Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  education openpages risk-analytics compliance risk-management risk | 0 Comments | 2,282 Visits
You may remember hearing about problems with the College Board, which owns the SAT, and the Educational Testing Service (ETS), which administers the tests. In the recent SAT cheating scandal the College Board and ETS were accused of having lax security and a system that failed to punish cheats. But problems go back further, when a couple of years ago the SAT has serious issues with incorrect scoring of tests. And media reports speak to extensive incorrect scoring and losing test results in England in 2008, with the UK Parliament calling their operation a "shambles." And as far back as 1983 cheating was suspected in California. For details you may want to refer to my blog posting of November 2011, which includes analysis of what the accused organizations did, or rather didn’t do, to right the wrongs.
Well, we now find another player in this industry accused of wrongdoing. Princeton Review, which provides help to students in preparing for college entrance exams and sells study guides, finds itself accused of defrauding the federal government. An arm of the company that provides after-school tutoring to students at troubled schools is said to have falsified records – including forging student signatures, falsifying sign-in sheets, and making false certifications – in order to boost payments due the company. Relevant is that the company was informed of these allegations back in 2006, but prosecutors, who are now suing, say the fraud continued as nothing was done to fix the system. For what it’s worth, Princeton Review reportedly closed its tutoring division and says most of its current management joined the company after the alleged fraudulent activity took place.
But what’s striking is how the few players comprising this industry have had serious problems – not only in allowing fraud to occur, but also in failing to act in the face of wrongdoing. And this is an industry supposedly driving high academic standards! Yes, we know academic institutions are not immune to misconduct, but we can wonder how these industry players each went so very wrong. And food for thought – do we see other industries with an inordinate number of companies experiencing widespread instances of non-compliance, fraud or other misconduct? And what does that say about the culture not only of the individual organizations, but the industry as a whole? Hmmmm.
Chief audit executives do a lot of things really well, adding value to the companies they serve. What is especially interesting is how well many, especially CAEs of larger companies, gain information and insight through networking. Many are involved with their peers in industry or geographically based discussion groups, sharing through blogs, conferences, and internet-based information exchanges. And of course there’s still the opportunity to communicate via email or text or pick up the phone to talk with a valued colleague.
You may be as amazed as I in continuing to encounter intelligent, accomplished business people who still don’t understand what Sarbanes-Oxley’s internal control requirements are about. Let me share a recent experience.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  openpages risk & of (track ii solvency governance convergence management 1014) and grc basel compliance | 0 Comments | 2,693 Visits
Convergence of Governance, Risk & Compliance, Basel II and Solvency II (Track 1014)
IBM Vision 2012, Tuesday May 16th, 16:45 – 17:45 pm I will be presenting the Convergence
of Governance, Risk & Compliance, Basel II and Solvency II.
In this session I will take you through the most common questions I received from our customers facing Basel II and Solvency II. I will help you understand the challenges from an Operational Risk perspective and speak about how my clients have overcome these challenges.
Convergence, Risk Adoption, Risk Montoring, Loss Registration, Risk Reporting
and Dashboarding and Regulatory Reporting are topics that will be discussed in
Hope to see you in Orlando next week!
Twitter : #Vision12
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Twitter : http
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  grc risk reporting ibm compliance fsr cognos solvency regulatory ii basel openpages | 0 Comments | 2,873 Visits
Convergence of Performance Management and Risk Management - Part 2
the increase of the Governance, Risk & Compliance maturity level at many of
my clients I see that clients start to realize the benefits of the integration
of GRC activities in their Performance Management cycle. Therefore a follow up
on my previous article around Risk Management and the convergence with
Let me share some insights on Risk & Performance Management initiatives that keep clients busy around Europe. The following 4 items came up in the last 3 months.
1. Cost control and process performance improvement give us the opportunity to embed controls in our process. Lessons learned from Six Sigma and Lean can give us guidance here.
2. How do I manage organizational and regulatory change and monitor the impact on business processes, policies and my risk and control framework?
