Tommy Thompson, IT Security and Compliance Coordinator at Williams Company recently presented at OPUS 2010 on reducing the complexity of IT risk and compliance and how Williams was able to significantly reduce costs while at the same time increase the effectiveness of their IT compliance programs. In the following video, I had the chance to speak with Tommy after his presentation.
The PCAOB’s Auditing Standard 5 (AS5) is structured around a top-down approach to identify the most important controls to test during your Sarbanes Oxley (SOX) effort that address the assessed risk of misstatement for each relevant financial assertion.
At OPUS 2010, Jo Morton, Business Analyst, Internal Audit at Williams Companies, Inc. and Lawrence Joiner, Manager of Internal Audit Operations at Williams presented an informative session titled, “An OpenPages Approach to Auditing Standard 5 Compliance.” In their session, Jo and Lawrence outlined how Williams has been able to move beyond a “process by process” review and up to an Account Level review that truly is an AS5 “Top-down Approach.” In the following conversation, Jo Morton describes her session and her overall OPUS 2010 experience.
While many companies have basic elements of a compliance program in place such as code of conduct and whistleblower programs, simply having these elements is no substitute for a comprehensive program. In reality, many companies have implemented a “one-off” approach in which procedures often become fragmented, duplicative and outdated over time. For these organizations, the cost of non-compliance can be extraordinarily high, whereas a well-designed, comprehensive compliance program provides numerous efficiencies and can serve as a solid foundation for effective Enterprise Risk Management.
Don’t miss Rick Steinberg, founder and CEO of Steinberg Governance Advisors and Compliance Week columnist, as he outlines steps that companies can take toward achieving a well-designed, comprehensive compliance program. In this informative Webinar, Rick describes a strategic, risk-based approach that supports business objectives and provides an enterprise view of compliance.
There are few things more devastating to a chief executive or board of directors than seeing their company’s name splashed across media headlines with allegations of having broken the law. After wondering how it could possibly happen to us, the focus quickly goes to how best to effect damage control, with accompanying thoughts of billions of dollars in fines, penalties, judgments and lost business, as well as personal exposure, and knowing great amounts of time and energy will be directed to dealing with regulators, lawyers, and investigators instead of growing the business.
It’s fascinating to see that, despite reading of such happenings at other companies, somehow many top managements can’t imagine it happening to them. Hence, too often companies put in place a code of conduct and ancillary policies, a whistleblower channel, and perhaps even a compliance officer – all useful elements – but which fall far short of an effective compliance program. And with each new law or regulation, a new policy and related procedures are installed, frequently duplicating existing procedures but still falling terribly short of an effective program. So we see fragmented and duplicative procedures that are administratively burdensome and often outdated, while the significant risks of non-compliance continue to grow.
In contrast, leading companies are proactively dealing with the associated risks. They take a holistic approach, first recognizing that laws and regulations were set forth in the first place as a reaction to damage to someone – customers, employees, investors or communities. And they recognize that companies satisfying related marketplace expectations – with “green” food products, better child safety products, better automobile gas mileage, or more desirable workplace environment – are rewarded with better workers, greater market share, and enhanced profits. With this recognition, they design a compliance program not only to ensure minimum compliance, but to seize related business opportunities geared to the underlying marketplace drivers. The compliance program is built into strategic objectives, and is risk-based and streamlined, with clarity around responsibilities and accountability, and supported by technology with meaningful communication and reporting.
Yes, there is an initial cost to doing this right, and a chief executive will expect to see a rational business case made for establishing such a program. But the benefits are real, and the CEO and board members will sleep better at night knowing an effective compliance program is in place in their company.
The Globe published an interesting article today about a Harvard Business School professor who resigned just before the scandal at Satyam broke. This was no ordinary professor. Krishna Palepu is an expert in corporate governance, control and accounting, and corporate management in emerging markets. In short, the perfect resume for a Satyam board member. So what went wrong?
This is not an isolated incident. In this financial crisis, many good people on boards of struggling companies have been surprised. And we’ll likely see more of that in the months to come. I think it’s overly simplistic to blame the board, and certainly in this case in which Palepu is so obviously qualified. What we see frequently is that internal control systems and risk assessment processes are not mature enough to catch wrongdoing or, and this may be more important, change behavior. Companies that are growing quickly, like Satyam, have the most difficulty putting in place the risk management process to catch the kind of fraud perpetrated at the company. My guess is that in the future business processes will be designed from the bottom up with risk management in mind. As we’re learning, it’s too hard to do it after the fact, especially for the complicated businesses we’re trying to govern today.
The SEC’s final rules implementing Dodd-Frank’s whistleblowing provisions failed to remove angst among compliance officers and general counsels. While there are some incentives for potential whistleblowers to first report alleged misconduct via internal reporting channels, there’s no requirement to do so – and many are concerned the internal channels will be bypassed. And going outside is on the rise. It’s been reported that in only seven weeks after the SEC’s program began, there were 334 whistleblower filings. Compliance officer concerns are well founded – that bypassing internal channels will deprive the company of being able to investigate and fix problems before they grow, and company personnel will need to play catch up with investigations in reaction to SEC probes.
We can point to many resolved whistleblowing cases for clear evidence of the potential impact of the SEC’s still relatively new program. One homeowner delinquent on her mortgage ultimately received $18 million for reporting suspected use of fraudulent documents in the bank’s foreclosure process. It’s said that in acting against this homeowner – an attorney and career insurance fraud investigator – the bank “picked the wrong person at the wrong time in the wrong place,” but the robo-signing and other compliance failures were widespread and surfaced from a number of sources. Nonetheless, this individual was one of six whistleblowers receiving $46.5 million said to be part of the five-bank $25 billion settlement. In an unrelated case, a member of a major bank’s quality control team who reportedly was displeased that the misconduct wasn’t reported to regulators, decided to do so herself – ending up with a settlement of $31 million. And there are many more.
Worth noting is a recent survey that indicates more than one-third of American workers have seen misconduct on the job. While many instances of misconduct have been reported through internal channels, it appears the vast majority have not. Why? The survey shows it’s because of fear of not being able to remain anonymous, and of retaliation. Those two factors, plus the possibility of monetary reward, are reported as key factors in incentivizing internal reporting. And the survey also shows two-thirds of respondents didn’t know about the SEC’s program – at least not yet.
Certainly it’s in a company’s interest to be first to know about alleged misconduct, and compliance officers are working hard to upgrade policies, training, communications, and the internal whistleblower systems, all to encourage internal reporting. Actions to ensure anonymity, with positive responses and nothing close to retaliation, are expected to help. Some companies have begun to pay bounties for valued reports. There are indications that when employees believe their reports will be taken seriously without adverse repercussions, there’s increased likelihood for internal reporting. Law firms and others have provided guidance on which companies are acting. However, it remains to be seen the extent to which the possibility of a huge, life-changing payday by the SEC will be too much to resist. Time will tell.
For readers interfacing with your companies’ audit committees, a just released survey from Directorship Boardroom Intelligence highlights what’s in the forefront of committee members’ minds today. The results are reported in a top-ten list (unlike the Letterman top ten lists, this one appears to begin with the most significant):
Uncertainties of economic/legislative environments
Or more to the point, was he thinking at all? We’re talking about Rajat Gupta, operating at the highest echelons of multinational business, who finds himself charged by the Securities and Exchange Commission with illegally passing inside information to Raj Rajaratnam, the Galleon Group founder about to go on trial on charges of insider trading. Mr. Gupta, a Harvard Business School graduate and former head of McKinsey & Co., has been a board member of the likes of Goldman Sachs, Procter & Gamble, and American Airlines.
