Richard Steinberg | Tags: openpages compliance sec fcpa
We know the Justice Department and SEC in recent years revved up enforcement of the Foreign Corrupt Practices Act, which certainly has gotten the close and widespread attention of the business community. With the vast majority of U.S. companies large and small operating globally, general counsels, compliance officers, boards of directors, and other business executives are focusing on related risks and controls. And now the U.S. Chamber of Commerce’s Institute for Legal Reform, noting that companies want to comply with provisions of the FCPA but unclear enforcement makes it challenging, thinks "it is common sense that the rules of the road are clarified." As such, the Chamber has put forth five recommendations: Adding a compliance defense, limiting liability for the prior actions of an acquired company, adding a “willfulness” requirement for corporate criminal liability, limiting liability for acts of a subsidiary, and defining what constitutes a "foreign official."
It appeared these proposals might gain some traction, and then along came Wal-Mart. The charges of bribery in Mexico and the subsequent cover-up seem to have dampened interest in modifying, or some would say softening, the FCPA and related enforcement. Certainly Wal-Mart has put tremendous effort into successfully lobbying legislators in both parties – and supporting the President’s initiatives in health coverage and pollution control, and the First Lady’s on healthy foods to combat childhood obesity – all of which may serve the company in good stead in containing political fallout. But we can also expect notoriety around the Wal-Mart case to signal the continued relevance of the Act and deflect efforts to weaken it.
It seems there’s an interesting analogy here, where the Wal-Mart bribery case might be to the FCPA what WorldCom was to Sarbanes-Oxley. After Enron imploded, there was stirring inside the Beltway about the need for legislation, but nothing much was expected to happen – until a few months later when the WorldCom fiasco hit the headlines, thereby generating momentum that turned into a rush to get a law passed. In this instance, it may well be the converse – a law that might have been weakened is more likely to stay as is, with continued strong enforcement by regulators. We’ll stay tuned to see what transpires.
Richard Steinberg | Tags: risk-management dodd-frank compliance openpages
As a compliance officer, you’re dealing with increased regulation and expectations, while related resources are subject to budgetary constraints. Yes, senior management reads the headlines and recognizes the reputational and related risks associated with legal and regulatory compliance. But what I and others see are compliance functions having to do more, often without a commensurate increase in resources.
These observations are consistent with a recent Thomson Reuters survey of financial services companies’ compliance professionals. The survey shows that compliance officers are struggling to keep up with the increasing demands of global regulation – where rapidly growing regulations and increasing responsibilities, together with limited resources and constrained budgets, are causing compliance personnel to reach a “saturation point.” A whopping 84 percent of respondents say they expect to deal with more information from regulators and exchanges this year, with almost half expecting the level to be "significantly higher." The increase is expected to come from such events as the splitting of the U.K. Financial Services Authority, the added regulatory power of the European Supervisory Authorities, the expansion of new and existing U.S. regulatory agencies resulting from Dodd-Frank, and expanded enforcement of such regulations as the U.K. Bribery Act and the U.S. Foreign Account Tax Compliance Act.
The survey results show that compliance responsibilities and expectations are diverging from realistic capabilities. For instance, with a key objective being to coordinate with other company professionals involved with regulatory risk, over half of compliance professionals say they spend less than one hour weekly with internal audit colleagues, and one third spend less than one hour per week with legal and risk professionals. And while 70 percent of respondents expect the cost of senior compliance staff to increase this year, only 11 percent of companies expect a significant increase in budgets.
Also interesting is the statement that: “While keeping executive management informed of regulatory issues is a key part of the compliance role, more than a quarter of respondents say they spend less than one hour a week reporting to their boards. In the U.S., more than half of the companies surveyed spend less than one hour a week reporting to their boards. This raises concerns about whether executive management is being kept sufficiently informed on compliance issues.” Well, it’s not entirely clear from this what the extent of interaction between compliance officers and senior management is – one hour a week with the board may be just fine, as long as there’s significant interaction directly with executive management.
In any event, what we see is compliance departments already working at a fast pace with high efficiency, but they face risks going forward if responsibilities and resources aren’t recalibrated to be in sync.