3. Trending topic is emerging risks, am I able to identity risks that are coming to me over time?
4. Integrated Financial and Risk reporting, an excellent example of ‘Where Performance Management meets Risk Management’.
Cost control and Process improvements
Implementing and testing controls has become a huge cost for many organizations. That is why some of my clients are now looking for a way to reduce cost by embedding controls in their existing business processes. This goes hand in hand with the global initiative on cost reduction. While optimizing or even re designing core business processes internal controls are being embedded in the process. What I see is that the organizations that involve process owners and process contributors are most successful. This is an initiative that we have seen before in Lean Six Sigma projects. The only way to optimize processes and to reduce waste is to involve the process owners. Instead of increasing regulatory pressure we should seek a solution in this area in my opinion. Business cases around this have proven to be very successful and savings up to millions of Euros per year have been achieved.
Regulatory changes are a huge concern of many risk, compliance, legal and audit professionals. How can we monitor these changes and how can we understand the impact on our organization? Taking this together with the fact that policy management is changing from a ‘must do’ once a year to a continuous process tells us that an integrated approach to Governance, Risk & Compliance is necessary to drive performance. I come across clients that have a monthly Performance Report that shows how they derived business objectives from their policies and how they are performing on a compliance level to these objectives. What risks did they identify in this process and how will they respond to these risks? Organizations realize that they need to understand the correlation between processes, policies, regulations, business objectives, risks and controls and how they might impact each other. An integrated GRC view is the only way to face this challenge.
Emerging Risk Modelling
One of the trending topics among customers is Emerging Risks. Can we model risks that we see coming and can we follow up on risks that are getting closer or fading away? Analytical Risk modeling is an answer to this question. This also let you perform risk forecasting with different scenarios. Interesting question is how the increase of a risk exposure in an operating entity will impact my group level exposure? Risk Analytics, derived from the Performance Management area can help us answer these questions. A financial performance management cycle contains the exact same characteristics.
Integrated Financial and Risk performance reporting
Financial and Risk reporting are standard items in today’s Annual Reports, Tax statements, Management reports and Regulatory reports. The big question is how do I keep all of this information organized in such a way that I understand the source of the information, the transformation it has gone through, the owner of the information and most important when information changes at the last moment that all information output contains the latest version? No bigger reputational risk than sending out inconsistent information to stakeholders. Some organizations saw their share price drop with 25% due to inconsistent external reporting. One of my clients has implemented a solution that orchestrates all of these information sources with workflow capabilities and even XBRL output. From a risk perspective this is a great mitigation of your reputational risk and an excellent example of ‘Where Performance Management meets Risk Management’.
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM Europe
Twitter : http
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  analytics grc busness management openpages ibm erwin boeren performance risk | 0 Comments | 1,279 Visits
Last year IBM acquired OpenPages as a strategic move into the area of Governance, Risk and Compliance. The lasest announcement to acquire Algorithmics (quantitative risk management) shows the continuous commitment of IBM in the GRC market. GRC software will integrate into the Business Analytics Software group, the area where the former acquisitions like Cognos, SPSS and Clarity systems already resides.
Now that Risk Management is evolving, more and more organizations are starting an enterprise approach to risk management. And this is where I see the need for Risk and Performance Management convergence.
In past Risk Management implementations I see that a major portion of time and budget was spent on Risk Reporting and Dashboarding. Especially the need for self service reporting, where users can ad hoc create their own risk reports, is growing. We do not want to wait in the queue waiting for our report to be created. 2 days later you missed the opportunity to respond and the loss is there.
With this self service capability the question automatically pops up 'can I trust my data'. And now we are back in the area of data governance. This is exactly where the area of Performance Management is today.
Apart from these reporting and dashboarding capabilities Enterprise Risk Management means alignment of risks and controls to the strategic initiatives of the organization. What will prevent me from reaching my business goals? Isn't this defined as a risk? And how will we prevent this from happening? Wasn't that defined as a control?
Even more interesting are questions like, 'What if I was able to perform risk scenario planning?', 'What if I could predict risks from happening?' or 'What is the correlation between the risks that have materialized?'.
