At the recent OpenPages User Symposium (OPUS) 2010 held in Boston, Chris Haines, Vice President, Operational Risk Management Group at American Express, presented a very informative and well-attended session on how American Express has effectively leveraged the OpenPages technology in its efforts to converge risk management disciplines and best practices across the enterprise. In his session, Chris described how the Operational Risk Model employed by American Express gives management greater visibility into risk and empowers management to make strategic business decisions based on a broader understanding of its risk profile.
I caught up with Chris after his presentation and discussed his experience at OPUS as well as how American Express utilizes the OpenPages technology to create an integrated and converged risk and compliance management program that can streamline and improve its risk management processes.
Mark your calendars! OPUS 2011 will be hosted at the Renaissance Boston Waterfront Hotel, May 17-19, 2011. We’re developing an extensive lineup of speakers and domain experts based on your feedback and look forward to seeing you. A lot has changed since we last met and the world of risk management has evolved dramatically.
Risk managers are faced with growing complexity, the result of globalization, increased regulatory requirements and shareholder scrutiny. Regulators around the world will likely be enacting stronger regulation and pursuing a stricter line of regulatory oversight with regard to risk management. Building out a risk information architecture to support this new focus on risk management, one that will deliver on the promise of risk management – better business performance – is precisely the challenge we face.
There has never been a better time to share experiences with peers and discuss risk management best practices with industry experts. Early-bird registration is available now at: http://www.openpages.com/opus
Chief audit executives do a lot of things really well, adding value to the companies they serve. What is especially interesting is how well many, especially CAEs of larger companies, gain information and insight through networking. Many are involved with their peers in industry or geographically based discussion groups, sharing through blogs, conferences, and internet-based information exchanges. And of course there’s still the opportunity to communicate via email or text or pick up the phone to talk with a valued colleague.
I’m a member of one internet-based group – though I tend to read rather than write – and am struck by several themes that are the subject of intense discussion and debate. Among them is the extent to which internal audit can and should become more actively involved in their company’s “governance” activities, however the term is defined. There’s an emerging consensus that yes, they should, and with their insights and skill sets they can add significant value, with an eye toward moving up the organization scale from process to senior management’s and the board’s activities. Another topic is the transition from providing risk and assurance to performing more consultative services. The debate is heated, recognizing that IIA Standards speak to and enable both, with strong views expressed regarding the opportunities to add value while keeping in mind the need to maintain independence and objectivity. A related subject under discussion involves opportunities for internal audit personnel to move within their companies to other staff or operating units, into any number of management positions. There’s recognition of the benefits to the internal audit function’s recruiting and development and ability to add value, though caveats are expressed and concerns exist regarding retaining objectivity.
Relevant is the IIA Research Foundation’s 2010 Common Body of Knowledge Global Internal Audit Survey, called the “most comprehensive global study conducted on the practice of internal auditing.” Of particular interest is where practitioners focus attention now versus where they see internal audit five years from now. The study shows that while current attention is centered on operation and compliance audits, auditing financial risks, fraud investigations and internal control evaluations, the focus will shift. Going forward internal audit is expected to be looking more closely at corporate governance, enterprise risk management, linkage of strategy and corporate performance, ethics, migration to IFRS, social and sustainability issues, and disaster recovery testing and support. Other topics are mentioned, so readers might want to take a look at the report.
I marvel at the internal auditor networks, where practitioners are benefiting from the exchange of information and thought. If you’re not already involved in one, you might consider looking into how you can do so.
Financial services firms, pharmaceutical companies and other heavily regulated organizations have long devoted significant resources to a compliance office, typically with a chief compliance officer and strong support staff. Multinationals have embedded part of the compliance function locally, typically with reporting to both the central compliance office and local management. But companies not facing heavy regulation, even large ones, have struggled in deciding whether a full time compliance office is needed.
Well, now there are clear indications that a full-time role is becoming more common. Compliance Week recently reported on two studies saying just that. One is from the Open Compliance and Ethics Group (OCEG), whose survey shows that 75% of the 365 respondents have a chief ethics and compliance officer or similar title with “top-level oversight of compliance.” And 40% said the compliance chief has no other role in their company; for companies with over $1 billion in revenue, the number is 55%. Where the title is shared, it’s with the company’s legal department 23% of the time. The other survey was conducted by the Society of Corporate Compliance & Ethics, showing that of 560 respondents, 97% have a designated compliance or ethics officer, with 36% having no other title. Of those with another role in the company, 20% share responsibilities in the legal department. As with the OCEG study, other shared roles range from the chief audit executive, CFO, and head of human resources, among others.
Also telling about the relative importance of the compliance officer role are the reporting relationships. The SCCE study, for instance, shows the chief compliance officer reporting directly to the CEO in 55% of the organizations. And the compliance officer provides reports to the board of directors or a board committee both in writing and face-to-face in 80% of the companies. And with a more senior role comes higher pay. The OCEG study shows the most common level of compensation (36%) is between $150,000 and $250,000, with 20% reporting pay at $350,000 and above, not counting bonuses, stock options or other forms of pay. As we might expect, pay in larger companies is at the higher end, with companies with more than $1 billion in revenue showing 23% with total compensation at the $450,000 level or higher.
Certainly, if you’re directly or tangentially involved with compliance, these numbers probably aren’t surprising. With the regulatory spotlight shining brightly and companies struggling to keep costs from soaring out of control and to enhance compliance program effectiveness, companies are looking to strengthen the role of their chief compliance officer.
My last posting spoke to one of COSO’s two recently issued guidance reports on enterprise risk management. The first provides approaches for getting started on an ERM initiative, and while it’s based on good intentions and provides useful information, especially to smaller companies, in Olympic games terms with only two entrants, that report gets the silver. The second report, Developing Key Risk Indicators to Strengthen Enterprise Risk Management – How Key Risk Indicators Can Sharpen Focus on Emerging Risk wins the gold – by a good margin.
COSO’s ERM report’s Application Techniques volume touches on the topic of key risk indicators, the use of which was not commonplace at the time. Since then, alongside key performance indicators, which focus primarily on past performance, more organizations have incorporated forward-looking key risk indicators into their ERM processes, further enhancing risk management effectiveness. This new report does a good job of explaining KRIs and how they can be of benefit. A couple of simple examples include:
For customer credit, where a common KPI includes data about customer delinquencies and write-offs, KRIs are developed to help anticipate future collection issues, focusing for example on analysis of reported financial results of a company’s 25 largest customers or general collection challenges throughout the industry to see what trends might be emerging among customers that could potentially signal challenges related to collection efforts going forward.
Management of a chain of family-style restaurants sought to avoid a negative earnings event that could arise with unexpected market conditions. Recognizing that restaurant traffic is directly affected by customers’ discretionary income – where as discretionary income levels fall off, customers are less likely to dine out – management establishes as a KRI average gasoline prices people pay at the pump. This is based on the premise that when gasoline prices rise, discretionary income for individuals and families representing their core customer base decreases, and customer traffic begins to drop.
As such, KRIs enable management to take quicker action in dealing with the risks. In the latter example, management is positioned to adjust marketing and promotion events to reduce the impact of the risk.
The report explains how KRIs are most effective when closest to the ultimate root cause of the risk event, providing more time for management to act proactively. And multiple KRIs can provide still more relevant information, keeping in mind that a close relationship between the KRI and the risk, and accuracy of the information used, are both critical. Another benefit is the ability to readily track trend lines with dashboards or exception reports, quickly and easily communicating where action may be needed.
With KRIs continuing to gain recognition as important elements of enterprise risk management, this COSO report provides readily usable information and is definitely worth the read.
Two recent events involving hurricanes provide insight into what risk management is about. Many of us who live on the east coast of the U.S. know all too well the damage wrought by Irene. And many in Florida are dealing with damage to the University of Miami “Hurricanes” football team.
Let’s begin with Miami, where student athletes are said to have taken gifts from a fan – against NCAA rules. The University has already suspended a number of players. But what could be coming is worse, when the NCAA completes its investigation and decides on such sanctions as loss of scholarships, ability to play in bowl games, and the like. The impact on the football team and indeed the University are seen by some as potentially devastating. Miami’s President seems to be taking an appropriate course in saying the University will take action to be sure this kind of thing doesn’t happen again. Kind of sounds like what many senior business executives say when they suffer a major mistake. But, wait a minute – haven’t many, many other university football programs suffered the same kind of misconduct and paid a very high price? Since the answer is a resounding “yes,” then why wouldn’t a university like Miami, which treasures its football program, have long ago recognized the risks and taken action to prevent, or early on detect, any such kind of misconduct?
As for Hurricane Irene, let’s take a look at the plight of homeowners. Certainly those residing in the Carolinas know well the paths of past hurricanes. And while the Northeast has fewer, it is by no means unfamiliar with hurricanes, nor’easters, and the like. Whether or not they’re in some level of denial, people residing in flood zones aren’t ignorant of the risks, and others are aware of the possibility of wind damage, loss of power and the like. Certainly storms can’t be prevented, but their impact can be mitigated, through storm shutters or plywood boards, generators, and insurance coverage, among other actions. Yes there’s a cost-benefit relationship, but the other side is the cost of being emotionally and financially devastated. Yes, as we see the news coverage our hearts go out to those who have suffered, and we recognize that some simply can’t afford even basic protections. But we can wonder whether sufficient advance thought was given to managing the risks.
