Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  openpages compliance sec fcpa | 0 Comments | 2,433 Visits
We know the Justice Department and SEC in recent years revved up enforcement of the Foreign Corrupt Practices Act, which certainly has gotten the close and widespread attention of the business community. With the vast majority of U.S. companies large and small operating globally, general counsels, compliance officers, boards of directors, and other business executives are focusing on related risks and controls. And now the U.S. Chamber of Commerce’s Institute for Legal Reform, noting that companies want to comply with provisions of the FCPA but unclear enforcement makes it challenging, thinks "it is common sense that the rules of the road are clarified." As such, the Chamber has put forth five recommendations: Adding a compliance defense, limiting liability for the prior actions of an acquired company, adding a “willfulness” requirement for corporate criminal liability, limiting liability for acts of a subsidiary, and defining what constitutes a "foreign official."
It appeared these proposals might gain some traction, and then along came Wal-Mart. The charges of bribery in Mexico and subsequent cover-up seems to have dampened interest in modifying, or some would say softening, the FCPA and related enforcement. Certainly Wal-Mart has put tremendous effort into successfully lobbying legislators in both parties – and supporting the President’s initiatives in health coverage and pollution control, and the First Lady’s on healthy foods to combat childhood obesity – all of which may serve the company in good stead in containing political fallout. But we can also expect notoriety around the Wal-Mart case to signal the continued relevance of the Act and deflect efforts to weaken it.
It seems there’s an interesting analogy here, where the Wal-Mart bribery case might be to the FCPA what WorldCom was to Sarbanes-Oxley. After Enron imploded, there was stirring inside the Beltway about need for legislation, but nothing much was expected to happen – until a few months later when the WorldCom fiasco hit the headlines, thereby generating momentum that turned into a rush to get a law passed. In this instance, it may well be the converse – a law that might have been weakened is more likely to stay as is, with continued strong enforcement by regulators. We’ll stay tuned to see what transpires.
Richard Steinberg 270004HRBG email@example.com | | Tags:  compliance openpages ocie sec | 0 Comments | 3,251 Visits
The head of the SEC's Office of Compliance Inspections and Examinations, Carlo di Florio, recently spoke about what his 900 professionals look for in conducting examinations of a wide range of financial institutions – noting the OCIE is breaking new ground. In carrying out its mission to improve compliance, prevent fraud, monitor risk, and inform policy, di Florio's office is expanding its focus to include boards of directors. In considering a firm's compliance culture, the OCIE is entering into direct discussions with boards of directors, to get a sense of the board's as well as senior management's attention to and focus on regulatory compliance issues. di Florio didn't name names, but media reports say such discussions already have taken place with the likes of Goldman, Morgan Stanley, Barclays and Wells Fargo. He did say that the new focus is due in part to the fact that a firm's compliance culture is an "elusive concept and a real challenge," having a huge impact on the extent to which a firm engages in ethical conduct, also noting the need to integrate compliance within risk governance processes.
If you've encountered Carlo di Florio, you may have observed a soft spoken, gentle demeanor and charming personality. But that shouldn't be misinterpreted for anything less than a hard-nosed and rigorous approach on the part of him and his staff. Having worked with him in our “past life,” I can assure you that he is not only thoughtful and creative in approach, he can be relentless in pursuing objectives.
OCIE's approach is multifold, focusing first on review of a firm's polices and related procedures, including policy management and flexibility in dealing with evolving conditions. There's focus on effectiveness of communication and training, and on such matters as how a firm assigns responsibility and handles accountability. Also in its sights are monitoring and testing processes, protocols for communicating issues upstream, and internal whistleblower processes. di Florio notes that the better the internal processes, the less OCIE will need to do. Highlighting its insightfulness, OCIE looks at such critical matters as where the power lies – the business side or legal/compliance – how bonus pools are allocated, independence of compliance staff, and involvement in critical decision-making. Also, the extent of compliance contributions of business units in performance assessment and reward processes are considered.
With all this, the focus on board of directors is consistent with attention to the tone at the top of a firm. Carlo di Florio is moving the lines, and I've no doubt he and his staff will have a sharper focus on and greater insight into what drives compliance.
Timothy Powers 270003F3FN firstname.lastname@example.org | | Tags:  xbrl predictive-analytics governance decision-management risk grc business-analytics performance-management fraud compliance openpages clarity cognos analytics | 0 Comments | 3,494 Visits
Do you really understand the reasons you make decisions?
Sometimes the mind wants to unconsciously push us into a certain decision when there’s a better way to think about it.
That’s the premise of the book, Think Twice: Harnessing the Power of Counterintuition, written by Michael Mauboussin, Chief Investment Strategist at Legg Mason Capital Management and a keynote speaker at IBM’s upcoming Vision 2012 conference in Orlando, May 14-17.
