Michael McGarry is the Sr. Director of Enterprise Risk Management at Walgreens Boots Alliance (WBA). Michael was an original Protiviti Chicago employee who joined in 2002 after working for Arthur Andersen since 1996. During his 11 years at Protiviti, Michael worked in SOX and Internal Audit and eventually moved into Enterprise Risk Management. In 2013, Michael left Protiviti to become the Director of Enterprise Risk Management at Grainger where he spent two years building the company’s risk department. Connect with Michael on LinkedIn.
Tell us your career journey from Arthur Anderson in Australia to Protiviti Chicago to today.
I expect most people in enterprise risk will tell you it’s an interesting journey and there’s no direct path into risk. I started my career at Arthur Andersen in Australia as a financial and internal auditor, and transferred to Chicago right before Arthur Andersen closed down. I was one of the founding members of Protiviti Chicago and was there 11 years. I left Protiviti in 2013 and joined Grainger to help build their risk department, and now in my current role, I lead the Walgreens Boots Alliance enterprise risk function.
In your 11 years at Protiviti, how did you see the company change or evolve? How did your role change?
I think any of the original Protiviti employees will tell you it’s very different today, or when I left, than it was 15, 16 years ago. The early days were very entrepreneurial for lack of a better term. You’re taking a bunch of mostly accountants and forcing us to be entrepreneurial, which is novel. We were taking muffins to target clients and had to create all of the back office functions that we’d always taken for granted. I had the novelty of coordinating Chicago’s first new hire class and college recruitment events.
When I think about how Protiviti evolved, I look at two big events: one was the rise of SOX in 2003 and the boom that Protiviti experienced following that. I think that was clearly a big moment for the company. The other one that was maybe a little more subtle was around 2007 – 2008. Protiviti could see that the revenue generated from SOX was dying and really made a commitment to becoming a true risk consulting company. That was when the Solutions were born and we started talking to clients about broader offerings.
With regards to my role, when I first started with Protiviti, I was an internal auditor who had to quickly adapt to becoming a SOX consultant. Probably around 2008 when the company was evolving, I was exploring what I wanted to do after SOX. I had always been very interested in broader company risk and entity-level controls, so I volunteered for the opportunity to work in enterprise risk management. Over the remainder of my time at Protiviti, I focused on ERM and helped build out the methodology for non-financial services clients.
What was it like building out an ERM program at Grainger?
Grainger had been looking to hire a permanent person internally, but finding the right person took longer than expected, and they had used an accounting firm to help jumpstart their program. In my first year at Grainger, I had a great year. We addressed all of the key issues that the board of directors were concerned with and built up the credibility of the program. That was a positive year one. The downside of year two was that after we built up our credibility, enterprise risk became a lower priority for management, and our ability as a department to influence became much harder.
What was it like going into industry after working in consulting for so many years?
It was funny. I was thinking about this and remembered a mentoring session I had with one of the MDs at Protiviti. He looked at me and said, I don’t know if you’d be better at industry or consulting. I didn’t know what that meant at the time, but I’ve learned a little more about the key differences between the two since.
When you’re part of the organization, the expectation is that you have a much deeper understanding than a consultant. You are truly part of the fabric of the company – told more, shown more – so the expectation is that you really know your stuff, both in your competency, and how it relates to the company. On the flip side, when you’ve been at a company for a little while, there’s an assumption that you’ve lost touch with leading practices in your discipline. To put that in my terms, people may not see my views on ERM as representing what other companies are doing, unlike a consultant. That can be frustrating because I try to keep track of what’s going on externally, and I feel like I still wear that consultant hat sometimes.
How did your role change when you moved to Walgreens Boots Alliance (WBA)?
My role at Walgreens Boots Alliance is similar to Grainger in that I only focus on ERM here. The biggest difference is the scale of the organization and the global perspective. WBA is a Fortune 20 company. We have operations in 12 countries; sell into 25 countries and all of our businesses are largely run independently of each other. So what was one program to manage for Grainger is multiple sub-programs for WBA.
There are certainly unique challenges to it. Currently, it’s just myself and a director. So it’s a team of two coordinating those businesses.
Was there an existing ERM program at WBA?
Walgreens, the U.S. retail pharmacy operations, had an existing ERM director. The old Alliance Boots world, which is who Walgreens merged with, used its Internal Audit function to perform it risk activities. When I came in, the goal was to try to take the good things Walgreens was doing and leverage those across the other countries.
Has your role shifted at all since you first started?
When we first started, there were certain leaders who had strong perspectives on how ERM should be done. Our initial pass at forming the program tended to be a little more academic or theoretical. What we’ve really been trying to do over the last year is make it more practical for the business and capture more dynamic risks and mitigation.
In addition, my role has expanded somewhat in that I now have global oversight of our Business Continuity program and have recently been appointed chair of our Global Health, Safety and Environmental Committee.
How do you get stakeholders to agree to what you are proposing?
What I’ve found is that when it comes to WBA executive management, they really do want to try to manage the risk whether organically or through ERM.
They’re genuinely interested in making sure that they are identifying and managing their risks. Generally, we don’t have to force our way in – most of the teams are pretty happy to engage. We make sure that they understand our perspective that we’re not there to shut down their risk taking; we’re there to support them and help them take the right risks.
What’s unique about working at WBA?
If I answer it relative to other ERM programs, I think the complexity of our business makes our ERM program the most unique. We need to have different sub-ERM programs for our business because of our geographic footprint and the business environment in each of those markets.
We also have a very entrepreneurial-minded CEO who is very much interested in what risks we can take, rather than what risks we can’t. So when we’re talking about ways to manage the risk, we need to be very pragmatic. His intent is not to over control and constrain the business; he wants to manage risk, but still be able to make the next deal.
How have you seen risk management change in your experience over the past 15+ years?
When I first got into risk management, the selling point was helping companies identify their risks. That quickly expanded to evaluating how those risks are managed, often from a lens that risk was “bad” and we needed to find ways to reduce the exposure.
Today, it’s more that we have a set of risks that continue to evolve, but don’t necessarily change quarter to quarter; they are the same risks. What evolves is their impact to the business and how we manage them. We acknowledge that we aren’t going to eliminate these risks, but they are the important risks we must face to have long-term success.
I think the expectations on ERM practitioners has evolved to not just be, “here are my risks and how I’m managing them”. It’s now: how can I manage these risks better? Should we be looking to take more of this risk or less of that risk? What are the risks we aren’t talking about that we need to consider?
How do you think about and look at risks that might be in the further out future?
We do it in a few different ways. From an external perspective, we subscribe to different publications and resources to inform our thinking. Internally, we also stay close to the forward-looking functions of the business. The strategic planning team, for example, looks at different markets and different ways of doing business; same with our innovation team. We try to understand their focus, and determine what their work may tell us about potential risks.
For us, it’s trying to stay abreast of the industry and environment – what are people talking about and how could events in different markets could affect us? We maintain a “Risk Watch List” that includes broad business risks and emerging topics, as well as WBA specific items that we aren’t able to accurately assess. Our executive Governance, Risk and Compliance committee review these on a quarterly basis. It’s not perfect, but it gives us a shot at seeing around the corner!