Creating Value with ERM at Paychex

Morgan O'Rourke


August 29, 2012

Most risk managers believe in the merits of an enterprise risk management  program. But getting started can sometimes be easier said than done, particularly when resources are already scarce. The ERM initiative of payroll services firm Paychex, Inc., however, was able to gain traction by being more than just a risk management exercise—it was about creating value for the company as well.

As a result, ERM was able to identify and develop revenue opportunities that would eventually be directly responsible for bottom-line growth at the company. The ERM program at Paychex was so successful that it was recognized with an “ERM Award of Distinction” at the inaugural RIMS ERM Conference last year in San Diego. In the lead up to this year’s conference in San Antonio from October 29-30, we spoke to Frank Fiorille, senior director of risk management at Paychex, to gain a little more insight on his company’s award-winning program.

Risk Management: What inspired the shift to ERM at Paychex?

Frank Fiorille: My background is in the financial institution world at a couple of big banks, and when I came over to Paychex, I quickly saw that an enterprise, integrated risk framework was needed. We had silos and various components of risk management and risk function, but it wasn’t integrated under an ERM structure. I was pretty familiar with it at other places and saw how it was an evolving discipline and trend. I just thought that, given our industry and company profile, with many complex risks to manage on a day-to-day basis, ERM was needed.

Risk Management: What were the biggest challenges of the implementation? 

Fiorille: I think the key thing was trying to show the value of it and trying to get a couple of small wins under our belt to get people to see how it was helping not only to identify the risks but also the ability to take on more risk in a smarter way. The ability to not just protect shareholder value but grow the value was really the thing that I think got people’s attention around here—that this can really work and we should invest in it.

In some areas it was harder than others. But I think they quickly saw that it wasn’t a “gotcha” exercise or another bureaucratic process. We weren’t just saying “no” all the time, we were really saying, “OK, how do we do this?” or “Here’s how we say ‘yes’ with less risk or by mitigating most of the risk.”

Risk Management: Did you meet resistance? 

Fiorille: I’ll go back to my old days in credit risk. Back in the 1990s, when the FICO models came out and we tried to implement those in various underwriting groups, you had these underwriters who had been doing the process for 20 years. And here someone is telling them what they need to do, and they’re like, “Hey wait a minute, I know these customers better than any model. Why are you telling me to approve or disapprove?”

Risk management at Paychex was kind of like that because we’ve got various field personnel that are really tied in to the business and the risks. While ERM is a centralized function at Paychex, we still count on them as being the gatekeepers and the people that really own the risk, so we had to partner with them.

There was definitely some hesitancy whether we were trying to build a new model or change a policy or whatever. It was difficult in the beginning, but once they saw that it was creating value and really helping them, they embraced it.

Risk Management: What is one example of how these barriers were broken down? 

Fiorille: One of the core competencies or disciplines of risk management at Paychex is modeling. We have the client group and we didn’t want to push risk, fraud and collection models down their throat when I first started this process because they probably would not have embraced them and would have seen that as another policing audit.

But given the culture of the company at the time and what senior management was interested in, we turned it around. Instead of building risk models, we built revenue and sales models that we deployed into the businesses that worked really well. They embraced them because they saw that it was helping their business and their P&L. What that allowed us to do was add resources and invest into building more and more models that the company is now counting on to augment the businesses.

Risk Management: What was the overall effect of ERM on the company? 

Fiorille: I think we were already doing a good job playing defense but this allowed us to go play offense. We were doing a good job of mitigating credit risk and compliance risk and operating risk, but this allowed us to go off and use it for strategic risk management to grow shareholder value, not just protect it. Today there is additional revenue that can be directly attributed to what I am talking about. So it has definitely had an impact.

Risk Management: Now that you have a successful program in place, what is the next step?

Fiorille: The next step is to continue to push this. How do we use it not just for the bad things that can happen to companies but for the good things that can happen and really leverage that? Maybe [we can] get into a new business that we didn’t want to beforehand because we didn’t understand the risk. It’s really about trying to help grow the company.

And then, how do we calibrate it to the risks around the corner, the risks that aren’t fully baked just yet? People watch for them, but I’m not sure that any of the processes in place are really there to manage them yet.

Risk Management: What is one piece of advice you would give to a risk manager just starting an ERM initiative of their own?

Fiorille: Really understand the company and the business, and know what approach to take. All risk management and ERM programs are different, based on culture, the industry, and missions, goals and objectives. So understand your company and know where to go first with it so that you can build that capital with senior management and prove its worth. I hear people talk about how they can’t get senior management to focus on it and they can’t get any resources or any investment to get it going, but I think sometimes they just don’t know where to start.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)