SearchSecurity has coverage from RSA about a new version of the PCI Data Security Standard, due out sometime in Q3 of this year. It appears they’re taking a pragmatic approach, and indications are that it will be an evolution based on user feedback rather than a drastic, revolutionary change. PCI has been a sensitive topic, and the general consensus from practitioners is that it doesn’t really help prevent data breaches in and of itself. What it DOES do, however, is provide a stick to use to get your organization to fund information security and IT risk management gaps.
If we learned anything from SOX, it’s that managing any non-trivial set of risks and controls in spreadsheets, word documents, word of mouth and prayer is a recipe for failure. PCI, in any incarnation, is no different.
Over the last couple weeks, OpenPages has participated in three different conferences on risk and compliance. We sponsored the Global Conference on Operational Risk put on by the RMA and ORX, Gartner’s Risk Management and Compliance event in Chicago, and the RIMS show in Orlando. At each event, many people were asking about the role of risk management moving forward. In particular, as companies adjust to a new reality of risk management oversight, particularly in the financial services arena, many are rethinking how the different risk disciplines relate to one another.
Rene Stulz in the Six Ways Companies Mismanage Risk, published in the March issue of the Harvard Business Review, notes that risk managers often distinguish between market, credit and operational risks, which they measure separately and in isolation. However, Stulz points out that "when you put risks into a box, you’ve ignored the fact that business units strongly identified with a particular class of risk may be exposed to risks of other types that are associated with other units." Stulz goes on to point out that the collapse of the securitized mortgage market led to not just realized market risk for banks but also a very serious business risk associated with the drop in revenue associated with the lost fee income.
As more and more examples emerge about how risks cut across organizational silos, companies will more seriously consider a holistic approach to risk management. Part of the inertia has historical and cultural underpinnings, but to get out of the current crisis with a revamped risk management program that would help avoid another financial crisis of this type companies will need to get the different risk management silos to work more closely together. More on that later.
Shelley Parratt of the SEC’s Corporation Finance Division gave the afternoon keynote on Day 2 of Compliance Week 2010. She spoke about the Commission’s program of enhanced disclosure.
With 10K companies filing and SOX requiring the Commission to review every companies filing at least once in three years, she said that the SEC has to use their resources appropriately, and the filter that they use is how will the information be used by investors.
On executive compensation, she acknowledged that this is a very emotional topic. The SEC is trying to provide a clearer and more complete picture of what executives get paid. First, companies must provide a framework for how they make compensation decisions, but the SEC is interested in how the framework is used in real decisions. Also, the SEC is focusing on performance targets, how those targets change, and whether those targets are disclosed. “A company must engage in a thoughtful discussion about its disclosure decisions.” It is not sufficient, for instance, to just say that the target is “challenging” but should be put in context of historical performance.
On disclosure about the board and company leadership, Parratt was very clear that Chairman Shapiro is interested in increased disclosure on leadership choices and risk oversight. She said that there is no requirement for a risk committee. Different companies may choose different approaches to discharge their responsibility for risk oversight.
Regarding non-GAAP financial measures, Parratt said that disclosures should be consistent across filings and other communications. In other words, if a company uses non-GAAP financial measures in its earnings call, they should also use those measures in their filings. In no circumstances, however, should those measures be misleading, whether they are in a filing or not.
Regarding climate change, Parratt was careful to state that the Commission was not taking a position on the potential effects of climate change
During the Q&A session, Editor-in-Chief Matt Kelly asked about the current quality of the enhanced disclosure filings. Parratt acknowledged that “what we see in the first year of disclosure is often vastly different than what we will see in the second,” but noting that the first year’s disclosures aren’t necessarily out of compliance, inadequate, or poor, implying, of course, that this year’s proxy filings are all of the above!
Risk management best practices, strategic planning, networking and high energy were in abundance at OPUS 2010 – the sixth annual OpenPages User Symposium which witnessed continued growth in attendance. Featured topics at OPUS 2010 – where over 150 risk management professionals recently gathered from North America, Europe, South Africa and Asia, centered around evolving risk management strategies, risk convergence and implementing proactive compliance programs.