A key learning point from this is that risk management can be viewed as having several “tiers”: identifying what has not yet occurred but could occur, seeing what has happened to others, and knowing what harm has already hit home. The last two tiers are by far the easiest to recognize and analyze in terms of potential impact, while the first takes more thought and analysis though still cannot be ignored. In the cases of Irene and Miami, these events clearly have occurred previously, and the inherent risks were well known and needed to be managed. The same holds true for businesses looking to survive and prosper in a dangerous economic and competitive environment. It’s well known that supply chains can be interrupted, product quality compromised, IT systems hacked, and company personnel can do bad things. In all likelihood, risks have materialized in one’s own company or at a competitor, and are well known and can be managed cost-effectively. It takes identification and analysis, along with the right tools and technology to ensure appropriate attention, accountability and communication – all critical to making better business decisions.
My sense is that as a reader of this blog, you already have a good handle on what’s involved here. But hopefully it will prove useful if you’re striving to influence and convince others in your organizations of what risk management is about, and why it needs to be taken seriously.
Unless you’ve escaped to a remote island with no communication capability, you know about the serious issues facing banks and mortgage generators and service companies surrounding the foreclosure fiasco. For background, you might want to refer back to my October 15 blog which outlines some of the problems stemming from shortcomings in risk management and related internal control.
Well, the lawsuits have begun, with tens of billions of dollars at stake. State courts already have issued rulings, with the Supreme Judicial Court of Massachusetts, the State’s highest court, deciding that two major banks didn’t have the appropriate documentation when they foreclosed, and returned the properties to the borrowers. New York State’s chief judge, noting “it’s such an uneven playing field [where] banks wind up with the property and the homeowner winds up over the cliff [not serving] anyone’s interest, including the banks,” set forth procedures to ensure all homeowners facing foreclosure have legal representation. The impact in human terms is illustrated by recent reports of how two large banks took action against active servicemen and overcharged 4000 service personnel, reportedly failing to follow the Servicemembers’ Civil Relief Act that allows mortgage rate reductions and outlaws foreclosures. More lawsuits are on the way, led by a former prosecutor driving a class action.
Not only might other states become more proactive, but no less than three federal government agencies have begun investigations – the Department of Justice’s Executive Office for U.S. Trustees, the Federal Housing Administration, and the Federal Reserve. And none of this has been lost on a coalition of all 50 state attorneys general, which recently presented the five largest banks with a set of game-changing demands. Reports say these include prohibition against beginning foreclosure proceedings while a borrower is actively seeking loan modification, a requirement that a borrower making three payments under a temporary loan modification agreement be granted a permanent modification, modification turn-down subject to automatic review by an ombudsman or independent review panel, compensation programs that reward employees for pursuing loan modification rather than foreclosure, curtailing of late fees, and where banks engage in misconduct borrowers would be compensated by a pre-established fund and mortgage balances would be subject to reduction. While some analysts say these changes would drag out the foreclosure process and delay stabilization of the housing market, this attorneys general plan is reportedly supported by the newly formed Consumer Financial Protection Bureau, along with the Departments of Treasury, Justice, and Housing and Urban Development, and the Federal Trade Commission.
We continue to wonder how major banks dealt with the basics of risk identification and analysis – the risk that reliable documents would be needed in the foreclosure process – and establishing control activities to ensure document processing was accurate and complete, with files intact and readily accessible when needed, and accountability in carrying out control procedures. And we can wonder about due diligence in selecting and using outsourcing firms.
Does risk management and related internal control matter? Unfortunately, learning too late may cost financial institutions billions of dollars.
We know the banks and related mortgage service organizations have been under fire for their role in the financial system’s near meltdown and ensuing foreclosure fiasco. JPMorgan Chase’s CEO Jamie Dimon reportedly owned up to taking some responsibility, saying “Some of the mistakes were egregious, and they’re embarrassing . . . but we made a mistake, and we’re going to pay for that mistake.” The 50 state attorneys general and the SEC, among others, are pushing for changes in how the banks and servicers operate, and there’s little doubt changes are coming.
In the interim, a report emanating from investigations by the Office of the Comptroller of the Currency, Federal Reserve Board, Office of Thrift Supervision, and Federal Deposit Insurance Corporation is expected to form a basis for a settlement where the financial institutions would make fundamental changes in operations and controls. The banks and other servicers would, for instance, have to:
Set up a single contact point within the organization, enabling homeowners to avoid what’s often a maze of different departments
Take steps to ensure there will be no action to foreclose while borrowers are pursuing loan modifications
Improve training of staff handling foreclosures
Establish more layers of management oversight over the process
Engage an independent consultant to review foreclosures over the past two years, and compensate homeowners who were treated improperly.
One wonders why adequate business process design and basics of internal control weren’t in place long ago, even though the volume of foreclosures wasn’t anticipated. The sloppiness has caused tremendous problems for both the banks and servicers on the one hand and their customers on the other – and executives should know by now that if a large swath of consumers is damaged, then laws and regulations will surely follow.
This of course is not the end for the banks and servicers – not by a long shot. They still need to deal with the state attorneys general and other regulators, and we can expect more required changes to be forthcoming, along with large financial payments for past misdeeds. Oh, if only the risks had been identified earlier and better managed, with appropriately designed business processes, and basic and supervisory controls and compliance in place.
With over $400b in assets under management and 57,000 employees in 38 countries, Old Mutual is a Fortune 500 company (#225) with an operational footprint that spans all 7 continents. Now based in London and listed on the FTSE100, Old Mutual was founded in South Africa in 1845 as the 166-member Mutual Life Association of Cape of Good Hope.
While steeped in history and tradition, Old Mutual has a progressive approach to risk management which includes a ‘risk governance framework’ based on a ‘three lines of defense’ model:
functions owning and managing risk
functions overseeing the management of risk; and
functions providing independent assurance.
Old Mutual recently adopted OpenPages Operational Risk Management (ORM) to improve its enterprise-wide risk management efforts. OpenPages ORM is being used by numerous global organizations like Old Mutual to manage risk through self-assessments, end-user surveys, automated workflow and executive dashboards that provide management with the visibility, control and decision support required to understand and manage risks throughout the organization.
It’s well known that a company’s tone at the top is critically important in determining its culture, including whether or not it will act with integrity and ethical values – fundamental elements of effective internal control and risk management. And we know it’s not only the words spoken at the top, but also the CEO’s actions that drive culture. What brings this to mind is the recent conviction of the CEO of fraud detection firm Fraud Discovery Institute. While a conviction of the head of this type of firm might appear unusual though not particularly noteworthy, what’s truly compelling about this news is that the CEO is none other than Barry Minkow.
If you were following internal control, risk management and fraud back in the late 1980’s, you’ll likely remember the well-publicized fraud carried out by Minkow when he led ZZZZ Best Co. Reportedly he started the business at age 16, and took it public with the value exceeding over $200 million. But it turns out he cooked the books and falsified documents to support the fraudulent financial statements. Having been found out, he was convicted and sentenced to a 25-year prison term, ultimately serving a bit more than seven. After leaving prison, he started Fraud Discovery Institute in San Diego to uncover corporate fraud for clients, and took on a role as pastor of a community church. Why would anyone hire his newly formed firm? Well, certainly Minkow could be termed an expert in how to commit fraud, and thus how to prevent it, and having paid his dues to society it’s understandable that he was given the benefit of the doubt in redemption and starting a new and productive life.
It would be nice if this story had a happy ending, but it turns out that in his new firm Minkow reverted to his old ways. Prosecutors claimed that Minkow “made false and misleading statements about Miami homebuilder Lennar Corp.’s financial condition to drive down the company’s share price [and] abused his relationship with federal law enforcement agents to get non-public information about Lennar and traded on that information.” And the 45-year-old Minkow was sentenced in federal court to a five-year prison term.
One could say that “once a crook, always a crook,” but that would be unfair. People do bad things and then turn to the straight and narrow, and have done good deeds in their lives. Nonetheless, when it comes to leading a business, it’s not three strikes and you’re out, but two, or more likely one. The tone at the top and actions of a CEO are too important to trust to anyone with anything other than a background not only of skill and performance, but also acting with integrity and ethical values.
Some months ago I came across an article co-authored by a colleague of mine on enterprise risk management. It’s aimed at boards of directors, providing needed insight into difficulties companies have experienced implementing ERM, and puts forth principles for its effective use.