What did he do? Well, he of course is innocent until proven guilty, and according to media reports, his lawyer says he has done nothing wrong. But the SEC says otherwise. It alleges Gupta gave Rajaratnam advance information about earnings at both Goldman and P&G. On top of that, the SEC maintains that Gupta called the Galleon head with the inside scoop of the Goldman Board’s approval of Warren Buffett’s $5 billion investment in the firm. The allegations speak to multiple phone calls between the two men, enabling Galleon to reap millions in profits. What must be particularly troubling for both is that the SEC says it has recordings of numerous telephone conversations.
Let’s presume for a moment that the allegations are factual. A relevant question is whether this is a black eye on the companies on whose boards Gupta sat (by the way, the reports say he resigned months ago from the Goldman board, and recently from P&G). My answer, based on the information available, is “no.” Certainly, if the allegations are true, a statement by the SEC Director of Enforcement is on point: “Mr. Gupta was honored with the highest trust of leading public companies, and he betrayed that trust by disclosing their most sensitive and valuable secrets.” But what could or should have been done to prevent wrongdoing at the board level?
We know well the importance of a company’s board of directors in keeping a close eye on what the CEO and senior management team do, and on the company’s system of internal control. We recognize the importance of compliance officers, risk officers and internal audit functions. But who keeps an eye on the board, especially when their actions are outside the inner workings of the company itself? We can look to what happened years ago at HP, when a board member leaked information to the media, which resulted in the pretexting fiasco.
There are no immediate answers, other than to continue to ensure full vetting of director candidates, and maintaining effective board and internal audit processes to best identify and manage potential misbehavior. With the thousands of directors of major companies acting with extraordinary integrity and ethics and in the best interests of their companies and shareholders, I believe we don’t have much to worry about. But it is worth more thought going forward.
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.
It seems we can’t pick up a newspaper today without seeing another story on top management compensation, and its role in the near financial system meltdown. As Congress and the Administration wrestle with regulatory reform, fingers continue to point at CEOs and other senior executives who reaped huge rewards for taking what are deemed to be outsized risks – risks that brought some of their companies, and indeed the financial system, to the brink of disaster. The SEC’s new disclosure rules will shed more of a spotlight on executive pay and how companies and boards deal with corporate risk, and anger over “outsized” pay is boiling over in the form of regulatory reform and additional proposed taxes on financial services industry participants.
Certainly executive compensation should recognize the degree of risk inherent in performance. No one wants to see a CEO “bet the ranch” in a “heads the CEO wins, and tails shareholders and the taxpayers lose” scenario. So, yes, getting risk-reward back in balance at the top management level makes eminent sense, and already is under way.
With that said, however, we shouldn’t fall into a trap of thinking that dealing with the compensation issues can by itself address corporate risk. Those of you with leadership roles in risk management, compliance, auditing, and related areas in your organizations know full well that dealing with risk at the CEO level will not by itself transform how risk is managed throughout the organization. One can argue that CEO compensation has played only a limited role in causing financial institutions to take on such massive risks in the first place. Chief executives already have solid motivation to ensure the companies they lead achieve long term success, and certainly simply keeping their prestigious and lucrative job and reputation intact are strong motivators. CEOs I’ve dealt with put the success of the company at the same if not higher level than acquiring more personal riches. Make no mistake, many do want to enhance their wealth, and some continue to keep score with peers, but putting their own personal objectives ahead of the company’s and its shareholders’ is not typical.
So, I hope and trust that neither the powers inside the Beltway nor corporate leaders and boards will think risk management is primarily about managing CEOs’ motivations. The focus needs to be on risk management processes throughout the organization, linking risks with corporate objectives and initiatives, and managing risk to best achieve corporate goals.
Recently, much has been written about the fate of financial services technology spending given the recent financial crisis. The Wall Street Journal’s Business Technology blog, for instance, points out here that Lehman spent $309 million on technology and communications in the quarter ending August 31. It’s hard to know exactly how much of that spending would be cut under a dramatically reduced operation under Barclays, but clearly, at Lehman and elsewhere tech spending’s going to take a hit in the financial services sector.
However, there is one technology area that will certainly get increased attention and that is in risk management. It’s very likely that 2009 regulation will include greater checks on leverage and an expansion of banking-like regulation to other businesses with banking-like activities. And regulators are already focused on improving the risk management functions of financial services institutions. For instance, WaMu announced on Sept 8th that they had signed an MOU with the Office of Thrift Supervision concerning different areas of the business, including the risk and compliance functions.
Risk management technology, the systems that provide visibility into the state of risk in the business, is a critical component or early warning system for risk managers trying to run the business. Of course, knowing about the risks is not always sufficient. Just ask David Andrukonis of Freddie Mac, whose CEO apparently ignored the early warning signs of excess risk exposure, according to the New York Times. Nevertheless, having the risk management infrastructure in place at least allows management to make informed decisions about what risks to take or not.
And there’s another driver here for risk management technology. Over time, shareholders, not just regulators, will want to have better visibility into the risk exposures in a company. The Fed demonstrated that they are willing to let large entities fail (well, sort of), and as such it will be up to the market to assess risk in the business. Management will be encouraged to provide transparency as to the state of risk in the business through a lower cost of capital, the benefit of which would dwarf the cost of any risk management technology. Which is why I think spending on risk management technology will not drop as much as the overall market for financial services IT spending.
In February, British banker and former chairman of Morgan Stanley International, Sir David Walker was appointed to lead a government inquiry into corporate governance in the banking sector. This week, he published the Walker Review which recommends overhauling the boards of banks and other big financial institutions by strengthening the role of non-executives and giving them new responsibilities to monitor risk and remuneration.
“We need to get governance back to centre stage,” said Walker in a statement regarding the report. “The fundamental change needed is to make the boardroom a more challenging environment than it has often been in the past. This requires non-executives able to devote sufficient time to the role in order to assess risk and ask tough questions about strategy.”
Some of the specific recommendations in the Walker Review include:
Banks should have board level risk committees chaired by a non-executive
Risk committees to scrutinise and if necessary block big transactions
Chief Risk Officer to have reporting line to risk committee
Chief Risk Officer can only be sacked with agreement of board
The Walker Review proposes that most of the recommendations be enforced through inclusion in the Combined Code on Corporate Governance or a separate Stewardship Code for institutional investors, both operating on a ‘comply or explain’ basis.
It is clear that risk management will be under increasing scrutiny in the UK (and across the globe), and that the risk function will be increasingly important. To keep up with new regulation, companies will have to invest in systems to support the risk information sharing that such changes imply.
The ERM Initiative at North Carolina State University was commissioned separately by the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA) to conduct surveys of their respective members on the state of enterprise risk oversight. While the AICPA survey was focused on US companies and the CIMA survey on global companies, not surprisingly respondents in all regions agreed in a new study titled ‘Enterprise Risk Oversight, A Global Analysis,’ that the volume and complexity of risks are increasing and that the need for increased risk oversight is being driven by senior executives and board members. Of greater concern, however is the number of respondents who feel that their risk oversight processes are immature. In the US, 84% of respondents rated their risk oversight processes as either ‘very immature’ or ‘only moderately mature.’ The study found that ‘46% of global respondents describe their risk oversight process as systematic, robust, and repeatable in contrast to 11% of U.S. respondents who believe they have a complete enterprise-wide risk management process in place.’
With recent disclosure rulings from the SEC including the board’s role in risk oversight and Dodd-Frank rulemaking on its way in which ‘risk committees’ will be required, companies rating their risk oversight processes as immature should begin preparations now. If you’re considering where to start, begin with the design goal of delivering an integrated and automated risk and compliance framework. A siloed approach limits an organization’s ability to streamline risk and compliance processes and reduce costs. It also limits your ability to gain a comprehensive view of the firm’s risk exposure.
