As an extension to the annual PricewaterhouseCoopers “State of the Profession” survey for internal auditors, PwC surveyed the chief audit executives (CAEs) of Fortune 250 companies about trends likely to affect internal auditors over the next five years and what they expect internal audit to look like in 2012. Titled “Internal Audit 2012”, the study predicts the value of a controls-focused approach to internal audit to diminish and suggests that internal audit leaders revisit their objectives and adopt a “risk centric mindset” if they wish to remain key players in assurance and risk management. The study lists “ten imperatives” that provide the “foundation for a high performance internal audit function in the years ahead” including my favorite:
“Adopt a risk-centric value proposition that focuses continually on enterprise risks. To meet rising stakeholder expectations, internal audit needs to embrace a risk-centric approach to delivering value. That requires providing assurance on risks as well as controls, maintaining an ongoing focus on risk, and keeping the audit committee and senior management well informed about changing risk exposures.”
Traditionally, internal audit has focused on assuring that internal policies and procedures are being followed and that the business is in compliance with external regulations. This has been accomplished through the monitoring and assessment of internal controls and tracking of issues that are raised during audits. The methodology tended to be bottom-up, check-the-box, account-based auditing intended to provide independent assurance that the business is operating as designed with as much transparency as possible.
By functioning as a consultative arm to the business and helping to establish an enterprise-wide risk and control framework, audit has the capacity to influence the continued improvement of process level controls as well as the macro level control environment. Internal audit can bring to the business best practices for measuring, managing and prioritizing risks while cross pollinating effective management techniques and internal controls across the enterprise.
To learn more about Internal Audit and its evolving role in ERM, check out this white paper.
At the recent OpenPages User Symposium (OPUS) 2010 held in Boston, Chris Haines, Vice President, Operational Risk Management Group at American Express, presented a very informative and well-attended session on how American Express has effectively leveraged the OpenPages technology in its efforts to converge risk management disciplines and best practices across the enterprise. In his session, Chris described how the Operational Risk Model employed by American Express provides management greater visibility into risk and empowers management to make strategic business decisions based on a broader understanding of its risk profile.
I caught up with Chris after his presentation and discussed his experience at OPUS as well as how American Express utilizes the OpenPages technology to create an integrated and converged risk and compliance management program that can streamline and improve its risk management processes.
Recently I’ve been communicating with a former COSO board member about a couple of terms in COSO ERM – specifically about “risk appetite” versus “risk tolerance.”
It’s interesting, as this board member was intimately involved in reviewing drafts of the ERM report as it was being developed and signed off on the final, and continues to be actively involved in discussions on the subject of risk management.
It becomes clear to me that anyone can easily fall into a trap, as follows. When a report, article, or other written document arrives in our hardcopy or electronic inbox, we take care in reading it, digesting it, and being sure we understand it. But over time, as we use the underlying terms and concepts, we begin to factor in our own thinking and judgments, and unintentionally modify their use.
In the case at hand, confusion arose about use of the term “risk appetite,” where it was being used at a lower level than appropriate – a level reserved for “risk tolerance.” To refresh memories, COSO ERM says “Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.” On the other hand, “Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.” It goes on to say “Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole.”
There’s more in the report making clear what each term means, but I don’t want to bore you. And the point here isn’t about these specific terms, but rather our being able to communicate effectively with business colleagues and partners. Okay, maybe I am a stickler for words, though I like to think there’s good reason we all should do our best to use terms precisely.
One wonders what the heck was going on at Daimler, maker of the high quality, classy Mercedes Benz automobile. In case you missed it, media reports depict Daimler as admitting to having engaged in a massive and pervasive bribery scheme, and agreeing to pay $185 million to settle charges. And this wasn’t information the company volunteered, but rather the result of a lengthy government investigation.
And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten-year period. In a number of instances so-called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.
What’s perhaps most disturbing is that the reports say this wasn’t a lower- and middle-management activity, but involved “important executives” including heads of overseas sales divisions and, more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also say the complaint points to “a lack of central oversight over foreign operations.”
It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.
A recent industry survey by PTC shows that the highest cost of product compliance failures is not always fines and legal fees, but delayed time to market and product shipments. This is particularly true in manufacturing where restricted substance-based product recalls have cost manufacturers and consumer product companies millions in lost revenue due to compliance failures or supply chain disruptions.
Of course implementing a compliance program has its costs as well. As our recent white paper “The High Cost of Non-Compliance” authored by Rick Steinberg points out, an OCEG Benchmarking Study shows the cost of Sarbanes-Oxley compliance alone averaging:
$4 million for companies with $5 billion revenue
$10 million for companies with $10 billion and more in revenue, and
for companies with more than $1 billion revenue, compliance costs equaled 190 full-time equivalent employees.
So, while the cost of implementing a compliance program may seem high, it’s clear that not putting an effective compliance program in place can be significantly more expensive.
The white paper points out several key ways companies have succeeded not only in reducing compliance costs, but also enhancing efficiency and gaining real business benefits:
Built into Business Processes
A Program Founded on Ethics and Integrity
A Risk-Based Approach and Clarity Around Responsibilities
Julian Parkin, Group Privacy Programme Director at Barclays, recently delivered the day two keynote address at OPUS 2010 – the OpenPages User Symposium. In his keynote address, Parkin discussed how Barclays has leveraged OpenPages for its risk management initiatives and how the flexibility of OpenPages’ technology has been harnessed to drive sustainable improvements across evolving risk types.