What I found particularly interesting is reference to principles outlined by “legendary management thinker” Peter F. Drucker, and the authors’ description of how those principles can be applied to ERM:
There’s no indication in the article that Peter Drucker ever spoke to ERM specifically, and to my knowledge he never did (if any readers know otherwise, please let us know). I had the great pleasure of knowing and spending some quality time with Mr. Drucker when after my stint at the Wharton School I was doing graduate work at NYU Graduate School of Business where I was fortunate to have him as a professor in an advanced management seminar. It was evident to me even then, as a still wet-behind-the-ears student, that Peter Drucker indeed was someone extraordinarily special. He had an amazing ability to identify and articulate valuable truths about business, which while obvious after he spoke them, were previously hidden from everyone else’s view.
With that said, I’d like to take the liberty of guessing what Peter Drucker, if he were still with us, might put forth as simple truths about enterprise risk management:
Forget “risk assessments” – they have little to do with ERM
ERM must be embedded throughout the entirety of an enterprise
ERM isn’t done by a staff function – it must be incorporated into the soul of every manager in the company
It must encompass clear responsibilities and accountability, with open and rapid communication up and down the organization
And it needs to become an integral part of daily business, enhancing judgments and decision-making at every level – it’s not an add-on, but rather how business is conducted throughout the organization
Mr. Drucker, if somehow you’re listening, I hope you’re smiling at what you hear.
We had the opportunity to host a panel on operational risk at GARP this week in New York. The panel, “Using Operational Risk Management to Gain Competitive Edge”, included moderator Christopher Donohue, Managing Director, Research and Educational Programs, (GARP), and panelists Marcelo Cruz, Global Head of Operational Risk Management and Metrics, Morgan Stanley, Patrick McDermott, Senior Director, Enterprise Operational Risk, Freddie Mac, and Mairtin Brady, Head of Operational Risk Management, TIAA-CREF, as well as me, Gordon Burnes.
At the beginning of the panel, McDermott outlined the basic set of questions that operational risk managers have to answer:
- What can go wrong?
- How bad can it get?
- How likely is it to happen?
- What are we going to do about it?
This is a great way to frame the essence of an operational risk manager’s job, and those new to the discipline will do well to make sure that their program covers off on these fundamental questions.
This was an interesting panel in that each panelist represented a different perspective on managing operational risk programs. The starkest contrasts were between Cruz, representing the quants, and McDermott, representing the value and importance of qualitative information. Cruz took particular issue with scenario analysis but did acknowledge the limitations of models as expressed in confidence levels. It’s clear that there’s a wide range of practice in the industry on this topic, with some banks relying heavily on scenarios to model their capital, others relying more on internal data.
All panelists agreed that the operational risk function is in its ascendancy and is increasingly being brought to the table to weigh in on strategic matters, such as acquisitions or new product launches. One of the key takeaways was that operational risk information can help businesses better define their risk profile, allowing business managers to make better decisions about where to invest, and where to focus mitigation efforts.
Recently I’ve been communicating with a former COSO board member about a couple of terms in COSO ERM – specifically about “risk appetite” versus “risk tolerance.”
It’s interesting, as this board member was intimately involved in reviewing drafts of the ERM report as it was being developed and signed off on the final, and continues to be actively involved in discussions on the subject of risk management.
It becomes clear to me that anyone can easily fall into a trap, as follows. When a report, article, or other written document arrives in our hardcopy or electronic inbox, we take care in reading it, digesting it, and being sure we understand it. But over time, as we use the underlying terms and concepts, we begin to factor in our own thinking and judgments, and unintentionally modify their use.
In the case at hand, confusion arose about use of the term “risk appetite,” where it was being used at a lower level than appropriate – a level reserved for “risk tolerance.” To refresh memories, COSO ERM says “Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.” On the other hand, “Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.” It goes on to say “Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole.”
There’s more in the report making clear what each term means, but I don’t want to bore you. And the point here isn’t about these specific terms, but rather our being able to communicate effectively with business colleagues and partners. Okay, maybe I am a stickler for words, though I like to think there’s good reason we all should do our best to use terms precisely.
The sea of blue suits at the OpRisk North America conference being held in New York City this week provides a stark contrast to the cold rain falling in Times Square. The conference kicked off with a keynote address from Mitsutoshi Adachi, director and deputy division chief at the Bank of Japan. Mr. Adachi, who also serves as chair of the SIG Operational Risk Subgroup for the Basel Committee, noted that his travel plans had to be moved up a few days in order to account for the continued travel delays out of Japan.
His keynote highlighted a recent report published by the Basel Committee on Banking Supervision titled “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches” which found that “Operational risk capital for non-AMA banks is higher than for AMA banks, regardless of the exposure indicator used for scaling.” Mr. Adachi also noted in his address that AMA firms showed “only modest increases in losses during the financial crisis period.” Certainly not an unexpected result, but what was telling was his finding that for the period 2008 to 2009 (during the financial crisis), operational risk losses for all banks were “2 to 3 times fold” compared with the previous Basel Committee internal loss data collection period of 2005 – 2007. Mr. Adachi declined to field a question on which business lines contributed the most to the losses, per his obligation to keep such information confidential.
He concluded by saying that “the Basel Committee finds it even more important to engage with the industry” moving forward. Looking forward to the Plenary address “Reforming U.S. financial markets: reflections before and beyond Dodd-Frank.”
As you may know, the Dodd-Frank Act gave institutional investors and shareholder activists perhaps the item highest on their wish list – ready access to the proxy statement with the ability to name their own director nominees. And the SEC developed enabling rules to make it happen. Well, the U.S. Court of Appeals for the D.C. Circuit just pulled the rule out from under shareholders. If you’re a shareholder activist, you’re probably outraged, but if you’re a board member or member of the senior management team, you’re likely breathing a sigh of relief!
The suit was brought by the Business Roundtable and U.S. Chamber of Commerce, and many thought it didn’t have much chance of succeeding. But succeed it did. The court ruled the SEC “acted arbitrarily and capriciously” in failing to adequately consider the rule’s effect on “efficiency, competition and capital formation.” In its unanimous decision, the court added that the SEC “inconsistently and opportunistically framed the costs and benefits of the rule; failed adequately to quantify the certain costs or to explain why those costs could not be quantified; neglected to support its predictive judgments; contradicted itself; and failed to respond to substantial problems raised by commenters.”
And this isn’t the first time the Court shot down SEC rules – it’s happened several times in the last few years, also on the basis that the SEC didn’t properly assess the economic effects. So, where does the Commission go from here? Since this decision was issued by a panel of the Court, the SEC could ask the entire Court to review the case, or appeal to the U.S. Supreme Court. Or, it might want to conduct a more in-depth economic assessment of the rule to satisfy the Court, or come up with another rule. As the U.S. Chamber calls its victory “a big win for America’s job creators and investors,” the SEC is “reviewing the decision and considering our options.”
For what it’s worth, my view is that direct shareholder nominating of directors can be counterproductive. While seemingly supported by the concept of a democratic process, putting dissident or one-issue directors on the board, which might have occurred, would normally not serve a board, the company or its shareholders well. While the SEC’s rule seemed reasonable in terms of effecting the law’s mandate, perhaps the SEC can come up with something better.
Leading research and analysis provider Chartis Research recently released the 2009 RiskTech100™ report – a comprehensive study of the top technology firms active in the risk management market.
Based on assessment criteria including functionality, core technology, organizational strength, customer satisfaction, market presence and innovation, Chartis named OpenPages the Category Winner in Operational Risk and GRC solutions. This is a real testament to OpenPages’ commitment and success in delivering integrated risk management solutions, as Chartis surveyed hundreds of operational risk vendors.
The study included a survey which found that “66% of respondents expect to increase their risk technology expenditure by 10% or more in 2010” and that users are moving from a siloed approach toward an integrated risk management approach.
It should be news to no one that global companies today are struggling with an increased regulatory onslaught. And as we’ve seen with Dodd-Frank, it’s clear that we can expect continued landmark legislation globally to address the risk management failures of the financial crisis. Chris McClean of Forrester Research recently commented that there are nearly 200 regulatory changes still on the US federal agenda across finance, healthcare and consumer protection. Beyond congressional action, we’ve also seen current regulators cracking down under their existing mandates. The question that many OpenPages customers are addressing today is: how can organizations prioritize and cope with such a large number of regulatory changes, and how can they prepare for upcoming rulemaking? Many companies are turning to policy management software to establish regulatory change management, regulator interaction management and policy lifecycle management.
Policies establish the culture, values, ethics, and duties of the corporation. Organizations that take an ad hoc approach to managing and communicating policies face significant risk to their business. The key to effective compliance and policy management is having a formalized and efficient mechanism for communicating changes to regulations and managing the internal regulatory change process so the business can react quickly – particularly in these times, when the regulatory environment is complex and changing frequently. It is also important to manage the interactions, communication and internal work associated with external regulators, such as inquiries, submissions, filings, exams and audits. Today, this tends to be a very time-consuming, manual process for most companies.
To learn more about implementing an effective compliance and policy lifecycle management program, check out a recent webinar we conducted with Michael Rasmussen, president of Corporate Integrity LLC.