Vision is IBM’s global conference for finance and risk professionals to help improve planning, budgeting and forecasting, identify and mitigate risk, and meet the demanding requirements of XBRL, IFRS, Basel II and Solvency II with greater confidence.
I talked to Mauboussin about his book, making data-driven decisions, some common pitfalls as decision makers, and his upcoming talk at Vision.
“What's very exciting is that in the last half dozen years, we've had a real influx of data, and we're now just learning how to tap that data for the benefit of better decision making,” said Mauboussin. “Now we can create a better intersection between value creation and making decisions.”
The problem however, according to Mauboussin, is that we still have the same cognitive makeup and the propensity to make common mistakes.
“We often think about our own decision making as being objective and fact based and rationale. And we tend to underestimate systematically how important the social context is for our decision making,” said Mauboussin.
To illustrate this point he told an interesting story from his book.
Researchers went into the wine section of a supermarket and set up French and German wines next to each other that were roughly matched in price and quality. Over a two week period they alternated playing distinctively French and distinctively German music to see if it would have any influence on purchase decisions.
Surprisingly, they found when French music played people bought French wine 77 percent of the time, and German wine 73 percent of the time when German music played. When asked if music affected their selections, the consumers unanimously said no.
“This basic experiment can be extrapolated to a lot of organizational settings where we think of ourselves as trying to be conscious and mindful as we make decisions. But indeed what is going on around us can be deeply influential to our decisions,” said Mauboussin.
So what do we do?
According to Mauboussin, integrate more data into quality decisions. However, there is still a tension between the intuitive, go by the seat of the pants experience group versus the analytically-minded group.
“Either extreme is not going to work but a blend between the two is right way,” said Mauboussin.
Read the rest of the interview with Michael Mauboussin on the Business Analytics Blog here.
For more information:
· Register here for the upcoming Vision 2012 conference
· Download the Vision conference guide for background on keynotes, elective sessions, demos & workshops
· Read a previous blog post on minimizing risk and improving performance
Liz Andrews 2700041WEU email@example.com | | Tags:  compliance risk openpages grc | 0 Comments | 1,714 Visits
Getting to the Head of the Class: Advancing Your Organizations GRC Maturity
Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.
The Aligned and Optimized maturity levels represent maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process effi
Considerations for Moving From Fragmented to Integrated
Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.
To move from Fragmented to Integrated requires the department reduce manual data integration and improve overall visibility into risk exposure. Organizations should consider defining GRC process and information architecture at the department level and implement technology to manage multiple risk and compliance initiatives cohesively.
Considerations for Moving From Integrated to Aligned
Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.
To move from the Integrated to the Aligned stage requires a common risk catalog that shows the relationship of risks across the business and risk ownership. The purpose is to enable the business to make risk-informed decisions. Orga
Considerations for Moving From Aligned to Optimized
To difference between the Aligned to Optimized stage is primarily one of context. At the Aligned stage the orga
Achieving the Optimized stage requires GRC expectations set as part of the annual strategic planning processes. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. There is shared information and technology between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.
Fundamental Steps to Establishing Your GRC StrategyTo achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Inte
Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  risk openpages grc | 0 Comments | 1,400 Visits
This is the third in a series of four blog posts where we will present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Five Stages of GRC Maturity
Mature GRC is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk.
Corporate Integrity has developed the GRC Maturity Model to articulate an organization’s maturity in GRC processes.
1: Ad Hoc/Unaware — Department-Level Maturity
Characteristics of this GRC stage are:
Organizations in the Ad Hoc/Unaware GRC stage answer many of the following questions affirmatively:
2: Fragmented — Department Level Maturity
Characteristics of the Fragmented GRC stage are:
Organizations in the Integrated GRC stage answer many of the following questions affirmatively:
3: Integrated — Department Level Maturity
Characteristics of the Integrated GRC stage are:
Organizations in the Integrated GRC stage answer many of the following questions affirmatively:
4: Aligned — Enterprise GRC Maturity
Characteristics of the Aligned GRC stage are:
Organizations in the Aligned GRC stage answer many of the following questions affirmatively:
5: Optimized — Enterprise GRC Maturity
Characteristics of the Optimized GRC stage are:
Organizations in the Optimized GRC stage answer many of the following questions affirmatively:
Come back next week to view the final post in this series: Getting to the Head of the Class: Advancing Your Organizations GRC Maturity
Liz Andrews 2700041WEU email@example.com | | Tags:  openpages grc risk | 0 Comments | 1,398 Visits
This is the second in a series of four blog posts where we present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.
With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.
To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.
The questions organizations must ask:
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
Architect integrated GRC systems and processes
A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
Continue on to Part III in this series: Five Stages of GRC Maturity
Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  grc risk openpages | 0 Comments | 1,395 Visits
This is the first in a series of four blog posts where we will present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
In a mature GRC program, the organization has an integrated process, information and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.
