Liz Andrews | Tags: grc, risk, openpages
This is the first in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insight on GRC, and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
In a mature GRC program, the organization has an integrated process, information and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.
Inevitable Failure: Managing GRC in Silos
The multifaceted risk environment
Risk to the business is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, the organizations must understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative, integrated and enterprise approach to GRC have:
Continue on to Part II in this series: GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Liz Andrews | Tags: openpages, grc, risk
This is the second in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insight on GRC, and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.
With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.
To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.
The questions organizations must ask:
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
Architect integrated GRC systems and processes
A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
Continue on to Part III in this series: Five Stages of GRC Maturity
Liz Andrews | Tags: risk, openpages, grc
This is the third in a series of four blog posts in which we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insight on GRC, and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Five Stages of GRC Maturity
Mature GRC is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk.
Corporate Integrity has developed the GRC Maturity Model to articulate an organization’s maturity in GRC processes.
1: Ad Hoc/Unaware — Department-Level Maturity
Characteristics of this GRC stage are:
Organizations in the Ad Hoc/Unaware GRC stage answer many of the following questions affirmatively:
2: Fragmented — Department-Level Maturity
Characteristics of the Fragmented GRC stage are:
Organizations in the Fragmented GRC stage answer many of the following questions affirmatively:
3: Integrated — Department-Level Maturity
Characteristics of the Integrated GRC stage are:
Organizations in the Integrated GRC stage answer many of the following questions affirmatively:
4: Aligned — Enterprise GRC Maturity
Characteristics of the Aligned GRC stage are:
Organizations in the Aligned GRC stage answer many of the following questions affirmatively:
5: Optimized — Enterprise GRC Maturity
Characteristics of the Optimized GRC stage are:
Organizations in the Optimized GRC stage answer many of the following questions affirmatively:
Come back next week to view the final post in this series: Getting to the Head of the Class: Advancing Your Organization's GRC Maturity
Liz Andrews | Tags: compliance, risk, openpages, grc
Getting to the Head of the Class: Advancing Your Organization's GRC Maturity
Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.
The Aligned and Optimized maturity levels represent maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process effi
Considerations for Moving From Fragmented to Integrated
Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.
Moving from Fragmented to Integrated requires that the department reduce manual data integration and improve overall visibility into risk exposure. Organizations should consider defining a GRC process and information architecture at the department level and implementing technology to manage multiple risk and compliance initiatives cohesively.
Considerations for Moving From Integrated to Aligned
Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.
To move from the Integrated to the Aligned stage requires a common risk catalog that shows the relationship of risks across the business and risk ownership. The purpose is to enable the business to make risk-informed decisions. Orga
Considerations for Moving From Aligned to Optimized
The difference between the Aligned and Optimized stages is primarily one of context. At the Aligned stage the orga
Achieving the Optimized stage requires GRC expectations set as part of the annual strategic planning processes. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. There is shared information and technology between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.
Fundamental Steps to Establishing Your GRC Strategy
To achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Inte
We did an interesting survey at OPUS a couple of weeks ago. We'll be publishing the results here next week, but one of the GRC topics people have been talking about is whether GRC spending will decrease, like most of the rest of the tech sector, or increase based on the very obvious need for better risk management in corporate America. Whether or not GRC spending increases next year will depend, of course, on the state of the economy, and on a host of other issues that Brian Sommer discusses in a blog post this week at ZDNet.
Last week we announced the availability of OpenPages version 6.0, which marks a major milestone in the evolution of the GRC market, from convergence to insight. It also represents the completion of the first phase of our technical integration with IBM. And the new release will help prepare our customers for managing through regulatory change in the post-Dodd-Frank environment.
Over the last few weeks, several studies have emerged that indicate a growing demand for risk management. In one of the better ones, in late July, Accenture published their study on Risk Management. Entitled Managing Risk for High Performance in Extraordinary Times, Accenture surfaces several major findings, a few summarized here:
2. Risk management is too separate from the business and not integrated with day to day operations.
3. Companies are expecting to invest more in their risk management capabilities, despite the fact that many budgets are decreasing.