Last week we announced the availability of OpenPages version 6.0, which marks a major milestone in the evolution of the GRC market – from convergence to insight. It also represents the completion of the first phase of our technical integration with IBM. And, the new release will help prepare our customers for managing through regulatory change in the post-Dodd-Frank environment.
Several industry experts have had positive things to say about the news:
“But there is a significant gap between collecting data and actually making it usable. The release of version 6.0 of the OpenPages GRC platform, which IBM acquired last year, is a significant step forward in terms of closing that gap by tightening the integration between OpenPages and the business intelligence (BI) software from Cognos that IBM also acquired back in 2007.”
Industry Analyst Guillermo Kopp wrote a report on 6.0, which details the key benefits and opportunities for the combined solutions of OpenPages and IBM. With regard to integrated risk management he says:
“A centralized governance, risk, and compliance (GRC) platform will help large companies manage various risks across client, location, product, and service domains. For financial firms, integrating financial risk dimensions (e.g., credit, market) will augment the challenge substantially.”
6.0 was also featured as the top story in CMS Wire’s GRC Roll-up.
Fueled by a global audience that is desperately looking for disclosure in the wake of the economic crisis and mature digital computing technologies that make it more and more difficult to contain sensitive information, WikiLeaks has emerged as a viable new threat to data security.
Until now the United States government has been the central target of WikiLeaks attacks, however, with WikiLeaks founder Julian Assange’s recent claim to be ready to release corporate secrets in early 2011, organizations everywhere are faced with a looming risk management challenge that is not likely to dissipate anytime soon.
Experts agree, and Assange himself has suggested, that the information that will be leaked is more likely to consist of internal communications between executives and other employees rather than the personal data protected by privacy compliance laws. However, the threat of any kind of exposure means that corporations need to tighten data security and evaluate areas of potential vulnerability.
Unfortunately, WikiLeaks has highlighted a liability that persists across all corporations and government agencies that technology and compliance measures alone simply cannot contain: the human factor. The increasing number of compliance and regulatory mandates that have been put in place in recent years have not proven enough to combat the risk posed by employees leaking sensitive information.
A recent poll by Harris Interactive reports that only 9% of companies have adequate crisis protocols in place to protect themselves from a potential onslaught. In this period of uncertainty, with virtually all large enterprises under the WikiLeaks radar, it is vital that organizations devise an adaptable enterprise risk management strategy to identify and manage areas of weakness without sacrificing business performance.
Just as a sharp increase in regulatory compliance mandates has created a necessary shift in industry risk management tactics, so has WikiLeaks spawned the recognition of new vulnerabilities that face companies in the modern digital age. The organizations that are well prepared to assess and mitigate against untested threats, like the one posed by WikiLeaks, are those that combine deep domain expertise with powerful and flexible tools to analyze and weigh the probability and cost associated with any given challenge.
COSO recently released reports providing guidance in two areas related to risk management. One is Embracing Enterprise Risk Management – Practical Approaches for Getting Started, which suggests ways in which companies, especially smaller ones, can begin a risk management initiative with the objective of ultimately moving to an ERM process. It puts forth “keys to success” in terms of a number of “themes,” beginning with being sure to have support from the top. Theme 2 is building on incremental steps, which includes implementing key practices to gain immediate and tangible results. Theme 3 continues with focusing first on a small number of “top” risks, and theme 4 is leveraging existing resources by utilizing the capabilities of the chief audit executive, chief financial officer or other executive as a catalyst to begin the initiative.
The guidance continues with theme 5, building on existing risk management activities already being performed, for example, by internal audit, insurance or compliance functions, fraud protection/detection measures, or credit or treasury functions. Theme 6 involves embedding risk management into the fabric of the business, and concludes with theme 7’s continuing to update and educate senior management and the board on evolving ERM practices.
The guidance also provides seven “action steps” to support development of an ERM initiative: Seeking board and top management leadership, involvement and oversight; selecting a strong leader for the ERM initiative; establishing a risk committee or working group; conducting an enterprise wide risk assessment and developing a related action plan; inventorying existing risk management practices; developing a communication and reporting process; and developing the next phase of action plans and communication.
The report states that the suggested incremental step-by-step approach may be particularly useful to smaller companies and, importantly, that the suggested approach is only a starting point for moving to an enterprise risk management process. I believe the report is well meaning, looking to break down barriers and resistance to embarking on building an ERM process, and as such may be useful to companies considering taking a first step. But that’s all it is. It doesn’t provide guidance on how to design an ERM process, or how it can be effectively implemented throughout an organization. Yes, some of the “steps” are a start, but my concern is that, despite the warnings, companies going down this path will somehow believe they will have installed ERM in their organizations.
In Olympic games terms, with only two entrants, this report gets the silver. The second report on key risk indicators wins the gold – by a good margin. I’ll speak to that report in my next blog posting.
Many of our customers are in the process of rethinking their risk management programs. A key element of any program is the risk control self assessment (RCSA), and in many cases it provides the foundation for the overall program. The RCSA provides a baseline for risk exposure that drives further activity in key areas of risk for the business. Of course, as human judgement is involved, no company would rely solely on this single process for its exposure metrics. Many back test the RCSA process with actual loss events and validate management’s self-assessment of risk through an internal audit function.
The recent edition of Operational Risk and Regulation highlights the importance of the RCSA process at a large Japanese financial services company, Mizuho Financial Group, one of only two AMA-approved banks in Japan. The article notes that Mizuho Financial Group’s AMA model is largely driven by over 660 different scenarios, which, in turn, are based on the risk control self-assessment. One of Mizuho Financial Group’s subsidiaries, Mizuho Securities, is an OpenPages customer.
660 scenarios represent a lot of data to keep track of in spreadsheets, especially if you’re tying the scenarios to the RCSA process and ultimately want to back test the results with actual loss data. Only an integrated, automated approach makes sense, and we’re seeing more financial services institutions abandon their first-gen operational risk systems (and Excel!) as regulatory oversight heats up.
The subprime mortgage crisis has sparked a lot of discussion about risk management and, specifically, whether banks that suffered huge losses did so as a result of failures in the risk management function or in business management in general. The general business management failures occurred in situations where the risk management identified unacceptable risks but the business managers in charge of risk mitigation opted not to mitigate the risk(s).
This failure of exercising good business judgement in spite of warnings from the risk management function is exactly what the CEO at Freddie Mac, Richard F. Syron, is being criticized for in an article in today’s New York Times. Reporters Charles Duhigg and Eric Dash interviewed former executives and others associated with Freddie Mac, and their article paints a picture of an executive team, led by Syron, taking unacceptable risks despite the warnings from his Chief Risk Officer and others.
If senior management, in conjunction with the board, cannot be trusted to make the correct decisions about risk management, then there needs to be better transparency about the risks being assumed by the company, and shareholders can make their own decisions about whether to hold the stock or not. In this case, according to the article, “shoddier” underwriting standards exposed the company to too much risk, and Syron was warned of this situation. But did shareholders have a view into these changing underwriting standards?
Whether or not Freddie Mac could have avoided their recent meltdown given their market share and decline of the housing market is an open question. What is clear is that the risk/reward tradeoff was not managed well and that while shareholders had full visibility to the company’s earnings (the reward side of the equation), there is little doubt that the company did not provide similar transparency to the risk side of the equation. My guess is that increased regulation or shareholder demands will start to encourage better reporting of risks in the business, and not the kind of reporting you currently find in most 10-Ks.
A recent client discussion reminds me of an article I came across a few years back with important implications for dealing with risk – or rather a risk that materializes into a major problem. The article, “What Organizations Don’t Want To Know Can Hurt,” focuses on events surrounding the College Board when it learned of extensive errors scoring its SAT tests, and provides a good example of what not to do.
The company’s president reportedly said that finding the specific cause of the failure “did not really matter,” but rather what’s important is to ensure that improved controls catch future problems. His position was supported by the engagement leader of a consulting firm hired by the company, who said that dissecting past problems is not necessary either to ensure that the scoring system works better in the future or to ensure that there is a good safety net to catch errors. He goes on, “You can do both without knowing whether it was rain that made the papers wet, or whether someone spilled a cup of coffee…[and] if we tried to brainstorm everything that could go wrong, we’d be here for years – for a lifetime. But if controls are in place to identify problems, and rescore tests that were misscored, that’s what you’re really looking for.”
These statements are fascinating – that there’s no need either to look back at why something went wrong because it’s unnecessary, or to dig deeply into what could go wrong because it would take too long. It suggests that problems in test scoring – which would certainly seem to be central to the company’s credibility and indeed its sustainability – are okay as long as they ultimately are found and test results rescored. Simply “catching future problems” by “rescoring tests” means that the company is satisfied detecting major problems with scoring after they occur, rather than taking steps to prevent such problems in the first place. I wonder what users of SAT scores think about that!
If you’re smiling at this, you’ve got company. Clearly, looking neither backward nor forward is not a viable option. And doing one or the other also is not the answer. Rather, it’s necessary to do both. Only by getting behind what went so wrong can management feel comfortable that it understands what risks continue to exist, and only then is it positioned to look at what additional risks need to be the focus of its attention going forward.
