Compliance Week’s second annual eConference is just around the corner and kicking off the conference will be Rick Steinberg, founder and CEO of Steinberg Governance Advisors. Rick has a wealth of experience in corporate governance and in particular, the board-management interface as he advises boards of directors – and their governance, audit and other committees – of Fortune 100 companies, mid-size corporations, major institutional investors and leading universities, as well as federal governmental bodies.
In the first session of the event titled, “Aligning Risk Reporting with Risk Oversight,” Rick will outline how most boards believe that the CRO is solely responsible for all things risk-related, and that the CCO is solely responsible for all things compliance-related – which in reality, is virtually impossible. He’ll explain that the CRO and CCO are responsible for ensuring that there is an effective risk and compliance process in place to reduce exposure and litigation and that the CRO and CCO need to be sure they are giving the board the appropriate level of information needed to govern. In his presentation, Rick will describe how companies need a programmatic way to report on risk, controls, issues, and other risk and compliance related information to support the senior executives and board.
Recently I’ve been communicating with a former COSO board member about a couple of terms in COSO ERM – specifically about “risk appetite” versus “risk tolerance.”
It’s interesting, as this board member was intimately involved in reviewing drafts of the ERM report as it was being developed and signed off on the final, and continues to be actively involved in discussions on the subject of risk management.
It becomes clear to me that anyone can easily fall into a trap, as follows. When a report, article, or other written document arrives in our hardcopy or electronic inbox, we take care in reading it, digesting it, and being sure we understand it. But over time, as we use the underlying terms and concepts, we begin to factor in our own thinking and judgments, and unintentionally modify their use.
In the case at hand, confusion arose about use of the term “risk appetite,” where it was being used at a lower level than appropriate – a level reserved for “risk tolerance.” To refresh memories, COSO ERM says “Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.” On the other hand, “Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.” It goes on to say “Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole.”
There’s more in the report making clear what each term means, but I don’t want to bore you. And the point here isn’t about these specific terms, but rather our being able to communicate effectively with business colleagues and partners. Okay, maybe I am a stickler for words, though I like to think there’s good reason we all should do our best to use terms precisely.
Washington DC played host to the 2010 Gartner Security and Risk Management Summit this week. At the event, Gartner Research Vice President French Caldwell provided a new twist on audience interaction with live polling via cell phone texting. In his session titled “Selecting and Applying GRC Frameworks and Standards,’ French polled the audience on “which areas are you most likely to apply standards?” Not surprisingly, IT risk and IT security ranked highest followed by regulatory compliance and enterprise risk. With respect to ERM, French then asked, “which ERM standard is most commonly used in your company?” The largest response was “none!” Fortunately, this was closely followed by COSO ERM, custom or self-defined frameworks and ISO 31000.
In a separate, lively and entertaining session titled “Research Factory,” French moderated a panel of Gartner analysts in a close-up look at how Gartner analysts propose and debate the merits of a new research topic. French again polled the audience on which proposed research topic was most relevant and had the best chance/probability of being fulfilled. Each analyst had four minutes to propose their topic and defend the debunkers on the panel. When all topics were complete, the audience voted on who presented and defended their topic the best. The winner was Research VP, Jay Heiser who in his proposal contended that there is a strong likelihood of a failure/data loss from a SaaS product or Cloud Service in the next few years having a major business impact on its subscribers.
Regardless of whether Jay’s prediction comes to fruition, clearly a strong case can be made for a detailed risk assessment of your SaaS and Cloud Services data protection processes.
At the recent OpenPages User Symposium (OPUS) 2010 held in Boston, Chris Haines, Vice President, Operational Risk Management Group at America Express presented a very informative and well attended session on how American Express has effectively leveraged the OpenPages technology in their efforts to converge risk management disciplines and best practices across the enterprise. In his session, Chris described how the Operational Risk Model employed by American Express provides management greater visibility into risk and empowers management to make strategic business decisions based on a broader understanding of its risk profile.
I caught up with Chris after his presentation and discussed his experience at OPUS as well as how American Express utilizes the OpenPages technology to create an integrated and converged risk and compliance management program that can streamline and improve its risk management processes.