Richard Steinberg | Tags: openpages education risk-analytics compliance risk-management risk
You may remember hearing about problems with the College Board, which owns the SAT, and the Educational Testing Service (ETS), which administers the tests. In the recent SAT cheating scandal the College Board and ETS were accused of having lax security and a system that failed to punish cheats. But the problems go back further: a couple of years ago the SAT had serious issues with incorrect scoring of tests. Media reports also speak to extensive incorrect scoring and lost test results in England in 2008, with the UK Parliament calling the operation a "shambles." And as far back as 1983 cheating was suspected in California. For details you may want to refer to my blog posting of November 2011, which includes analysis of what the accused organizations did, or rather didn’t do, to right the wrongs.
Well, we now find another player in this industry accused of wrongdoing. Princeton Review, which provides help to students in preparing for college entrance exams and sells study guides, finds itself accused of defrauding the federal government. An arm of the company that provides after-school tutoring to students at troubled schools is said to have falsified records – including forging student signatures, falsifying sign-in sheets, and making false certifications – in order to boost payments due the company. Relevant is that the company was informed of these allegations back in 2006, but prosecutors, who are now suing, say the fraud continued as nothing was done to fix the system. For what it’s worth, Princeton Review reportedly closed its tutoring division and says most of its current management joined the company after the alleged fraudulent activity took place.
But what’s striking is how the few players comprising this industry have had serious problems – not only in allowing fraud to occur, but also in failing to act in the face of wrongdoing. And this is an industry supposedly driving high academic standards! Yes, we know academic institutions are not immune to misconduct, but we can wonder how these industry players each went so very wrong. And food for thought – do we see other industries with an inordinate number of companies experiencing widespread instances of non-compliance, fraud or other misconduct? And what does that say about the culture not only of the individual organizations, but the industry as a whole? Hmmmm.
Erwin Boeren (ERWIN.BOEREN@NL.IBM.COM) | Tags: openpages grc governance risk & compliance basel ii solvency ii convergence (track 1014)
Convergence of Governance, Risk & Compliance, Basel II and Solvency II (Track 1014)
At IBM Vision 2012, Tuesday May 16th, 16:45 – 17:45, I will be presenting Convergence of Governance, Risk & Compliance, Basel II and Solvency II.
In this session I will take you through the most common questions I received from our customers facing Basel II and Solvency II. I will help you understand the challenges from an Operational Risk perspective and speak about how my clients have overcome these challenges.
Topics that will be discussed: Convergence, Risk Adoption, Risk Monitoring, Loss Registration, Risk Reporting and Dashboarding, and Regulatory Reporting.
Hope to see you in Orlando next week!
Twitter : #Vision12
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Erwin Boeren (ERWIN.BOEREN@NL.IBM.COM) | Tags: grc risk reporting ibm compliance fsr cognos solvency ii basel ii regulatory openpages
Convergence of Performance Management and Risk Management - Part 2
With the increase of the Governance, Risk & Compliance maturity level at many of my clients, I see that clients start to realize the benefits of integrating GRC activities in their Performance Management cycle. Therefore, as a follow-up on my previous article around Risk Management and its convergence, let me share some insights on Risk & Performance Management initiatives that keep clients busy around Europe. The following 4 items came up in the last 3 months.
1. Cost control and process performance improvement give us the opportunity to embed controls in our process. Lessons learned from Six Sigma and Lean can give us guidance here.
2. How do I manage organizational and regulatory change and monitor the impact on business processes, policies and my risk and control framework?
3. A trending topic is emerging risks: am I able to identify risks that are coming at me over time?
4. Integrated Financial and Risk reporting, an excellent example of ‘Where Performance Management meets Risk Management’.
Cost control and Process improvements
Implementing and testing controls has become a huge cost for many organizations. That is why some of my clients are now looking for a way to reduce cost by embedding controls in their existing business processes. This goes hand in hand with the global initiative on cost reduction. While optimizing or even redesigning core business processes, internal controls are being embedded in the process. What I see is that the organizations that involve process owners and process contributors are most successful. This is an initiative that we have seen before in Lean Six Sigma projects. The only way to optimize processes and to reduce waste is to involve the process owners. Instead of increasing regulatory pressure we should seek a solution in this area, in my opinion. Business cases around this have proven to be very successful, and savings of up to millions of Euros per year have been achieved.
Organizational and regulatory change
Regulatory changes are a huge concern of many risk, compliance, legal and audit professionals. How can we monitor these changes and how can we understand their impact on our organization? Taking this together with the fact that policy management is changing from a ‘must do’ once a year to a continuous process tells us that an integrated approach to Governance, Risk & Compliance is necessary to drive performance. I come across clients that have a monthly Performance Report that shows how they derived business objectives from their policies and how they are performing on a compliance level against these objectives. What risks did they identify in this process and how will they respond to these risks? Organizations realize that they need to understand the correlation between processes, policies, regulations, business objectives, risks and controls, and how these might impact each other. An integrated GRC view is the only way to face this challenge.
Emerging Risk Modelling
One of the trending topics among customers is Emerging Risks. Can we model risks that we see coming, and can we follow up on risks that are getting closer or fading away? Analytical Risk modeling is an answer to this question. It also lets you perform risk forecasting with different scenarios. An interesting question is how an increase of risk exposure in an operating entity will impact my group-level exposure. Risk Analytics, derived from the Performance Management area, can help us answer these questions. A financial performance management cycle contains the exact same characteristics.
Integrated Financial and Risk performance reporting
Financial and Risk reporting are standard items in today’s Annual Reports, Tax statements, Management reports and Regulatory reports. The big question is how do I keep all of this information organized in such a way that I understand the source of the information, the transformation it has gone through, the owner of the information and, most importantly, when information changes at the last moment, that all information output contains the latest version? There is no bigger reputational risk than sending out inconsistent information to stakeholders. Some organizations saw their share price drop by 25% due to inconsistent external reporting. One of my clients has implemented a solution that orchestrates all of these information sources with workflow capabilities and even XBRL output. From a risk perspective this is a great mitigation of your reputational risk and an excellent example of ‘Where Performance Management meets Risk Management’.
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM Europe
Erwin Boeren (ERWIN.BOEREN@NL.IBM.COM) | Tags: analytics grc business management openpages ibm erwin boeren performance risk
Last year IBM acquired OpenPages as a strategic move into the area of Governance, Risk and Compliance. The latest announcement, to acquire Algorithmics (quantitative risk management), shows the continuous commitment of IBM to the GRC market. GRC software will integrate into the Business Analytics Software group, the area where former acquisitions like Cognos, SPSS and Clarity Systems already reside.
Now that Risk Management is evolving, more and more organizations are starting an enterprise approach to risk management. And this is where I see the need for Risk and Performance Management convergence.
In past Risk Management implementations I see that a major portion of time and budget was spent on Risk Reporting and Dashboarding. Especially the need for self-service reporting, where users can create their own ad hoc risk reports, is growing. We do not want to wait in the queue for our report to be created. Two days later you have missed the opportunity to respond, and the loss is there.
With this self service capability the question automatically pops up 'can I trust my data'. And now we are back in the area of data governance. This is exactly where the area of Performance Management is today.
Apart from these reporting and dashboarding capabilities Enterprise Risk Management means alignment of risks and controls to the strategic initiatives of the organization. What will prevent me from reaching my business goals? Isn't this defined as a risk? And how will we prevent this from happening? Wasn't that defined as a control?
Even more interesting are questions like, 'What if I was able to perform risk scenario planning?', 'What if I could predict risks before they happen?' or 'What is the correlation between the risks that have materialized?'.
And there is the proof that Risk Management and Performance Management have lots in common and should be integrated. Let's call it Business Analytics.
Governance, Risk & Compliance Leader
IBM IOT Southwest Europe
Richard Steinberg | Tags: openpages erm itg risk it-risk coso risk-management
If you haven't already seen it, it's worth a look – The Committee of Sponsoring Organizations of the Treadway Commission just published a thought paper dealing with risks related to cloud computing. It builds on COSO's enterprise risk management framework, speaking specifically to issues surrounding hosted services delivered over the internet. The paper is geared not to the techie, but rather to management-level personnel who need to understand not only the benefits, but also the associated risks. The paper briefly outlines the many benefits of cloud computing, including greater technology value at lower cost, faster speed of deployment, common technology platforms, reduced need for support personnel and related expenditures, and environmental benefits.
Naturally, most of the focus is on the risks. These include the strategic – with lower barriers to entry for new competitors and the related challenge to current business models – and dependency on cloud service providers, which in turn drives legal and related risks. Others include lack of transparency, reliability and performance issues, security and compliance concerns, and elevated risk of cyber attack or data leakage. The paper also deals with issues inherent in moving to the cloud, such as the extent to which management considers the impact on the company's organization and IT and other personnel resources, noting "In many cloud scenarios, the organization no longer has complete or direct control over technology and technology-related management processes. Management must determine if it has the risk appetite for the entire universe of potential events associated with a given cloud solution as some of these events extend beyond the organization's traditional borders and include some events that have an impact on the [cloud service provider(s)] supporting the organization."
The paper also discusses cloud issues in the context of COSO's ERM Framework's eight components, outlining how each can be addressed and used in evaluating cloud computing alternatives. It provides suggestions for dealing effectively with the more significant risks, and highlights key decisions to be made by senior management – as well as responsibilities of C-suite executives – and areas on which the board of directors needs to focus its attention. If your company is already in the cloud or considering going there, the paper is worth the read.
Erwin Boeren (ERWIN.BOEREN@NL.IBM.COM) | Tags: openpages grc ipad solvency reporting
With Cognos 10.1.1 released, you must have noticed the ability to have your reports and dashboards on mobile devices like the iPad and iPhone.
With these mobile capabilities CROs (Chief Risk Officers) will now have the ability to measure risk from their mobile devices. For volatile risk areas like Market and Credit Risk this can make a huge difference.
IBM developed a risk monitoring system for CROs where one single version of the truth is provided of different risk areas like Credit Risk, Market Risk, Counterparty Credit Risk, Liquidity Risk, Basel II, Solvency II and Operational Risk. Not only does a CRO have the ability to monitor all these risk areas but he can also monitor the correlation between those risk areas and he is able to respond immediately to changes. Responses can immediately be formulated in the integrated social media platform.
One version of the truth and guaranteed quality of your data is simple to say, but how do you govern this? This is where IBM's investment in data models starts to pay off. For decades IBM has developed and maintained data models for financial services, including out-of-the-box technical and business definitions. This enables organizations to come to one definition of risk across the entire organization. Managing definitions centrally will add value in the process of taking down the siloed approach we spoke about in earlier articles. It will also help you in the accountability process of the business. Finally, it is the business that should own the business definitions.
As discussed in our previous published blog (The convergence of GRC and Performance Management) Business Analytics capabilities like risk forecasting, risk adjusted profitability calculations, scenario planning and predictive risk analysis are part of this risk monitoring system called FIRM (Finance Integrated Risk Management).
Solvency II, the new regulation for insurance companies, requires organizations to plan their risk assessments and capital requirements 2 to 5 years ahead and to reflect the impact on financial positions when a risk materializes. All this means that an integrated approach to risk management is a must. In upcoming blogs we will go deeper into the Solvency II regulation.
Liz Andrews | Tags: grc risk openpages
This is the first in a series of four blog posts where we will present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
In a mature GRC program, the organization has an integrated process, information and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.
Inevitable Failure: Managing GRC in Silos
The multifaceted risk environment
Risk to the business is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, the organizations must understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative, integrated and enterprise approach to GRC have:
Continue on to Part II in this series: GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Liz Andrews | Tags: openpages grc risk
This is the second in a series of four blog posts where we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.
With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.
To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.
The questions organizations must ask:
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
Architect integrated GRC systems and processes
A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
Continue on to Part III in this series: Five Stages of GRC Maturity