It doesn’t take a genius to know that when a problem rears its ugly head, it is essential to find out why. The article talks about fields like aviation and medicine that conduct investigations to find out exactly what went wrong, to learn from often deadly mistakes and to improve processes and protocols. The National Transportation Safety Board does so focusing primarily not on casting blame but on making things better. Similarly, many hospitals hold mortality and morbidity conferences to analyze and learn from mistakes. Many businesses do that as well, learning from what went wrong. They don’t choose between learning from the past and working to make things better. They do both, with one supporting the other. And no, it doesn’t take “a lifetime” to find out what caused a major problem or to identify the source of the next potential disaster.
You’re a CEO, senior manager, or board member watching your once-great company brought to its knees. You imagine yourself on the deck of the Titanic, your world coming to an end—your once confident self embarrassed in front of colleagues, competitors, friends, family, and the larger communities in which you once thrived and were held in such high esteem.
This is the first sentence of a just-released book published by John Wiley & Sons. I got my hands on an advance copy, and it is compelling reading. It analyzes how – while facing different circumstances in different industries – common themes underlie why once-great companies have seen their fortunes sink, while others withstand economic turbulence and hazards to continue to grow and reap the rewards of success. But the book is not solely about how to avoid disaster. It highlights how having the right infrastructure enables an organization’s positive qualities to lead to success. This includes what’s needed to avoid the kinds of disasters that can befall any organization, but is also essential to identifying opportunities and being positioned to seize them for competitive advantage.
I don’t often recommend books to others, but this one is exceptional. It has a long title: Governance, Risk Management and Compliance – It Can’t Happen to Us: Avoiding Corporate Disaster While Driving Success. I believe the substance stands up to its claim that “unlike other books, this one is not aimed solely at senior managers or solely at members of boards of directors. It’s directed to both, with an added objective of providing insight into the interface between the two.”
You might be asking why Steinberg is spending so much space here touting this book – is it because the book is really that valuable, or does he have some ulterior motive? Well, okay, I’ll fess up – the answer is “both.” Yes, as you may have guessed, I wrote the book. And I apologize for withholding that important fact until now! But I do believe virtually any reader of this blog will greatly benefit from reading the book. And I’m pleased that I’m not the only one who thinks so. Here’s what some others, whose names you might recognize, are saying:
Rick Steinberg is a time-tested expert in this ever more essential field. His refreshing candor in assessing recent shortfalls makes this book a must-read for corporate leaders — Mark R. Fetting, Chairman and CEO, Legg Mason, Inc.
This outstanding book provides a critically important perspective on how risk management can only be truly achieved by aligning culture, strategy, compliance programs, and compensation. It should be must reading for any board member concerned with improving the management of risk — Jay Lorsch, Louis E. Kirstein Professor of Human Relations, Harvard Business School
A comprehensive and insightful examination of corporate governance. A must-read for those of us who are CEOs and serve on public boards — Randall L. Clark, Chairman and CEO, Dunn Tire LLC; former Chairman and CEO, Dunlop Tire North America
Attention directors and officers: Ignore this book at your own peril. Richard Steinberg has crafted a careful, thoughtful approach to managing risks, and it should be required reading for Corporate America — Scott S. Cohen, founder and former Editor and Publisher, Compliance Week
Richard Steinberg’s comprehensive and clearly written work will substantially benefit both new and experienced directors. It will help corporate boards recognize the challenging forces businesses face, as well as the techniques and standards available to intelligently monitor and supervise firms and their senior management. An easy and engaging read, this book should be on the bookshelf of every corporate director — William T. Allen, Director, NYU Pollack Center of Law & Business; former Chancellor, Court of Chancery of the State of Delaware
Richard Steinberg, a respected and time-proven governance hand, has written a most enjoyable and thought-provoking work—an excellent addition to anyone’s governance shelf! — Charles Elson, Edgar S. Woolard, Jr., Chair in Corporate Governance and Director of the Weinberg Center for Corporate Governance, University of Delaware
By the way, the IBM Open Pages people were kind to allow me to use a paper I wrote for them as the basis of one of the chapters. I hope you will consider reading the book, and I trust you will not be disappointed!
Even in the wake of sweeping deregulation of the energy industry, few companies face as much government oversight as utilities. Power generation and distribution companies are subject to a maze of regulatory oversight, including state agencies and federal agencies such as the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), the Environmental Protection Agency (EPA) and the Occupational Safety and Health Administration (OSHA).
As Managing Director of Corporate Compliance at Duke Energy, Tom Wiles knows firsthand the challenges of operating a business in a regulated industry. Duke Energy – a Fortune 500 company traded on the New York Stock Exchange – is one of the largest electric power companies in the United States, delivering energy to approximately 4 million U.S. customers.
In a Compliance Week Webinar titled “Proactive Ethics and Compliance Programs in a Regulated World”, Tom Wiles discusses how a “proactive partnering” and “risk-focused coverage” approach has delivered positive results for Duke. He states that in order to create an effective and efficient enterprise-wide ethics & compliance infrastructure, the Ethics and Compliance Manager needs to establish expectations, communicate expectations, monitor behavior, report results and provide continuous improvement.
If you’d like to learn the key steps your organization can follow to integrate disciplined ethics and compliance management into your business and hear about the value organizations are receiving from effective programs, check out this Webinar.
I work in the computer software business and experienced firsthand the dot-com bust of 2000. As VP of Corporate Strategy for a public software company, I was involved in M&A activities, strategic partnerships and large OEM deals with dot-com companies. I rode the wave of going from $15/share to $95 and back down to $5. I understand the difference between client/server, n-tier, and cloud computing, and the subtleties between ISV, OEM and VAR relationships (in this context VAR means “value added reseller” not “value at risk”). I know why the dot-com era was a façade and why the bubble eventually had to burst.
As I read accounts of what was happening during the subprime crisis, I struggled to understand key concepts such as CDS (credit default swap), CDO (collateralized debt obligation) and SPV (Special Purpose Vehicle). I blamed my inability to grasp what was really happening on my lack of experience with complex financial products: I wasn’t “in the business.”
After reading Tett’s book, I now realize that I wasn’t the only one who couldn’t figure out what was going on. “As the pace of innovations heated up,” Tett writes, “credit products were spinning off into a cyber-world that eventually even the financiers struggled to understand. The link between the final product and its underlying assets was becoming so complex that it appeared increasingly tenuous. . . . Most financiers lacked the cognitive skills to truly understand the connections in this new world.” Oh yes, and “even regulators seemed only vaguely aware of what the banks were really doing.”
I highly recommend reading Tett’s book. She is able to decipher Wall Street mumbo-jumbo in terms that a lay reader, or at least a determined lay reader, can understand. Tett provides a rich cast of characters and a storytelling device that helps make this book compelling fun to read. More importantly for risk managers, however, you will also gain a new appreciation for the significance of sound risk management for your organizations. There are lots of reasons why the crisis developed, for example greed, carelessness, and deceptive practices. But across the financial services industry, systemic weaknesses in risk management culture, discipline, and implementation of best practices added fuel to the flame.
In a subsequent blog I will summarize some of the key risk management lessons that Fool’s Gold uncovers.
Today we announced that Julian Parkin, Group Privacy Programme Director at Barclays will deliver the day two keynote address at OPUS 2010. In his address titled, “Supporting Risk Management Initiatives Across the Enterprise with OpenPages,” Julian will discuss how Barclays has leveraged OpenPages for its risk and compliance management initiatives across the globe including data privacy, operational risk and financial controls management.
“As a global financial services organization, Barclays has wide ranging requirements for managing risk and compliance activities across the enterprise and across the globe,” said Julian. “The OpenPages platform provides the integration layer for enterprise risk management, assessment, monitoring and reporting which delivers risk intelligence to business end-users and management. I look forward to discussing successful risk management approaches and how the OpenPages Platform can be leveraged to drive sustainable improvements.”
If you’re an OpenPages customer and would like to learn more from Julian and the extensive cast of industry experts and practitioners at OPUS 2010, register now by clicking here.
Lesson 3: You cannot afford to overlook or underestimate the correlation of risks.
There were two innovations that fueled the growth in the subprime mortgage market. The first was credit derivatives: in its simplest form, a credit derivative is a contract between two parties in which the seller agrees to compensate the buyer if a loan goes into default. The second innovation involved a process called securitization, which traditionally involved lenders selling their loans to an investment bank. The investment bank “bundled” the loans together and sold pieces of the bundle to pension funds and other investors. The original lenders, having offloaded their loans, could make new ones. The investors acquired a slice of the loan bundle and its interest income without having to go to the trouble of meeting and assessing the borrowers.
The innovation was securitizing not just loans but credit derivatives. It was first applied to corporate loans which tend to have very little correlation (correlation is the degree to which the defaults in any given basket of loans might be interconnected). But then it was carried over to mortgages and more importantly subprime mortgages. The financial services sector industrialized the procedure, and began selling securitized debt and derivatives on an extraordinary scale. The fatal mistake was not realizing that subprime mortgages were highly correlated, especially in an economy where interest rates were rising and housing prices were falling nationwide. Moreover, subprime mortgages had intrinsic flaws (such as issuing loans with escalating interest rates to homebuyers with dubious credit ratings) that inevitably resulted in extremely high default rates.
