This month’s Treasury & Risk Magazine cover story, Audit Busters, explains the business case for the CRO partnering with the CFO at Alfa Corporation resulting in the transformation of their compliance programs to serve their business strategy while reducing their external audit hours by 60% at the same time.
With the right ERM infrastructure, the CRO can now offer your CFO the capability to manage tomorrow’s financial surprises today while there is still time to change the outcome. New AS5 legislation that mandates a top–down, risk–based approach provides risk managers with the opportunity to deliver measurable financial and strategic value while building the right ERM infrastructure that easily extends to all areas of the business.
The stakes are high:
If history repeats itself, according to CFO magazine, How a Material Weakness Can Cost You, more than 11 percent of companies with financial reporting and compliance programs will be found to have material weaknesses. And about 86 percent of material weaknesses will be discovered not by management or consultants but by external auditors. The consequences are real. Companies affected see more than a 4 percent drop in stock price; their CFOs face a 62 percent likelihood of being replaced; and a 150 percent plus jump in ongoing external audit fees.
As problems like these mount, CFOs are beginning to realize that an ERM-based SOX effort works much better than a controls-based SOX effort or an ad hoc approach to risk.
Part II in the Series: The 21st Century CFO and CRO: Partners in Value
The new PCAOB rule recognizes the over burdensome effect of this approach and opens the door to significantly reduce SOX 404 external and internal costs. This new regulations has stated in clear terms that this is to be achieved by empowering management to be responsible, not consultants for determining for themselves what risks are material and focus their resources accordingly.
Now that we are set free, the issue shifts correctly to the more important questions of how is materiality decided? How is a consistent standard developed and applied? What is the scope of a remediation effort? Most importantly, how does business value become part of the equation? Enterprise Risk Management is the decision support framework that brings objectivity and consistency to answering these questions and providing the “how to” to implement this new guidance.
According to Harvey Pitt, former chairman of the SEC, “Financial statement risk management is but a subset of enterprise wide risk management. If management implements a comprehensive enterprise-wide risk management approach, the danger of material errors in financial statements will be vastly reduced.” Enterprise Risk Management as a discipline offers a common methodology, governance and framework that cuts across business silos and prioritizes efforts. Typical savings are estimated to be in the 30-60% range for reduction of external audit fees.
Enterprise Risk Management provides several tiers for evaluation of risks at increasingly granular levels which risks are most significant and which mitigation activities have the most “bang for the buck” in terms of impact, likeliness and effectiveness. These levels of increasing granularity include entity, business unit, process, account and mitigation activities. Evaluations at each level filter out appropriate low risk threats based on consistent and objective criteria.
The “top-down, risk-based” approach of Enterprise Risk Management empowers managers to use their expertise to address risks not only to financial reporting but also take into consideration the strategic, security and business continuity aspects as well. For example, entity wide control evaluations can be turned from a required “check box” activity to a real linkage of with process based activity level controls to help management understand the connection between principles and action.
In the ERM approach, mitigating activity becomes a strategic activity in support of corporate objectives and brings an agility that is a competitive advantage to early adopters. In this way, this new guidance paves the way not only for the reduction of external audit fees, but also to right size the resources applied to testing and documentation as well as take business value added activities into scope at the same time.
]]>Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.
ChoicePoint is the largest data broker that assembles personal information records on all of us. ChoicePoint, like so many corporations, make assurances on data security. They probably truly believes that they are aware of all risks facing them as they claim and also believe that their organizations are effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation may rely on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close” for years, ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”
However in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency’s history, for security and record-handling procedures that violated the rights of consumers. The ChoicePoint operations process for approving business partners was vulnerable. Fraudsters were officially becoming business partners by exploiting ChoicePoint’s business process and practices. That kind of vulnerability can best be uncovered by using risk assessments conducted by the operations team which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.
Lessons learned from this story: Review lesson number one or your successor may be doing that for you.