OpenPages President and CEO Michael Duffy kicked off Day One of the three-day user forum with the opening keynote address titled, ‘From Risk to Performance’ where he highlighted the evolution of risk management over the last decade and shared with attendees his vision for how risk management must adapt to the economic, regulatory and political pressures facing all companies today.
This was a common theme throughout OPUS 2010 as leading risk practitioners discussed the changes seen in the market over the past few years and how OpenPages customers are now in a unique position to provide valuable risk intelligence that will drive improved performance for their companies.
Following Michael Duffy’s opening keynote address, Madoff whistleblower Harry Markopolos outlined the red flags, warning signs and critical audit steps that companies need to be aware of to prevent similar events from occurring in the future. Following his keynote, Harry spent the day speaking to attendees, signing copies of his new book ‘No One Would Listen’ and sharing his thoughts on upcoming financial regulation (check out Pat O’Brien’s blog for more detail).
Julian Parkin, Group Privacy Programme Director at Barclays kicked-off Day Two with a fascinating case study on how Barclays has leveraged OpenPages for its risk management initiatives across the enterprise and across evolving risk types. Parkin described his target state as “a single view of risks, controls and governance across the organization.”
Throughout the three days, sessions were led by risk managers from a variety of customers and partners – American Express, Barclays, Carnival Corporation plc, Duke Energy, IBM, PwC and Williams Companies. Stay tuned for more details on these sessions in upcoming blog posts.
Thank you to all who attended, we look forward to seeing you at OPUS 2011!
It’s Day Three of RiskMinds in Geneva. “Risk Modeling, Measurement and Management in the New World Order” is the topic of the day. We’re in a session on operational risk, “Operational Risk Management Going Forward”, hosted by Joachim Pfeiffer, Commerzbank, and John Whittaker, Barclays.
This is an interactive session, with questions coming from the attendees. Whittaker kicks off the session by noting that many in the conference have said that operational risk is off the agenda as the roots of the crisis lay elsewhere (credit, in particular). Whittaker disagrees, pointing out that impairment at most banks has gone up at most banks, and, and if you look at the root causes of the impairment, certainly credit decisions played a significant part, but so did poor process (collateral not in place) or process not followed.
Whittaker also discussed his concern about regulatory change over the next year. In the coming year, for instance, the “living wills” discussion is of concern, with more hand-offs and hand-ins. He’s also concerned about whether we will have enough people to deal with the extra process.
The rate of change is also a concern. Whittaker notes that organizations will have to be able to quickly modify processes to keep up with regulatory change. The question is whether organizations can keep up.
New product introduction: participants described a process whereby support functions have the ability to veto a new product that can’t easily be supported.
People issues: How do we deal with risk culture? For instance, should we have stage gates for bonus hold back. Tone at the top is really important. People’s bonuses should be calculated based on a risk adjusted P&L. Companies are also beginning to think about earnings quality. Regulators are focusing on a use test: how are companies using risk information.
Operational risk capital number: How does this influence the function? The operational risk component of economic capital is fairly small so it’s difficult to influence policy through the capital calculation discussion. Operational risk could be a must larger component of regulatory capital, however, and operational risk could have more to say in that discussion. Scenarios drive a discussion with the business, potentially enhancing the profitability of the line.
Benefits of AMA: Capital allocation–12.7 for a TSA bank/10.8 for an AMA bank. Huge benefit to putting that capital to work.
BIS range of practices in scenarios: US regulators are not accepting scenarios. Is this a trend? Whittaker thinks no and that US regulators over time will gravitate towards the European point of view. Pfeiffer points out that scenarios are hard to include in a capital model when you need 99.9 confidence.
Loss-based models: Reduce loss without reducing risk . Do we need to move to a causal model? Whittaker believes that everyone will have to have a hybrid-model, including both loss data and scenarios.
Internal control systems: Operational risk can make sure that there’s a single control process throughout the organization so that the person operating the control can spend more time on the control and less time answering questions about whether the control is effective. Also, there should be some consideration given to the way different controls are tested.