And there is the proof that Risk Management and Performance Management have lots in common and should be integrated. Lets call it Business Analytics.
Governance, Risk & Compliance Leader
IBM IOT Southwest Europe
Richard Steinberg 270004HRBG email@example.com | | Tags:  openpages erm itg risk it-risk coso risk-management | 0 Comments | 2,351 Visits
If you haven't already seen it, it's worth a look – The Committee of Sponsoring Organizations of the Treadway Commission just published a thought paper dealing with risks related to cloud computing. It leverages off COSO's enterprise risk management framework, speaking specifically to issues surrounding hosted services delivered over the internet. The paper is geared not to the techie, but rather to management level personnel who need to understand not only the benefits, but also the associated risks. The paper briefly outlines the many benefits of cloud computing, including greater technology value at lower cost, faster speed of deployment, common technology platforms, reduced need for support personnel and related expenditures, and environmental benefits.
Naturally, most of the focus is on the risks. These include the strategic – with lower barriers of entry for new competitors and related challenge to current business models – and dependency on cloud service providers which in turn drives legal and related risks. Others include lack of transparency, reliability and performance issues, security and compliance concerns, and elevated risk of cyber attack or data leakage. The paper also deals with issues inherent in moving to the cloud, such as the extent to which management considers the impact on the company's organization and IT and other personnel resources, noting "In many cloud scenarios, the organization no longer has complete or direct control over technology and technology-related management processes. Management must determine if it has the risk appetite for the entire universe of potential events associated with a given cloud solution as some of these events extend beyond the organization's traditional borders and include some events that have an impact on the [cloud service provider(s)] supporting the organization."
The paper also discusses cloud issues in the context of COSO's ERM Framework's eight components, outlining how each can be addressed and used in evaluating cloud computing alternatives. It provides suggestions for dealing effectively with the more significant risks, and highlights key decisions to be made by senior management – as well as responsibilities of C-suite executives – and areas on which the board of directors needs to focus its attention. If your company is already in the cloud or considering going there, the paper is worth the read.
As an extension to the annual Pric
By functioning as a consultative arm to the business and helping to establish an enterprise-wide risk and control framework, audit has the capacity to influence the continued improvement of process level controls as well as the macro level control environment. Internal audit can bring to the business best practices for measuring, managing and prioritizing risks while cross pollinating effective management techniques and internal controls across the enterprise.
To learn more about Internal Audit and its evolving role in ERM, check out this white paper.
If you’re attending OpRisk USA in New York City March 24-26, don’t miss Scott Green’s discussion on reinventing risk processes. A frequent speaker and well versed GRC industry expert, Scott is the managing vice president of operational risk management at Capital One and also serves as vice president of the OpenForum User Group. At OpRisk USA, Scott will make a case for risk process integration and success factors in driving change to create a more effective and efficient ORM.
It’s well known that a company’s tone at the top is critically important in determining its culture, including whether or not it will act with integrity and ethical values – fundamental elements of effective internal control and risk management. And we know it’s not only the words spoken at the top, but also the CEO’s actions that drive culture. What brings this to mind is the recent conviction of the CEO of fraud detection firm Fraud Discovery Institute. While a conviction of the head of this type of firm might appear unusual though not particularly noteworthy, what’s truly compelling about this news is that the CEO is none other than Barry Minkow.
The Senate today voted 60-38 to end debate of the Financial Regulation Reform Bill and move to final passage later today before heading to President Obama’s desk. In addition to increased power to monitor systemic risk in banks, the Bill gives regulators the ability to step in and breakup or seize the assets of financial institutions deemed to be at risk of failing and posing a threat to the financial system. It also promises to create a new federal agency called the Consumer Financial Protection Bureau (CFPB) which will police loans and financial services products that banks and others sell to consumers. This morning’s vote was primarily democratic (all but one democrat supported the bill), and Republicans for the most part are claiming that it overextends the power of the government which, they argue in the long run will cost banks a significant amount of money in meeting the new regulations and reporting requirements.
