At Google, the adoption of a new employee benefit required innovation on the part of internal staff on the corporate risk management and benefits teams, and on the part of the company's insurers. Google began to offer "survivor income" to U.S.-based employees in 2012. The program supplements the company's life insurance benefit in the event of an employee's death. But because it is unusual, bringing it to fruition outside the United States has required risk managers to think creatively and leverage their relationships, both with other internal functions and with insurance companies around the world.

"Google is a great place to work," says Dan Smedley, senior manager in Google's business risk and insurance group. "As a company, we want to have world-class benefits. By all working together, we've been able to innovate in the benefits space similar to how we approach consumer product innovation."

Meanwhile, the internal audit team at Harley-Davidson implemented an enterprise risk management (ERM) program that consolidates information into an enterprisewide view of risk, then distributes that information to executives and board members in a way that's easy for them to digest. Director of internal audit Rob Gould says the project was successful because project managers kept its scope manageable.

"Too many ERM programs fall apart because they become bureaucratic, because the administration takes too much time, and because they're going into too much detail," Gould says. "Make your program simple and practical, and people will embrace it."

ERM takes hard work, but it's well worth the effort, Gould adds: "When you think through these kinds of issues in a careful and intentional way, you can better anticipate these events, you can make better choices, and you can have more confidence that you are making the right choices because you've really thought through the implications."

That, after all, is the whole point of corporate risk management. Congratulations to Harley-Davidson, Google, and Health Care Service Corporation for doing it so well.

A Treasury That's Prepared

Be prepared. That's the motto of the Boy Scouts, and it could just as well be the motto of the treasury operations group at Health Care Service Corporation (HCSC), the nation's fourth largest health insurer, which operates Blue Cross and Blue Shield plans in five states.

HCSC headquarters are located in downtown Chicago, where business disruptions can be caused by political events, by weather, by power outages, and by transportation issues. "We're located near Grant Park and Millennium Park," explains Forrest Vollrath, HCSC's executive director of treasury operations. "There are sometimes protests in the area that make it tough to get to the office. A few years ago, when Chicago hosted the G-8 Summit, our building was shut down because of the influx of people into this part of the city."

But more than 15 million health plan members rely on the company to pay medical claims and prescription costs in a timely manner. Regardless of what may be happening in the external environment, treasury must make sure all of HCSC's accounts are adequately funded at all times.

Several years ago, HCSC treasury conducted business continuity planning (BCP) exercises a couple of times a year. Employees would work from home, using their personal computers, and get their jobs done as best they could. "It involved dialing into bank portals to get information and using Excel spreadsheets to consolidate information and try to generate cash positions and reports," Vollrath explains.

In 2012, HCSC's risk management team conducted a companywide business risk analysis to determine the impact on the business of a potential catastrophic event. They identified treasury and investing as two primary priorities for the company, and determined that the treasury function needed to beef up its BCP activities.

"Treasury has to be available at all times, to make sure the company has sufficient working capital to pay claims, so that members can continue to receive the services and medications that they need," Vollrath says. "Member experience is key, and it's up to us to make sure the funds are where they need to be."

Thus, business continuity planning became a treasury priority. The company issued every employee in treasury operations a secondary laptop computer to keep at home. Each laptop has all the same applications as the employee's office computer. "It's an identical copy," Vollrath says. "We ask them to log into the mainframe a couple times a month to get updates and so forth, but it stays at home so that it's there if the employee needs to work from home."

Connectivity to the company's software-as-a-service (SaaS) treasury management system is identical on the home laptops as on desktops in corporate headquarters. A couple of managers who travel frequently were issued iPads that also have the same functionality.

"On the process side, nothing changes, regardless of whether you're sitting in the office, sitting at home, or sitting anywhere else with an Internet connection," Vollrath says. "The processes for determining the daily cash position, and all the reporting, are exactly the same."

Treasury staff use a messaging application to communicate in real time when they're working remotely. The company also set up a call forwarding service for treasury staff so that if someone calls an office phone and the employee doesn't answer, the call will automatically be routed to his or her mobile phone. "It's seamless," Vollrath says. "No matter where you are, you can answer the phone as if you're sitting in your office."

Perhaps most important, the treasury operations team increased the frequency of their BCP exercises. Every month, Vollrath selects one day during which his entire staff will work from home. "Typically, I let my managers know at 7 or 8 p.m. the night before that the next day we'll have our BCP exercise," Vollrath says. "They will then start notifying their teams via phone, text, and email, and employees will confirm that they've received the message."

The next day, treasury operations employees dial in to a staff conference call in the morning and another in the afternoon to confirm that all systems are working well and to address any issues that may have arisen. Otherwise, it's business as usual—except from home.