One of the most commonly requested agenda items from past OPUS attendees has been for more Hands-on Workshop sessions.
We’re happy to announce for OPUS 2008, we’ve added an entire track dedicated to these valuable workshops. Each 2-hour session will provide you with a discussion on best practices, a technical demonstration, and a chance to work within a sample OpenPages 5.5 environment to implement the techniques that you have learned.
Keep in mind that the exclusive OPUS room rate will expire on September 28, 2008, so please book your room today. To make your hotel reservations call the hotel directly at 1-800-HOTELS-1 (1-800-468-3571) and ask for the OPUS room rate, or visit the Renaissance Boston Waterfront Hotel website.
See you at OPUS 2008!
“The SEC roars like a mouse and bites like a flea.”
– Harry Markopolos
OPUS 2010 keynote speaker, independent financial fraud investigator and Madoff whistleblower Harry Markopolos will release his exclusive story “No One Would Listen: A True Financial Thriller” on March 2.
The book, which will be made available to all OPUS 2010 attendees, describes how he and his team, "The Fox Hounds," investigated Madoff and presented their case to the SEC on numerous occasions, years before Madoff turned himself in on December 11, 2008 (approximately $65 billion later).
From May 2000 to December 2008, Markopolos and his team submitted five separate and detailed warnings to the Securities and Exchange Commission (SEC) about Madoff’s operations in an effort to launch an investigation on the validity of his practices.
During the OPUS keynote address, Markopolos will detail how his four-person investigative team tracked Madoff and the Madoff feeder funds throughout Europe and North America and repeatedly submitted detailed reports to the SEC.
If you’re an OpenPages customer and would like to hear Mr. Markopolos discuss the red flags, warning signs and the critical audit steps that companies need to be aware of to prevent similar events from occurring in the future, register for OPUS 2010 and receive a complimentary copy of his new book. It’s promising to be a “Thriller”!
Tags: OPUS 2010
We’ve learned that operational risks played a big part in the losses associated with the current crisis. Now that companies are rethinking their risk management strategies moving forward, many are hoping to leverage operational risk management to improve performance in other risk management disciplines.
In a recent webinar, John Wheeler of Wheelhouse Advisors (formerly Senior Vice President and Senior Risk Officer within the Corporate Risk Management division at SunTrust Banks – see case study) spoke to some of the root causes of the crisis associated with operational risk management, and how moving forward operational risk management can be leveraged for strategic advantage.
What are some of the key linkages between operational risk and other risk disciplines at your company?
Businesses have always been engaged in managing risk, but it has taken an unprecedented wave of regulatory oversight to convince many organizations how inadequate their risk management policies and procedures really are.
The UK’s Financial Services Authority, in a May 2009 policy document, Insurance Risk Management: The Path to Solvency II, warned that “the risks of not developing detailed plans for Solvency II implementation are great. Firms should have completed or be in the process of completing a detailed gap analysis to identify any shortfalls in expected compliance with the emerging Solvency II requirements, as they bear on their operations.”
A gap analysis should evaluate the current state of an insurer’s risk management system against current risk standards and the desired state. The organization then must develop a roadmap on how to achieve that desired state. Organizations need to evaluate their entire risk management system and how all of its risk areas are being managed.
Given that executive management is charged with ownership of operational risk management and the need to embed it within the organization, many companies are turning to integrated risk management solutions to better understand and proactively manage the risks that can impact the business.
For more information on Solvency II and meeting the Solvency II operational risk challenge, check out this white paper.
Erwin Boeren (ERWIN.BOEREN@NL.IBM.COM) | Tags: compliance, enterprise, egrc, management, grc software selection, solvency ii, basel iii, audit, openpages, risk, tooling, governance
Governance, Risk and Compliance software selection process
A client of mine recently asked me what I have seen as the most effective way to run a selection process. Now, I know this may seem a conflict of interest: a GRC solution vendor writing on the GRC software selection process and the need for a GRC platform. Still, I think I can give you some dos and don'ts on a GRC software selection process, since I have been there many times.