J.P. Morgan opted not to get into this market, a very smart expression of a cautious corporate risk culture that ultimately saved the company from the disasters others suffered. Fool’s Gold gives a great account of how Morgan risk managers struggled to understand how other banks could be making so much money and covering their risks at the same time. To their credit, they did not enter the market because they understood the risk and did not have a way to mitigate it.
Lesson 4: Do not think that models are anything more than a guide or a compass.
Models are useful but they have limits. They are essential for navigating in the world of modern finance, but they are not infallible, no matter how well crafted they are. Models are only as good as the data that is fed into them and the assumptions that underpin their mathematics. The key simplifying assumption on which the credit derivative models rested was that the future was likely to look like the recent past. New financial innovations have no way to be tested relative to their risk level except by means of computer simulations that use historical data. But there are no statistics that truly represent the environment surrounding the new instrument and, as a consequence, no one really fully knows what the risks associated with the instrument are. This is especially true of risks connected with the “correlation” factor. Hence, innovations can always have “surprises” connected with their usage. Remember that models are only tools and should not be used without human intelligence.
Lesson 5: Regulation is not a panacea.
As the crisis unfolded, there was a lot of blame placed on regulators and regulation. Although the Federal Reserve had the legal authority, they did not have the inclination to regulate the behavior by banks that led to the disaster. Alan Greenspan, head of the Fed, admitted that he had made a ‘mistake’ in believing that banks would do what was necessary to protect their shareholders and institutions. This “absence” of the oversight of the bank regulators has resulted in lots of discussion around new regulations, new regulatory agencies and so on. Tett’s book does an especially nice job in explaining how banks worked to get around capital requirements using the new tools and instruments. Part of the problem connected with the absence of the regulators during this period of time was that the banks worked very hard to expand their use of leverage in ways the policy makers could not see. Of course, this came back to haunt them when the collapse occurred. Financial institutions will always attempt to get around regulations in one way or another because it is profitable to do so. In addition, regulators are always behind what is going on in the industry. This is just the nature of the relationship.
The noon panel at GARP discussed risk and performance management, with a diverse set of participants, including representation from Hess, Swiss Re, and Vanguard.
Kanwardeep Ahluwalia from Swiss Re noted that many companies are going through a derisking process right now. However, Ahluwalia cautioned that companies need to be cognizant of how much they are paying to reduce their risk. In many cases, especially now, it may make more sense to manage the risk internally to maximize performance.
What is the role of risk management in the budget process? Panelists suggested that during the budgetary process risk management should step up and call out inconsistencies between risk and performance goals. The moderator, Kevin Buehler from McKinsey, noted that many times he has found that companies in trouble have misaligned expectations between risk and reward. For instance, a company may have aggressive revenue goals to take share in a particular (emerging) market, but those goals may be in conflict with a risk-adjusted return on capital. However, he said that risk management does not typically win out in a conflict in which the CEO is on the other side, but you have to force the dialog.
Jonathan Stein from Hess argued that risk management needs to move beyond the “Be Careful” mantra and move into recommendations for risk mitigation. He talked about the importance of developing scenarios that help define triggers for risk mitigation actions.
In general, the message from the panelists was that deeper interaction with the business allows risk managers to be more effective. This includes everything from designing risk management processes around the way the business makes money to prompting a dialog at the executive level when risk and performance expectations are not aligned.
When organizations choose to shift their corporate mission and redefine organizational goals, it is vital that they carefully evaluate the potential risks and fallout from redefined core value propositions and tactics. A case in point is Toyota—a company that has built its reputation on the quality of its product, but in recent years focused its sights on profits.
With the introduction of the Prius to the U.S. market in 2000, it appeared that a strategic risk had paid off: Toyota had created a hybrid engine for the mass market that was a clear success and was even marked in the press by a drove of Hollywood celebrity drivers including Leonardo DiCaprio, Cameron Diaz, Larry David, Billy Joel, David Duchovny, and more.
However, in recent years Toyota has been plagued by a series of escalating vehicle malfunctions. While the entire scope of the financial loss is currently unclear, since 2009 the company has initiated over 14 million recalls worldwide and incurred more than $48.8 million in fines in the U.S. alone. The world’s number one automaker has also temporarily suspended U.S. sales of eight of its top models and halted production in five U.S. plants, an unprecedented step that clearly demonstrates the effort being made to maintain Toyota’s once solid reputation for customer satisfaction.
Overwhelming growth and the pressure to match increasing demand with production has stifled Toyota’s promise of reliability. It is yet unclear what effect these recalls will have on Toyota’s global standing in years to come, but potential customers will certainly approach the automaker’s brand more tentatively than in decades past.
The lesson here is that all corporations must be prepared to mitigate risk, especially when taking such a precarious step as redefining their core vision and business strategy. Toyota now faces the huge challenge of recreating its customer brand loyalty while at the same time maintaining the momentum that their swollen infrastructure investments require.
When several prominent industry analysts (Gartner, Chartis and Celent) recently published research on operational risk management (ORM), a common theme emerged – ORM is a critical and growing discipline; and OpenPages is a leading software provider in this market.
OpenPages was cited as a leading provider of operational risk management software in the Chartis Operational Risk Management Systems 2009 market analysis report. The report states that, “Successful vendors need to be able to assist in the implementation, training and methodological aspects of ORM,” and identifies OpenPages as a company with particularly strong efforts in this area.
Chartis is forecasting that the worldwide ORM market will grow at 6.9% to $1.68 billion by 2013. They expect this growth to be fuelled by, among other things:
An increased focus on the benefits of compliance;
The convergence of oprisk, ERM and GRC; and
Ongoing demand from the emerging markets of Asia, Africa and Latin America.
This month, OpenPages was also recognized as a leading software company in the Enterprise Operational Risk Management Compliance, and Governance Solutions report by independent analyst group, Celent. The report notes that OpenPages is one company that is, “leading the field in terms of depth of functional capabilities.” The report continues that, “OpenPages is particularly strong in its multidomain governance, risk, and compliance management approach.”
According to an IBM study of over 1,200 CFOs and senior finance executives, 62 percent of enterprises with over $5 billion in revenue encountered a major risk event in the previous three years, and when a major risk event did occur, 42 percent were not well prepared. Unlike Sarbanes-Oxley and other structured, clearly defined compliance initiatives, building an effective operational risk control environment and culture requires proactive identification and frequent review of potentially harmful events.
GRC industry expert and Corporate Integrity president Michael Rasmussen’s favorite operational risk case study is the Titanic in which as he states, “There are a variety of risks the Titanic faced – overconfidence, poorly manufactured rivets, focus on speed while ignoring the external risk environment, inadequate design, and lack of someone diligently watching for icebergs”. While the Titanic was heralded for its superior safety in engineering design, not all risks were considered holistically. In many organizations today, operational risk continues to be managed in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions.
To learn more, check out the “Ultimate ORM Platform” webinar in which Michael Rasmussen and OpenPages director of product management Patrick O’Brien describe the need for a common, enterprise-wide view of risk and what to look for in an “Ultimate ORM Platform”.
The Institute of Internal Auditors 2009 General Audit Management Conference is coming up and should be quite timely given the evolving role that Audit is playing in providing an independent assessment of enterprise risk and governance. The conference has some intriguing sessions including:
As you can see, internal audit has evolved from its traditional role of record examination and identification of policy violations to a more modern, consultative approach aimed at risk mitigation. As part of this evolutionary process, internal auditors have also focused more of their efforts on the risk assessment process and a top-down approach to audit scoping.
One of the key roadblocks to an integrated approach was the sheer complexity of data gathering and management. In the past, it represented a tremendous amount of effort for internal audit to collect relevant information and to govern access to that information securely. A centralized technology platform for identifying, assessing and monitoring risk and controls presents a unique and unprecedented opportunity to help the business focus on making risk decisions based on management’s risk appetite and tolerances. This common framework and process can make the business more predictable in meeting financial and management objectives and can help managers anticipate major risk and control problems of the future.
As a partner with the business in managing risk, internal audit should be a driving factor in evaluating technological and process-based changes and evolving the organization’s risk management practices.
If you’re planning on attending IIA GAM March 16-18 in Washington, DC, please visit the OpenPages booth. And don’t forget to enter the raffle for a Flip handheld video recorder. Or, to learn more, download our informative white paper, Internal Audit and its Evolving Role in ERM.
GRC is touching just about everyone these days. A lot has been written about the CFO, CRO, CCO and CIO and their roles in deploying GRC technologies. Mike Rothman at the Daily Incite writes here about the CISO’s role in deploying GRC solutions and makes the point that CISOs should be focused not on implementing specific controls but on the program (my emphasis added). We could not agree more. A security program identifies the key areas of focus and prioritizes activities accordingly. A bottom-up approach doesn’t necessarily allocate resources to the high-risk areas, and, given that most companies are operating with increasingly scarce financial resources, a risk-based approach is the best way to allocate resources.