PwC surveyed the chief audit executives (CAEs) of Fortune 250 companies about trends likely to affect internal auditors over the next five years and what they expect internal audit to look like in 2012. Titled “Internal Audit 2012”, the study lists “ten imperatives” that provide the foundation for a high performance internal audit function in the years ahead including:
“Take an integrated approach to IT audit, one designed to strengthen IT capabilities. IT audit strategies need to lay the groundwork for integrating IT audit expertise within audit teams. An IT audit plan should center on an annual IT risk assessment, reflecting a clear linkage between IT risk assessments and IT audit planning. In addition, it should address risks within individual business processes and provide for continuous enhancement of IT audit capabilities. It’s also important for the plan to be clearly articulated, formally documented, and well aligned with organizational IT strategies and objectives.”
One of the key roadblocks to an integrated approach to IT audit is the sheer complexity of data gathering and management. In the past, it represented a tremendous amount of effort for internal audit to collect relevant information and to govern access to that information securely. A centralized technology platform for identifying, assessing and monitoring risk and controls presents a unique and unprecedented opportunity to help the business focus on making risk decisions based on management’s risk appetite and tolerances.
This common framework and process can make the business more predictable in meeting IT, financial and management objectives and can help managers anticipate major risk and control problems of the future. As a partner with IT and the business in managing risk, internal audit should be a driving factor in evaluating technological and process-based changes and evolving the organization’s risk management practices.
Tommy Thompson, IT Security and Compliance Coordinator at Williams Company recently presented at OPUS 2010 on reducing the complexity of IT risk and compliance and how Williams was able to significantly reduce costs while at the same time increase the effectiveness of their IT compliance programs. In the following video, I had the chance to speak with Tommy after his presentation.
Former Federal Reserve Board Governor and PCAOB Chairman Mark Olson spoke during the general session this morning about the proposed legislation for financial services regulatory reform, the main point of which is to ensure systemic stability for the financial system. He made an interesting point, saying that in the US “we have a limited tolerance for financial volatility” and that regulatory reform aims to dampen that volatility.
Regarding “too big to fail,” Olson said that he agreed that we should focus legislation to manage this risk to taxpayers but that this “is a very complex task” that shouldn’t be understimated. He acknowledged that regulators and institutions agree that the soundness of the financial system requires better understanding the systemic risk posed by individual institutions, but the question is the best way to address this problem. He did note that the Dodd bill attempts to clarify the Fed’s role in “unusual and exigent circumstances” under section 13-3, which should provide more clarity as to what sort of consent is required for special action by the Fed, but, in the end, he said that the bill doesn’t address “too big to fail.”
He also said that the “tone and approach” of different regulatory agencies varies and that the bill will attempt to clarify responsibilities, although there are still certain areas of the bill which would lead to an overlap in responsibilities.
He noted that the Dodd bill will require risk committees that will require “timely and comprehensive information”, and he perceptively commented that the effectiveness of these committees will be dependent upon the quality of this information.
During the Q&A period, one member of the session asked about the so-called “shadow banking system” or financial services outside the regulatory scheme. Olson said that the consumer protection agency is trying to address this, and noted that the FTC had not been as aggressive as it should have been.
Overall, while Olson said that we would most likely get a bill passed this year, his comments did not make it clear that we would be getting the right one, or that it would truly address the complexities of managing risk in our financial system.
OPUS 2010 keynote speaker, independent financial fraud investigator and Madoff whistleblower Harry Markopolos will release his exclusive story “No One Would Listen: A True Financial Thriller” on March 2.
The book, which will be made available to all OPUS 2010 attendees, describes how he and his team “The Fox Hounds” investigated Madoff and presented their case to the SEC on numerous occasions’ years before Madoff turned himself in on December 11, 2008 (approximately $65 billion later).
From May 2000 to December 2008, Markopolos and his team submitted five separate and detailed warnings to the Securities and Exchange Commission (SEC) about Madoff’s operations in an effort to launch an investigation on the validity of his practices.
During the OPUS keynote address, Markopolos will detail how his four person investigative team tracked Madoff and the Madoff Feeder Funds throughout Europe and North America and repeatedly submitted detailed reports to the SEC.