The Huffington Post is reporting that, “a team of Goldman Sachs analysts predicted in a Tuesday research note that the legislation will annually cost Bank of America about $4.4 billion, Citi about $3.7 billion, JPMorgan about $5.3 billion, Morgan Stanley about $900 million, and Wells Fargo about $2.2 billion.”
The bill seems certain to pass the final Senate vote later today and Obama is ready to sign it. The ultimate impact on the risk and compliance management market is yet to be determined, but one thing is for certain, the era of deregulation is officially over.
The Financial Stability Oversight Council is a new regulatory body created by the law that is tasked with monitoring and regulating companies that are deemed by the Council to be “systemically important.” The Council has the authority to instruct the Federal Reserve to impose new requirements on systemically important companies such as increased capital and liquidity levels as well as disclosing risk practices, regulatory gaps and resolution plans or “living wills.” In its role as systemic risk monitor, the Council will collect risk data from various sources including Federal and State financial regulatory agencies and the newly created Office of Financial Research (OFR) – which will among other things be responsible for collecting data from financial services companies.
The Dodd-Frank law also calls for a Risk Committee to be established by all public, non-bank financial companies, as well as all public, bank holding companies with over $10B in assets under management. Supervised by the Board of Governors of the Federal Reserve, the Risk Committee will be held responsible for enterprise-wide risk management oversight and practices, and be required to include “at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”
To meet these requirements for risk exposure data, financial services institutions need an information architecture that provides full transparency and reporting for the Board, Risk Committee and potentially the OFR. If you’re looking to develop an information architecture that will meet the requirements of Dodd-Frank and new regulations to come, here are a few things to consider:
1. Create a central platform to pull all of the different data elements together and maintain the relationships between elements (RCSA, Loss Events, KRIs, Issue Management, Policy Management, etc.)
2. Establish a common taxonomy and library for policies, processes, risks, controls, regulatory requirements and other key data elements
3. Integrate multiple areas of risk (operational, compliance, strategic, etc.) to provide aggregated analysis and full reporting of all risks across the enterprise
In my last blog post, I mentioned that the new Financial Stability Oversight Council created under Dodd-Frank will collect risk data from various sources including Federal and State financial regulatory agencies and the newly created Office of Financial Research (OFR). The OFR in turn is responsible for collecting risk data from financial services institutions at the behest of the Council. These additional, external information and reporting requests will not only compound the extensive reporting responsibilities of risk committees and risk managers, but will also likely overlap with internal reporting requirements from Boards and executives.
As the Dodd-Frank rulemaking proceeds in the coming years, reacting to each new rule and regulatory requirement with siloed technology and resource investments will clearly not be effective. The financial crisis of 2008 highlighted the interdependency of risks across an enterprise (credit, market, operational) which need to be managed holistically rather than in traditional silos. A siloed approach limits an organization’s ability to streamline risk and compliance processes and reduce costs. It also obscures the opportunity to integrate risk and compliance to gain a comprehensive view of the firm’s risk exposure.
Gordon Burnes commented in a recent blog post that “as companies put in place this information architecture to surface enterprise risk exposure, thinking about interdependencies will be critical to reduce cost.” I’ve worked with numerous OpenPages customers who are actively managing multiple risk and compliance programs on a single framework. The impetus behind these initiatives varies from the need to review enterprise risk and control performance at executive and Board-level meetings, to Federal regulator demands, to the need to simplify and rationalize risk and control assessments. A large, OpenPages financial services customer recently completed the convergence of risk assessments across all risk and compliance programs with the explicit intention of monitoring risk exposure across their business.
Moving forward as new Dodd-Frank requirements emerge, financial services institutions will require a converged information architecture that supports multiple risk and compliance initiatives on a single framework. An integrated risk and compliance framework can reduce the disparate databases and reporting structures, while at the same time meeting internal and external reporting requirements more efficiently. Whatever risk disciplines are significant within your firm, the goal should be to integrate them within a single framework that produces a holistic view of your risk landscape, while meeting the needs of regulatory agencies.
