The overriding risk management philosophy at CSL Ltd. and CSL Behring L.L.C. is operational risk management, and executing the philosophy involves a decentralized approach passing risk management responsibility to the managers of the companies' various operations.

“The process was really born probably 10, 12 years ago. Because of being an Australian company and a publicly traded company, legislatively we were required to have a risk management process,” said John J. Marren, director, global risk and insurance management at King of Prussia, Pa.-based CSL Behring and its Parkville, Australia-based parent.

“If you look at our framework, we're very specific in saying what this framework pertains to and, as importantly, what it doesn't pertain to,” Mr. Marren said.

While allowing that it could be referred to as an enterprisewide risk management program, Mr. Marren noted that the risk management process in which he's involved doesn't generally include consideration of aspects such as strategic risk, human resource risk, certain elements of legal risk, and certain elements of research and development risk.

“Things like that we specifically spell out as not being part of this process,” he said. “Not because we don't manage those risks; we just don't manage them inside of this process.”

There are 10 entities within CSL Ltd. that are responsible for reporting risks through the operational risk process, Mr. Marren said. They include all five of the company's manufacturing sites, its plasma collection business and operationally oriented corporate functions that include the global information technology practice, the global sourcing practice, the global logistics practice and the commercial operations practice within CSL Behring.

When Mr. Marren joined CSL in 2007, the operational risk management philosophy already had been in place for some time. But there was no common risk management language across the organization, leading to inconsistency in addressing exposures and making it difficult to share risk management information or lessons learned across the organization.

“When I came to CSL in 2007, the process had existed at that point for quite a number of years,” he said. “But...what we continually strive for is comparability and consistency across the group globally as far as how risks are viewed. Not that they're the same, even if you have the same risk at different sites, but to make sure that we're looking at the right things, making sure that we have a common lexicon for managing risks, so that we're talking about the same things.”

With Mr. Marren's arrival in 2007, CSL set about establishing a companywide risk management framework.

“It basically put in place the things you'd expect: a purpose, the scope of the process, common language...how we even defined risk, roles and responsibilities, what the different parts of the business are responsible for, who reports to whom, principles, setting some risk tolerance, some framework around how we would assess a risk,” Mr. Marren said. “It's really not too different from what you'd find at other companies that employ an ERM program.”

The effort led to different views of how the process should be implemented and how risks should be assessed, Mr. Marren said.

“In order to kick this off, we held our first global risk management meeting where all the people in the company globally got together for the first time in December 2007 to be introduced to this, to talk about what works in the process, what doesn't work in the process, what do we want to do to make it better,” he said.

One of the other things that came out of those discussions was the question of just what sort of tool managers would use to manage the risk management process. CSL Behring's chief information officer suggested the company's information technology staff could develop a tool that would suit that purpose until the company could find a more appropriate system on the market.

While the tool has been highly effective, CSL will soon replace it with a more up-to-date system the company is set to purchase.

The decentralized operational risk management approach is seen by many as the most logical way of managing CSL's exposures.

“Historically, (risk management) was very fragmented and each operational component of the business took responsibility,” said Gregory A. Boss, group general counsel at CSL Group. “We do continue that philosophy. Nobody can point to John and say, "John, you're the risk manager. It's your responsibility to make sure we're doing things right.' His job is to help coordinate activities, make sure they're aligned, make sure they're efficient.”

“Definitely we as a company have a philosophy that management of the risks should be at the most basic or local level, where real action can be implemented to prevent risks in advance,” Mr. Boss said. “Certainly, John or me or many others can respond to risks quickly and efficiently, but we do want to manage them before they happen and that's best done at the local level.”

While the risk management responsibility is local, the company has succeeded in globalizing the language of its operational risk management approach, said Mr. Marren.

“We've put a process in place for risk identification and assessment—a reporting chain for all of the businesses that are obligated to report their risks. Fast-forward to today, we've updated this framework considerably,” he said.

Parameters have been upgraded, and the company adopted AS/NZS ISO 31000 as its standard of reference for guiding the principles of the company's risk management process when the CSL board approved the latest version of the risk framework in February. “Wherever a risk falls in this residual risk matrix, we've got reporting thresholds,” Mr. Marren said.

Those common thresholds are another key element of globalizing CSL's risk management approach effectively, Mr. Marren said.

“Reporting thresholds are important because, previous to that, people were sending in reports with every risk they had,” he said.

“One site might report 10 or 11 or 12 risks, and another site might report 100, because there were no criteria for what was important to report up the food chain,” Mr. Marren said.