Rising from the banks of the Potomac in National Harbor, Maryland, the Gaylord National is an engineering marvel which provides a scenic venue for the 2010 Gartner Security and Risk Management Summit. I attended an intriguing session by Richard Hunter, Gartner vice president and distinguished analyst in which he described the value of IT risk management.
Hunter recently published a book titled, “The Real Business of IT: How CIOs Create and Communicate Value” which is co-authored with George Westerman of MIT. As part of the research for his book, Hunter conducted a survey of CIOs from 2006 to 2009 on IT Risk management. One of his takeaways from his research is that the business context for the value of IT can be summed up as:
Run the business
Grow the business
Transform the business
In terms of running the business, Hunter put it into the context of “at the best possible balance between price and performance” (i.e., cost of doing business). The key point Hunter stressed was that the measure of value should not be based on the return on investment (ROI), rather it should be based price and performance. As an example, Hunter asked, “Would you ask for an ROI on a firewall, or an audit?” The point being, there is no measurable return on these investments, they are a cost of running the business and the alternative is much costlier.
IT grows business, continued Hunter, by ensuring “capacity and capability and providing the ability to conduct business in a certain way.” In others words, he explained, it supports someone else’s profit and loss. The third value (transforming the business), is about “enabling new value propositions for new customer segments.”
He recommended IT organizations take the following steps to show value:
Change the way you think. Frame every comment in terms of business outcomes and business performance. Adopt the language of business in every discussion of risk (i.e., the point of BCM is not to recover the server farm, it is to recover customer service, accounts receivable
Show value for money, meaning the right services at the right level of quality at the right time. Never discuss cost apart from quality of service.
Position IT (and IT risk management) as a component of investment in near and long-term business performance.
A very common theme at the Summit is supported here in that “performance should be defined in terms of business outcomes and performance, not IT performance.”
Tommy Thompson, IT Security and Compliance Coordinator at Williams Company recently presented at OPUS 2010 on reducing the complexity of IT risk and compliance and how Williams was able to significantly reduce costs while at the same time increase the effectiveness of their IT compliance programs. In the following video, I had the chance to speak with Tommy after his presentation.
Julian Parkin, Group Privacy Programme Director at Barclays, recently delivered the day two keynote address at OPUS 2010 – the OpenPages User Symposium. In his keynote address, Parkin discussed how Barclays has leveraged OpenPages for its risk management initiatives and how the flexibility of OpenPages’ technology has been harnessed to drive sustainable improvements across evolving risk types.
After his keynote, I had the opportunity to interview Julian and discuss his experience at OPUS 2010 and as a member of the OpenPages user community.
I had the privilege of first speaking and later serving on a panel at the Institute of Internal Auditors International Conference earlier this month, held this year right here in the U.S., in Atlanta. The panel moderator asked what I thought was a particularly interesting question – “GRC is an acronym used by many but with many different meanings; what does GRC mean to each of you?” I’d like to share my response, which went something like this.
Thinking back some years, it seems the term GRC, standing for governance, risk and compliance, came about from the management consulting world, with technology firms and others quickly picking it up. The term has served a purpose in communicating available services and software solutions. At the same time, there wasn’t anything called a “GRC” unit in businesses then, and still aren’t today. And while the term sometimes is used by compliance officers, risk officers or internal audit personnel, it’s seldom used or readily understood by line executives or board members.
As for what GRC means, to me it’s a combination of related though somewhat disparate concepts. The term “governance” traditionally has been used in context of a company’s board of directors. A definition I particularly like is “the allocation of power between the board, management and shareholders.” But of course the term now is used by many professionals to encompass what senior management does to run a company, and indeed even referring to activities downstream in the management ranks. The “R” is for “risk management,” and that term is used in many different ways, from a simple risk assessment to a full-blown enterprise risk management process. And “compliance” initially was applied to adherence to applicable laws and regulations, though many users now also include adherence to internal company policies as well.