Let's start with the need for a GRC software platform. Why do you need one?
Of course, investing in a solution needs a compelling event: the cost of risk management and compliance becomes very high, the process takes too long to be responsive to stakeholders, or the 'in control' statement can no longer be guaranteed. External regulators can also advise you to implement software.
Before you start thinking about a GRC platform, carefully review the risk and compliance maturity level of your organization and the scope of the problem. This will help you judge between two approaches: the first is what we call a 'point solution', the second an 'enterprise solution'.
The first approach, the point solution, is best when the compelling event is there but the scope is limited to one area. At a single point of your GRC activities you have a pain that must be resolved in a fairly short term. In this case you can search for specific capabilities backed by specific knowledge: select the vendors that operate in the area where you have the pain and pick the partner that understands your area. Of course, you might also want to consider your long-term ambition. If your long-term ambition is enterprise-wide GRC integration, you might still look at enterprise vendors and use the specific area as a 'pilot' for further extension.
The second approach, the enterprise solution, is best when the compelling event is the integration of governance, risk and compliance. The term risk and control convergence often comes up here. This approach requires a lot more work than the point solution and may have cultural impact. You might consider a second party to help you through this project. A second party (a consulting firm) can help you make critical decisions and review your current (silo-based) approach to GRC; they can keep the holistic view for you. Every silo needs to be reviewed and mapped to the enterprise approach. This will not come without discussions and sacrifices!
So the need is there, now how to make your selection?
In the point solution approach there are just two considerations: short term or long term? For the short term, do NOT select an enterprise vendor; go for the right point solution. The advantages are lower cost and shorter implementation time. The second consideration, the long term, means selecting among enterprise GRC software vendors and treating the first phase as a pilot for the enterprise approach. You might still want to involve a consulting firm with specific knowledge.
In the enterprise approach you will go for an enterprise vendor. This is where you want to be careful in setting up your selection. I personally have taken part in many of these selection processes, and this is where I want to give you some guidance to save you a lot of time and money.
First, do NOT expect the enterprise vendors to differentiate on functionality. The GRC software market has evolved over the last 10 years into a fairly mature market, so a 'beauty contest' is a waste of money and resources. The outcome will be equal for all vendors, and you will be stuck between your user community and the vendors in the process. You might get questions from your management team about why you spent so much time and so many resources without any outcome.
Secondly, involve your end users in the selection process early, but do not expect 20 people working in silos to come to one single conclusion. Again, you will end up in a long discussion with no outcome. Have a small group of people (preferably three) make the selection.
Thirdly, make your selection criteria known upfront and make them measurable. Also involve the vendors in the process and be open with them. If you are open and honest, you will get transparent, open and honest answers; if you hide, vendors will hide! Criteria should be based on experience in your market, understanding of your organization, size and financial stability, ability to deliver on time and within budget, alignment of the implementation approach with your implementation methodology, and cultural fit.
Again, this may look like preaching to the choir, but I hope I have just saved you time and money that you can invest in your implementation.
Two recent events involving hurricanes provide insight into what risk management is about. Many of us who live on the east coast of the U.S. know all too well the damage wrought by Irene. And many in Florida are dealing with damage to the University of Miami “Hurricanes” football team.
Liz Andrews | Tags: openpages, regulatory_compliance, dodd-frank, sec
The following excerpts are taken from “Compliance, complexity and the need for XBRL: An interview with former SEC Chairman Christopher Cox”:
What are the key drivers of regulatory reform? Will Dodd-Frank really reduce systemic risk? Can better compliance processes drive better financial results?
In the weeks running up to the Vision 2011 and OPUS 2011 conferences, experts within IBM Business Analytics Financial Performance and Strategy Management posed these and other questions to Christopher Cox, a former SEC Chairman and keynote speaker at both events. Below is a transcript of that interview.
Looking forward into the next three years, what are some of the key drivers in the US that will be shaping regulatory and compliance reform? How are those different from the past five years?
The most significant characteristic of the time we are living in right now is the remarkable pace of change, both in legislation and in regulations governing corporate America, in particular the financial services sector.
