
As chief audit executive of the largest cruise vacation company in the world, Carnival Corporation & plc's Richard Brilliant takes an all-hands-on-deck view of governance, risk, and compliance (GRC) management.
"GRC is everything," says Brilliant, who also believes that "everyone's job can be described as managing risk."
The process by which GRC has developed at Carnival Corporation should serve as a model for other companies seeking to implement or strengthen GRC programs of their own for three reasons.
First, Carnival defines GRC clearly and practically; the company uses GRC as a platform that supports the execution of internal audit's operational improvement work, Sarbanes-Oxley compliance, other regulatory compliance assessments, and, most recently, enterprise risk management (ERM).
Second, the process by which the company built its GRC platform -- starting with executive support for an internal audit function whose objectives include facilitating operational improvements using a process approach in a highly decentralized collection of businesses (or brands, in Carnival parlance) among several other components -- demonstrates the building blocks of effective GRC capabilities.
Finally, Carnival Corporation's GRC development is ongoing. For example, Brilliant sees benefits if employee policies and procedures were to be updated to clearly lay out the risk(s) each position in the company is responsible for monitoring and mitigating. "And we don't want to stop there," he adds. "Why not set up facilitated sessions in which management and employees can get together on a regular basis and talk about risk? We're even considering mechanisms through which employees might communicate directly to our risk committees. We want to be creative."
The need for creativity stems in part from Carnival Corporation & plc's decentralized nature. The organization consists of a set of 12 cruise line businesses. These brands include Carnival Cruise Lines, Holland America Line, and Princess Cruises, among others based in the U.S., Europe, and Australia. The company, which is headquartered in Miami and London, operates 88 ships (with another 17 set to sail through 2012), posted $14.6 billion in revenue last year, and employs more than 80,000 people, the majority of whom are seagoing.
"We are fortunate that we are all in the same business," Brilliant says of the company's brands. "From a GRC standpoint, this helps a lot because we can describe the business as a set of processes and underlying risks using the same taxonomy, if you will."
However, the individual cruise line businesses operate in a highly autonomous way, which requires GRC assessments, such as internal audits, compliance testing, and risk mitigation analysis, to be conducted multiple times -- and often in different countries and cultures where employees speak different languages. "We have to be very careful to ensure that everyone understands what information we're trying to get at when we conduct our assessments," Brilliant emphasizes.
As vice president and head of audit services, Brilliant is responsible for the operational and financial audit groups that reside at each of Carnival's brands. The corporation's dedicated technology audit group, a "special projects" function (which provides decision support at each brand and to senior executive management on strategic endeavors such as mergers and acquisitions), and the ERM function also report to Brilliant.
Although ERM represents a highly important activity (encompassing the most significant risks in the business) for a highly important customer (the senior executive team and the board of directors), it qualifies as a subset of Carnival's GRC program -- as do Sarbanes-Oxley compliance and fraud assessments.
"ERM fulfills a very important objective within our organization: to provide board reporting on what the most significant risks are to the enterprise and the effectiveness of risk management for key risks," Brilliant explains. "Richard Muth, director of ERM, has done a phenomenal job in developing a framework that enables us to provide risk reporting to the board that they never had before. The reporting not only allows directors to understand how risks are mitigated, but also provides ongoing risk monitoring as well as tracking of action plans for improvements."
"But this is just one piece of the puzzle. I don't want to dilute the importance of a board member's responsibility, but I do want to emphasize that there are a lot of other individuals in the business who have to be concerned with managing risks, whether it's driven by legislation, like SOX where you have to comply, or because we want to keep customers happy, or because we need to ensure the safety of our guests and crew." This, Brilliant adds, "is the overriding concept" and primary objective of GRC.
There are a number of enablers that allow Carnival to achieve its GRC objective:
Executive and board support for a proactive audit function. Brilliant says that senior executive management and the board's audit committee have long espoused the importance of having an internal audit function that did much more than review financial controls. "They want a function that is proactive in looking at operational controls and finding ways to facilitate business improvements," says Brilliant. The approach has worked very well in the decentralized organization because internal audit has facilitated the identification and sharing of best practices from one brand to others. These practices may help to improve financial controls or center on operational process improvements that create efficiency gains. These different businesses "can learn from one another," Brilliant explains. "And we often serve as the link to facilitate this learning and the sharing of this information."
A process approach to managing the business. Several years ago, as Carnival weighed a move to a risk-based audit plan, "we looked at the business as a set of departments," Brilliant recalls. This posed a problem from a risk-based audit plan perspective because different departments were referred to by different names among the company's different brands. So, the company was redefined based on business processes; in all, roughly 350 processes were identified throughout the company. "Once we defined our company down to the process level, it was great," says Brilliant. "When I speak with another audit department at another brand, as long as we're having that conversation at the process level -- that is the least common denominator." The common language of process later enabled internal audit to help the company start thinking about the strategic, financial reporting, operational, and compliance risks (the same risk classification system described in the COSO framework) associated with each process. The company eventually identified unique risks associated with each process in the business.
A process approach to Sarbanes-Oxley compliance. When the Sarbanes-Oxley Act appeared, Carnival went back to its process classification model to figure out where financial reporting risks existed throughout the company. While other companies started with the financial statements, breaking down the largest accounts and linking these accounts to financial reporting assertions/risks (and the internal controls that mitigated those risks), Carnival was able to leverage its business process model and make linkages between three elements: processes, risks, and financial accounts. "We used that approach to ensure that we had all of the necessary coverage for Sarbanes-Oxley compliance," Brilliant notes. "And it ran quite well."
