tutions. That enterprise risk group has evolved quite a bit beyond where it was two years ago. And there is a centralized compliance department that focuses on legal and regulatory compliance and is setting up a true state-of-the-art compliance program with the prevention, detection and communication components that you would expect in a global company. I also have administrative responsibility for internal audit, which reports to the audit committee of the board. So we have this internal group of audit, compliance and ERM that work closely together to manage the internal control risks and Visa’s overall ERM portfolio.
How did your past banking experience help inform your current role?
We want to be clear that Visa is not a bank; it is a processing and technology company with a tremendously valuable brand. But, because of the value of the brand and the fact that our clients are financial institutions, we feel we have to meet certain internal-control standards and present a tightly controlled and disciplined face to the world that might not be characteristic of an ordinary technology company. So, yes, that discipline is valuable. Also, speaking personally, my experience at companies that encountered problems has helped me drive the sense of urgency that a newly public company needs to make sure that people are putting the right systems in place even when everything is going well.
Do you have client communication responsibilities?
A lot of our communication is around the integrity of the payment system, including data security, business resumption, fraud, misuse of the system and illegal use of the system. We communicate with clients constantly, hold seminars and webinars and risk councils having to do with risk to the payment system. On the internal control/enterprise risk/compliance side, we are just starting to get out into the community with events of that kind.
Is it fair to say that the preponderance of risk that you manage is operational?
Yes, operational risks are very prominent in the risk profile. The obvious, biggest risks to Visa include the system going down and the cards not working. Visa has always recognized this and invested heavily over the years in business resumption and system redundancy, to the point where the amount of downtime over the last 15 years totaled only 13 minutes. We consider this high-magnitude, and it is something we have always managed extremely well. Another top risk would be cybersecurity. A hacker into Visa could be very damaging to our reputation. So we spend a lot on hardening our infrastructure, building the right kind of security and doing everything we possibly can to protect the data within our care.
How complicated does it get when you have to take into account the data protection rules and other regulations that vary among countries and regions?
The very global nature of the operation is a big challenge. We rely on the legal department to stay on top of the evolving structures around the world. Fortunately, we have been out in these countries for a long time and have people who are familiar with those frameworks. We have beefed up our compliance program, separate from the legal department, focusing on controls over compliance and assurance of controls.

Another interesting challenge for a global enterprise is people – Visa is accepted in more than 200 countries and territories, but we have offices in about 40. All of our people speak English, but they come from many different backgrounds and have to understand the rules of business conduct and the expectations of an employer that is U.S.-based and publicly traded. As we were preparing for the IPO, we did what I call the compliance world tour. I went with a compliance officer and a lawyer to each of the regional centers – Miami, Singapore, London and Toronto – to meet with the leadership teams and conduct employee town halls covering Visa’s upgraded code of conduct and ethical expectations. We discussed, for example, anti-bribery laws, which are a big focus now for multinational companies, as well as insider stock trading and conflicts of interest.
Do you have a direct pipeline to information technology as part of the operational risk monitoring mandate?
IT has pretty good MIS [management information system] key performance indicators, and we are working with them to supplement those with key risk indicators. The ERM team has also worked with IT to create an integrated business resumption plan for all of Visa. Basically, our philosophy is that management owns and manages the risks, and we as a risk group – outside of the risks that we manage directly, such as external data security – make sure that tools and frameworks are in place and roll up the reporting into a dashboard using the key risk indicators.