Managing IT Risk and Compliance with IBM OpenPages ITG (Track 1068)
At IBM Vision 2012, Tuesday May 15th, 1:15 – 2:15 pm, I will be presenting Managing IT Risk and Compliance with IBM OpenPages IT Governance. In this session I will take you through the results of the IBM CIO Study 2011 that was recently published and guide you through the IT Risk related subjects. If you want to understand how Big Data, Cloud, Regulatory Pressure, Business Continuity Management, Disaster Recovery, Identity and Access Management, Segregation of Duties, Automated Controls and Endpoint Controls will influence your GRC program, and how it all comes together in IBM Smarter IT Governance, Risk and Compliance, join me there.
Revised reporting of stock and option awards to company executives and directors in the Summary Compensation Table
Potential conflicts of interests of compensation consultants
What might not be entirely self-evident is when they take effect. Help is provided by PricewaterhouseCoopers, which issued an advisory highlighting the timing for these new disclosure requirements, as follows:
The effective date of the new rules was February 28, 2010. Accordingly, the Form 10-K and proxy statement of a calendar year company must be in compliance with the new disclosure requirements if filed on or after February 28, 2010. If a calendar year-end company files its proxy statement on or after February 28, 2010, the proxy statement must comply with the new disclosure requirements. This is true even if the 2009 Form 10-K was filed before February 28, 2010.
An existing SEC registrant with a 2009 fiscal year that ended before December 20, 2009 is not required to comply with the Regulation S-K amendments until it files its Form 10-K for fiscal year 2010. As a result, any registration statements filed before its 2010 Form 10-K is required to be filed would not be subject to the new Regulation S-K amendments. A company may early adopt the new disclosure provisions; however, if the company elects to voluntarily comply with the disclosure changes regarding stock and option awards, it must also comply with all the other applicable Regulation S-K amendments.
If a new registrant (e.g., a company completing an IPO or a registration statement on Form 10) first files its registration statement on or after December 20, 2009, compliance with the Regulation S-K amendments would be required for such registration statement to be declared effective on or after February 28, 2010.
Recently purchased by The Bank of Tokyo Mitsubishi (the 2nd largest banking group in the world), Union Bank, N.A. out of San Francisco has been asked to lead the way for the entire organization with respect to adopting Basel II and the advanced measurement approach for operational risk measurement.
Marty Blaauw, Senior Vice President of Operational Risk at Union Bank stated, “At Union Bank, we are striving to use the advanced measurement approach for operational risk measurement and OpenPages provides an integrated operational risk management framework that will assist us in this goal. We are confident that OpenPages’ solution will allow us to streamline our operational risk management and measurement process and provide the integrated risk reporting and dashboards being requested at the executive level.”
With $86 billion in assets under management and 340 banking offices in California, Oregon, Washington and Texas as well as two international offices, this is a strategic initiative with enterprise-wide implications. Union Bank purchased licenses for the entire OpenPages Platform and selected OpenPages ORM as the operational risk system of record for managing risk assessments, key risk indicators (KRIs), issue management and scenario analysis, as well as integrated risk reporting.
As you may know, the Dodd-Frank Act gave institutional investors and shareholder activists perhaps the item highest on their wish list – gaining ready access to the proxy statement with the ability to name their own director nominees. And the SEC developed enabling rules to make it happen. Well, the U.S. Court of Appeals for the D.C. Circuit just pulled the rule out from under shareholders. If you’re a shareholder activist, you’re probably outraged, but if you’re a board member or member of the senior management team, you’re likely breathing a sigh of relief!
The suit was brought by the Business Roundtable and U.S. Chamber of Commerce, and many thought it didn’t have much chance of succeeding. But succeed it did. The court ruled the SEC “acted arbitrarily and capriciously” in failing to adequately consider the rule’s effect on “efficiency, competition and capital formation.” In its unanimous decision, the court added that the SEC “inconsistently and opportunistically framed the costs and benefits of the rule; failed adequately to quantify the certain costs or to explain why those costs could not be quantified; neglected to support its predictive judgments; contradicted itself; and failed to respond to substantial problems raised by commenters.”
And this isn’t the first time the Court shot down SEC rules – it’s happened several times in the last few years, also on the basis that the SEC didn’t properly assess the economic effects. So, where does the Commission go from here? Since this decision was issued by a panel of the Court, the SEC could ask the entire Court to review the case, or appeal to the U.S. Supreme Court. Or, it might want to conduct a more in-depth economic assessment of the rule to satisfy the Court, or come up with another rule. As the U.S. Chamber calls its victory “a big win for America’s job creators and investors,” the SEC is “reviewing the decision and considering our options.”
For what it’s worth, my view is that direct shareholder nominating of directors can be counterproductive. While seemingly supported by the concept of a democratic process, putting dissident or one-issue directors on the board, which might have occurred, would normally not serve a board, the company or its shareholders well. While the SEC’s rule seemed reasonable in terms of effecting the law’s mandate, perhaps the SEC can come up with something better.
You’re a CEO, senior manager, or board member watching your once-great company brought to its knees. You imagine yourself on the deck of the Titanic, your world coming to an end—your once confident self embarrassed in front of colleagues, competitors, friends, family, and the larger communities in which you once thrived and were held in such high esteem.
This is the first sentence of a just-released book published by John Wiley & Sons. I got my hands on an advance copy, and it is compelling reading. It analyzes how – while facing different circumstances in different industries – common themes underlie why once-great companies have seen their fortunes sink, while others withstand economic turbulence and hazards to continue to grow and reap the rewards of success. But the book is not solely about how to avoid disaster. It highlights how having the right infrastructure enables an organization’s positive qualities to lead to success. This includes what’s needed to avoid the kinds of disasters that can befall any organization, but also what’s essential to identifying opportunities and being positioned to seize them for competitive advantage.
I don’t often recommend books to others, but this one is exceptional. It has a long title: Governance, Risk Management and Compliance – It Can’t Happen to Us: Avoiding Corporate Disaster While Driving Success. I believe the substance stands up to its claim that “unlike other books, this one is not aimed solely at senior managers or solely at members of boards of directors. It’s directed to both, with an added objective of providing insight into the interface between the two.”
You might be asking why Steinberg is spending so much space here touting this book – is it because the book is really that valuable, or does he have some ulterior motive? Well, okay, I’ll fess up – the answer is “both.” Yes, as you may have guessed, I wrote the book. And I apologize for withholding that important fact until now! But I do believe virtually any reader of this blog will greatly benefit from reading the book. And I’m pleased that I’m not the only one who thinks so. Here’s what some others, whose names you might recognize, are saying:
Rick Steinberg is a time-tested expert in this ever more essential field. His refreshing candor in assessing recent shortfalls makes this book a must-read for corporate leaders — Mark R. Fetting, Chairman and CEO, Legg Mason, Inc.
