Risk Professional - December 2009

Can you describe the risk report-
ing lines?

I report to the CEO. The enterprise risk team reports to me. We have a corporate risk committee, consisting of senior executives including the CTO and head of operations, head of product, the corporate controller and counsel, who meet once a month. There are risk subcommittees in the regional hubs.

We use scenario analysis to identify risk and
opportunity. Management can use our services
to move business decisions forward.

And board governance? The board has an audit and risk committee. We report to them regularly on enterprise risk as well as internal audit and compliance. We also report on our top risks to the full board. When the financial crisis hit last year, we started doing regular updates, drawing on subject matter experts in different disciplines to provide our take on the crisis’ impact on Visa and mitigating actions that we were taking.

that might have had receivables from nonfinancials.

Bigger-picture, we looked at the economic impact, and how it might affect our plans for the year, revenue forecasts and consumer spending trends. We did some scenario planning around that, which was a useful integration between risk and strategy that we are also carrying forward.

the risk and the opportunity in those decision trees. So management can use our services to move business decisions forward much more efficiently, and I’m pleased with the success we’ve had there. We don’t want the company to be risk-averse. We want our team together with business management to be risk-aware, and we’ve done a good job so far of moving forward on that front.

Have those responses resulted in
lasting changes?

Some of our reactions were necessarily short-term, such as whether to put cash into money market funds after a fund we had invested in suspended redemptions. With financial institutions failing, we like everyone else had to look at the asset side of our balance sheet. As it happened, we had to manage where our cash was being invested and whether it was at risk from financial institutions going under.

In the early days of the credit crisis, the possibility that large institutions could fail caused concerns about nonpayment by clients, so we looked at enhanced ways of staying on top of clients’ financial condition, and some of those have continued. Because our clientele is almost exclusively financial, we were better off than a lot of other companies

Does risk management get the
credit it deserves?

Of course, risk management’s contribution is often less visible, because a crisis averted is a crisis unknown. But on a day-to-day level, I am pleased with the relationship we have with management. People here are extremely receptive to risk management input and to the tools we’ve put in place to help decisions get made with a consciousness of the risks involved. We’ll take some credit not only for getting that done with the right eye towards risk, but also doing so expeditiously, because it is a very complicated business. We have the four-party transaction model – issuing bank, merchant bank, cardholder and merchant – and a variety of business environments where in a given country we may have government-run payment systems and different types of regulatory interventions and interests in our system. This can raise some very complex questions as to what business strategy we should pursue in a particular country. One of the things we’ve done as a risk team is to use scenario analysis to quantify both

You’ve mentioned scenario plan-
ning. Is that something you have
instituted?

Yes, as a tool for management. We conduct workshops using our methodology to facilitate the decision-making process systematically and come up with strategies to mitigate risks.

Is there a particular challenge that
is top of mind?

The data security issue. We are in the era of hacking that dawned a few years back. Our industry, like others, like the government itself, has come under attack. My concern is not so much that cybercrimi-nals will get into Visa, which has taken the necessary steps to protect its infrastructure. It’s about all the participants in the payment system. The merchants who accept our cards and the companies that process on their behalf have become targets of this criminal enterprise that steals data and commits fraud. It’s an evolving situation. For every move we make, there is a counter-move by the criminals, so we have to continuously innovate to stay ahead of them.