25/06/2010
By Graham Buck
You've been Reed Elsevier’s chief risk officer nearly two years; previously you were director of corporate audit services. Could you outline the path to your current job?
I joined Reed Elsevier in 2001, after a long career with KPMG in the Netherlands and New York that also included two years on secondment to Dutch airline KLM. Although this was before 9/11, potential mergers were already being discussed.
Risk managers come from a variety of career paths. In my case, this experience positioned me well for a role with the necessary analytical skills. In some companies the role is more technical in nature; Reed emphasises strategic risk management and established the role of chief risk officer (CRO), following the changing profile of risk in the information industry.
The role of CRO means cooperating closely with internal audit in many key risk areas, but the responsibilities are significantly different. It is more upfront, providing management with perspective on major proposals and there’s more of a managerial aspect. In my previous role, I had risk management responsibilities but the focus was more on processes and ensuring compliance with regulation.
Although it’s a while since you worked in the industry, do you have thoughts on airlines’ problems and how they should be tackled – for example BA’s industrial dispute?
The sector has always had problems; overcapacity means many carriers haven’t been profitable. Larger airlines are still impacted by legacies, while the low-cost operators started from scratch and don’t suffer the same restrictions.
I sense both BA’s management and unions are strong minded, so they have continued to clash. The aim of reducing the cost base, which needs to change, is hugely difficult.
Our own industry has also undergone significant change. For many years, we focused on books and journals; indeed, the Elsevier name goes back to 1600. The arrival of Google completely changed the rules of the game, making it much more technology-based. The pace of change means everything has to be rethought, from our people to our business models. Our works councils fortunately understand the significance of these changes, so we’re far less constrained by regulations and legacies than many industries.
What changes have you noted in attitudes to risk management over the years? And has interest in ERM noticeably increased since the financial crisis began?
The crisis definitely had an impact on our industry, if less so on Reed than some others. It meant the board started asking more questions and requesting greater transparency on risks faced by the business. There’s greater awareness that risk can suddenly materialise at any time.
Investment proposals are now supported by a proper perspective on the associated risks, so it has changed our financial policy. This was reflected, for example, in our decision last summer to make an equity placement when market conditions were still difficult, and in 2008 when we bought US group ChoicePoint, our biggest-ever acquisition. A few years ago, expanding into the US proved a disaster for one of our peers, Emap, so the decision to go ahead was only taken once it was supported by proper risk analysis. Good risk analysis means a business is better prepared for an acquisition or merger. Management now recognise this; hence their support for proper risk assessment.
Reed is listed in the UK, the US and the Netherlands. Is the approach to risk uniform, or are there differences from country to country to reflect reporting requirements?
You’re right that there are differences in addition to the commonalities. There is an overall risk approach to satisfy regulatory requirements, but we’re helped by the Dutch and UK corporate governance codes being very similar, both requiring specific disclosures. The US focus is more on financial risk and financial reporting, so we put systems in place for this when Sarbanes-Oxley took effect six years ago.
Tell me a little about the work that won you the Risk Manager of the Year award.
I regard it as very positive that a non-financial company has a CRO and that Reed recognises the importance of risk management. Our risk profile has changed significantly over time; we’ve helped management understand risk and instal good mitigation controls, proper best practice and robust solutions. Risk management has moved from a supporting role and is now embedded in management functions.
Although the group is decentralised and local units have some independence, the risk management team is involved in the chief decisions. We’re both pragmatic and solutions-oriented. We have a healthy risk culture, which involves challenging management decisions. We’re also helped by having outsourced sections of the business to India, and we ensure that proper risk management practices are in place for these units. In the US, we are regulated from an information security perspective and we’ve put in a sustainable framework here that has already achieved success. The focus is very much on organisational awareness.
You need to be tuned in to top management. Thanks to this approach, the rate of success on our investment programmes has improved significantly, showing the value of risk management. These were the key aspects behind the award.
Which issues top your risk agenda? Which have increased in importance, and are emerging ones likely to join them?
Our overall risk profile probably hasn’t changed significantly, although the specific emphasis alters year-to-year. The sustainability of business models is certainly one issue that has moved up the agenda. We’ve launched new products and business models over the years – many proved very successful, but there have been those that fell away suddenly. So we have to stress test each of these business models.
Copyright is certainly an important issue for our industry. It’s one under discussion by the regulators, based on the premise that information should be freely available to all. Data privacy and information security are also vital for an information company. We have very sensitive data and it’s imperative this is protected as it’s hugely desirable for criminals. We constantly have to guard against hacking attacks. In the past, information security was nice to have; now it’s a crucial element of running our business.
In the past, you've mentioned the importance of a diversity of business backgrounds for the internal audit team. Does the same hold true for risk management?
The model for risk management is different from that for internal audit; the latter involves a central and global group of highly-qualified people. Risk management operates with a fairly small central team, relying on risk champions through the organisation to supply it with knowledge. So we need detailed information but a fairly small team keeps it clear who is responsible for managing risk.
You’ve said that corporate governance codes increased senior management’s appreciation of the work of internal audit – presumably this extends to risk management?
Yes, management’s understanding of risk management is getting better all the time, due partly to the financial crisis and the steadily increasing expectations of regulators. This trend is set to continue as regulators specify exactly what they want from us. The UK Combined Code is very important in this respect; it confirms the need for risk management and ensures that it remains a priority.
If the company needs to state its risk appetite it will be difficult to strike the right balance. It can't be too generic, but at the same time it doesn’t want to reveal sensitive information to competitors. Fortunately, UK regulators have a more balanced perspective than their US counterparts.
You also said that risk management isn’t about process or reporting, but people’s behaviour and good decision making. Do governments and regulators appreciate this?
I wouldn’t want that comment taken out of context, but risk management certainly drives better awareness. Good leadership and understanding, driving a healthy risk culture and making good decisions are the main elements in driving a successful business. A good business learns lessons and acts on them to improve its risk management; a bad business regards risk as something negative.
Regulators saw that financial service companies’ attitude to risk was too driven by short-term gains and the bonus culture. They appreciate that the lead given by behaviour at the top of the organization is vital. You can certainly regulate the process, as in Sarbanes-Oxley, but what is more effective is ensuring that behaviour and the corporate culture are right.
We're a few months into a new decade. What changes do you anticipate by 2020 that will affect risk management and the way it connects with other units of the organisation?
The big question for us is 'are we aware of all the risks we should be aware of'? That’s hard to answer; the Iceland volcano emphasised that risk still is something sudden and unexpected, although the better organisations were able to deal with it.
What’s next and what’s new are big questions. I don’t anticipate major changes, but risk management will continue to gain appreciation and become steadily more embedded as part of the management process. If we have this same discussion in five years’ time, I’d expect to be able to report great progress. For IRM and other major risk management bodies, the challenge is in being equipped to meet these changes. I’d agree with what was said at the Professional Development Forum – your ability to negotiate and deal effectively with people is every bit as important as technical knowledge. And that should reflect in opportunities to train your upcoming talent and tomorrow’s professionals.
Arnout van der Veer was in conversation with Graham Buck, the editor of Risk Management Professional