This outstanding book provides a critically important perspective on how risk management can only be truly achieved by aligning culture, strategy, compliance programs, and compensation. It should be must reading for any board member concerned with improving the management of risk — Jay Lorsch, Louis E. Kirstein Professor of Human Relations, Harvard Business School
A comprehensive and insightful examination of corporate governance. A must-read for those of us who are CEOs and serve on public boards — Randall L. Clark, Chairman and CEO, Dunn Tire LLC; former Chairman and CEO, Dunlop Tire North America
Attention directors and officers: Ignore this book at your own peril. Richard Steinberg has crafted a careful, thoughtful approach to managing risks, and it should be required reading for Corporate America — Scott S. Cohen, founder and former Editor and Publisher, Compliance Week
Richard Steinberg’s comprehensive and clearly written work will substantially benefit both new and experienced directors. It will help corporate boards recognize the challenging forces businesses face, as well as the techniques and standards available to intelligently monitor and supervise firms and their senior management. An easy and engaging read, this book should be on the bookshelf of every corporate director — William T. Allen, Director, NYU Pollack Center of Law & Business; former Chancellor, Court of Chancery of the State of Delaware
Richard Steinberg, a respected and time-proven governance hand, has written a most enjoyable and thought-provoking work—an excellent addition to anyone’s governance shelf! — Charles Elson, Edgar S. Woolard, Jr., Chair in Corporate Governance and Director of the Weinberg Center for Corporate Governance, University of Delaware
By the way, the IBM Open Pages people were kind to allow me to use a paper I wrote for them as the basis of one of the chapters. I hope you will consider reading the book, and I trust you will not be disappointed!
The first keynote was delivered by Eric Rosengren, President and CEO of the Boston Fed. Rosengren opened by showing an interesting chart on the LIBOR to Overnight Swap spread, which jumped last summer and has been very volatile ever since, evidence of banks’ reluctance to lend to each other.
Rosengren covered the role of liquidity in risk modeling, which he noted was largely underestimated in many models over the last year. He also noted that other fundamental assumptions were wrong, like the one that housing prices across the US are not correlated (he showed a chart of regional housing data over the last five years that looked highly correlated.)
Rosengren also spoke about the impact of rogue trading and legal settlements. Many institutions think these losses are 1 in a 1000 year events, but as we get more data, it’s emerging that these events are much more common than previously thought.
Regarding scenario analysis and stress testing, Rosengren asked how much confidence we should put into this. In many cases, the stress tests did not accurately take into account the risks. He noted that the effect of falling housing prices was not accurately assessed. He also noted that the impact of mortgage defaults on liquidity was universally missed.
In the Q&A period, he went on to say that we need to be more humble about the effect of some of these unexpected events and that we need to broaden our thinking about what could possibly happen.
A key theme of Rosengren’s talk is that organizations are too willing to ignore what they consider 1 in a 1000 year events, when in fact these events are turning out to be quite frequent. For instance, last year there were 14 losses over $1 billion reported. He reinforced this notion in the Q&A session that extreme losses have occurred much more frequently than we would have assumed a couple years ago.
Rosengren was followed by Randall Kroszner, Member of the Board of Governors, Federal Reserve. Kroszner took a broader perspective on Basel II, and the enhancements the framework committee is considering. He noted that banks pursuing AMA qualification need strong senior management and board oversight. He also noted that senior management can create an AMA that’s reflective of organizational realities.
Kroszner noted that Basel II has been the official regulation for just one month, but the implementation will take some time. Implementation must be taken “thoughtfully and deliberately” by individual banks which should first start with a sober and frank appraisal of their current state.
The core banks will have to have a plan in place for AMA qualification by Oct 1, and Kroszner noted that this will require buy-in and resource commitment from the top.
Kroszner also noted that their hope is to provide more information over the next couple months but provided some initial thoughts on what the plan will have to cover:
Gaps between existing practice and AMA
Objective and measurable milestones
Planning and governance process for meeting qualification requirements fully
He noted that the final rule allows 36 months before exiting the parallel run phase.
After some discussion of upcoming improvements to the Basel II framework, Kroszner addressed the standardized approach for non-core banks. He stated that the Fed expects that Basel II (referring to both the AMA and standardized approaches) will make the US banking system more resilient.
A key theme that emerged from Kroszner’s talk and the subsequent Q&A period was that a one size fits all approach is probably not best for the range of institutions we have in the US. Rosengren noted in the Q&A period that the final rule is more of a principles-based than a rules-based document and repeated that “it’s not clear that one size fits all.” He also noted that there’s already a wide range of practices in play right now.
Someone asked whether Basel II makes us more vulnerable to systemic risk because of model convergence. Kroszner responded that the flexibility of the final rule and the judgment afforded by the ICAAP process should mitigate systemic risk. Rosengren said that oprisk has enough variety in the modeling, but that credit risk calculations over the last year may have been too reliant on the same historical data.
The Stress Tests for the US Bank Holding Companies (BHC) have been released by the Fed. As had been leaked, the industry must raise $74.6 billion. The biggest number is for the Bank of America, which must raise $33.9 million, as they are unlikely to convert the preferred shares owned by the Treasury. The New York Times is reporting that the US Government will end up owning 36 pct of Citi after they convert their rescue funds into common stock. They will still have to raise $5.5 billion. Other interesting details:
Residential and consumer loans account for 70% of the losses projected under the adverse scenario, which would amount to $599.2 billion. The adverse scenario has unemployment at 8.9% in 2009 and topping out at 10.3% in 2010. Assuming that residential and consumer loan losses are a function of the unemployment rate, a lot is riding on what some economists think is an optimistic number. According to the Bureau of Labor Statistics, we’re already at 8.5% as of March (April’s numbers are being released tomorrow at 8:30 am). These results also suggest that commercial lending comprises a much smaller portion of the overall losses and won’t be the "next shoe to drop" for the economy as many people have suggested.
In the adverse scenario, each BHC was given a range of loss percentages for the various categories. Each BHC could use firm-specific data to come up with its own assessment of the loss rate. Interestingly, for First Lien Mortgages, Bank of America came up with 6.8% while JP Morgan Chase came up with 10.2%, a differential that seems quite high. Of course, JPMC bought WaMu, which had a large market share on the west coast. Another west coast bank, Wells, used 11.8% as its loss rate.
The Fed refers to the SCAP buffer (the capital needed to be raised under the Supervisory Capital Assessment Program) as a way for market participants, as well as the firms themselves, to have "confidence in the capacity of the major BHCs to perform their vital role in lending even if the economy proves weaker than expected." The press surrounding this announcement suggests that certainly the former will benefit from these results. What’s less clear is whether the banks themselves will magically start lending again. And, as discussed here, in this dynamic market, how will business models evolve to account for emerging opportunities and risks?
As a follow on to my previous post about the survey conducted at OPEN, we also learned something about companies’ GRC efforts.
Almost 90% said that their GRC spending would either increase or stay the same over the next year. During a time when IT spending overall is dropping, it’s important to note that spending in the risk management sector is holding up. We’ve blogged about this before, but we keep getting additional data that all point to the same conclusion: companies are not cutting back on risk management spending.
The answer to the next question may provide some insight as to why. We asked how companies would characterize the current state of their GRC management efforts: siloed, converged or coordinated. 73% said siloed, 27% coordinated. This mirrors almost exactly the responses from October 2008, which suggests that the road to convergence is not a short one.
At last week’s OPEN — OpenPages European Network, we conducted a survey of attendees to get a better sense of what they thought about the impact of the financial crisis on the regulatory environment and their own approach to risk management. There were some interesting results, especially when compared with those from OPUS, held 11 months prior in October of 2008.
The first question asked whether or not we’ll see new laws and regulations over corporate risk management oversight within the next year. Just over 80% said they believed that we would see new laws and regulations within the next year. What’s interesting is that almost the same percentage said the same thing almost one year ago. The difference is that we’ve seen no new laws or regulations in the past year. In other words, the expectation of regulatory reform is clearly stronger than the reality. Obama’s focus on healthcare, the EU’s debate over various reg reform proposals, and the general resistance to change are all contributing to a lengthening of the reg reform process.
