Paychex Inc. is a leading provider of payroll, human resources, and benefits outsourcing solutions for small and medium-sized businesses.  The organization offers comprehensive payroll services, including payroll processing, payroll tax administration, and employee pay services, as well as HR services, including 401(k) plan recordkeeping, health insurance administration, workers’ compensation administration, and time and attendance solutions.  Paychex was founded in 1971 and is headquartered in Rochester, New York.  The organization has more than 100 offices serving approximately 570,000 clients nationwide.

Paychex earned national recognition for its performance in enterprise risk management (ERM) by receiving the first-ever Risk and Insurance Management Society Inc. (RIMS) Enterprise Risk Management Award of Distinction in 2011, as well as multiple Alexander Hamilton Awards for excellence in ERM from Treasury & Risk magazine.  Paychex also received the RIMS Arthur Quern Quality Award for its predictive modeling efforts within ERM and the 2010 Kevin O’Brien ACH Quality Award from The Electronics Payments Association (NACHA).

APQC interviewed Frank Fiorille, senior director of risk management at Paychex, to gain some insight on the organization’s distinguished program.

ERM PROTECTS AND ENHANCES VALUE
Paychex’s leadership puts a large emphasis on protecting shareholder value.   “It’s all about risk and reward, and we’ve got individuals in ERM that are dedicated both to protecting and enhancing shareholder value,” said Fiorille.

Paychex’s ERM program is unique because it not only identifies risks; it leverages the risk management apparatuses, tools, and skills in ways that help the organization as a whole create value.  Fiorille identifies his passion for risk and value creation, saying that “Instead of playing only defense, Paychex is playing offense, as well.”

He added, “Anything that has a risk-centric flavor resides within a central utility, but the risk mindset is embodied by every person in the entire company.”

Paychex’s operations are very sales and marketing-heavy and largely decentralized; as a result, Fiorille must gather perspectives from all functional areas in all locations.  He emphasized that risk is always top-of-mind: “Company-wide, we’re always thinking about the risk in a strategy or situation, the downsides and the unknowns.  Whether it’s an emerging risk, something we’ve not dealt with before, or the chance that something will go wrong, we look at it and ask if there is an opportunity there.”  His philosophy comes down to this: “Companies that (a) understand risk when strategic decisions are being made and (b) make sure that senior executives communicate the company’s risk appetite both internally and externally have the best chance to strike the right balance between risk and reward.  This is fundamental to value creation and profitable growth.”

LEVERAGING DEEP DOMAIN KNOWLEDGE
An important nuance here is that Fiorille is not looking to turn the people involved in risk management into members of the marketing or sales teams.  However, discrete opportunities do arise for people on his team to be innovative and take steps that actually enhance the financial performance of the company.

One example: several years ago, an expert in the compliance organization had gained deep familiarity with the complex regulations and laws that pertain to a particular business segment.  “By leveraging that deep institutional and industry-specific knowledge, we were able to identify new opportunities to not only create operational efficiency and improve our internal control effectiveness, but also create potential new revenue streams that have delivered significant top line revenue to the company over the past few years,” he said, adding that, better still, the team was able to apply that same approach to other areas of the business and uncover additional opportunities to enhance the value proposition of other products and services.  This helped to strengthen partnerships with business unit managers and enhance their engagement in the discipline of strategic risk management.

Another example of the way the risk management group provides value involves the Ph.D.s on the analytics team.  They created predictive models that can be used to enhance day-to-day decision making.   So “we tasked the people responsible for building risk-centric models, fraud models, credit models, and so forth, with building models for people on the operating side,” said Fiorille.  Examples include sales optimization models and customer churn models.  These are forward-looking decision-support tools that are now institutionalized in the overall Paychex ecosystem.

UNDERSTANDING THE RISKS IN THE STRATEGY
Emerging risks at Paychex, which keep Fiorille on high alert, are known as “risks around the corner.”  They are defined by Paychex as developing or changing political, legal, economic, market, or physical environment conditions, situations, or trends that may impact the organization’s financial strength, reputation, or competitiveness over the next 12 to 24 months.  “I always think that it’s the bus that you don’t see coming is the one that runs you over,” said Fiorille.  “The emerging risk piece is the key.”

The other dimensions of risk management, such as getting good controls in place, documenting the use of controls, and so forth, are the fundamentals that most organizations do well today.  What is not so commonplace is the way Paychex works to build a sense of risks that have never before been encountered in the strategic planning process.  For one thing, the cultural message is clear: everyone is responsible for risk—it is not shoved into a silo.  Additionally, scenario planning embraces uncertainty and overtly strives to consider all possible developments.  Paychex endeavors to understand each business for which it provides services, meaning “learn all you can, turn over every rock, until you do understand enough to proceed.  If a situation cannot be understood, avoid it,” said Fiorille.

One innovative approach at Paychex is an annual group assessment involving nearly 200 top leaders of the company from all over the U.S. and Germany.  These leaders represent all vital business groups, from sales and marketing to finance and IT.  The risk management team actually conducts the assessment in a manner akin to college basketball’s March Madness.   Paychex’ game is called the “Tournament of Risk.”