You’ve surely heard about Goldman Sachs’ settlement with the SEC on fraud charges related to the firm’s disclosure, or lack thereof, of a collateralized debt obligation that purportedly was designed to fail. The $550 million to be paid may seem like a lot, and indeed is said to be the largest SEC fine against a Wall Street bank, but many observers maintain that the firm got off easy, especially when the amount is viewed in light of Goldman’s revenue and profits.
But there’s another way in which Goldman seems to have dodged a bullet. While other companies have had to accept a government-appointed monitor working inside the organization, Goldman won’t be subject to such meddling. In my mind, avoiding this kind of intrusive interloping is just as big as, if not bigger than, the manageable size of the fine – especially for a firm as sophisticated as Goldman Sachs.
There is, however, an annual requirement for filing a certificate, for three years, that Goldman is in compliance with the terms of the settlement. Of considerable interest is that the certificate is to be signed by the firm’s general counsel or global head of compliance. Some pundits are saying this makes eminent sense, while others take the position that it should be the CEO or board, who are ultimately responsible for ensuring compliance, to be putting their signature on the dotted line. In any event, all this puts more of a spotlight on chief compliance officers and compliance programs. One former chief compliance officer reportedly said the SEC “seems to be attempting to elevate importance of the chief compliance officer role,” while an active compliance chief says the settlement shows that compliance officers “are becoming true C-suite level executives.”
There’s a lot going on here, and we can expect to see the focus on compliance officers ratcheting up further going forward.
The Globe published an interesting article today about a Harvard Business School professor who resigned just before the scandal at Satyam broke. This was no ordinary professor. Krishna Palepu is an expert in corporate governance, control and accounting, and corporate management in emerging markets. In short, the perfect resume for a Satyam board member. So what went wrong?
This is not an isolated incident. In this financial crisis, many good people on boards of struggling companies have been surprised. And we’ll likely see more of that in the months to come. I think it’s overly simplistic to blame the board, and certainly in this case in which Palepu is so obviously qualified. What we see frequently is that internal control systems and risk assessment processes are not mature enough to catch wrongdoing or, and this may be more important, change behavior. Companies that are growing quickly, like Satyam, have the most difficulty putting in place the risk management processes to catch the kind of fraud perpetrated at the company. My guess is that in the future business processes will be designed from the bottom up with risk management in mind. As we’re learning, it’s too hard to do it after the fact, especially for the complicated businesses we’re trying to govern today.
The announcement of IBM’s intention to acquire OpenPages generated volumes of editorial response and news coverage in today’s world of instant publishing. The news, which provoked a very positive response across the board from OpenPages customers, prospects, media and analysts, has generated over 1,400 ‘tweets’, numerous news stories and some thought-provoking analysis from industry analysts.
In particular, Chris McClean of Forrester raised an interesting point in his blog coverage, noting that acquisitions in the GRC market over the past two years have resulted in not only vendor consolidation, but also market fragmentation. He points out that the Thomson Reuters acquisition of Paisley was meant to ‘strengthen its tax and accounting business’, while EMC acquired Archer ‘as a dashboard (at least initially) to pull together IT risk data and processes,’ whereas the IBM acquisition of OpenPages ‘will likely turn the company more toward higher-level corporate performance and enterprise risk management.’ I think Chris is, as usual, on target, yet would respectfully add that integration with the control infrastructure allows OpenPages to instrument the risk assessment and control testing process, thereby delivering the only comprehensive solution on the market.
Also published recently is Gartner’s ‘First-Take’ on the acquisition in which analysts French Caldwell and John Hagerty report that they are expecting a ‘Market Split’ whereby the vendor landscape will be divided between those that have coupled qualitative risk assessments with quantitative risk analytics, and those that provide just qualitative risk assessments: ‘Vendors that have a risk intelligence strategy would compete for large accounts with combined risk analytics and traditional governance, risk management and compliance (GRC) management functionality, while those without risk analytics capabilities would address less-quantitative risk assessments, compliance and audit management.’
If you’re a risk manager or a business manager, the integration of risk analytics with GRC management will provide your business with more timely and more accurate information to understand the risk exposure to the business and help you make better decisions.
In a recent research brief published by Forrester Research, analyst Chris McClean listed his predictions for GRC in 2011 and beyond. #3 on his list is: “New and changing regulations will hinder GRC maturity in the short term.”
We believe that new and changing regulations will segment the GRC market between those vendors that manage regulatory change, and those that do not. As we’ve seen with Dodd-Frank and the countless new and upcoming regulations across finance, healthcare and consumer protection, risk and compliance managers are struggling with an unprecedented onslaught of regulation that as Chris states, will pile on “countless control and reporting requirements onto already complex and taxed compliance departments.”
If you’re considering a GRC solution to assist with this dynamic environment of regulatory change, you would do well to require one that can help you put in place a programmatic framework for communicating changes to regulations and managing the internal regulatory change process so your business can react quickly. You will also want to consider a solution that can help you manage the interactions, communication and internal work associated with external regulators, such as inquiries, submissions, filings, exams and audits.
One wonders what the heck was going on at Daimler, maker of the high quality, classy Mercedes Benz automobile. In case you missed it, media reports depict Daimler as admitting to having engaged in a massive and pervasive bribery scheme, and agreeing to pay $185 million to settle charges. And this wasn’t information the company volunteered, but rather the result of a lengthy government investigation.
And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten year period. In a number of instances so called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.
What’s perhaps most disturbing is that the reports say this wasn’t a lower and middle management activity, but involved “important executives” including heads of overseas sales divisions and, more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also say the complaint points to “a lack of central oversight over foreign operations.”
It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.
We’re pleased to announce that OpenPages and Network Frontiers have partnered to deliver the Unified Compliance Framework (UCF) to the OpenPages customer base. The addition of the UCF content into the OpenPages IT governance solution – OpenPages ITG – supports OpenPages’ goal of providing its customers with a holistic approach to managing IT risk and compliance.
The partnership provides strong synergies for our customer base of enterprise GRC professionals, many of whom are looking to OpenPages for IT risk and compliance management. Previewed at OPEN 2009 – the OpenPages European Network Summit recently held in London – the UCF data gives OpenPages customers access to the most comprehensive set of IT policies and controls that cross multiple regulations, thus reducing the time commitment and costs associated with complying with the slew of IT risk and compliance mandates nearly all companies are faced with today. In a survey conducted at OPEN 2009, 93% of organizations stated that within 2-3 years they are likely to converge or coordinate IT risk and compliance with GRC management.
The announcement was well received by industry experts including Michael Rasmussen, President of Corporate Integrity, a GRC strategy advisory firm:
“In today’s economy, wasting valuable resources on costly and time-consuming processes associated with compliance and risk management can be damaging to IT GRC programs. With the UCF enhancements to the OpenPages Platform offering, customers are given the tools to more quickly and effectively comply with a multitude of regulations and from there, can focus more attention on ensuring that their IT GRC programs are sustainable, repeatable and increase transparency across the enterprise.”
Or more to the point, was he thinking at all? We’re talking about Rajat Gupta, operating at the highest echelons of multinational business, who finds himself charged by the Securities and Exchange Commission with illegally passing inside information to Raj Rajaratnam, the Galleon Group founder about to go on trial on charges of insider trading. Mr. Gupta, a Harvard Business School graduate and former head of McKinsey & Co., has been a board member of the likes of Goldman Sachs, Procter & Gamble, and American Airlines.
What did he do? Well, he of course is innocent until proven guilty, and according to media reports, his lawyer says he has done nothing wrong. But the SEC says otherwise. It alleges Gupta gave Rajaratnam advance information about earnings at both Goldman and P&G. On top of that, the SEC maintains that Gupta called the Galleon head with the inside scoop on the Goldman board’s approval of Warren Buffett’s $5 billion investment in the firm. The allegations speak to multiple phone calls between the two men, enabling Galleon to reap millions in profits. What must be particularly troubling for both is that the SEC says it has recordings of numerous telephone conversations.
Let’s presume for a moment that the allegations are factual. A relevant question is whether this is a black eye on the companies on whose boards Gupta sat (by the way, the reports say he resigned months ago from the Goldman board, and recently from P&G). My answer, based on the information available, is “no.” Certainly, if the allegations are true, a statement by the SEC Director of Enforcement is on point: “Mr. Gupta was honored with the highest trust of leading public companies, and he betrayed that trust by disclosing their most sensitive and valuable secrets.” But what could or should have been done to prevent wrongdoing at the board level?
We know well the importance of a company’s board of directors in keeping a close eye on what the CEO and senior management team do, and on the company’s system of internal control. We recognize the importance of compliance officers, risk officers and internal audit functions. But who keeps an eye on the board, especially when their actions are outside the inner workings of the company itself? We can look to what happened years ago at HP, when a board member leaked information to the media, which resulted in the pretexting fiasco.