Our second question asked whether the financial and credit crisis has influenced your company’s thinking and approach to risk management. 62% said yes. Eleven months ago only 46% said yes. The difference here speaks to what companies have found over the last year that suggests a revamping of their approach to risk management. Frankly, I am surprised that the number is not higher. Clearly, we all learned that very smart people can make bad decisions. Isn’t that something that companies should want to control for?
Fueled by a global audience that is desperately looking for disclosure in the wake of the economic crisis and mature digital computing technologies that make it more and more difficult to contain sensitive information, WikiLeaks has emerged as a viable new threat to data security.
Until now the United States government has been the central target of WikiLeaks attacks, however, with WikiLeaks founder Julian Assange’s recent claim to be ready to release corporate secrets in early 2011, organizations everywhere are faced with a looming risk management challenge that is not likely to dissipate anytime soon.
Experts agree, and Assange himself has suggested, that the information that will be leaked is more likely to consist of internal communications between executives and other employees rather than the personal data protected by privacy compliance laws. However, the threat of any kind of exposure means that corporations need to tighten data security and evaluate areas of potential vulnerability.
Unfortunately, WikiLeaks has highlighted a liability that persists across all corporations and government agencies that technology and compliance measures alone simply cannot contain: the human factor. The increasing number of compliance and regulatory mandates that have been put in place in recent years have not proven enough to combat the risk posed by employees leaking sensitive information.
A recent poll by Harris Interactive reports that only 9% of companies have adequate crisis protocols in place to protect themselves from a potential onslaught. In this period of uncertainty, with virtually all large enterprises under the WikiLeaks radar, it is vital that organizations devise an adaptable enterprise risk management strategy to identify and manage areas of weakness without sacrificing business performance.
Just as a sharp increase in regulatory compliance mandates has created a necessary shift in industry risk management tactics, so has WikiLeaks spawned the recognition of new vulnerabilities that face companies in the modern digital age. The organizations that are well prepared to assess and mitigate against untested threats, like the one posed by WikiLeaks, are those that combine deep domain expertise with powerful and flexible tools to analyze and weigh the probability and cost associated with any given challenge.
Rising from the banks of the Potomac in National Harbor, Maryland, the Gaylord National is an engineering marvel which provides a scenic venue for the 2010 Gartner Security and Risk Management Summit. I attended an intriguing session by Richard Hunter, Gartner vice president and distinguished analyst in which he described the value of IT risk management.
Hunter recently published a book titled, “The Real Business of IT: How CIOs Create and Communicate Value” which is co-authored with George Westerman of MIT. As part of the research for his book, Hunter conducted a survey of CIOs from 2006 to 2009 on IT Risk management. One of his takeaways from his research is that the business context for the value of IT can be summed up as:
Run the business
Grow the business
Transform the business
In terms of running the business, Hunter put it into the context of “at the best possible balance between price and performance” (i.e., cost of doing business). The key point Hunter stressed was that the measure of value should not be based on the return on investment (ROI); rather, it should be based on price and performance. As an example, Hunter asked, “Would you ask for an ROI on a firewall, or an audit?” The point being, there is no measurable return on these investments; they are a cost of running the business, and the alternative is much costlier.
IT grows the business, continued Hunter, by ensuring “capacity and capability and providing the ability to conduct business in a certain way.” In other words, he explained, it supports someone else’s profit and loss. The third value (transforming the business) is about “enabling new value propositions for new customer segments.”
He recommended IT organizations take the following steps to show value:
Change the way you think. Frame every comment in terms of business outcomes and business performance. Adopt the language of business in every discussion of risk (i.e., the point of BCM is not to recover the server farm, it is to recover customer service, accounts receivable).
Show value for money, meaning the right services at the right level of quality at the right time. Never discuss cost apart from quality of service.
Position IT (and IT risk management) as a component of investment in near and long-term business performance.
A very common theme at the Summit is supported here in that “performance should be defined in terms of business outcomes and performance, not IT performance.”
According to an IBM study of over 1,200 CFOs and senior finance executives, 62 percent of enterprises with over $5 billion in revenue encountered a major risk event in the previous three years, and when a major risk event did occur, 42 percent were not well prepared. Unlike Sarbanes Oxley and other structured, clearly defined compliance initiatives, building an effective operational risk control environment and culture requires proactive identification and frequent review of potentially harmful events.
GRC industry expert and Corporate Integrity president Michael Rasmussen’s favorite operational risk case study is the Titanic in which as he states, “There are a variety of risks the Titanic faced – overconfidence, poorly manufactured rivets, focus on speed while ignoring the external risk environment, inadequate design, and lack of someone diligently watching for icebergs”. While the Titanic was heralded for its superior safety in engineering design, not all risks were considered holistically. In many organizations today, operational risk continues to be managed in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions.
To learn more, check out the “Ultimate ORM Platform” webinar in which Michael Rasmussen and OpenPages director of product management Patrick O’Brien describe the need for a common, enterprise-wide view of risk and what to look for in an “Ultimate ORM Platform”.
The Shareholder Bill of Rights Act of 2009 submitted by Senators Schumer and Cantwell addresses one of the key issues in the current financial crisis, that of corporate governance. While the NYSE has a rule that the board must articulate its enterprise risk management strategy, such a prescription has yet to be enshrined in law. The Schumer Bill addresses that:
“(A) IN GENERAL.—Each issuer shall…establish a risk committee, comprised entirely of independent directors, which shall be responsible for the establishment and evaluation of the risk management practices of the issuer.”
It’s unlikely that this particular bill passes as written, but the notion that companies will have to formally name a risk committee will certainly shine the light on how companies identify and evaluate risk in their business.
Interestingly, in the UK, the Financial Reporting Council just finished their review of the corporate governance code. There’s an interesting article in Management Today here:
I disagree with the conclusion, however. The ‘comply or explain’ approach will never work. We just learned that lesson from the former investment banks that were supposed to self-regulate in the US. My view is that you can fashion regulation that’s not “over-reaching” (some would say Sarbanes-Oxley falls into this category) yet provides sufficient guidance on operating requirements to actually mitigate real risks.
Companies today are being forced to comply with an extensive set of regulations. One thing that you can count on in the fallout of the financial meltdown, is that regulatory pressures will continue to mount. And for large, multi-national organizations in heavily regulated verticals, the problem is further compounded. Businesses need to take a practical, cross-regulatory approach to managing compliance in order to alleviate the increasing burden while gaining insight into risks to key business processes that could affect overall corporate performance.
In a recent webinar, in which I had the privilege of co-presenting with Michael Rasmussen, president of Corporate Integrity and GRC advisor, Michael detailed several strategies that successful companies take to build an effective compliance program. Of particular note, he stated, “A reactive and siloed approach to compliance is a recipe for disaster and leads to lack of visibility, wasted and/or inefficient use of resources, unnecessary complexity, lack of flexibility and vulnerability and exposure.”
While compliance requires adherence to policies and a top-down driven culture, technology can play a critical role in effective compliance management through an integrated risk and compliance framework that enables business owners to document, assess, measure and test once; and then satisfy many stakeholders. This model leads to two main benefits:
1. Reduced cost and better efficiency
2. Improved effectiveness – in terms of better overall view of risk and compliance and the dependencies between them.
To find out how a Fortune 500 utility company leveraged technology to manage a massive compliance monitoring effort spanning multiple business units and areas of responsibility, check out the archived webinar or download the case study.
Over the last couple weeks, OpenPages has participated in three different conferences on risk and compliance. We sponsored the Global Conference on Operational Risk put on by the RMA and ORX, Gartner’s Risk Management and Compliance event in Chicago, and the RIMS show in Orlando. At each event, many people were asking about the role of risk management moving forward. In particular, as companies adjust to a new reality of risk management oversight, particularly in the financial services arena, many are rethinking how the different risk disciplines relate to one another.