Accelerated filers of course have long been subject to SOX 404 (a), requiring management reporting on the effectiveness of internal control over financial reporting, as well as section (b), where auditor attestation is required. While having to incur tremendous costs, with some companies seeing little commensurate benefit, others have seen improvement in business process effectiveness, internal control beyond financial reporting, and improved compliance more broadly. Non-accelerated filers, already subject to management reporting, have gained another reprieve from the auditor attestation requirements of section (b). Great news, many are saying. They hail the opportunity to avoid incurring additional costs and taking focus away from running and growing their businesses.
Recently I came across an article in Directors & Boards by a former colleague of mine that offers a different perspective, which in my view is worth considering. His view is, in addition to the SEC losing credibility – agreeing to another deferral after making clear and definitive statements that no more would be forthcoming – that requiring and adhering to section (b) offers benefits beyond the costs, for a number of reasons. These include (1) Smaller companies traditionally have less sophisticated systems and less experienced individuals in management positions, with statistics showing greater incidences of fraud and restatement of financial results (2) The 404(b) compliance costs have come down with the advent of AS 5 and COSO’s guidance for smaller businesses (3) Studies indicate that companies that are not SOX compliant or have material weaknesses in their internal controls receive a lower valuation, whereas those that are compliant receive higher multiples when sold (4) These companies are less likely to take advantage of IT solutions that provide enhanced efficiently and management capabilities well beyond better controlled financial reporting, and (5) CEOs and CFOs who already must certify to the effectiveness of financial reporting controls are on the hook by themselves, failing to receive the comfort provided by auditor attestation.
Although there were differing opinions about the main causes of the current financial crisis, most speakers at RiskMinds in Geneva were unanimous in their belief that the worst is still to come in what many were referring to as the “Great Recession.”
Robert Shiller of Yale University drew many parallels between the Great Depression and today’s crisis. For example, we have lost 60% of the stock market value since the 2000 high, while during the great depression there was an 80% drop. But Shiller refuted many of the commonly believed causes of the current crisis such as weak underwriting standards, unsound risk management practices, increasingly opaque financial products, and aggressive leverage. He maintains that the speculative bubble in both the real estate and stock markets were largely to blame for the worst financial crisis since 1929.
Maureen Miskovic, CRO at State Street, opened her presentation with a quote from Dickens’ Tale of Two Cities: “It was the best of times, it was the worst of times, …” and went on to claim that we are in the midst of a financial revolution. Miskovic predicts that we will see unemployment levels of close to 10% in the U.S. next year which will in turn cause problems in the prime mortgage market. She also predicted that the current political climate will result in punitive regulation which will transform the large U.S. banks into institutions that are very similar to public utilities (increased disclosure, more transparency, and intrusive examination).
Zannie Beddoes, Global Economics Editor at the ECONOMIST, predicts that shrinking personal wealth will greatly effect demand and eventually push the world into depression era economics. She stated that the current situation is unlike other post war recessions due to the asset bubble burst and so we are in for a deep, long recession. She also fears an anti-market backlash which could result in subsidy wars and protectionism policies.
While the speakers painted a picture of doom and gloom, they were clear about the increasing role that risk managers need to play in helping financial institutions restore confidence and trust, as well as create a sense of opportunity in the financial markets.
I’ll summarize some of their recommendations in tomorrow’s blog.
How can risk management help restore confidence and trust in financial institutions and the stock market in particular?
Robert Shiller of Yale University believes that we need a new information infrastructure that provides comprehensive financial advice for everyone. He compared receiving professional financial advice to how most people have access to professional medical advice today. Imagine, for example, that if you got sick you had to go to a major drug company and ask them what to do and their advice would always be centered around their products, even if they knew a competitor had a drug that would be just right for you. For the majority of people, this is the situation we are in today with respect to financial advice and Shiller believes this needs to change even if it requires subsidizing financial professionals. Shiller also discussed ways to help improve the housing crisis where more than 12 million homes are now under water (mortgage-wise). He suggested that we need improved retail products such as home equity insurance and continuous workout mortgages that would adjust mortgage balances as housing prices decline.
