Reducing Risks: Gap’s Experience

ichelle Banks, senior vice president and general counsel at retailer Gap, won the admiration of many of her compliance colleagues yesterday at Compliance Week 2007.

RELATED RESOURCES Return To The Conference Updates Page At CW ’07 Schedule Of Sessions At Compliance Week 2007 List Of Keynotes, Speakers And Panelists Presentations Click Here To Download Conference Presentations

The trick that drew kudos from fellow panel members discussing how to implement enterprise risk management was the efficient distillation of risk, and the effective presentation of that risk to the board, by Gap’s ERM team.

“We had to force ourselves to reduce key risks from 300 down to 25,” Banks said—and then added to an incredulous audience: “all on five pages.”

One of her fellow panel members suggested that simply getting major risks on such a short document could be the subject of a seminar itself.

The theme among professionals discussing ERM at the conference remained very much the same: How do you convince management and the board to buy into what is an expensive and possibly distracting process? It was this challenge that largely motivated Banks to get her team to define, refine, and focus a list that could have very easily become ungainly.

She and others at Gap each took a hard look at potential dangers and came up with their own lists. They looked specifically for those risks that could sink the company and would command the attention of the board. It didn’t hurt that Gap has an internal policy to keep memos short.

“You can’t take every risk to the board. Only a few bubble up,” she said. “You are forced to prioritize and decide what can take your organization down. I have to make sure I am not the next Enron.”

Banks comes from a relative unregulated industry. As a clothing retailer, Gap is not in finance, insurance, or any other industry that the government watches closely and continuously. Gap has to comply with SOX, but it does not have a huge internal compliance in infrastructure.

As a result, Gap’s “buy versus build” thinking to develop an ERM system tended to favor the buy; Gap brought in outside expertise to assist it in its ERM efforts. This may have been costly, but over the long term, Banks believes that enough would be absorbed in house to justify the up-front expense.

“We did not have the experience,” she conceded. “And we did incur the cost of brining people in. But we had internal audit shadow them.”

Steve Aleman, vice president of control compliance and assurance at health insurer Wellpoint, said that because his company is already highly regulated, much of the compliance infrastructure was already in place. ERM did not require the wholesale creation of that which did not already exist. It was more a case of getting the different parts of the organization thinking together and in a strategic manner about risk.

“It is a matter of connecting the dots,” he said. “You don’t eliminate silos.”

The panel agreed that selling ERM is about emphasizing the upside, to both the organization and to the individuals within it. Discussing potential disasters is important. The board must be scared. But gains as well as losses must be behind the argument.

“We tell them that you are going to get a `two-fer,'” said Jay Cohen, global compliance leader at Dunn & Bradstreet. “You are going to manage risk better and provide a tool for business to better do your job.”