Exel claims to be the world leader in supply chain management. Marv Larger, senior vice president, commercial services, tells Adrian Leonard about the company's risk management practicesHow does Exel approach risk and risk management?
Marv Larger As an organisation, our broad philosophical approach is that the ownership of, and responsibility for, financial and strategic risks remain within the business units where the risks originate. We support their handling of that responsibility through a central risk function, and through central legal, audit, human resources, and other functions.
The merger [in May 2000] required us to evolve a vision of the combined entity from a risk perspective. There are a number of components to that vision: good risk management practices must be embedded in the business units worldwide; they will manage risk proactively, within a consistent framework. Business units will have their own risk management resources, but they will have shared resources on a field basis. Our centralised approach becomes decentralised as appropriate, but always with central oversight, and always with a consistent approach.
We think that relevant, accurate management information is very important. We are migrating our regulatory reporting systems into a central database and reporting process. The information is local information, but it can be rolled up to allow global visibility.
What risks and responsibilities stay at the centre?
Marv Larger The central risk function owns and keeps current the risk management framework. It works with the business units to assist in behavioural change, and to manage risks. It ensures that allocation of risk is fair and transparent to the business units, which allows them to be rewarded for good risk management practice, and penalised, financially, for bad practice.
But risk is a board-level concern. John Coughlin, deputy chief executive and group finance director, is the executive board member with day-to-day responsibility for ensuring risk is managed in the business. Overall risk management is supported at a senior management level with a number of mechanisms. The global risk management steering committee includes the divisional CEOs and the senior corporate function leaders from audit, finance, risk, etc. John Coughlin is chairman. The risk management function establishes the committee's agenda. Its remit is broader than the traditional, narrow risk management function, and it looks at overall enterprise risk issues.
Then there is an organisational risk assessment process driven by the global audit and assurance function. The business units are responsible for broad risks issues, including growth issues and client issues. They look at risk in its broadest sense. Audit and assurance works with them through a process to identify and quantify risks and approaches to mitigating them, and action processes for significant risks. Since organisations are dynamic, risks are dynamic, so it is an ongoing process. Business units have to sign off on this procedure twice a year.
For the classic risk function, we established three theatres: Asia, Europe & Africa, and the Americas. Each has a risk function leader who is responsible for ensuring that we coordinate the risk practices established by the global risk management steering committee, and for providing a regional framework that supports the businesses as needed. The theatre risk function leaders have individuals on their teams assigned to specific business units to support their risk management. That can mean a shared service approach where it makes sense, or it can require having resources at an individual site or at a specific business unit. It involves providing a coordinated thought leadership role.
Does the Exel's risk management strategy consider operational risks?
Marv Larger We consider many risks beyond the classical hazard risk: organisational design and structure, employee productivity, contractual risk … in general, it is everyone's responsibility to manage risk in their area of expertise. For example, if the organisational risk assessment process identified a risk where training was an issue, it would fall to the human resources function to work with the business units to handle it. For the more traditional hazard risks, we have defined very clearly the risk function's role: it has responsibility for insurance and risk financing, claims and litigation, safety, health and the environment, security, business continuity planning, transportation, health and safety practice and compliance, and the risk elements of contract liability.
What is your risk appetite?
Marv Larger We will retain risk when it is cost effective to do so, and we will have higher retention levels, over time where appropriate, which is a function of having higher confidence in our own risk management. At the same time, we want to be sure there is a demonstrable return on our investment in risk management. We do it for all the right corporate governance reasons, but also we want it to be an investment that provides an adequate return.
Clearly, with hardening insurance market conditions, the cost of insurance has increased dramatically. When we look at our cost of risk, we look at the trade-off of retaining risk to buying insurance, which has caused us to continue to look at self retention levels. In some cases we have increased the level of retained risk, with the goal of reducing overall cost, or trying to strike the proper balance. We view the key role of insurance and risk transfer to protect against severe and catastrophic losses, and we retain and manage the others. About 85% of our effort is on control of risks. Only 15% is the financial component. We believe the first line of defence is having risk management embedded in the business.
How have you embedded a risk-aware culture in Exel?
Marv Larger Our risk effort has reinforced the philosophy that we have a dynamic business, and so we need to keep our risk management programmes dynamic too, both through steering committees and down to the site level. A manual on the shelf is not enough; risk management has to be part of the way we manage the business. We have standard policies and procedures, but they mean nothing if they do not come to life every day for individuals.
Responsibility for health and safety performance is at site level. Financial allocations make it meaningful, and keep the issue of risk focused in front of the sites. We have periodic health and safety audits, and a risk management information system that looks at all claims and every area of risk. That data is regularly fed back to all the sites, so they can see how they are performing against key indicators which set out the overall targets. We have established operational risk steering committees at the theatre level, where we bring together senior theatre business unit leaders with the risk function, and they work to review the key risks of the business, and look at strategies for risk mitigation and management. A risk steering committee can approve mitigation measures. Then the individuals go out to the sites and discuss, review, mitigate, and manage.
What has been the influence of developments such as the UK's Turnbull guidance?
Marv Larger It is probably a coincident tool, because of the merger. When we combined the two organisations we looked at all our risks. Turnbull reinforced what we were trying to do anyway: to look at our holistic risk. The overall intent of the Combined Code makes good business sense, provides a good environment, and has reinforced our efforts. It has also helped us achieve a very structured organisational risk management process.
Has risk assessment changed since 11 September?
Marv Larger Clearly now the whole area of security and related issues, particularly in areas like air freight, has heightened the real risk to all of us. The ability to obtain coverage and mitigate the risk through coverage has been much more difficult globally.
How is risk handled with third parties in joint ventures?
Marv Larger We take a three pronged approach. We have contractual arrangements to help mitigate third party risk, and operational processes that look hard into joint ventures. Finally, there's insurance.
What tools, beyond conventional insurance, does Exel use?
Marv Larger We use captives, which become more important as you take on more retained risk. We have just completed a global risk financing study to look at captives and other risk-financing techniques, which I expect all organisations are doing in this volatile risk environment. A captive, in certain cases, is an efficient method to finance increased self-retention. We have not yet made the final decision, but captives will continue to play a role.
Has Exel calculated its cost of risk? How much is it? What does it mean?
Marv Larger We do calculate it, but it is not something that we publicise. We have risk information systems that help us come up with the calculation, and our goal is to keep driving it down as a percentage of overall revenue. Adrian Leonard is insurance market correspondent, StrategicRISK
Exel is a UK listed company. It was formed through the merger of Ocean Group plc and Exel plc. The company has turnover of over £4.5bn and customers that include over two-thirds of the world's largest quoted non-financial companies. It employs more than 60,000 people in 1,300 locations in about 120 countries. Its sector focus is: technology 25%; consumer 22%; retail 16%; automotive 11%; chemical 7%; healthcare 5%, and other 14%.