Rene Stulz in the Six Ways Companies Mismanage Risk, published in the March issue of the Harvard Business Review, notes that risk managers often distinguish between market, credit and operational risks, which they measure separately and in isolation. However, Stulz points out that "when you put risks into a box, you’ve ignored the fact that business units strongly identified with a particular class of risk may be exposed to risks of other types that are associated with other units." Stulz goes on to point out that the collapse of the securitized mortgage market led to not just realized market risk for banks but also a very serious business risk associated with the drop in revenue associated with the lost fee income.
As more and more examples emerge about how risks cut across organizational silos, companies will more seriously consider a holistic approach to risk management. Part of the inertia has historical and cultural underpinnings, but to get out of the current crisis with a revamped risk management program that would help avoid another financial crisis of this type companies will need to get the different risk management silos to work more closely together. More on that later.
Some of you will remember the keynote by Professor Hal Scott from last year’s OPUS. Professor Scott is a professor at the Harvard Law School and is also the Director of the Committee on Capital Markets Regulation, an entity supported by Treasury Secretary Paulson. In 2006, the Committee issued an interim report on the competitiveness of the US equity markets. One of the interesting recommendations, which Professor Scott discussed during his OPUS keynote, is a consolidation of the US financial regulatory structure. In general, their point is that the regulatory structure is too cumbersome and burdensome to be effective. For instance, it might make sense to combine the SEC and the CFTC into a single entity as they’re both market regulators. You can read the report here.
Earlier this year, Secretary Paulson proposed a blueprint that would modernize our financial regulations. For example, the Federal Reserve would be authorized to take a closer look at the operations of companies across the financial spectrum and ensure that their practices do not threaten overall financial stability. There are other good ideas, and members of Congress should consider them. As they do, they must ensure that efforts to regulate Wall Street do not end up hampering our economy’s ability to grow.
Clearly, this is an effort to shape the upcoming debate around how to make sure we don’t repeat the same mistakes we’ve made to get us in the current financial crisis. Hopefully, the debate will last longer than a week.
Widely reported today was Bank of America’s replacing their Chief Risk Officer, Amy Woods Brinkley, apparently at the behest of the government, which is eager to improve the risk management capability at the bank. Also, perhaps coincidentally (or maybe not), the Wall Street Journal broke a story here about an internal struggle between the FDIC on one side and the OCC and Fed on the other. Apparently, the FDIC and Sheila Bair are pressing the government to change the internal rating they use to gauge the health of financial institutions. Such a rating change would allow the government to apply more pressure on the institution to change key managers in the business. Maybe Brinkley’s replacement is a result of this dynamic. What’s clear is that the risk management function will be in the cross-hairs of government regulators going forward.
In the wake of Dodd-Frank passage, Chris McClean of Forrester Research commented that there are nearly 200 regulatory changes still on the U.S. federal agenda that span industry verticals such as finance, healthcare, and consumer protection.
As regulatory pressures continue to mount, organizations that adopt a more practical regulatory management approach across the enterprise will be able to react quicker to regulatory change and decrease costs and complexity while gaining valuable insight into the risks that could affect corporate performance in the form of legal action, fines and penalties, or a decline in company/brand loyalty.
The recently announced OpenPages 6.0 includes significant enhancements to the Policy and Compliance Management (PCM) module that allow organizations to react quickly to changes in regulatory mandates and to manage regulator interactions effectively:
Regulatory Change Management — lets users easily communicate, track, and manage regulatory change and enables quicker reactions.
Regulator Interaction Management — provides workflow enablement to help users prepare for and manage complex regulator interactions.
Policy Lifecycle Management — offers a new user-friendly view to consolidate policy details with configurable field/template definitions.
Policy and compliance management software is playing an increasingly important role in the business by allowing companies to easily communicate changes in laws and regulations and enabling quicker reactions by the business.
We’ve discussed in this blog the role of IT in GRC, mostly in terms of how IT manages risk inherent in delivering IT services. But there’s another risk that IT should be addressing, and that is the risk of disparate risk data marts scattered across the enterprise. I’ve written about it here.
Last week, the head of the New York Fed William Dudley, echoed the chorus that is getting louder and louder. Namely, that our regulatory system needs a complete overhaul to deal with the systemic risk posed by our largest financial services institutions. According to Dudley,
We need a more effective regulatory system. We need a systemic risk authority that has both the responsibility and the powers to look across the entire financial system—both depository institutions and the capital markets.
One issue with the current regulatory system is that it was not designed to support the sharing of information across institutions. It was designed to regulate individual institutions, and as the Fed and other regulatory agencies start to think about how to compare information across institutions, we can expect to see them demanding a greater degree of standardization in terms of how data about risk in the business is collected, managed and shared.
This must be the season for surveys on risk management. E&Y recently published their perspective on risk management. They surveyed over 500 companies around the globe, almost 80% of which have over $1 billion in revenue, and the sample represents a variety of industries. You can find the report here.
Only 1% of those surveyed said they would be spending less on risk management in the next 12 to 24 months, which clearly makes sense given recent events; however, putting this in context of overall corporate revenue declines suggests that risk management will emerge from the recent downturn with a large share of the overall spending pie.
E&Y zeroed in on the complexity of risk management at most organizations:
“Over the past few decades, the number of risk management functions has grown to the point where most large companies have seven or more separate risk functions — not counting their independent financial auditor. This has created inefficiencies and resulted in a degree of fatigue on the business.
As the number of risk functions increases, coordination becomes more difficult and often results in coverage gaps and overlapping responsibilities. The demands and various reporting requirements placed on the business by these risk functions can become significant and burdensome. The number of risk functions and the various communications from these functions can be a challenge for executives and the board of directors to manage and understand.”
In fact, over 90% of those surveyed indicated that there is overlapping coverage in two or more risk functions. Now, redundancy isn’t always a bad idea, but my guess is that a substantial portion of the overlapping coverage is the result of inefficient processes and technology infrastructure. The argument for efficiency addresses not just the business fatigue that multiple risk management functions create but also the huge infrastructure cost of supporting multiple platforms and processes. Interestingly, 61% said that they planned to commit no additional resources to augment their capabilities, which means that incremental spending will have to come from savings, which by our measure can amount to millions of dollars per year. Please contact us if you’re interested in exploring those savings at your organization.
This weekend the president-elect Barack Obama was interviewed by Tom Brokaw on Meet the Press. The interview covered a wide variety of topics, but one caught my eye as it impacts the risk management business moving forward.
On the subject of regulation in the financial services industry, Obama was very clear:
“And so, as part of our economic recovery package, what you will see coming out of my administration right at the center is a strong set of new financial regulations in which banks, ratings agencies, mortgage brokers, a whole bunch of folks start having to be much more accountable and behave much more responsibly because we can’t put ourselves–we, we can’t create the kind of systemic risks that we’re creating right now, particularly because everything is so interdependent. We’ve got to have transparency, openness, fair dealing in our financial markets. And that’s an area where I think, over the last eight years, we’ve fallen short.”
So, what does this mean for the risk management business? Well, there are two key points about what Obama said. First, he mentions accountability. The question is: accountable for what? My guess is that the accountability he’s talking about is that, for instance, rating agencies have to be accountable for the ratings they issue, banks will have to be accountable for describing accurately, and completely, the securities they are selling, etc. Second, he mentions transparency and openness. Clearly, banks are going to have to provide more transparency around reporting on risk in their business. And with more stringent reporting requirements will come greater emphasis on internal reporting on internal controls and risk exposure. Steve Adler of IBM blogged about this 10 months ago. It won’t be another 10 months for stricter regulation to materialize; the question is how will the industry respond?