Of course, the Dodd-Frank 2,300-page behemoth is well-known already to senior finance executives. But what is unknowable are the hundreds of rules that will be forthcoming under that legislation. The schedule called for in the statute has the bulk of the final rule makings scheduled for completion in the third quarter of 2011. It is very clear across the regulatory agencies that these deadlines are going to be largely missed.
As a result, not only will there be regulatory uncertainty on a continuing basis this year, but also for several years into the future. There are over 100 rule makings that have no statutory deadline at all. I think a significant share of even those that were expected to be completed earlier will also be rolled into the future. So during all of this time, senior Finance executives are going to have to be reading the tea leaves – not to mention the statute itself – to determine how to comply. And it isn’t just Dodd-Frank, of course, where we have all this legislative and regulatory ferment. The unprecedented rapid pace of change in law and regulation and the continued uncertainty about what the government will do next pertains to the tax area as well. During the last year alone, Congress enacted no fewer than six major pieces of tax legislation – including the two “Obamacare” bills, the HIRE Act, the Education Jobs Act, the Small Business Jobs Act and, of course, the year-end Tax Relief Act that temporarily extended the current tax rates.
That last piece of legislation bought us at least two years of tax certainty, but when it comes to long-term capital gains or any of the other rules governing the taxation of investment, two years are scarcely enough to permit long-term planning, and so the uncertainty continues.
That uncertainty about where financial, tax and regulatory policy are headed in turn creates a challenging environment within companies and within firms when it comes to shaping their response to regulatory and compliance changes. That’s the environment in which we find ourselves. Given the extent of this change and the predictable uncertainty that will continue for several years, it is very important that companies respond to this in ways that are exceptionally flexible.
How should Finance organizations prepare for this future regulatory environment in spite of uncertainties, particularly global companies that do business in multiple jurisdictions? What sustainable practices in their control and reporting processes and systems do they need to invest in to prepare for the future?
Being globally active, of course, only ramps up the uncertainty because the requirements from multiple jurisdictions are layered on the responsibility of senior Finance executives for U.S. compliance. It is nonetheless possible to synthesize thematically many of the global requirements, because at least topically, they have very much in common.
What is most important is that the different parts of a global organization can talk to one another and that the human beings who must extract information from the IT systems that collect and disgorge that information can rationalize it. In particular, companies that address these changes in ways that are adaptable and flexible will have a clear advantage. Companies that fail to manage the process in this way will likely find their companies non-compliant and their risk management practices called into question – not only by regulators, but also by their shareholders and their customers.
Do you think that the passage of Dodd-Frank will reduce systemic risk and improve stability in our financial services institutions?
Unfortunately, the Dodd-Frank Act failed to address several of the most significant causes of instability in the financial system and sources of systemic risk. The first is the status of the
This is particularly salient, as the conservatorships have required the GSEs to engage in practices that support housing at the expense of their financial well-being. Likewise, the government’s completely unjustifiable practice of keeping these two GSEs off the federal balance sheet, even as they are under government ownership, makes a mockery of financial reporting norms and honest accounting. Addressing this glaring omission in the Dodd-Frank Act remains a top priority of financial reform.
Next in importance is the inadequacy of bank capital and liquidity standards. Dodd-Frank did not adequately address the obvious failure of the Basel standards in the financial crisis. Those standards continue to create powerful incentives for asset concentration in mortgages and a reliance on credit ratings, and of course both of those had a role in generating the mortgage bubble that led to the financial crisis.
So the short answer to that question would be “No.”
Correct. I’d also say that Dodd-Frank has given the Financial Stability Oversight Council a strong incentive to protect competitors rather than to protect competition, which might take market share from the dominant firms. The systemically important designation implies government readiness to support those firms in a crisis, perversely encouraging more risky behavior despite the more stringent capital and other requirements and thus deepening moral hazard.
Can you discuss some of the best practices for boards of directors with regard to risk oversight? Do you think that changes in proxy disclosure with regard to risk governance have had an impact on risk management practices?