First, Fiorille’s organization identifies 64 risks that have been pegged as “key risks.”  This list is determined by considering each risk’s potential impact, likelihood, velocity, and management control effectiveness.

The leaders of the meeting put these risks up on a board that looks like an NCAA bracket (Figure 1).  Every one of the nearly 200 people present at the meeting has electronic voting capabilities and votes on each risk in head-to-head competitions—whichever one at each stage stands out because it has the greatest future residual risk (what remains after the mitigation strategy has been deployed) advances to the next level.

This way, the top leaders of the company are given the opportunity to identify and communicate what they think could have remaining risk from any event or combination of events after all mitigation strategies have been employed.  Note, too, that the executives get a clear set of definitions to help them work in a consistent and coherent fashion (Figure 2).

The ultimate goal for the Tournament of Risk is to gain collective feedback from senior leadership.  The individual risk score doesn’t really matter—it is fun and creates dialogue. “It is one way to get executives engaged and interested in risk,” said Fiorille.

In its tournament, Paychex distinguishes between strategic and operational risks.  Much in the same way that March Madness splits regions into north/south/east/west, Paychex distinguishes between financial risks, strategic risks, hazard risks, and operational risks.   Once the final set of key risks is determined, the risk management group assigns an owner who resides in business functions.  “Sometimes the risk owner can be a risk management person, but it’s often on the business side.  We partner with those risk owners to clarify a risk, give it dimension, and get at it in a mitigation plan,” explained Fiorille.

FOLDING RISK AWARENESS INTO THE CULTURE
Paychex is admirable in the way it has built a risk management assessment and mitigation process that folds perfectly into its culture.  The company has a strong sales/marketing orientation that is populated with leaders who feel a keen sense of ownership for their own pieces of this decentralized company.  These local leaders know their pieces of the pie intimately—they have a line of sight on emerging risks that could bubble up and eventually put a kink into overall strategy.  In many organizations, unfortunately, people with discrete leadership skills succeed and earn a spot on a top rung of the ladder.   They make the mistake of hanging onto decision rights that rightly belong on the front lines of the business.

Fiorille reports to Paychex’s CFO.  He also meets regularly with the CEO and makes a presentation in front of the full board of directors at least once a year.  In his presentations to the board, Fiorille covers classic risks, risks present on Paychex’s heat maps, and known recurring risks.  Then they go over emerging risks around the corner.

Paychex ensures that board members look beyond the usual assessment tools and gain the opportunity to “think the unthinkable,” which, according to Fiorille, is “what’ll kill you—the emerging risks that come up fast.”  ERM dashboards are also provided to the board and senior management to maintain optimal risk transparency throughout the year.

Paychex promotes cultural engagement so that risk becomes a part of the company’s DNA.  The organization raises awareness of risk throughout the company in several ways, ranging from workshops to regular communications.  For example, each week Fiorille composes a letter to officers, directors, and other leaders in the company.  It is simple but effective; very informal and only about one page long. “Leaders are hearing about the top 10 risks happening, what has gotten done, what hasn’t, what’s emerging.  It’s a quick read, but it’s something that builds awareness and creates an effective risk culture,” said Fiorille.

Paychex is also devoted to continuous improvement in ERM.  “Risk management is in almost every American company now, separate from audit committees, and carved out from legal departments—it’s becoming its own discipline,” said Fiorille.  “[But] will interest in ERM recede if there are fewer and fewer crises and ERM begins to look more like a cost center rather than a value-adding service?  We continue to reevaluate ERM in order to keep our vision and strategy aligned with the needs of the business.”

A FINAL WORD
Fiorille and his team offer great examples of ways to make ERM come alive and stay alive in the Paychex culture.  And that surely makes all the difference.  This case demonstrates that the ERM leader has to be creative in engaging business leaders and tucking risk management capabilities into the culture.  Fiorille, for instance, knew a few years back that the Paychex culture prized entrepreneurial thinking.  And he suspected his desire to introduce broad-based modeling of operational data would run into some resistance. Entrepreneurs can, at times, be suspicious of formulaic-sounding “black boxes.”  Still, Fiorille was determined to tap the mountain of rich data the company has amassed over the years.  So he built a customer churn model to demonstrate how a predictive model can help sales people spot customers most likely to switch to a competitor.  It worked, and that bought Fiorille the management support he needed to get predictive analytics capabilities up and running.

Bio:

Frank Fiorille is the senior director of Risk Management at Paychex.

APQC Description:

APQC is a member-based nonprofit and one of the leading proponents of benchmarking and best practice business research.  Working with more than 500 organizations worldwide in all industries, APQC focuses on providing organizations with the information they need to work smarter, faster, and with confidence.  Every day we uncover the processes and practices that push organizations from good to great.  For additional information, please visit: APQC.org and http://www.apqc.org/financial-management