Occasionally, Vollrath will even wait until an off time such as 4 a.m. to make his BCP notifications. "I don't do that often," he says, "but we want to simulate a catastrophe as much as we can."

By performing this exercise once a month, HCSC treasury managers gain confidence that all systems and staff members will be prepared in the event of an actual disruption. "Holding BCP activities once a month ensures that everybody's technology is up to date," Vollrath says. "If we held these exercises once or twice a year, then in an emergency we might each have to spend hours on software updates to bring our laptops up to date. And because employees are frequently logging into our systems remotely, we're confident that no one's going to have problems with passwords or other issues accessing the systems.

"In addition to the technological reasons," he adds, "we don't want people to get out of practice working remotely. Now they are very comfortable with dialing in and logging in remotely to the workstation, and doing all the reporting remotely. I think it's a good idea to do BCP exercises at least once a month."

In February 2014, all this preparation paid off when a major snowstorm, coupled with severe cold, led to public transportation stoppages around Chicago. "We knew it would be difficult to get everybody into the office, so we decided to conduct a business continuity exercise," Vollrath says.

"It was seamless," he adds. "As with our other BCP exercises, there were people we work with—both internally and externally—who had no idea we weren't in the office. Claims got paid, the company ran just fine, and there was no reason from a working capital perspective for members to even know Chicago was shut down." In fact, HCSC's risk management function has pointed to the treasury operations group as a model for other departments wanting to conduct business continuity exercises.

Vollrath says two keys to his team's success with business continuity planning are keeping technology up to date and focusing on communication. "Communication is probably the most important," he says. "If the technology fails, we can go back to manual processes, but it's imperative that we be able to get in touch with one another right away when we can't just walk down the hall. We pride ourselves on the fact that nobody outside of treasury is aware when we're outside the office. To achieve that, we have to keep all lines of communication open at all times."

Revving up Risk Management

Harley-Davidson is known for producing powerful motorcycles that rumble their way down the road. What, then, might be the effects on the Harley brand of increasingly strict emissions requirements? How might consumers view the company if it begins to produce a line of smaller motorcycles for developing markets, or a line of quiet electric bikes?

A decade ago, the company was not well prepared to answer these types of questions, and it had no framework for managing risk at the corporate level. "Our risk management processes were fairly informal and ad hoc," says Rob Gould, director of internal audit. "There was some identification of key risks and occasional reporting to the executive group and the board, but it was not a regular cadence. There wasn't a standard format or forum of dialogue, and when there was management turnover, the reporting often wasn't sustained."

Moreover, because no one had a bird's-eye view of risk across the entire enterprise, some risk mitigation efforts were duplicated by multiple departments, while other exposures were likely not being monitored by anyone. "In some cases we were probably taking on more risk than we realized, while in other areas we ended up being less aggressive because we didn't have the information that would have given us confidence around risk-taking," Gould says.

With an eye toward improving risk management decision-making, the internal audit team performed a gap assessment comparing Harley's practices with COSO principles. It found that the company had no formal process for risk identification, evaluation, or monitoring—and presented these findings, along with a proposed improvement plan, to the board's audit committee. The audit committee was highly receptive to the plan, and in late 2009 charged the internal audit department with developing a companywide enterprise risk management (ERM) process.

The company's senior management team developed a list of high-level categories of strategic risks that Harley-Davidson faces, including brand, supply chain, regulatory environment, and competition. With the corporate CFO as executive sponsor of the project, Gould spearheaded an ERM team that consisted of staff from the strategic planning and internal audit functions.

The team's first task was to draft a statement of the company's risk appetite, based on Harley's existing activities and stated risk tolerances in specific areas. At the audit committee's request, they boiled down the risk appetite into a one-page document that summarized acceptable risk levels for the executive team's nine categories of strategic risks.

Next they worked with the business units and corporate functions to develop a four-quadrant map for each of the nine strategic risks (a list that has since grown to encompass 16 strategic risks). Every risk map rated a variety of exposures on impact along one axis and likelihood along the other axis. For each risk that appeared on one of the risk maps, the group developed a situation analysis that defined the risk, identified the risk owner, and described how and when the risk might occur. Each situation analysis also examined the long-term trend of the risk—whether it was increasing or decreasing—and explained the risk's potential impact to the business as well as the timing of that impact. Finally, they put together a mitigation report for each risk, explaining both the company's plan for mitigation of the exposure and progress toward mitigation goals.

"The situation analysis and risk mitigation report enable the board to quickly size up the overall profile of risk," Gould explains. "We developed a consistent way to roll up risk information across the company, and we first presented these findings to the audit committee in 2010."

