
Business information provider Dun & Bradstreet's (D&B) marketing tagline -- "Decide with Confidence" -- could serve as the motto of its ongoing enterprise risk management (ERM) journey.
The program, which began more than two years ago, now enables the company to:
As with other effective governance, risk management, and compliance initiatives, the source of D&B's ERM success resides in the people who execute the program, the processes they use to do so, and the technology deployed to support these processes.
"Companies really gain advantages from enterprise risk management when they're able to interface the four risk areas rather than keep them siloed," asserts Charles Pavlonis, Dun & Bradstreet's chief risk officer (CRO). "And it really helps to have one leader overseeing each area to ensure the linkages among them."
At D&B, these four risk areas match the areas defined in the COSO ERM framework: strategic risk, operational risk, reporting (financial statement) risk, and compliance risk. Pavlonis notes that his company uses the COSO framework "to get grounded," but also points out that other companies might choose fewer or additional risk areas, depending on their unique needs.
In addition to establishing risk-management processes based on the four buckets of risk COSO identifies, Dun & Bradstreet also designed its organizational structure accordingly -- which is where Pavlonis entered the picture in early 2006.
Prior to joining D&B as CRO in September 2006, Pavlonis worked in finance and accounting management positions at advertising holding company Interpublic Group (IPG) and, before that, Mercer (where he was CFO of a global business unit). He came up through public accounting at KPMG. At IPG, Pavlonis worked under Chief Accounting Officer Nick Cyprus, a former Business Finance Influencer honoree and one of the country's leading finance executives.
Cyprus initially hired Pavlonis to head up the company's Sarbanes-Oxley compliance efforts -- a major challenge given that IPG is a conglomerate of 800-plus advertising agencies/fiefdoms around the world. Five months into that effort, however, most of IPG's finance and accounting team dropped what they were doing because errors under previous finance management teams necessitated the restatement of five years of financials.
The challenge sounds massive: The restatement required Pavlonis, who co-led the effort, and his team to reassess the revenue recognition approaches used in more than 20,000 contracts. "There was a lot of high-pressure work that needed to be accomplished in a short amount of time," Pavlonis recalls. "There were many late nights and weekends involved."
Pavlonis and his team finished the restatement in about nine months. Despite the pressure and massive amount of work, he credits the experience with imparting skills that have proven valuable in his current role as CRO.
"It helped me learn how to drive change through a large, disparate organization," he notes. "The industry and the organizational structure created a very difficult environment to work in as a finance executive. No one likes to feel that they have accountability to corporate, and it takes a lot of skill and work to penetrate that mind-set."
When D&B CFO Sara Mathew (now the company's president and COO) hired Pavlonis, she asked him to help develop the company's nascent transformation beyond a standard compliance approach to a more integrated and far-reaching ERM capability.
Pavlonis knew that he would need to conduct an enterprise risk assessment (ERA) as the foundation of the new ERM capability, but first he wanted to demonstrate to his new colleagues the value of a more integrated approach to GRC. Mathew and her C-level colleagues had helped to set him up for success by reworking the organizational structure so that previously siloed risk functions -- compliance (which had reported to the legal department), strategic risk (which had not formally existed), operational risk, and reporting risk -- now reported into the corporate risk management function that Pavlonis headed.
To get what he describes as an "early win," Pavlonis decided to bring the previously outsourced internal audit function back in-house. D&B had used Jefferson Wells International to help reshape a function that had previously been almost exclusively dedicated to Sarbanes-Oxley compliance work. While the arrangement worked well initially, Pavlonis says that there wasn't enough value in the relationship to continue it as the company moved into ERM.
After bringing internal audit back inside, the new department "issued some very insightful audit reports," Pavlonis explains. "It was one of the first times that internal audit was able to bring visibility to an issue that ... we thought we were much better at than we actually were. The work was done in such a way that it was indisputable." As a result, the company, says Pavlonis, "realized that we had something here -- a well-staffed department that was going to provide the right insights that we wouldn't have had otherwise. That moment really gave us the credibility to start expanding and going wherever we needed to go."
Equipped with this credibility, the corporate risk management function conducted an enterprise risk assessment (ERA). Pavlonis views the ERA as a crucial tool, but also one that some finance and risk managers misunderstand. "One of my biggest pet peeves is that people use the terms enterprise risk management and enterprise risk assessment interchangeably," he says. "They are not the same. The ERA is a process that helps facilitate successful ERM."
D&B's ERA consisted of Pavlonis and his team pulling subject matter experts from throughout the organization into a room and jotting down risk events on a white board. The group organized the risk events into the four risk areas and then prioritized them based on likelihood and impact. The priority levels include high, medium, and low, along with a "Tier One" category. At D&B, Tier One describes risk events that "can have a material impact on total shareholder return in the medium term," Pavlonis explains. "It doesn't mean that it's a problem today. It means that we have to keep an eye on it and make sure that we have the right controls in place."