Zannie Beddoes, Global Economics Editor at the ECONOMIST, gave her opinion on how we get rid of the inevitable headaches we are experiencing after moving from bubble to hangover, where assets went bust, greed changed to fear, and where thrift is foremost in everyone’s mind. Annie believes that letting Lehman fail was a major blunder and instead of an orderly wind down we were thrown into a major financial crisis. Her global to-do list for a recovery includes strengthening banks, lowering interest rates, and injecting money to provide credit liquidity.
A prominent theme from most speakers was the need to bring fairness to the restitution process. Shiller cited the example of how Germany was treated after World War I as the wrong approach. But public sentiment is definitely against the privatization of profits and the socialization of losses that seems to be happening within the financial services industry. And there is no question that providing NINJNA loans (no income, no job, no assets) was a colossal mistake but how should individual borrowers be treated in the aftermath? Should the general public be subsidizing borrowers who in many cases should not have purchased a home in the first place?
Nick Mongue, from the MACQUARIE GROUP, said that the good news is that very few banks have lost more than their capital models suggested. But, the bad news is that they lost it all in one year and that most of the losses have come from the good assets where there was hardly any risk allocated. He suggests that the current period will be rich in lessons to learn, but for risk professionals you want to learn from other banks as opposed to your own.
Even in the wake of sweeping deregulation of the energy industry, few companies face as much government oversight as utilities. Power generation and distribution companies are subject to a maze of regulatory oversight, including state agencies and the federal agencies, the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), the Environmental Protection Agency (EPA) and the Occupational Safety and Health Administration (OSHA).
As Managing Director of Corporate Compliance at Duke Energy, Tom Wiles knows first hand the challenges of operating a business in a regulated industry. Duke Energy – a Fortune 500 company traded on the New York Stock Exchange – is one of the largest electric power companies in the United States delivering energy to approximately 4 million U.S. customers.
If you’d like to learn the key steps your organization can follow to integrate disciplined ethics and compliance management into your business and hear about the value organizations are receiving from effective programs, check out this Webinar.
Information infrastructure provider EMC yesterday announced that it will buy IT GRC vendor Archer. According to the press release, EMC bought Archer for it’s “technologies for information risk management and information security” and will operate as part of the company’s RSA security division. Archer will become part of the EMC information management stack, integrated tightly with EMC products, like their widely renowned storage solutions.
A recent report from Forrester Research found that 46% of GRC inquiries were aimed at “understanding how to improve their compliance program.” Many asked if compliance should be part of a strategic plan or just a tactical component. If you tuned into the recent OpenPages Webinar with Aviva/Norwich Union’s David Fisher you heard how risk management practices at Aviva are being applied to financial controls to accomplish compliance goals while also improving operational control environments.
Carnival Corporation Case Study Webinar: Leveraging the Power of Integrated Risk Management
The Great Financial System Meltdown: Underlying Causes and Impact on 2009
COSO has released a new paper titled Effective Enterprise Risk Oversight: The Role of the Board of Directors which is aimed at helping boards of directors strengthen their oversight of enterprise risks. In particular, it points to four specific areas discussed in COSO’s 2004 ERM framework that contribute to board risk oversight:
The last area is one that cruise line leader Carnival Corporation has taken to heart. In a recent interview with Erik Krell from Business Finance, Carnival’s vice president and chief audit executive Richard Brilliant explained how his team “has done a phenomenal job in developing a framework that enables us to provide risk reporting to the board that they never had before. The reporting not only allows directors to understand how risks are mitigated, but also provides ongoing risk monitoring as well as tracking of action plans for improvements.”
Brilliant says that presenting new, precise information to the board about the company’s overall ability to manage governance, risk, and compliance issues has really improved the dialogue about how the company could better respond to risk in the business. Further, Brilliant notes, “the board can also more clearly see over time how things have improved.”
To read the full interview click here.