If you’re an OpenPages customer and would like to hear Mr. Markopolos discuss the red flags, warning signs and the critical audit steps that companies need to be aware of to prevent similar events from occurring in the future, register for OPUS 2010 and receive a complimentary copy of his new book. It’s promising to be a “Thriller”!
Revised reporting of stock and option awards to company executives and directors in the Summary Compensation Table
Potential conflicts of interests of compensation consultants
What might not be entirely self-evident is when they take effect. Help is provided by PricewaterhouseCoopers, which issued an advisory highlighting the timing for these new disclosure requirements, as follows:
The effective date of the new rules was February 28, 2010. Accordingly, the Form 10-K and proxy statement of a calendar year company must be in compliance with the new disclosure requirements if filed on or after February 28, 2010. If a calendar year-end company files its proxy statement on or after February 28, 2010, the proxy statement must comply with the new disclosure requirements. This is true even if the 2009 Form 10-K was filed before February 28, 2010.
An existing SEC registrant with a 2009 fiscal year that ended before December 20, 2009 is not required to comply with the Regulation S-K amendments until it files its Form 10-K for fiscal year 2010. As a result, any registration statements filed before its 2010 Form 10-K is required to be filed would not be subject to the new Regulation S-K amendments. A company may early adopt the new disclosure provisions; however, if the company elects to voluntarily comply with the disclosure changes regarding stock and option awards, it must also comply with all the other applicable Regulation S-K amendments.
If a new registrant (e.g., a company completing an IPO or a registration statement on Form 10) first files its registration statement on or after December 20, 2009, compliance with the Regulation S-K amendments would be required for such registration statement to be declared effective on or after February 28, 2010.
OpenPages finished another strong quarter this week. Big wins in the US, UK and South Africa led to another profitable quarter, with both revenue and bookings up significantly in Q3 over Q2. Other highlights from the quarter included being named as a leader in both the Forrester EGRC Wave and the Gartner MQ as well as in reports by European analyst firms Chartis and Celent. If there were a Sprint Cup for risk management software, OpenPages would be way out in the lead! We’re seeing more and more evidence of what we surveyed at OPEN, namely, that risk management spending is trending up this year, and we’re also starting to see companies prepare for 2010. We’re involved in several opportunities that already have approved budgets for January.
This weekend the president-elect Barak Obama was interviewed by Tom Brokow on Meet the Press. The interview covered a wide variety of topics, but one caught my eye as it impacts the risk management business moving forward.
On the subject of regulation in the financial services industry, Obama was very clear:
“And so, as part of our economic recovery package, what you will see coming out of my administration right at the center is a strong set of new financial regulations in which banks, ratings agencies, mortgage brokers, a whole bunch of folks start having to be much more accountable and behave much more responsibly because we can’t put ourselves–we, we can’t create the kind of systemic risks that we’re creating right now, particularly because everything is so interdependent. We’ve got to have transparency, openness, fair dealing in our financial markets. And that’s an area where I think, over the last eight years, we’ve fallen short.”
So, what does this mean for the risk management business? Well, there are two key points about what Obama said. First, he mentions accountability. The question is accountable for what. My guess is that the accountability he’s talking about is that, for instance, rating agencies have to be accountable for the ratings they issue, banks will have to be accountable for describing accurately, and completely, the securities they are selling, etc. Second, he mentions transparency and openness. Clearly, banks are going to have to provide more transparency around reporting on risk in their business. And with with more stringent reporting requirements will come greater emphasis on internal reporting on internal controls and risk exposure. Steve Adler of IBM blogged about this 10 months ago. It won’t be another 10 months for stricter regulation to materialize; the question is how will the industry respond?
We’re now in “Moving Operational Risk Forward” or “Getting Value from ORX Data and Tying Operational Risk into Each Business Unit” with Joe Sabatini, JP Morgan, and Simon Wills, ORX. The introduction is being given by David Millar, PRMIA, who opened the session with a statement on the fire evacuation procedures. Some will remember that a fire alarm during an operational risk conference is not unheard of.
Sabatini started out by echoing comments from a previous session: namely, that the increased regulatory pressure will increase the challenges of managing operational risk at regulated entities.