Yes. In 2010, the SEC added requirements for proxy statement discussion of a company’s board leadership structure and its role in risk oversight. Now companies are required to disclose in their annual reports the extent of the board’s role in risk oversight, and they’re required to address such topics as how the board administers its oversight function, the effect that risk oversight has on the board’s processes, and whether and how the board or one of its committees monitors risk. That increased focus on risk management has had considerable and very earnest take-up across the corporate community.
There are several types of actions that companies and their appropriate committees have been taking to step up their focus on risk management. Without question, they are spending more time with management, and isolating the categories of risk that the company faces – focusing on risk concentrations and interrelationships, the likelihood that these risks might materialize, and the effectiveness of the company’s potential mitigating measures.
Many companies have created risk management committees. Financial companies, of course, that are covered by Dodd-Frank must have designated risk management committees, but boards of other companies have carefully considered the appropriateness of a dedicated risk committee, and many of them have found it prudent to create one. In other cases, boards have delegated oversight of risk management to the audit committee, which is consistent with the New York Stock Exchange rule that requires the audit committee to discuss policies with respect to risk assessment and risk management.
For large-cap companies that have a Big Board listing, that has continued to be another way to address these heightened concerns. I think boards are carefully bearing in mind that different kinds of risks may be better-suited to the expertise of different kinds of committees, so they may not always wish to stovepipe responsibility for risk in a single committee.
Above all, best practices today are focused on the fact that regardless of how the board subdivides its responsibilities, the full board has the responsibility to satisfy itself that the activities of its various committees are co-ordinated and that the company has adequate risk management processes in place.
It’s a fascinating world. I can see why if you’re a controller or CFO it’s an exciting but intense place to be.
I think that’s absolutely right. All of these changes we’ve discussed – in particular in the US – mean that we are entering an era of unprecedented demand on companies’ governance, risk, and compliance processes and IT infrastructures. I think that companies have dealt with regulatory changes over the past half-century largely incrementally. They’ve made adjustments to their enterprise-wide systems as needed to comply with what have been modest changes from year to year. But given the enormous scope of changes in these forthcoming new regulations, companies will find it necessary to find a comprehensive and holistic approach to at least regulatory reporting – and, in my view, their management control as well.
Companies have traditionally relied on different processes to gather enterprise data to help management run the business on the one hand, and to gather data in order to satisfy regulators, on the other. In part, that was sustainable because the information that regulators were requiring was historical and post-facto. But things are rapidly changing under these new frameworks. Regulators including the SEC are now requiring information that is risk-based and predictive. While that is a big change, it’s also a significant silver lining in that this will align the process of collecting and gathering information more closely with what management needs. That means that CIOs should be looking for ways to integrate their regulatory and their management reporting processes. For that reason, regulatory reporting doesn’t have to be viewed as sheer cost, or necessary evil. Instead, there can be significant efficiencies and productivity gains for the enterprise by merging the requirements of management and regulatory data gathering processes.
This convergence will also allow companies to restructure their data in a way that will feed predictive analytical systems. That, in turn, can lead to an improvement in both risk management at the board level, and risk-based decision-making processes at the management level.
About Christopher Cox, Former Chairman, United States Securities and Exchange Commission (SEC)
Beginning in 1988, when he was elected to the House of Representatives, Christopher Cox established a record of legislative accomplishments that elevated him to the top of the Congressional leadership. His wide range of expertise in a variety of complex issues gives him the ability to take the long view of the economic future, predicting both the actions of Congress and the effects those actions will have on the marketplace. The author of the Internet Tax Freedom Act, which protects Internet users from multiple and discriminatory taxation, Cox held leadership positions ranging from chairmanships on committees and taskforces overseeing everything from budget process reform and policy to homeland security and financial services. During his tenure as chairman of the Securities and Exchange Commission, he continued this fight for justice and transparency in the world of investing.
