Equinix VP Rod Verhulp shares the company’s approach to enterprise risk management

Rod Verhulp

VP Finance, Equinix

As a leading global data center services company, Equinix, Inc., not only has to manage the risks associated with its global data center operations, we must also understand and manage the risks required to sustain rapid growth and continue to achieve the operating results expected by our shareholders. At Equinix we believe there are two choices for how to deal with risk: 1. Proactive Risk Management or 2. Reactive Crisis Management. We have chosen proactive risk management as our preferred approach.

Risk defined

We define risk as anything that impacts the achievement of the company’s goals and objectives. This includes: strategic risks, operational risks, financial risks and regulatory compliance risks. Enterprise risk management (ERM) is used to protect and create value by choosing the best opportunities given the risks involved.

A look at enterprise risk management at Equinix

We are a very successful company that has experienced rapid growth (over the past seven years we have grown from US$730M to US$3.5B in revenues). We offer high quality data center services including guaranteeing uptime to the “five 9s” (i.e., uptime of 99.999 percent of the time), low latency and being network neutral. Our customers include the world’s largest financial institutions, their trading partners, the major ISPs, cloud services providers and the largest enterprise companies.

To maintain our success we realized that we need to understand the risks that impact our key business drivers. Our key drivers include: superior Data Center Operations; highly effective Sales and Customer Service processes (significant organic growth with 95%+ recurring revenue); growth through acquisition and expansion into new markets; integration of acquired operations; leverage of technology trends (e.g., cloud technology); and strong support functions such as Finance, Legal, HR and IT.

Here are the basic steps we undertook to build our ERM program:

1. Identify your key—and emerging—risks

We started by developing a list of Key Risks, which were identified through interviews with over 50 individuals, including members of the Board, Executive and Senior Management, Operating Management and outside resources such as insurers, legal counsel and external auditors.

We also developed and maintain a list of Emerging Risks. Each year we review the list of Key Risks and Emerging Risks and update our ERM database based on the latest input.

2. Develop a risk profile for each key risk

For each Key Risk, we developed a Risk Profile, which includes data on:

  • Velocity
  • Inherent Likelihood and Impact
  • Mitigation Capabilities
  • Effectiveness of Mitigation Capabilities
  • Residual Likelihood and Impact (based on Mitigation Effectiveness)

3. Create a risk scorecard and a dashboard (hint: you need a great technology platform)

We use the ACL GRC platform to support our ERM program. Once we have the data for the Risk Profiles, we generate a Risk Scorecard for each Key Risk as well as a Dashboard showing the status for of the Key Risks on a single page report.

4. Assign executive ownership for each key risk

We assign an Executive Owner for each of the Key Risks. They are required to maintain the Risk Profiles for each of their Key Risks and provide a report to the CEO each quarter using the Risk Scorecards. The annual performance measurement of Executive Owners includes an evaluation as to how effectively their Key Risks are being managed.

5. Take action to mitigate gaps and seize opportunities

Risk Scorecards include information as to any Mitigation Gaps or Opportunities. For each Gap or Opportunity, the Executive Owner is required to determine what action will be taken to close the Gap or leverage the Opportunity.

In most cases, specific action plans are developed with a project plan for completion. In some cases, the Gap is evaluated and it is determined that the risk level is acceptable and no action will be taken to improve the Mitigation Capabilities to reduce the risk. Our philosophy is that this is an acceptable response and an informed investment decision has been taken. That is the core to the value of ERM at Equinix.

Read More: In part-two of this post I share 4 ERM critical success factors that led Equinix to successful development and operation of our ERM program. Click here to read part-two.


Learn more about how Rod and the team at Equinix are using ACL’s data-driven platform to collaboratively manage governance, risk and compliance across the enterprise.

View case study

Share This