The Challenge: Replace static out-of-date risk data with a comprehensive risk system to support company growth
The Solution: Configure ARM to be the single repository to meet Fortescue’s operational and enterprise risk needs
The Results: Fortescue can base decisions on the up-to-date picture of risk from right across the business
In less than a decade Fortescue Metals Group (Fortescue) has become the world’s fourth largest iron ore producer and one of the top 25 companies listed on the Australian Stock Exchange.
Fortescue has seen phenomenal expansion, reporting record revenues of US$6.7 billion in FY2012, only four years after mining and loading its first ore onto ships using its own rail and port facilities.
Dynamic risk information is vital to support both day-to-day operations and strategic planning to maintain growth, profitability and reputation. In 2011 it was recognized that Fortescue’s risk management systems and processes needed revitalizing to support its rapid growth, and future strategic and operational plans.
Fortescue’s original risk management approach used external risk consultants to produce static risk reports from spreadsheet-based risk registers. There were large amounts of data which dated quickly.
Fortescue evaluated four risk systems, selecting Active Risk Manager (ARM) for its enterprise risk management capabilities and the knowledge and support of its team and local consulting partner EDSR.
The focus to-date has been on rolling out the use of ARM as the central, single repository of dynamic operational and corporate risk information. ARM now covers 75% of the organization, with well over 100 ARM users spread across the risk spectrum in over 30 business units, including support functions such as Supply Chain & Procurement, Environmental Management, and operational sites such as mines, and port and rail facilities.
A phased rollout of ARM was adopted to ensure that risk management added value to the business, improving employee engagement, and acting as a catalyst to increase organizational risk maturity.
Fortescue has also configured ARM to hold an Internal Audit actions management register and created a report to track progress on action completion, which enables reporting at board and executive levels. Risk registers will increasingly influence the annual internal audit programme with a focus on controls relied upon by the business to mitigate risk.
ARM is now Fortescue’s best source of enterprise risk information, enabling a stronger focus on risk mitigation activity and better reporting at all levels.
Geoff Harry, Fortescue’s Group Manager, Risk & Assurance, summarizes the 3 most important things Active Risk brings to Fortescue’s drive for better risk management performance as:
- Excellent implementation and support – people who really understand risk management
- ARM is an incredibly useful tool even at a basic level – providing the data needed for board reporting and the capability to track follow-up actions
- ARM has enabled Fortescue to move from static reporting to a dynamic, always up-to-date picture across the business
The vision the Fortescue risk team is working towards is for each executive and general manager to have daily access to a personalized ARM risk dashboard via MS Outlook. Fortescue is planning to use ARM Risk Performance Manager (RPM) to help create these dashboard reports.