After his keynote, I had the opportunity to interview Julian and discuss his experience at OPUS 2010 and as a member of the OpenPages user community.
Compliance Week’s second annual eConference is just around the corner and kicking off the conference will be Rick Steinberg, founder and CEO of Steinberg Governance Advisors. Rick has a wealth of experience in corporate governance and in particular, the board-management interface as he advises boards of directors – and their governance, audit and other committees – of Fortune 100 companies, mid-size corporations, major institutional investors and leading universities, as well as federal governmental bodies.
In the first session of the event, titled “Aligning Risk Reporting with Risk Oversight,” Rick will outline how most boards believe that the CRO is solely responsible for all things risk-related, and that the CCO is solely responsible for all things compliance-related – which, in reality, is virtually impossible. He’ll explain that the CRO and CCO are responsible for ensuring that there is an effective risk and compliance process in place to reduce exposure and litigation, and that the CRO and CCO need to be sure they are giving the board the appropriate level of information needed to govern. In his presentation, Rick will describe how companies need a programmatic way to report on risk, controls, issues, and other risk and compliance related information to support the senior executives and board.
Businesses have always been engaged in managing risk, but it has taken an unprecedented wave of regulatory oversight to convince many organizations how inadequate their risk management policies and procedures really are.
Firms should have completed or be in the process of completing a detailed gap analysis to identify any shortfalls in expected compliance with the emerging Solvency II requirements, as they bear on their operations.”
A gap analysis should evaluate the current state of an insurer’s risk management system against current risk standards and the desired state. The organization then must develop a roadmap on how to achieve that desired state. Organizations need to evaluate their entire risk management system and how all of its risk areas are being managed.
Given that executive management is charged with ownership of operational risk management and the need to embed it within the organization, many companies are turning to integrated risk management solutions to better understand and proactively manage the risks that can impact the business.
For more information on Solvency II and meeting the Solvency II operational risk challenge, check out this white paper.
Rising from the banks of the Potomac in National Harbor, Maryland, the Gaylord National is an engineering marvel which provides a scenic venue for the 2010 Gartner Security and Risk Management Summit. I attended an intriguing session by Richard Hunter, Gartner vice president and distinguished analyst in which he described the value of IT risk management.
Hunter recently published a book titled, “The Real Business of IT: How CIOs Create and Communicate Value” which is co-authored with George Westerman of MIT. As part of the research for his book, Hunter conducted a survey of CIOs from 2006 to 2009 on IT Risk management. One of his takeaways from his research is that the business context for the value of IT can be summed up as:
Run the business
Grow the business
Transform the business
In terms of running the business, Hunter put it into the context of “at the best possible balance between price and performance” (i.e., cost of doing business). The key point Hunter stressed was that the measure of value should not be based on the return on investment (ROI); rather, it should be based on price and performance. As an example, Hunter asked, “Would you ask for an ROI on a firewall, or an audit?” The point being, there is no measurable return on these investments; they are a cost of running the business and the alternative is much costlier.
IT grows the business, continued Hunter, by ensuring “capacity and capability and providing the ability to conduct business in a certain way.” In other words, he explained, it supports someone else’s profit and loss. The third value (transforming the business) is about “enabling new value propositions for new customer segments.”
He recommended IT organizations take the following steps to show value:
Change the way you think. Frame every comment in terms of business outcomes and business performance. Adopt the language of business in every discussion of risk (i.e., the point of BCM is not to recover the server farm, it is to recover customer service, accounts receivable
Show value for money, meaning the right services at the right level of quality at the right time. Never discuss cost apart from quality of service.
Position IT (and IT risk management) as a component of investment in near and long-term business performance.
A very common theme at the Summit is supported here in that “performance should be defined in terms of business outcomes and performance, not IT performance.”
The court did take issue with the way PCAOB members could be removed, and ruled that board members could be removed “at will” by the commissioners of the Securities and Exchange Commission. In the majority opinion, Chief Justice Roberts wrote that, despite the unconstitutional tenure provisions, the Act remains “fully operative as a law.”
So what does this mean? Congress clearly tried to insulate the PCAOB from the political whims of the executive office, passing the Act, as it did, during an administration skeptical of regulation. Roberts’ court handed advocates of executive power a victory by ruling that the dual for-cause limitation on the removal of officers is not constitutional and that the president must have a direct line to remove officers of the government, which the Board members were determined to be.
However, given the current administration’s concern about corporate accountability and the integrity of financial risk reporting in general, it would be very surprising if SEC Chair Mary Schapiro were to exercise her newfound power and replace Board members with someone more lenient on the accounting firms. And AS5 really took the heat off of corporate America vis-à-vis their auditors anyway; the SEC’s the one that carries the big stick with regard to the integrity of financial controls.
Further, more and more SOX efforts are being rolled into a comprehensive program of managing risks enterprise-wide. Companies are more interested in broadening the application of the approaches, tools and techniques for testing financial controls to their broader control environment. The net here is that the Supreme Court’s ruling will probably have little to no effect on how companies actually manage their risk with respect to financial reporting.