There are no immediate answers, other than to continue to ensure full vetting of director candidates, and maintaining effective board and internal audit processes to best identify and manage potential misbehavior. With the thousands of directors of major companies acting with extraordinary integrity and ethics and in the best interests of their companies and shareholders, I believe we don’t have much to worry about. But it is worth more thought going forward.
Risk management is a hot topic at Davos this year. Over on the Forbes blog, Paul Maidment notes that companies are thinking about how to improve their risk management approach, prompted in part by the new SEC proxy disclosure rules, though many are opting not to have a so-called risk committee. Maidment notes that management is responsible for educating the board as to the state of risk exposure in the company. We would argue that there’s a step that has to happen first: companies have to put in place an information architecture that can provide transparency to that exposure in the first place. A rat’s nest of Excel spreadsheets won’t do the job.
Coincident with Davos, PwC released their 13th annual global CEO survey, which found an uptick in CEO sentiment worldwide. The survey also found that over 83% of companies are planning ‘a major change’ to their risk management approach. This is higher than for any other aspect of their strategy, organization or operating model. Clearly, we’ve reached the tipping point on risk management. Companies that don’t address this critical area of their business risk being left behind.
Yesterday, we announced a joint business relationship with PwC. This is the result of our closer alignment in the market for GRC solutions. We’re proud to be associated with such a great firm: with over $26 billion in revenue and 163,000 people in 151 countries, PwC has a strong global presence. We’ve found that PwC also has a strong presence at our financial services customers, and, given the challenges facing that industry, we think there’s a great opportunity to deliver joint solutions to our common customers.
OpenPages’ solutions inherently deliver a risk-based approach to GRC. This approach aligns perfectly with PwC’s top-down approach to GRC. They’re always asking the question, “What are your business objectives and what are you doing to achieve them?” We find that many service providers in the GRC business tend to take a bottom-up approach, implementing a comprehensive controls infrastructure, for instance, without making sure that the right controls are being implemented or that the right business objectives are being met. Given the financial constraints facing many customers, allocating resources effectively is a critical success factor for GRC programs, and we look forward to working with PwC to help our joint customers operationalize those programs for better business outcomes.
In 1958, IBM researcher Hans Peter Luhn first introduced the term business intelligence (BI) in an article he contributed to the IBM Journal. He described business intelligence as "the ability to apprehend the interrelationships of presented facts in such a way as to guide action towards a desired goal." Clearly, business intelligence plays a key role in risk management, providing executive-level decision-makers the ability to look across all categories of risk (in different business units, categories, geographies etc.) and providing a global view into business performance and risk exposure.
Business Intelligence and risk management are linked on two levels. First, when used in conjunction they provide executive level transparency into risks within the organization, and secondly, they provide product planners and corporate strategists a risk-adjusted performance view.
If you’re considering a risk management solution, you might want to listen to a recent IT-Finance Connection podcast on the role of business intelligence in risk management. Additionally, here are some tips on leveraging risk management practices to provide stronger and more introspective BI analysis:
Identify and eliminate risk factors and exposure points within the organization to create a strong foundation/base.
Examine opportunities related to taking strategic risks within the business (new products, launches into new geographies/industries, M&A, etc.).
Assess the potential risk exposures tied to moving forward with strategic company direction and initiatives.
Apply this risk management analysis to your overall business intelligence framework to provide executive management/management board with a clear view of not just the company’s risk exposure (and where risks have been eliminated altogether) but where there is an opportunity to take strategic risks with the added layer of business intelligence needed to make smarter business decisions.
This year’s OPUS is shaping up to be the best yet! In addition to leading GRC executives presenting case studies and lessons learned, OPUS 2008 includes the who’s who of GRC thought leaders:
French Caldwell, Research VP at Gartner, Inc. will discuss the latest GRC Technology Trends.
Chris McClean, Analyst at Forrester Research, Inc. will provide a perspective on Corporate Social Responsibility and the growing influence of GRC.
John Hagerty, Vice President & Research Fellow at AMR Research, will discuss his view on the future of GRC.
David Holcombe, Director of Risk Management for International Speedway Corporation and NASCAR, Inc., will provide a history and evolution of safety in motor sports from the NASCAR and motor sport facility perspective.
Mark Beasley, Director, ERM Initiative and Deloitte Professor of ERM at NC State will discuss how many organizations are responding to external pressure by leveraging traditional risk management processes into an enterprise risk management (ERM) view.
Richard Steinberg, Founder and Principal, Steinberg Governance Advisors, will provide his insight on risk convergence.
You can get a preview of Richard Steinberg’s perspective on enterprise-wide risk management by checking out our recent blog entry. In this video, Richard is interviewed by Gordon Burnes at the recent Executive ERM Forum.
Check back soon for more detail on our extensive line-up of customer case studies being presented at OPUS and our extended Hands-On Workshops.
We’re nearing the second anniversary of SAP’s purchase of Virsa and their serious entry into the GRC space. Last week, they made a series of announcements about their GRC products, which now extend beyond industry apps and the SOD/access control arena to other areas of GRC. Business Finance has a new GRC blog and covered SAP’s announcements. John Cummings notes that "the sheer scope of GRC offerings from SAP and other enterprise software providers is impressive, and point-solution vendors will need all of their agility to respond."
Certainly, we wouldn’t argue with that statement, but we would say that one of the most important parts of a GRC solution is how it fits into the rest of the system. While SAP (and maybe Oracle) might be able to make the argument that you should be single threaded on SAP, the rest of us cannot make that argument, so we have to play nice in the sandbox and 1) fit into the existing (heterogeneous) environment and 2) work across silos. This latter point is critical because what the enterprise GRC platform vendors are delivering is a way to see risk across the organization. When SAP demonstrates their risk management application, they focus on controls associated with a sales process; that’s a very different solution, a tightly integrated top-to-bottom solution, but not very good at crossing silos. And, as I blogged earlier in the week, the real value in risk management comes from relating risk together at the top of the business. Of course, we’re not an ERP vendor, but you have to wonder if you want the fox guarding the hen house.
Now that healthcare reform has passed, the Obama administration has turned its focus to financial services regulatory reform. Today, Obama gave a speech on the administration’s position and priorities. The House has already passed a bill, and the Senate may take up one this week, largely authored by Senator Dodd. A major sticking point has been the fund to facilitate an orderly liquidation (labeled a “bailout” fund by some critics) and the way to handle derivatives, but Senator Grassley’s vote yesterday to approve a Senate committee’s plan for derivatives trading gave new momentum to a bipartisan effort on regulatory reform, and it looks increasingly likely that in the coming months (if not weeks) we’ll see a major overhaul of the regulations that govern Wall Street.
Further, the SEC demonstrated late last week that they are one government agency that is going to take their oversight responsibilities seriously. Their civil suit against Wall Street giant Goldman Sachs sent shock waves through the financial services sector. It’s clear that there’s a major shift underway in the way regulators are regulating. Whether or not you agree with the merits of the suit, SEC Chair Schapiro is sending a message to the industry that they are going to be watching closely.
A common theme here is transparency: the SEC argues that Goldman didn’t provide adequate disclosure about the nature of the Abacus investment opportunity; Obama argues today that “reform would bring new transparency to many financial markets.” We also see this as a common theme with our customers – they are looking for greater transparency into the risks in their business. We see this push for regulatory reform and increased oversight as driving the demand for a new information architecture that provides this transparency to managers, executives, board members and regulators. Of course, many companies are finding that it can help you run your business better, too.
We did an interesting survey at OPUS a couple weeks ago. We’ll be publishing the results here next week, but one of the GRC topics that people have been talking about is whether GRC spending will decrease like most of the rest of the tech sector, or increase based on the very obvious need for better risk management in corporate America. Whether or not GRC spending increases next year will depend, of course, on the state of the economy, and a host of other issues that Brian Sommer discusses in a blog post this week at ZDNet.
Brian and I discussed a variety of topics on the value of GRC deployments and in particular on the importance of risk management. While technology alone would not have prevented the current crisis, it can be an enabler for change, and many firms at OPUS indicated that using a GRC management system can enforce policy and help catalyze behavioral change around risk management. The beauty of such a system is that you can very quickly find out who’s following the rules and who’s not. That might have been helpful for some of the financial services institutions trying to deal with risk exposure they never knew they had.
I’ll be the last one to tell you that a strong central risk management function is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate, and push risk management to lower levels of responsibility in the organization. It’s a classic consistency vs. quality of information problem.
Accurate information lies at the business line level – a manufacturing company’s CRO may not know that the company is throwing away millions of dollars a year due to a lack of quality suppliers, but the supplier quality manager certainly does. The challenge is that it’s traditionally very expensive to consolidate this local, lower-level information. Organizations attempt to survey and assess process owners, but the information comes back in various formats and at various levels of quality, and it leads to information silos – it’s impossible to get an apples-to-apples comparison. Out of frustration, many of these efforts fail, leading to a strong centralized risk function.
Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably do that is to invest in automated technology solutions.