Although every risk received a situation analysis and mitigation report, the ERM team devoted the most attention to risks in the upper right quadrant of a risk map—indicating both high likelihood of occurrence and high impact. "Those are the ones we're really focused on surfacing and bringing forward to the board," Gould says. "Details on risks in the lower-priority quadrants go in the appendix, so they're there if board members want to see them, but we don't plan to walk through the details of those."

The feedback from the board was very positive. Gould and the CFO now present updated versions of the company's risk maps, situation analyses, and risk mitigation reports to the audit committee every April and to the entire board every September. However, much of the work of developing these documents is now handled by a group of "risk liaisons," managers from across the organization who are actively involved in monitoring and mitigating one of the company's 16 strategic risks. The risk liaisons meet twice a year to discuss how the company's risk landscape is changing, and how they're dealing with exposures in their area of responsibility.

"This is a great forum," Gould says. "We have 13 risk owners who have quite a bit of influence in the company, and they're having a dialogue about these critical strategic risks. This sharing of information is such a huge benefit, both for the risk liaisons and for the company overall. Seeing information about risks from all the other areas of the organization has really opened the eyes of many in this group to how the company is thinking about future-state issues."

Consolidating so much information about various risks also enables the internal audit team to look for trends and themes across all 16 risk maps. For example, Gould says, they can analyze how compliance issues in different areas are changing over time. "Which new risks are showing up? Which risks are dropping off or moving to lower risk quadrants? We are able to look at those moves and then build some intelligence around what's causing the trends so we can facilitate a deeper discussion at the board level."

A few years ago, the ERM team also helped facilitate an examination of various black swan risks—risks with a very low likelihood of occurrence, but a potentially catastrophic impact on the business. "We looked at the company's critical strategic assumptions, the four or five key factors that Harley-Davidson is relying on for our future success," Gould says. "Then we analyzed what the effect would be if those things didn't happen—if, in fact, the reverse happened. What would the implications be, and is there any way to put in place some preventative measures?"

One example of a black swan risk they evaluated was a scenario to transition all the company's motorcycles to an engine type other than internal combustion. "Our customers like what we're offering now," Gould says. "What implications would it have for our brand if external forces eventually compelled us to put electric engines in all our bikes? What future would Harley have in that situation?"

That black swan analysis involved a dozen executives from across the company. Today Harley-Davidson has a prototype of an electric motorcycle, and thousands of customers from around the world are test-riding the bike.

"When you think through these kinds of issues in a careful and intentional way, you can better anticipate these events, you can make better choices, and you can have more confidence that you are making the right choices because you've really thought through the implications," Gould says.

From the board's perspective, the ERM initiative has been a huge success. "It just took off," Gould says. "I think the board sees this process as helping them meet their fiduciary responsibilities. They like the discussion of risk and how it gets integrated into our planning. They especially like the black swan concept because we're looking at longer-term, strategic threats to the business."

The project has also helped integrate risk management deeper into the overall corporate culture. "People across the company have become much more comfortable with discussions of risk," Gould reports. "They know the board is very interested and executives are very interested. And it helps them manage the business better.

"We're moving toward a state where all employees will consider themselves to be risk managers," he adds. "People are no longer reluctant to have conversations about risk; it's becoming just a natural part of the way we do business. Managers throughout the company are now more confident that they're on top of their exposures. As an organization, I think we're much less likely to be surprised because we've developed a standard process through which people are sharing risk information very openly and regularly."

Innovation Brings Big Benefits

Google has earned a reputation for providing a great work environment because its commitment to employees' well-being runs deep. Sometimes this commitment turns the company into a pioneer and requires creative thinking on the part of its benefits and insurance teams. One recent example was the launch of a unique "survivor income" benefit.

"Google receives a lot of publicity for providing a workplace that is supportive of its employees," says Dan Smedley, a senior manager on the company's business risk and insurance team. "It is widely known that the company provides paid-for meals in the onsite cafes and has a quirky tech culture. But Google's employee benefits go much deeper than just free food. With the survivor income benefit, Google is expanding its commitment to support employees when they need it most."

In 2012, the company announced the survivor income program for U.S. employees as a supplement to its standard life insurance benefit. In the event of the death of a full-time U.S. employee, the program pays the employee's surviving partner or spouse 50 percent of the employee's monthly salary (up to $12,500) every month for 10 years or until the surviving partner/spouse remarries. It also pays $1,000 per month for children until they reach age 19, or age 23 if they are in college.