Inevitable Failure: Managing GRC in Silos
The multifaceted risk environment
Risk to the business is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, the organizations must understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative, integrated and enterprise approach to GRC have:
Continue on to Part II in this series: GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Richard Steinberg 270004HRBG email@example.com | | Tags:  risk openpages dodd-frank grc sec whistleblowing | 0 Comments | 1,201 Visits
The SEC’s final rules implementing Dodd-Frank’s whistle blowing provisions failed to remove angst among compliance officers and general counsels. While there are some incentives for potential whistleblowers to first report alleged misconduct via internal reporting channels, there’s no requirement to do so – and many are concerned the internal channels will be bypassed. And going outside is on the rise. It’s been reported that in only seven weeks after the SEC’s program began, there were 334 whistleblower filings. Compliance officer concerns are well founded – that bypassing internal channels will deprive the company of being able to investigate and fix problems before they grow, and company personnel will need to play catch up with investigations in reaction to SEC probes.
We can point to many resolved whistle blowing cases for clear evidence of the potential impact of the SEC’s still relatively new program. One homeowner delinquent on her mortgage ultimately received $18 million for reporting suspected use of fraudulent documents in the bank’s foreclosure process. It’s said that in acting against this homeowner – an attorney and career insurance fraud investigator – the bank “picked the wrong person at the wrong time in the wrong place,“ but the robo-signing and other compliance failures were widespread and surfaced from a number of sources. Nonetheless, this individual was one of six whistleblowers receiving $46.5 million said to be part of the five-bank $25 billion settlement. In an unrelated case, a member of a major bank’s quality control team who reportedly was displeased that the misconduct wasn’t reported to regulators, decided to do so herself – ending up with a settlement of $31 million. And there are many more.
Worth noting is a recent survey that indicates more than one-third of American workers have seen misconduct on the job. While many instances of misconduct have been reported through internal channels, it appears the vast majority have not. Why? The survey shows it’s because of fear of not being able to remain anonymous, and of retaliation. Those two factors, plus the possibility of monetary reward, are reported as key factors in incentivizing internal reporting. And the survey also shows two-thirds of respondents didn’t know about the SEC’s program – at least not yet.
Certainly it’s in a company’s interest to be first to know about alleged misconduct, and compliance officers are working hard to upgrade policies, training, communications, and the internal whistleblower systems, all to encourage internal reporting. Actions to ensure anonymity, with positive responses and nothing close to retaliation, are expected to help. Some companies have begun to pay bounties for valued reports. There are indications that when employees believe their reports will be taken seriously without adverse repercussions, there’s increased likelihood for internal reporting. Law firms and others have provided guidance on which companies are acting. However, it remains to be seen the extent to which the possibility of a huge, life-changing payday by the SEC will be too much to resist. Time will tell.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  ibm solvency insight dashboarding governance grc management openpages risk reporting basel cognos ii compliance | 0 Comments | 2,749 Visits
With the brand-new IBM Cognos Insight you can now connect to your IBM OpenPages environment from your desktop. You always have that moment that you need the information on a report but just a bit different than the standard report provides to you. The solution is here now, IBM Cognos Insight!
Insight is a powerful, intuitive desktop solution, that can read many different data sources from Excel to datawarehouses. Even your real time IBM OpenPages environment!
And it is not only reporting and dashboarding but it also lets you create what if scenarios on the fly! How would my risk exposure be if in one risk category the loss impact increases with 15%? Two clicks and you know the answer! And then you can comment on your report, which gives your colleagues more information on the context the moment you share your workspace.
How easy can risk reporting be???
For more tour on how IBM Cognos Insight please look at : http
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Twitter : http
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  dodd-frank risk risk_management openpages | 0 Comments | 892 Visits
If you’re in or work with the financial services industry, you probably know about the late December holiday "gift" from the U.S. Federal Reserve – proposed rules implementing provisions of the Dodd-Frank Act which could have a profound effect on how boards and managements deal with risk. In any event, you’ll want to keep in mind that the Fed is accepting comments only for the next month – until March 31.
The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, sing
The risk committee is required to "document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations." The committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors. Further, its members are expected to understand risk-management principles and practices relevant to the company, with specified experience in risk management. And there are rules for a committee charter, meetings, and documentation.
The committee’s responsibilities include reviewing and approving an appropriate risk-management framework commensurate with the company's size and other factors. The framework’s scope is outlined, including requirements for risk limits appropriate to each line of business, policies and procedures for risk-management practices, processes for identifying and reporting risks, monitoring compliance with risk limits and procedures, and specification of management's authority and independence to carry out risk-management responsibilities. Additionally, the larger covered companies will need to appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee, with the rules specifying responsibilities and qualifications for the CRO and reporting relationships.
If not already under way, now is the time to analyze the proposal and its implication, and let the Fed know what changes are needed. If interested, you might want to tune into the upcoming IBM OpenPages webinar where I’ll be discussing the proposed rules, their implications and the challenges they present – March 8, 2:00 pm Eastern Time.