I mentioned “disparate” because GRC isn’t really one end-to-end process that companies employ. And while the elements of GRC can be related to a company’s strategic and other business objectives, they in fact relate to activities and processes at different levels of an organization. Indeed, from a technical perspective we can say that there’s overlap, in that risk management can and should be designed to address compliance as well as other categories of objectives.
What’s important in my mind is not necessarily to try to put the genie back in the bottle by getting everyone to use these terms in the same way, because that’s just not going to happen. Rather, we need to be sure when we use the terms in our organizations that we’re very clear as to exactly what we mean.
The PCAOB’s Auditing Standard 5 (AS5) is structured around a top-down approach to identify the most important controls to test during your Sarbanes Oxley (SOX) effort that address the assessed risk of misstatement for each relevant financial assertion.
At OPUS 2010, Jo Morton, Business Analyst, Internal Audit at Williams Companies, Inc. and Lawrence Joiner, Manager of Internal Audit Operations at Williams presented an informative session titled, “An OpenPages Approach to Auditing Standard 5 Compliance.” In their session, Jo and Lawrence outlined how Williams has been able to move beyond a “process by process” review and up to an Account Level review that truly is an AS5 “Top-down Approach” In the following conversation, Jo Morton describes her session and her overall OPUS 2010 experience.
Managing risk and compliance in silos is both cumbersome and costly. Implementing a new technology point-solution for each new regulation or risk discipline, limits an organization’s ability to streamline risk and compliance processes and reduce costs. It also obscures the opportunity to integrate risk and compliance to gain a holistic view of the firm’s risk landscape.
At OPUS 2010, Chris Haines, Vice President, Operational Risk Management Group at American Express discussed how American Express effectively leveraged the OpenPages technology in their efforts to converge risk management disciplines and best practices across the enterprise. American Express utilizes the OpenPages technology to create an integrated and converged risk and compliance management program that can streamline and improve its risk management processes. The Operational Risk Model employed by American Express provides management greater visibility into risk and empowers management to make strategic business decisions based on a broader understanding of its risk profile.
Whatever risk disciplines are significant within your firm, the goal is to integrate them within a single framework that produces a holistic view of your risk landscape. While most leading companies have tailored their risk methodologies to match their business operations, it is imperative to select a technology solution that can easily adapt to your firm’s unique risk and compliance methodology and evolve gracefully over time.
The ability to adapt the technology solution to your company’s specific risk management methodology and framework, without having to write custom code, is critical. The key business benefits of flexible configuration include:
Lower costs: Custom code is more expensive to develop for initial implementation and much more expensive to maintain and extend over time.
Time to deployment: Configuration can support rapid implementation at a fraction of the time compared with writing custom code.
Future proofing: Configuration will allow you to quickly adapt your risk framework to meet changing requirements while minimizing the impact on your business operations.
The extent to which your technology platform is configurable is arguably the most important decision criterion for selecting a solution.
One wonders what the heck was going on at Daimler, maker of the high quality, classy Mercedes Benz automobile. In case you missed it, media reports depict Daimler as admitting to having engaged in a massive and pervasive bribery scheme, and agreeing to pay $185 million to settle charges. And this wasn’t information the company volunteered, but rather the result of a lengthy government investigation.
And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten year period. In a number of instances so called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.
What’s perhaps most disturbing is that the reports say this wasn’t a lower and middle management activity, but involved “important executives” including heads of overseas sales divisions, and more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also says the complaint points to “a lack of central oversight over foreign operations.”
It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.
For readers interfacing with your companies’ audit committees, a just released survey from Directorship Boardroom Intelligence highlights what’s in the forefront of committee members’ minds today. The results are reported in a top-ten list (unlike the Letterman top ten lists, this one appears to begin with the most significant):
Uncertainties of economic/legislative environments
In the Compliance Week 2010 panel Honest Experience with GRC Tools, Joann Sochor, VP Corporate Compliance at the Bank of Montreal Financial Group, spoke about their experience with OpenPages. See http://bit.ly/bMjFbl for slides that describe scope of implementation–40 different data marts, over 5K controls consolidated onto a single technology platform.
