Corporate Board Member magazines

Corporate Board Member Magazine NYSE Euronext

A Model of Thorough Risk Management

from March/April 2008
by Randy Myers

Banks and other financial-services companies are in the business of taking and managing risk, so it’s not surprising that they employ some of the most sweeping and sophisticated risk-management programs in the corporate world. At Prudential Financial Inc., for example, the work begins at the business-unit level. Each unit operates its own risk committee made up of senior managers and compliance and internal-audit people. They do a self-assessment, enumerating each risk the business unit faces and outlining the processes and procedures they’ve put in place to mitigate those risks, including the ones related to information technology. This happens at least once a year, and more often if the risk profile changes materially.

At the corporate level, Prudential feeds the individual assessments into a computer system. “For a given topic, for a given business, and for each of the specific risks—and there can be hundreds of these—the mitigating factors are entered, explaining what you’re doing to try to minimize the risk and who is responsible,” says executive vice president Bob Golden. Reports are published weekly, he says, showing the status of every item that requires action.

Each business-unit risk committee makes an annual presentation to a corporate-level operating-risk committee chaired by Golden; its members include the company’s top operating executives, as well as the heads of finance, compliance, risk management, and internal audit, plus representatives from the outside auditor. “Each business unit also has the responsibility to voluntarily come to the operating-risk committee throughout the year if anything happens that dramatically changes its risk profile, and to update the committee on what they’re doing to address that risk,” Golden says. The committee usually suggests additional action.

Golden formally updates the Prudential board’s audit committee on risk management twice a year. The company’s chief internal auditor briefs the audit committee on IT matters of importance as they surface.