An Accomplished Lawmaker and Reformer. During his seventeen years in Congress, Cox served in the majority leadership of the U.S. House of Representatives. He authored the Private Securities Litigation Reform Act, which protects investors from fraudulent lawsuits, and his legislative efforts to eliminate the double tax on shareholder dividends led to legislation that cut the double tax by more than half. In addition, he served in a leadership capacity as a senior member of every committee with jurisdiction over investor protection and U.S. capital markets, including the Energy and Commerce Committee, the Financial Services Committee, the Joint Economic Committee, and the Budget Committee.
An Advocate for Investors. At the SEC, Cox focused on the enforcement of securities law, bringing a variety of groundbreaking cases against market abuses such as hedge fund insider trading, stock option backdating, and municipal securities fraud. He also helped turn the Internet into a secure environment, free of securities scams, and he worked to halt fraud aimed at senior citizens. As SEC chairman, he was one of the world’s leaders in the effort to integrate U.S. and overseas regulatory policies in this era of global capital markets, making international securities exchanges safe, profitable, and transparent. As part of an overall focus on the needs of individual investors, Cox reinvigorated the SEC’s initiative to provide important investor information in plain English, championing the investor’s right to transparency. His reforms included transforming the SEC’s system of mandated disclosure from a static, form-based approach to one that taps the power of interactive data to give investors qualitatively better information about companies, mutual funds, and investments of all kinds.
In 1994 Cox was appointed by President Clinton to the bipartisan commission on entitlement and tax reform, which published its unanimous report in 1995. From 1986 until 1988, he served as senior associate counsel to President Reagan. From 1978 to 1986, he specialized in venture capital and corporate finance with Latham & Watkins. Cox received an M.B.A. from Harvard Business School and a J.D. from Harvard Law School, where he was an Editor of the Harvard Law Review.
Timothy Powers | Tags: frank-dodd risk grc business-analytics cognos fraud openpages compliance performance-management analytics governance risk-analytics
By Gordon Burnes, Worldwide Marketing, IBM Risk Analytics
A key theme at Vision 2012, IBM’s three-day user conference for Finance and Risk professionals, is how organizations can leverage enterprise risk information to make better decisions while balancing the demands for risk oversight and regulatory compliance.
The current complex and dynamic regulatory environment is a particular challenge for risk and compliance directors. For instance, while organizations covered by Dodd-Frank must respond to current regulatory reporting requirements, less than a third of the associated rule-making has been finished.
So, risk and compliance professionals must put in place an approach to meet regulatory requirements that can easily adapt over time as regulations evolve, and this approach includes the capability to adapt internal policies to keep pace with the evolving regulatory environment.
During the Risk Analytics Keynote, IBM announced general availability of IBM OpenPages GRC Platform 6.1.
This new solution enhances the ability to make risk-aware business decisions, enables companies to react more quickly to regulatory changes through better policy management, and decreases costs and complexity of compliance.
Leveraging the IBM Cognos business intelligence platform, OpenPages 6.1 delivers interactive reports and dashboards that allow business managers to turn that risk information into insight and insight into better business outcomes.
The new release includes several important enhancements:
· Manages the policy lifecycle across creation, review, approval, attestation, and exception management
· Standardizes policy templates and approval processes across the business
· Allows policies to be structured in a standardized way while presented in narrative form (for editing, review, etc.), the way people are used to working with policies
· Formalizes the process for employee awareness and training, and for monitoring campaigns
· Maps policies to the regulatory library and control framework to increase visibility into policy coverage and adherence, and to make it easier to update policies as regulations change
· Enhanced reporting user interface and framework that lets business users explore and analyze risk data using interactive dashboards and reports for better decision making
In summary, IBM OpenPages 6.1:
· Enables companies to react more quickly to regulatory changes through better policy management
· Enhances the ability to make risk-aware business decisions through easier access to risk and compliance information
· Decreases the cost and complexity of compliance with out-of-the-box configurations for policy management.
For more information:
· Read the Vision 2012 Day One Recap
· Read the blog post from Michael Zerbs, VP of IBM Risk Analytics, “Managing Risk: A Global Challenge that Must be Confronted"
· Download the whitepaper, "Managing Regulatory Change - Learn how Dodd-Frank Impacts Regulatory Compliance"