Since its start in founder Jean Nidetch's living room in Queens, New York, in the early 1960s, Weight Watchers has grown into an international organization that has helped millions of people shed unwanted pounds. In 2011, Pamela G. Rogers was hired to help the company reduce something else—its strategic, financial and operating risks. As the vice president of enterprise risk and insurance management, Rogers was charged by the Weight Watchers board of directors to channel her three decades of risk management experience into creating, implementing and facilitating an enterprise risk management program. We sat down with Rogers to discuss her approach to ERM.This interview is part of a continuing RIMS Q&A series spotlighting ERM practitioners. For more, visit the RIMS Strategic and Enterprise Risk Center at www.rims.org/ERM.
RM: Weight Watchers urges a "science-driven approach to eating smarter, exercising and forming helpful habits." Does the company also seek a more science-driven approach to risk management?
Rogers: Yes, the board certainly wanted a sophisticated ERM program, led by someone who had put together such projects in the past. Several board members had heard about ERM, and may even have served as directors at other companies where ERM was implemented. They were all clearly interested in identifying the key risks to the organization and getting their arms around how these risks would be managed.
RM: Once you were hired to head up the ERM program, what were your first steps?
Rogers: I put together a presentation to the board recommending how I personally felt we should approach ERM. Typically, there are two approaches a company can take-the ISO 31000 framework or the COSO II framework. I presented the reasons why I felt ISO 31000 was the better path. My focus on ERM has always been that, yes, risks are bad and need to be controlled, but taking risks and carefully managing them offers an upside. ISO 31000 clearly allows for this, whereas COSO II, in my opinion, is more risk control-oriented. It's more about mitigating risk than optimizing risk.
RM: How did you convince them that your approach was right for the company?
Rogers: I told the board, I can guarantee you zero losses in an environment of 60,000 claims a year. We can simply shut the doors and not let people in, for instance. Then no one trips and falls. That's great for everyone but shareholders. Anyone can mitigate risks or eliminate them by transferring them to an insurance company, but the better choice is to optimize risks. We're an entrepreneurial company-we should take some risk. It's okay, as long as we're prudent. The board agreed.
RM: After you decided on an ERM framework, what came next?
Rogers: We did two things simultaneously. One was to form a risk committee, primarily to show the importance of the program throughout the enterprise, as there are not a lot of committees here structurally. We have a two-tier committee-executive and working group. The executive committee comprises senior executive leaders, and the working group is composed of senior vice presidents and group vice presidents. I work with them to generate ideas on managing risk that they can then present to the executive committee. The second thing we did was conduct more than 100 interviews globally in sort of a free-form format.
RM: What was the interview process like?
Rogers: First, we sent each interviewee a list of what we felt were our key risks and opportunities, to get them thinking. We then scheduled the interviews to be about an hour or two. We asked questions like, "Where do you think we could be just a little less risk-averse, and thereby seize a particular growth opportunity?" We also asked the flip side of that question, "Where might we be betting the farm and need more controls?" The whole process took about nine months to complete.
RM: What information did the interviews provide?
Rogers: We were able to identify our top 50 risks. The working group and our CFO previously had come up with the scoring format for our pure and residual risks. After we scored the top 50 risks and prioritized them, the working group brought them to the executive committee, which gave us the resources to put together a risk assessment workshop. This guided the development of our list of the top 10 risks. Each of these was subsequently assigned to a specific owner.
RM: So what's next on the agenda for the ERM program?
Rogers: The 10 risk owners are putting together their respective risk management teams to examine whether or not the status quo is sufficient to address the top risks. In some instances, no new tasks may be needed. In any case, we expect to build on the good processes we already have in place. For example, everybody has to deal with privacy and security issues, but are they looking at it from a geographical and cross-functional basis? This, to me, is the key to a successful ERM program-getting everyone in the organization to think like a risk manager. It's not about fancy risk management dashboards; it's about weaving risk management into the fabric of the company.
RM: Sort of viewing risks both horizontally and vertically, right?
Rogers: Exactly. I've been a risk manager for 32 years, and I see ERM as an opportunity to improve operational excellence. My goal is to eventually work myself out of a job by getting everyone here to be a risk manager. Fortunately for me, this doesn't happen overnight.