Loss data, according to Sabatini, has been one of main drivers for change within the operational risk field. Before loss data was collected, no one really knew how much money was being lost on operational risk. With the collection of loss data, business lines understood how critical operational risk was.
With regard to capital calculation, the Enron/Worldcom data points included in the traditional LDA approach for capital would suggest for JP Morgan that they need $50 billion in capital driven somewhat by investment banking underwriting risk. Sabatini discussed an approach similar to that in the credit world where you calculate the probability of default, loss and investors winning a suit. This approach produces a more realistic capital number.
Sabatini also discussed some of the challenges and opportunities with regard to risk management, including business unit benchmarking, trend analysis, correlation with business metrics, and dynamic reporting. He also suggested that a significant advance would to have a real time dashboard that would allow what-if analysis discussion between market, credit and operational risk functions.
Simon Wills then gave an overview of ORX, our customer and partner. He said that they will be up to 54 member institutions when they announce their newest member tomorrow. Wills noted that ORX follows the Basel II categorization, with an additional category for corporate losses (ransom paid for a kidnapping of the chairman, for instance).
ORX also collects data on the product (e.g. equity derivative) and process (sales and marketing) associated with the losses, which provides a greater degree of granularity to the loss. ORX also collects additional information on large losses (over €10 million).
Wills shared some recent data on operational risk losses, and noted that sales and trading have been the driver of the large number of losses in 2008, whose aggregate severity rivals that of the Enron/Worldcom losses of 2002.
ORX is interested in a better visualization of the data to improve the communication and engagement of operational risk with the business. Corporate finance, for instance, tends to have low frequency and high severity losses, the opposite of losses in the retail business. Wills showed a 3D graph of the two different loss data sets, with dramatic spikes in the corporate finance business.
Wills talked about ORX sector services that will provide insight for different business units to benchmark against their peers, and, in this way, provide real business performance value to operational risk managers and their business line colleagues.
John Whittaker’s session on operational risk and aligning with the business covered some interesting approaches:
Barclays defines 13 principal risks that the business owns. The oprisk function can provide guidance on the control framework to mitigate each risk, but the oprisk function does not control the risk. The real process of operational risk does not sit in the corporate function.
Operational risk should be involved in discussions of strategy: it helps think through how the business can maintain their performance objectives during a 1 in 7 or 1 in 20 downturn; participates in new product approval; reviews the impact of large events. Whittaker also noted that oprisk should be involved in the stress testing process.
Operational risk managers need to understand the business intimately. This allows the function to influence decision-making effectively.
With regard to reporting, try taking away a report to see how much value it actually has. There’s some reporting that isn’t delivering the value that the reporters think. Also, trend analysis and comparison is important, not just absolute numbers. The main point is to create a discussion, which brings operational risk into the business.
Hosted by Barclays, this year’s OPEN (OpenPages European Network) Summit promises to be the best yet with a jammed-packed agenda including real-world case studies from OpenPages customer executives at Allianz, Barclays, Lloyds, ORX and Swiss Re. Joining them will be executives and product experts from OpenPages who will share the latest OpenPages product developments and review OpenPages investments and rapid customer adoption in EMEA.
If you’re unable to make it, check back for a recap of the event in the following week. Otherwise, we look forward to seeing you at Canary Wharf in London!
Patrick de Fontnouvelle of the Federal Reserve Bank of Boston presented a an interesting session at GCOR 2010 titled, “The Role of Operational Risk in the Recent Financial Crisis.” His basic premise was that the financial crisis of 2008 could have been avoided had financial institutions implemented and followed basic operational risk management best practices. And more importantly, that there is a history of operational risk management best practices being violated repeatedly throughout history with predictable consequences. He recommended three steps to moving forward and preventing similar crises in the future:
We must work to develop and normalize operational risk management and measurement
Outreach is critical: there is a lack of understanding or a misunderstanding regarding the nature and impact of operational risk
Governance: the risk function must have sufficient stature and authority to take action against questionable practices (in other words they must have a seat at the table)
A tag is a keyword you assign to make a blog or blog content easier to find. Click a tag to find content that has been assigned that keyword. Click another tag to refine the search further. Click Find a tag to search for a tag that is not displayed in the collection.