OpenPages will be hosting a webcast with Compliance Week titled, “The Future of Compliance” in which featured speaker Chris McClean of Forrester Research, Inc. will discuss how as regulatory pressures continue to mount from new regulations such as the Dodd-Frank Act, businesses need to adopt a comprehensive and risk-based view of the organization’s regulatory responsibilities and provide early exposure to potential compliance gaps.
If you’re in or work with the financial services industry, you probably know about the late December holiday "gift" from the U.S. Federal Reserve – proposed rules implementing provisions of the Dodd-Frank Act which could have a profound effect on how boards and managements deal with risk. In any event, you’ll want to keep in mind that the Fed is accepting comments only for the next month – until March 31.
The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, single-counter-party credit limits, debt-to-equity limits, and early remediation. They apply generally to bank holding companies with consolidated assets of $50 billion or more, as well as non-bank firms designated as systemically important. But some of the rules – those for stress testing, and requiring board level risk committees and related risk management activities – also apply to smaller public firms with consolidated assets of $10 billion. Obviously, reading the fine print is important for all who may be subject to these proposals.
The risk committee is required to "document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations." The committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors. Further, its members are expected to understand risk-management principles and practices relevant to the company, with specified experience in risk management. And there are rules for a committee charter, meetings, and documentation.
The committee’s responsibilities include reviewing and approving an appropriate risk-management framework commensurate with the company's size and other factors. The framework’s scope is outlined, including requirements for risk limits appropriate to each line of business, policies and procedures for risk-management practices, processes for identifying and reporting risks, monitoring compliance with risk limits and procedures, and specification of management's authority and independence to carry out risk-management responsibilities. Additionally, the larger covered companies will need to appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee, with the rules specifying responsibilities and qualifications for the CRO and reporting relationships.
If not already under way, now is the time to analyze the proposal and its implication, and let the Fed know what changes are needed. If interested, you might want to tune into the upcoming IBM OpenPages webinar where I’ll be discussing the proposed rules, their implications and the challenges they present – March 8, 2:00 pm Eastern Time.
The Institute of Internal Auditors 2009 General Audit Management Conference is coming up and should be quite timely given the evolving role that Audit is playing in providing an independent assessment of enterprise risk and governance. The conference has some intriguing sessions including:
As you can see, internal audit has evolved from its traditional role of record examination and identification of policy violations to a more modern, consultative approach aimed at risk mitigation. As part of this evolutionary process, internal auditors have also focused more of their efforts on the risk assessment process and a top-down approach to audit scoping.
One of the key roadblocks to an integrated approach was the sheer complexity of data gathering and management. In the past, it represented a tremendous amount of effort for internal audit to collect relevant information and to govern access to that information securely. A centralized technology platform for identifying, assessing and monitoring risk and controls presents a unique and unprecedented opportunity to help the business focus on making risk decisions based on management’s risk appetite and tolerances. This common framework and process can make the business more predictable in meeting financial and management objectives and can help managers anticipate major risk and control problems of the future.
As a partner with the business in managing risk, internal audit should be a driving factor in evaluating technological and process-based changes and evolving the organization’s risk management practices.
If you’re planning on attending IIA GAM March 16-18 in Washington, DC please visit the OpenPages booth. And don’t forget to enter the raffle for a Flip handheld video recorder. Or, to learn more download our informative white paper, Internal Audit and its Evolving Role in ERM.
A recent industry survey by PTC shows that the highest cost of product compliance failures is not always fines and legal fees, but delayed time to market and product shipments. This is particularly true in manufacturing where restricted substance-based product recalls have cost manufacturers and consumer product companies millions in lost revenue due to compliance failures or supply chain disruptions.
Of course implementing a compliance program has its costs as well. As our recent white paper “The High Cost of Non-Compliance” authored by Rick Steinberg points out, an OCEG Benchmarking Study shows the cost of Sarbanes-Oxley compliance alone averaging:
$4 million for companies with $5 billion revenue
$10 million for companies with $10 billion and more in revenue, and
for companies with more than $1 billion revenue, compliance costs equaled 190 full time equivalent employees.
So, while the cost of implementing a compliance program may seem high, it’s clear that not putting an effective compliance program in place can be significantly more expensive.
The white paper points out several key ways companies have succeeded not only in reducing compliance costs, but also enhancing efficiency and gaining real business benefits:
Built into Business Processes
A Program Founded on Ethics and Integrity
A Risk-Based Approach and Clarity Around Responsibilities
Okay, this is difficult for me – to think that I might have actually made a mistake! Those of you who know me well realize that I seldom if ever make such a statement. For example, there have been instances when speaking at conferences a participant suggests that a statement I’ve made might not have been entirely accurate, and my response is not “oops, I made a mistake,” but rather “I might have misspoken”!
Relevant to these self-observations is that years ago in advising clients and otherwise communicating with the business community, I believed that while it was challenging to implement enterprise risk management effectively, it could be done without use of advanced technology. Well, my thinking has evolved as to the need for an effective software solution. It’s true that in mid-size companies (I generally don’t work with smaller organizations) that were centralized with few levels of management I saw opportunities for enterprise risk management to work successfully with protocols that didn’t necessarily require use of specialized software. Effectively addressing risk factors in each operating and staff unit at every management level, with highly effective information sharing and communication, made ERM workable.
But over time I’ve come to recognize that the above scenario is extraordinarily rare or non-existent in companies of any decent size. With increasingly challenging economic, regulatory and competitive environments, fewer personnel stretched thin, and channels and markets rapidly changing, the need for effective software becomes essential. Otherwise, the ability to capture all significant risks related to business objectives and related mitigating actions and control activities becomes difficult if not impossible. And coupled with a need to track assignment of responsibility to specific personnel and manage accountability – along with effective communication across organization layers and business units – specialized technology becomes that much more important. And when we superimpose a need for senior managers to readily obtain relevant risk-related analyses with dashboards with drill-down capability, then it’s a no-brainer that the right software solution is essential.
Well, maybe things were simpler in the “old days,” and it’s only time and circumstances that have changed, rather than my sense of what’s required for effective ERM implementation. I hope you’ll let me leave it at that!
I’ve been having conversations with customers and prospects about the value of an integrated risk management platform. (You can substitute ‘GRC’ for ‘integrated risk management’ if you’ve been reading any analyst covering the space recently.) There are lots of value drivers, but to date most CIOs haven’t embraced the logic yet and are opting instead to buy for very specific solution areas. There are some exceptions, and on Friday I had a conversation with one of those exceptions, and he made a compelling case for why an IT organization should work with the business on an integrated control environment.
The specific case this customer made was around the need to manage the General Computing Controls associated with Sarbanes-Oxley. The finance side of the company had been the buyer of their SOX solution, and they, of course, look at the world through accounts and processes. Their SOX solution was configured accordingly, and all of their controls roll up to processes associated with accounts. Unfortunately, the IT organization doesn’t look at the world that way, and, according to this customer, “There’s nowhere in this model to stick the IT controls in a rational way.” The IT organization would much rather organize the GCCs by ISO 17799 or some other framework and associate each control to the appropriate risk in the finance model. In this way, the IT organization can leverage a control management structure already in place, without duplicating any effort.
This is the most basic value proposition for an integrated risk management platform. And many companies are seeing big savings as the number of regulations they are trying to manage increases. Sure, you can probably manage SOX in a bunch of spreadsheets, but try adding a couple more regs and reporting and policy management, and you’re very quickly into the realm of a purpose-built solution. The interesting problem is that the cost of siloed solutions doesn’t fall fully in the office of the CIO. If it did, we would have many more CIO converts.