He then took the draft ERA on a road show to each of the company's top 35 executives. During one-on-one interviews, Pavlonis sought the executives' assessments of the probability and potential materiality of each risk event.
This work eventually yielded a final ERA, "which was something that we as a company could get behind because it had been vetted," Pavlonis explains. The ERA serves as the foundation of the company's risk management and internal audit plans for the upcoming year.
For example, because D&B is a data company, it has a fiduciary responsibility to protect certain types of data such as personally identifiable information (PII). While the company does not collect PII, its clients could, unknowingly, provide data considered PII. If this occurs, says Pavlonis, "you don't want to be that company on 60 Minutes that lost the tape with everyone's Social Security number on it."
To ensure that this circumstance does not arise, Dun & Bradstreet has developed a robust and highly coordinated data privacy program helmed by a data privacy officer. The program illustrates how the ERA provided visibility into a potential Tier One risk and how the company responded with resources and a program to mitigate the risk.
Dun & Bradstreet currently conducts an ERA once each year. "We think that this is adequate," Pavlonis reports. "The amount of change our environment experiences does not merit doing the ERA more frequently right now. This might change, though, and, if so, we would increase the frequency. Other companies may be better served doing an ERA more frequently. You have to tailor the robustness and frequency of the ERA to the size and nature of the business you're in. It's not a one-size-fits-all for everybody."
In addition to bolstering its risk management capabilities around data privacy, the ERA has driven several significant operational improvement efforts throughout Dun & Bradstreet.
Although roughly 80 percent of the company's business is based in the U.S., D&B's overseas business, currently based primarily in the UK and Italy, continues to grow in the Asia-Pacific region and other parts of the world. Thanks to the ERA -- which essentially funnels firsthand risk knowledge and insights from around the organization into a central brain trust -- the corporate risk function identified Foreign Corrupt Practices Act (FCPA) compliance as a growing risk as the global expansion increases.
In response, the function has formalized an FCPA compliance program and rolled out an awareness plan. Doing so helps the company to remain "ahead of the curve," Pavlonis says. "When we start moving into these areas, as part of due diligence of an acquisition and integration or simply the opening of a new office, we can build controls in place on the front end."
The ERA also inspired the company's internal audit function to conduct an audit of call center effectiveness. "We use call centers to interact with our customers," Pavlonis notes. "We wanted to get our leadership a really independent assessment of this area. From what I've seen in my career, a lot of internal audit departments are very focused on Sarbanes-Oxley compliance and doing some fraud work after something pops. I don't see a lot of internal audit departments asking, 'What are the operational issues that really make the company tick, and how can we help those areas?'"
Since the introduction of ERM, D&B's internal audit function has also assessed the company's business continuity management (BCM) capabilities and its information security practices.
While the ERA tool is crucial to Dun & Bradstreet's ERM achievements so far, there are other contributors as well.
"The tone at the top here is just incredible," Pavlonis asserts. "President and COO Sara Mathew and CFO Anastasios Konidaris spent the time to understand conceptually what enterprise risk management is and how it can be an asset to the company. Whereas many of my peers out there work for organizations where everyone does something because they think they should, and I don't know if they really have the understanding and buy-in from the highest level of the organization that says that this is a priority. It's obvious that we have this buy-in from the way that they let us organize risk management."
This organization supports the oversight and processes Pavlonis needs to execute ERM. For every risk management activity that is conducted in one of the four areas that reports to Pavlonis, managers take time to ask how other risk management areas might benefit from the activity. For example, "when we conduct an operational risk management effort, we take time to ask what we learned from a compliance perspective, a financial reporting perspective, and a strategic perspective," he notes. "We report on those insights so that our leadership can share the information and we can all help to get it operationalized. It's a highly integrated approach."
Technology also plays a key role. Dun & Bradstreet uses OpenPages' compliance and audit applications to help it execute its ERM strategy. The tools help store, traffic, and reinforce what Pavlonis describes as "one common risk taxonomy." When Pavlonis's team uses the term "fraud risk," the entire organization understands what this means.
"The tool facilitates the ability to get a 360-degree view on risk," he adds. "If we do SOX testing, every control we look at ties back to one of the items on the risk taxonomy. The tool really helps us to facilitate our integrated approach because the risk taxonomy links it all back together."
And this view provides D&B much greater confidence that it is managing risks in a way that aligns with its overall strategy.
Dun & Bradstreet's enterprise risk management (ERM) initiative has achieved success -- the privately held convenience store chain Wawa has used D&B's program as a benchmark -- thanks to the following qualities: