Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  fraud risk_management | 0 Comments | 980 Visits
We know the Olympus Corp. suffered a major management fraud. Financial statements were manipulated to hide huge losses, resulting in its stock price dropping like a rock and jeopardizing the company’s listing status and indeed existence in its current form. For more on the fraud, you may want to look at my October 15, 2011 blog posting.
Those looking at this fiasco may well be asking why this fraud, which had been going on for more than a decade, wasn’t brought to light any sooner – that is, before newly appointed CEO Michael Woodford began to smell a rat. Well, now it’s come out that one critical element in detecting and possibly preventing fraud at the highest management levels – which is having an effective whisleblowing process – wasn’t in place at Olympus. Sure, they had a process, but now it’s reported that the very executives perpetrating the fraud were in charge of the hotline! It’s said that the company’s internal auditors and other employees wanted the whistleblower system to be run by outside parties, but at least one of the executives alleged to have been driving the fraud objected and won out. According to an independent panel investigating the fraud, the corporate atmosphere was such that the hotline was “significantly disabled.” Is it essential to have the hotline outsourced? No. But it is critical that company personnel feel comfortable that their communications will not come back to haunt them, which is said not to be the case at Olympus.
Much has been written about management fraud, and what internal controls are needed to prevent or detect it. But my experience is that it really comes down to four key factors. One is having a culture of integrity and ethical values, with the “right” tone at the top of the organization and open communication channels. Another is a board of directors (and audit committee) that is independent and providing effective oversight. One more is an effective internal audit function. And then there’s an effective whistleblower process. Based on what’s been reported, Olympus evidently didn’t have any of these big four – we don’t know much about the functioning of its internal audit function, but now learn that the company is suing the former internal auditor along with two other executives who an independent panel said “orchestrated the scheme.” So is it surprising that such a fraud could have existed for so long? In light of its governance, risk management and internal control processes, the answer is “not really.”
When we look at the potential of management fraud, it’s critical to look at these four elements. If even one is missing, the chance of fraud going undetected increases greatly. And no one should proceed with the odds stacked in favor of bad actors.
Richard Steinberg 270004HRBG email@example.com | | Tags:  risk_management | 0 Comments | 735 Visits
We know that senior executives, especially chief executive officers, look to drive their organizations’ growth initiatives. Many are hard-driving, proactive, and intently focused on doing what needed to carry out strategic plans. Optimism is a typical trait, which can be contagious in getting others in the organization to work in sync towards established goals. This is what CEOs are charged to do, and a key reason why those who do it successfully get the big bucks.
With that said, experience shows that many CEOs are not sufficiently attentive to what can go wrong – that is, what future events could keep their organizations from successfully carrying out the established initiatives. Of course many CEOs and their C-suite teams do focus on such risks, and their organizations benefit from doing so. One such company is Mazor Robotics, a medical technology company based in Israel, whose CEO Ori Hadomi recently was interviewed. He makes a number of interesting observations, one of which is especially insightful – describing risk management in a particularly understandable and compelling way. He associates risk management with ensuring there’s a devil’s advocate involved in key decision-making.
He says: “One of the most obvious mistakes we found is that too often we choose to believe in an optimistic scenario — we think too positively. Positive thinking is important to a certain extent when you want to motivate people, when you want to show them possibilities for the future. But it’s very dangerous when you plan based on that. So one of our takeaways from that was to appoint one of the executive members as a devil’s advocate.” Hadomi expands on how that works, emphasizing that the assigned executive knows the right questions, and asks them in challenging assumptions and pointing out a need to be “more humble with our assumptions.” Hadomi notes that the most surprising thing is that this devil’s advocate is the V.P. of sales for international markets: “You would expect the V.P. of sales to be pie-in-the-sky all the time. But he has a very strong, critical way of thinking, and it is so constructive,” adding that one of the pitfalls of leadership is “thinking too positively when you plan and set expectations.”
I’ve worked with many large companies, and certainly smaller company executives learn from them. But the reverse also is true. In this case, the CEO of Mazor Robotics provides useful insight into how risk management can be effectively conceptualized and applied. Of course, there’s much more to risk management, including capturing the identified risks, analyzing them, and managing them with accountability for needed actions, follow up, etc. But the concept of a devil’s advocate is powerful, especially for executives who may be struggling with what risk management is about.
Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  risk-management risk_management risk-analytics risk financial-risk | 0 Comments | 2,237 Visits
Many of our GRC members may not be familiar with TH!NK, Algorithmics, an IBM Company’s semi-annual magazine exploring the world of financial risk management. However, the June 2012 issue has something for everyone - and is centered on the perspective that to successfully identify and respond to the economic challenges of our times, we must seek a balance between learning from the past and developing the solutions of the future.
You will find in this issue articles that seek to explore this balance between past wisdoms and new possibilities, like our cover story “Back to the Future,” which revisits capital and its role in the bank of tomorrow. In our latest “In Conversation” piece, IBM’s Brenda Dietrich serves as our first IBM contributor to TH!NK, discussing how research and new data systems are changing the way we think about information. Other articles explore some of the most pressing topics in financial services, such as the interconnectivity of risk on the Buy Side or the very real trading benefits to a bank in establishing a CVA desk. As always, TH!NK seeks to build insight and linkages across seemingly disparate realms – such as social media and financial risk management, which as you will read, may not be so disconnected after all.
I encourage you to "flip through" this valuable resource - and please visit our Discussion Forum if anything in particular piques your inte
Richard Steinberg 270004HRBG email@example.com | | Tags:  dodd-frank risk risk_management openpages | 0 Comments | 1,156 Visits
If you’re in or work with the financial services industry, you probably know about the late December holiday "gift" from the U.S. Federal Reserve – proposed rules implementing provisions of the Dodd-Frank Act which could have a profound effect on how boards and managements deal with risk. In any event, you’ll want to keep in mind that the Fed is accepting comments only for the next month – until March 31.
The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, sing
The risk committee is required to "document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations." The committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors. Further, its members are expected to understand risk-management principles and practices relevant to the company, with specified experience in risk management. And there are rules for a committee charter, meetings, and documentation.
The committee’s responsibilities include reviewing and approving an appropriate risk-management framework commensurate with the company's size and other factors. The framework’s scope is outlined, including requirements for risk limits appropriate to each line of business, policies and procedures for risk-management practices, processes for identifying and reporting risks, monitoring compliance with risk limits and procedures, and specification of management's authority and independence to carry out risk-management responsibilities. Additionally, the larger covered companies will need to appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee, with the rules specifying responsibilities and qualifications for the CRO and reporting relationships.
If not already under way, now is the time to analyze the proposal and its implication, and let the Fed know what changes are needed. If interested, you might want to tune into the upcoming IBM OpenPages webinar where I’ll be discussing the proposed rules, their implications and the challenges they present – March 8, 2:00 pm Eastern Time.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  grc risk_management | 0 Comments | 1,272 Visits
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.