On a daily basis, we’re out speaking with prospects, customers, analysts, press, and thought leaders in the GRC/ERM space. Over the course of the last year, we’ve heard many myths about risk management, and, over the course of the next couple weeks, we’ll address these myths. But we thought that we would give you a taste of what’s to come, so here is a list of the top 10 myths in risk management. Please feel free to add your own in the comments section. This list is certainly not exhaustive!
1. IT Risk Management = Information Security
2. CIOs Have Embraced GRC
3. A Rigid, Standardized Approach Is Best
4. You Can Only Manage Risk from the Center
5. You Can Manage Risk and Compliance in Spreadsheets
Many of our GRC members may not be familiar with TH!NK, Algorithmics, an IBM Company’s semi-annual magazine exploring the world of financial risk management. However, the June 2012 issue has something for everyone - and is centered on the perspective that to successfully identify and respond to the economic challenges of our times, we must seek a balance between learning from the past and developing the solutions of the future.
You will find in this issue articles that seek to explore this balance between past wisdoms and new possibilities, like our cover story “Back to the Future,” which revisits capital and its role in the bank of tomorrow. In our latest “In Conversation” piece, IBM’s Brenda Dietrich serves as our first IBM contributor to TH!NK, discussing how research and new data systems are changing the way we think about information. Other articles explore some of the most pressing topics in financial services, such as the interconnectivity of risk on the Buy Side or the very real trading benefits to a bank in establishing a CVA desk. As always, TH!NK seeks to build insight and linkages across seemingly disparate realms – such as social media and financial risk management, which as you will read, may not be so disconnected after all.
I encourage you to "flip through" this valuable resource - and please visit our Discussion Forum if anything in particular piques your interest!
Today we unveiled ten best practices to help companies prepare for a new era of risk and regulatory oversight. In the New Era of Risk Management, companies will seek to integrate risk management silos from across the business and squeeze out additional efficiencies. This integration will reduce costs through a consolidated technology infrastructure and shared processes and will provide better transparency into the interdependencies of risks in the business.
OpenPages is working closely with its customers as they make the transition to a risk-based approach to managing their business. The ten best practices represent immediate actions OpenPages customers are taking and serve as guidance for others to ensure that their organizations are prepared to face new risk and regulatory demands. Check them out here. We also recently published a paper on the New Era of Risk Management.
Let us know how your company is preparing for the new era.
It’s become clear that a risk-aware corporate culture is of critical importance to an organization. In the past year alone, there have been various examples in the news where a lack of risk-aware corporate culture has hurt companies, some beyond repair. Rick Steinberg, Founder and CEO of Steinberg Governance Advisors, Inc., recently joined OpenPages’ Gordon Burnes for a webinar discussion on how to develop a risk-aware culture, and the role technology can play in transforming an organization’s approach to enterprise risk management.
How does your organization promote a risk-aware culture?
If you’re involved in developing, enhancing or monitoring your company’s risk management activities, you probably know that “risk” and associated terms are used very differently by different people. This too often is the case throughout an organization, right up to the board level. Indeed, experience shows that senior managements and boards think they’re talking the same language, when they are not.
How often have you heard the terms “risk assessment,” “risk management,” and “enterprise risk management” used almost interchangeably? If your experience is anything like mine, it happens all the time. My sense is that busy executives and directors understand the basic concept of risk and don’t take the time to get into what are perceived to be details in terminology. The resulting problem, however, is that we talk at cross purposes and misunderstandings abound. Risk related professionals know well that a risk assessment is a point-in-time snapshot of risks in an organization, risk management includes a number of activities in identifying, analyzing and managing risk, and enterprise risk management raises the bar to a still higher level.
A fundamental issue is that too often top managements and boards believe their organizations have in place effective enterprise risk management processes when in fact they don’t. They know the words, and truly believe they deal with risk as well as any organization. They believe their senior management team focuses on risk and drives risk management throughout the organization. And what we’ve often found is that they are wrong.
It is not a simple task to change the minds of high powered CEOs and directors. And one wonders whether it’s worth one’s political capital to push this issue. But this is so important a matter that to know there’s misunderstanding and allow it to continue is dangerous – for top management, the board, the company, and all of its people.
PwC surveyed the chief audit executives (CAEs) of Fortune 250 companies about trends likely to affect internal auditors over the next five years and what they expect internal audit to look like in 2012. Titled “Internal Audit 2012”, the study lists “ten imperatives” that provide the foundation for a high performance internal audit function in the years ahead including:
“Take an integrated approach to IT audit, one designed to strengthen IT capabilities. IT audit strategies need to lay the groundwork for integrating IT audit expertise within audit teams. An IT audit plan should center on an annual IT risk assessment, reflecting a clear linkage between IT risk assessments and IT audit planning. In addition, it should address risks within individual business processes and provide for continuous enhancement of IT audit capabilities. It’s also important for the plan to be clearly articulated, formally documented, and well aligned with organizational IT strategies and objectives.”
One of the key roadblocks to an integrated approach to IT audit is the sheer complexity of data gathering and management. In the past, it represented a tremendous amount of effort for internal audit to collect relevant information and to govern access to that information securely. A centralized technology platform for identifying, assessing and monitoring risk and controls presents a unique and unprecedented opportunity to help the business focus on making risk decisions based on management’s risk appetite and tolerances.
This common framework and process can make the business more predictable in meeting IT, financial and management objectives and can help managers anticipate major risk and control problems of the future. As a partner with IT and the business in managing risk, internal audit should be a driving factor in evaluating technological and process-based changes and evolving the organization’s risk management practices.
There’s been a good deal of discussion recently about organizational location and reporting lines for a company’s compliance function. Some are stand alone, though many are embedded within the legal department, with concern of legal privilege among the considerations. Some report to the CEO, though for many others the reporting line is to another senior executive. And to further complicate matters, some compliance functions also have responsibility for ethics, with some being asked to take on even greater responsibility.
Certainly there are pros and cons to each organizational structure. What I’d like to focus on here is the critical relevance of a few key factors. One is to be sure a chief compliance officer, wherever he or she appears on the company organization chart, has the ability to bring relevant information directly to the chief executive and where necessary the board of directors. Depending on the nature of identified non-compliance events or associated risks, such access is essential. Also relevant are the recent amendments to the U.S. Sentencing Guidelines, which call for the compliance officer to report regularly to upper management and the board of directors or audit committee.
Another key factor is clarity around the compliance office’s scope of responsibility. Is it responsible for establishing a process for effecting compliance with all relevant laws and regulations to which the company is subject? That’s a good start. Does the scope include compliance with internal policies? That’s typically the case as well, and makes sense. But do the CEO and board think the compliance office can possibly ensure compliance? You and I know it can’t – the compliance function needs to focus on process and protocols, with direct responsibility for effecting compliance resting with line and staff unit leadership. Clarity around responsibility is essential. Amazingly, some company boards are looking to the compliance function to also take on responsibility for enterprise risk management! Fortunately chief compliance officers have fought the attempt, for good reason.
And another factor is the compliance function’s relationships with the legal and ethics functions, if separate. Certainly compliance processes must adequately reflect the legal and regulatory realities, and we know there often is a fine line between – and sometimes a forerunner or impetus for – unethical behavior crossing over to illegality. So clearly there must be close coordination to ensure information flows, policies, procedures and reporting mechanisms are in sync.
Of course each company needs to determine organization, reporting and responsibility for compliance to fit its own culture, management style and personnel. Getting this right will serve your organization well.