US Rep and House Financial Services Committee Chair Barney Frank gave the opening keynote at Compliance Week 2010, day 2. As usual, he was witty and insightful. His remarks covered the conceptual underpinnings of financial services regulatory reform. He then took questions from the group.
He started out by saying that we needed to move quickly to provide stability to the financial system. Healthcare created a delay, but they are now on track.
To those who are cynical about government and think that “big money” runs politics, he said that the bills are the “defining counter example” of a bill that passed despite big money lobbying.
He noted that once the House passed their bill there was an assumption that the Senate would pass a watered down version, but the opposite happened–because the public was paying attention, it forced the Senate to pass a strong bill, the implication being that we should all be more vigilant about the process on Capitol Hill.
Bill should be passed before July 4, which is important for stability.
The outlines of the bill was described by Paulson in March of 2008 when he described the need for a way to dissolve non-bank financial institutions. As Frank put it, Palin’s “Death Panels” were discussed in the context of the wrong bill!
This bill will require that all financial services institutions will have to report their financial transactions to some regulator. If an entity becomes problematic, then the regulator can take action. The regulators will also have a mechanism to require enough capital for these entities to stay solvent. Although, as has been commented on the Baseline Scenario at http://bit.ly/bDddch, the amount of capital that would be required has not been defined, potentially to allow for alignment with rules in other countries.
Frank said that the real “problem was non-regulation”, pointing out that we did not have rules for credit default swaps, for instance. During the Q&A period, he used derivatives as another example of non-regulation. He said that under the bills, derivative transactions will have to be reported.
Matt Kelly, Compliance Week Editor, asked a question about international coordination. Frank pointed out that “nothing in the world is more mobile than capital” and that we should not legislate unilaterally without coordination with other countries.
Companies with market caps less than $70 million will likely be excepted from 404.
Addressing the concern of “unintended consequences,” Frank said that it was not an unintended consequence that companies may not be able to make as much money trading derivatives, as his vision for the financial services sector is that it exists to enable investment activity to grow the economy.
When asked by the regulatory reform bill is so broad, he pointed out that many of these issues are interrelated, concluding that “the ankle bone is [ultimately] connected to the shoulder bone.”
Shelley Parratt of the SEC’s Corporation Finance Division gave the afternoon keynote on Day 2 of Compliance Week 2010. She spoke about the Commission’s program of enhanced disclosure.
With 10K companies filing and SOX requiring the Commission to review every companies filing at least once in three years, she said that the SEC has to use their resources appropriately, and the filter that they use is how will the information be used by investors.
On executive compensation, she acknowledged that this is a very emotional topic. The SEC is trying to provide a clearer and more complete picture of what executives get paid. First, companies must provide a framework for how they make compensation decisions, but the SEC is interested in how the framework is used in real decisions. Also, the SEC is focusing on performance targets, how those targets change, and whether those targets are disclosed. “A company must engage in a thoughtful discussion about its disclosure decisions.” It is not sufficient, for instance, to just say that the target is “challenging” but should be put in context of historical performance.
On disclosure about the board and company leadership, Parratt was very clear that Chairman Shapiro is interested in increased disclosure on leadership choices and risk oversight. She said that there is no requirement for a risk committee. Different companies may choose different approaches to discharge their responsibility for risk oversight.
Regarding non-GAAP financial measures, Parratt said that disclosures should be consistent across filings and other communications. In other words, if a company uses non-GAAP financial measures in its earnings call, they should also use those measures in their filings. In no circumstances, however, should those measures be misleading, whether they are in a filing or not.
Regarding climate change, Parratt was careful to state that the Commission was not taking a position on the potential effects of climate change
During the Q&A session, Editor-in-Chief Matt Kelly asked about the current quality of the enhanced disclosure filings. Parratt acknowledged that “what we see in the first year of disclosure is often vastly different than what we will see in the second,” but noting that the first year’s disclosures aren’t necessarily out of compliance, inadequate, or poor, implying, of course, that this year’s proxy filings are all of the above!
A tag is a keyword you assign to make a blog or blog content easier to find. Click a tag to find content that has been assigned that keyword. Click another tag to refine the search further. Click Find a tag to search for a tag that is not displayed in the collection.