Sleeping Better with ERM
More than 125 years ago, Leggett & Platt, Inc., took a risk on a bold new sleep technology by introducing the first bedspring. Previously, mattresses were filled with everything from feathers to sawdust, and the idea of sleeping on springs took some convincing. Ten years ago, the company took another risk of sorts and introduced enterprise risk management (ERM). The project was originally tasked to the company’s director of continuous improvement but soon became the responsibility of its staff vice president and risk manager, Dan Baldwin.
Baldwin, who started his career as a safety engineer at aerospace giant Boeing, discussed the ERM program at Leggett & Platt, which designs and produces a diverse array of products for homes, offices and vehicles, including furnishings, fixtures and industrial materials.
This interview is part of a continuing RIMS Q&A series spotlighting ERM practitioners. For more, visit the RIMS Strategic and Enterprise Risk Center at www.RIMS.org/ERM.
RM: When did you first learn about enterprise risk management?
Dan Baldwin: It was in the mid-1990s at a course provided by RIMS [publisher of this magazine]. I was a little reluctant at the time to introduce the concept [at Leggett & Platt], given the political issues around how it would look and work. I perceived the senior executives as the risk managers, since they handled risk every day. But, as I learned more about ERM, I became intrigued by its possibilities. And then one day in 2003 the CFO approached me about the subject. That got it going, and we formed a committee to launch the process and brainstorm our risks.
RM: I understand that the committee initially tried to do ERM “by the book,” so to speak. What happened?
Baldwin: Well, we found out that there is no such thing as a one-size-fits-all ERM program. You need to suit the program to your organization’s particular culture and risk profile. We also learned that you don’t simply flip a switch and the ERM program is done—it is a continuous improvement process that evolves slowly.
RM: What about the ERM committee? Who sits on it, how are meetings structured and who directs it?
Baldwin: The functional heads at the corporate level are committee members, including the CFO, treasurer, vice president of IT and the vice presidents of tax, legal, audit and accounting. I lead the committee, although the CFO participates very strongly in the meetings. The process initially involved everyone identifying the risks that confront us strategically, operationally and financially. Once we identified these risks, we assessed them from a severity and frequency standpoint.
RM: Did you plot the risks on a matrix, which seems to be the process at most organizations?
Baldwin: Yes, we do this for probability and significance, which helps us prioritize which risks can have the direst impact. In some cases, these exposures can be mitigated and reduced—the case with reputational risk, for instance, even though this is one of the more difficult risks to get our hands around. It’s outside risks like economic threats, which we have no control over, that give us pause. There is not a lot we can do about the decisions made by the Federal Reserve or actions taken by the European community.
RM: How do you categorize and track risks?
Baldwin: Different committee members are entrusted with identifying and tracking different risks. For example, I carefully track health and safety exposures confronting our 18,000 employees—I own that risk. I’ve developed specific metrics, monitor them on a regular basis and report any changes to the committee at the monthly meeting. Each risk is entrusted to an expert in that area. I don’t track tax risks because, quite honestly, that is not my area of expertise.
RM: What has been one of the more difficult assignments for the committee?
Baldwin: Hands down, we have the toughest time figuring out risk correlations. By this I mean one risk that leads to, or springs from, other risks. Take operating risk, for example. We’ve moved away from simply rating this risk on its own, and now identify the other exposures like reputational risk that it can trigger. The team does this with all risks. We’ll identify political risks and then assess their correlation with other risks, plotting it all on the matrices. If the outlook changes, the point on the matrix where a risk is plotted moves.
RM: Are there any insurance products that the company passed on previously that it is now considering as a result of your work on the ERM committee?
Baldwin: In fact, we are this minute examining the prudence of buying cyberrisk for the first time. It now seems this is a growing and dangerous exposure, one that has passed a threshold.
RM: What do you mean?
Baldwin: In my days at Boeing working on safety systems and subsystems, we would multiply probability and significance to produce a particular metric. When the number exceeded a certain limit, the Air Force required us either to increase safety via the design process, or create backup redundancy to get the number below the boiling point. I think we have now passed that point with cyberliability.
RM: What are some of the lessons you have learned from this process?
Baldwin: Risk is a big part of life and business. If you take no risks, you limit your potential for success. If you take too much risk, you may threaten your survival. This is why I believe ERM is as much art as it is science. You need to establish certain risks like health and safety that are absolutely unacceptable—hence our zero tolerance for accidents. Other risks that are more financial in nature are more acceptable to bear, but knowing where you verge into the unacceptable is what ERM is really good at. For this you need risk experts. Fortunately, they are at hand in most organizations.