The benefit is non-standard, to say the least. Google first rolled it out in the United States for two reasons: because the U.S. is where the company has the highest concentration of employees and because the relatively mature insurance market made insurers more comfortable supporting this new offering. As Google announced the U.S.-specific program in 2012, the business risk and insurance team was already working to lay the groundwork for deploying survivor income benefits farther afield.

"We started the international rollout in 2013," Smedley says. "Different countries have different rules. This type of insurance product is not readily available in many regions, because few companies request it. Insurers do not want to dedicate resources to developing a product, getting it rated, and going through the necessary regulatory processes if they are concerned about the demand. On top of that, we've found it takes many insurance companies a good amount of time to get used to a new coverage offering."

For years, the business risk and insurance group within Google's treasury function has worked closely with the company's benefits teams on a variety of issues around funding of benefits and management of Google's captive insurance company. The two groups built on that history as benefits managers on the ground in international locations began talking to local insurance providers about the company's plans for growing the survivor income program.

"We already had some partnerships in place internationally," Smedley says. "Our insurance partners were offering basic life, disability, standard group offerings. So we interviewed them and discussed what we wanted to accomplish. We talked about how a program could be designed in different parts of the world, what was possible, and what was the best mechanism for achieving our goals."

Insurance companies that work with Google to offer more traditional benefits to foreign employees had incentives to try to help this large client—but it wasn't a simple task. In some regions, the obstacles to survivor income were significant. The obstacles included regulatory differences between countries, lack of consistent local experience, and overall lack of desire to change. Even with these challenges, though, Google teams and their insurance partners have been able to find solutions.

"We work with our insurance carrier in each market and ask them what they can do in country, and what they can't do," Smedley says. "Often we liaise directly with the local teams and get the benefit of their expertise because they are dealing with the regulators in country. In certain countries, we've gotten feedback from the local teams that the pension-type structure we developed for the U.S. doesn't exist." When there is no available off-the-shelf solution, Smedley and his colleagues have to get creative.

So far, Google has rolled out survivor income to more than 3,000 employees in 17 countries outside the United States. The benefits don't look the same in every country. In some locations, the survivor income program is very similar to the U.S. program—50 percent of salary, capped at a specified level and paid for 10 years, with additional benefits for children. In other countries, though, it looks quite different.

"One of the ways we've looked at this was to try to mimic the survivor income by offering a lump sum that's equivalent in value to what the benefit would be in the United States," Smedley says. "Another possibility is to build into a standard life insurance contract the ability to make regular payments. It may not be possible to make payments over 10 years, but at least you can make payments over a defined period of time."

Google makes these unusual insurance arrangements more appealing for its insurance partner by reinsuring all its survivor income policies through its captive. The insurer abroad ends up serving as a fronting carrier; the insurance company writes the policies, but Google's captive insurer takes on most of the risk. "Having our captive reinsure the risk provides comfort for the carriers to offer these unusual types of solutions," Smedley says.

The business risk and insurance team developed an actuarial model to gauge the level of risk Google was taking on and to determine whether the prices Google was being offered for survivor income benefits made sense. "We have been reinsuring standard life benefits, and this was essentially an additional life benefit," Smedley says. "So we really had to examine what that meant in terms of volatility, and how it would affect our overall loss ratios and loss expectations. We relied on our fronting carriers to define what they thought premiums should be, and then we used our own modeling as a check, to make sure we felt the premium matched up with the risk." Google engaged Aon Risk Consulting to peer review the model and make sure the program makes sense from a third-party perspective.

Although Google now offers some type of survivor income benefits in a total of 17 countries through the captive reinsured structure, the benefits and business risk and insurance teams continue to work on expanding the program into more of the over 40 countries where Google employs people. "We're continuing to see how we can grow it internationally," Smedley says. "We're working with the insurance marketplace, in different countries and regions, to determine where there's an appetite and a solution."

The close relationship between the business risk and insurance team and the benefits group helped smooth out some of the wrinkles in the international rollout of this unique program. "This would have been very difficult to do if the business risk and insurance team hadn't already cultivated partnerships with the benefits group over time," says Ronni Horrillo, assistant treasurer of Google. "The partnerships between these functions is a key to our success."

Adds Smedley: "That cross-collaboration is one of the things we're most proud of with this project. We've worked closely not only with our benefits team, but also with accounting and controls, legal, tax, and our captive management team. This project would never have succeeded as a siloed endeavor; we've all worked together very collaboratively."

This collaborative spirit has translated into strong support for families of Google employees who pass away. "We've paid several claims, and the program has delivered exactly what we expected it to deliver," Smedley says. "Google is a great place to work. As a company, we want to have world-class benefits. By all working together, we've been able to innovate in the benefits space similar to how we approach consumer product innovation."