't have a significant amount of risk.

HOLLEIN: Okay. Are there any other questions before we close this session?

I'd like to again congratulate our panelists and thank them for participating, and I'd like to thank Treasury & Risk again for the opportunity and doing this award, and congratulate all the other winners as well. Thank you.