Strategic risk questions from the board. With Sarbanes-Oxley compliance under control, Carnival Corporation & plc's board started asking more questions about broader risks, including strategic/external risks -- such as the possibility of a widespread economic downturn. "Our model at the time did not contain a lot of information on strategic/external risks," Brilliant recalls. "If you consider risks that are very pervasive, like economic downturns or a lack of innovation, what business process are those associated with? Well, if you think about it, all of them." So, Carnival looked for an assessment that could focus on broader and more significant risks, including external/strategic risks. The search brought the company to ERM.
The objective of ERM at Carnival, notes Muth, is to collect the different perspectives on risk that exist throughout the decentralized corporation, assess and prioritize these perspectives, and then use this analysis to fuel risk mitigation efforts throughout the enterprise.
"We started more or less fresh with ERM, and asked, What is the most effective way to build this model?" Muth explains. Carnival's program started as most ERM efforts do: identifying the most significant risks to the business, developing a classification scheme for these risks, and performing customized assessments with management.
However, unlike the company's existing Sarbanes-Oxley and internal audit assessments, which utilize a process classification scheme, ERM was developed using a risk classification scheme. "We wanted to ensure that the model was fundamentally focused on risk, regardless of where it is managed in the business, and that compartmentalization that could arise by starting with business processes was avoided," Muth explains. Despite their different starting points, the assessment models can be linked. As Brilliant points out, many business processes are essentially mitigations for enterprise-wide risks.
So, as the ERM initiative has progressed, Carnival has also worked to ensure that its other GRC assessments can work together. For example, data collected during Sarbanes-Oxley assessments and internal audit assessments can be used as risk events are assessed (and related mitigation plans are developed) during ERM activities. The key to making this work is the process and technology elements of Carnival's GRC platform.
An underlying GRC question at Carnival is, Can we get all of the data elements to link together? "If we can't do this, we are not going to move forward," says Brilliant. "That's the requirement -- if you are going to move forward on a customized risk assessment to accomplish a particular objective, you have to find a way to link to the other data elements that we have collected over time. Part of this is through process and part of it is through technology."
Carnival uses OpenPages for its GRC platform. "The software gives us the flexibility to support multiple assessments," Brilliant notes. For example, when Muth's team looks at business continuity planning (BCP) from an ERM perspective, it can tap the internal-audit assessment information (related to BCP) that already resides in the company's GRC technology platform. "Instead of having to gather all of this data again, they can mine the audit database and just move the information into their ERM assessment," Brilliant notes. "And the reverse is also true: Information collected during ERM assessments can be accessed by audit staff and leveraged to streamline various audit activities."
A major part of the budding ERM program's success also relates to structure (see the "ERM Organizational Structure" table). At the corporate level, Carnival operates a "corporate risk committee," which consists of the company's vice chairman and chief operating officer and his direct reports. This committee is tasked with reviewing risk information filtering up the organization to them and reviewing and approving the ERM content (updates on strategic risks and related mitigation activities occurring throughout the entire organization).
Separate risk committees also have been established in each of Carnival Corporation's operating companies. These committees consist of the CEO and senior managers within each of the brands. Committee members are responsible for reviewing all of the ERM information (e.g., risk assessments, action plans, and risk metrics) and then approving the report that is sent to the corporate risk committee. The operating risk committees also task subgroups within their companies to examine select risks and action plans at a more granular level while recommending enhancements.
Muth's ERM function is in the process of strengthening risk awareness and the flow of risk information between operating risk committees and employees. For example, employee policies and procedures may one day soon be written in a way that clearly defines the risks each position is responsible for monitoring and managing. This sort of connection, Brilliant believes, would "help employees to more clearly understand why they are doing something in a particular way." It would also strengthen risk monitoring by greatly increasing the number of employees who contribute to ERM assessments and the frequency with which they monitor (or, on a more general level, think about) risk.
"We really want to push a lot of risk management activities down to the operating company risk committees," Brilliant says. "We really think that this is an important organizational element that can be tapped to look at risks, assess risks, identify which risks are most relevant, identify new and emerging risks, and understand how the company responds to these risks. Doing so would cultivate a risk-management culture. We're starting that process by using ERM. Once this takes root, we think that there is potential to make these committees more self-sustaining and broader, in terms of their responsibilities, to include a host of other risk management activities."
Brilliant believes that "ah-ha" moments have driven the development of the overall GRC program more so than project plans or timelines.
"The progress is very much a function of the value we are able to provide to the business," he says, pointing to an example of a recent, ERM-related epiphany. "When you are able to show a board member a gap in being able to mitigate a particular risk in the business and the specific actions being taken to close the gap -- that's an ah-ha moment."
Brilliant says that presenting new, precise information to the board about the company's overall ability to manage governance, risk, and compliance issues has really improved the dialogue about how the company could better respond to risk in the business. Further, Brilliant notes, "the board can also more clearly see over time how things have improved."
This sort of visibility is the product of an all-hands-on-deck approach: Not only is GRC everything at Carnival, it is also everyone's job.