1) Roll-out your Enterprise Risk Management charter to your line managers
2) Use root cause as part of self-assessments to understand the source of risk
3) Use best practice risk indicators that are forward looking in nature to uncover risks
4) Develop clear measures of the penetration of your Enterprise Risk Management program
5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.
Amaranth Advisors was described as increasingly brash in their investments due to their confidence in their quantitative approach to risk management. According to this article in Business News, “The risk models employed by hedge funds use historic data, but the natural-gas markets have been more volatile this year than any year since 2001, making models less useful. They also might not predict how much selling of one’s stakes to get out of a position can cause prices to fall.” The Amaranth Advisors risk culture also had its roots in convertible-bond trading, a less-volatile market.
Enterprise Risk Management (ERM) best practices add a forward looking and scenario based approach for a more balanced and comprehensive view of risk. ERM is a process comprised of a series of iterative and sequential steps to enable continuous improvement in decision-making and performance with regards to the reduction of uncertainty within an organization. ERM helps a management team examine the markets in which it operates and formalize the acceptable risk tolerance for each segment. This process-driven approach helps a company set more appropriate controls to bring the business in alignment with the established risk appetite. This approach addresses the root cause of potential future problems rather than monitor transactions for historic symptoms.
The Amaranth Advisors outcome is a classic case that demonstrates the pitfall of an overly quantitative approach to risk management. Companies that have an over reliance on the traditional quantitative approach to risk management, namely the use of automated triggers based on data analysis to control risk, is much like the Emperor in the fabled children’s story who believed too heavily in just one approach for the source of his information.
However, when the statue was shown to art experts their conclusions were immediate that it was a fraud. These art historians sensed that although the statue had all the obvious telltale signs that it was genuine, their instinct told them it was a fake.
As a result, the investigations were revisited and the holes began to appear in what was previously determined a rock solid conclusion. Eventually, the statue was revealed to be a forgery dating back to Rome in the early 1980’s. How could 14 months of rigorous due diligence by highly trained and paid professional consultants be wrong? So wrong in fact, that art historians who relied on their instincts could come to the correct determination in a matter of moments?
The author, Gladwell, argues in his book, a powerful process in all of us is working subconsciously to sort through huge amounts of information gathered over a lifetime, make associations between data, and extract key indicators to arrive at rapid highly accurate conclusions.
This is also the process of Enterprise Risk Management (ERM). A few ERM best practices are illustrated in this story:
According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. "The mantra was, Can we cut costs 10 percent?” he recalls.
How can such bad decision making be made by such smart people? The answer is found in the over reliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in the deep quantitative analysis of the numbers in databases to detect patterns. This is true for high frequency risks. However, for low frequency and high impact risks (like the BP oil leak) quantitative analysis will often lead to incorrect decision making or more analysis with no decision making at all. First, there is insufficient data historically to analyze and many possible outcomes can easily and incorrectly be “fit to the data”. Second, with too little data, the patterns of correlation, dependency and therefore big picture ramifications can not be easily understood.
The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that utilizes risk self-assessment (the process of identifying and evaluating risk with regard to their potential impact and likelihood, as well as related controls) as well as the subsequent risk management process of control evaluation, action plan definition, monitoring of risk- and implementation development. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue and then systematically help quantify the total risk consequence taking all the possibilities into consideration with scenario analysis and if needed quantitative analysis.
Quantitative analysis is expensive and very focused in applicability. Enterprise Risk Management is all about best practices of performing a self-assessment and scenario analysis before deciding where, when and how to invest in an deeper quantitative analysis like loss database approaches. With ERM, management can prioritize the full costs versus the benefits to make a better decision. You can download a whitepaper on Risk Event Classification. Click here to download.
One of the core value propositions of an Enterprise Risk Management (ERM) solution is to effectively solve this problem of collecting and managing unstructured risk and performance data. A robust ERM solution should provide a schema or organizational hierarchy for risk data so that ERM can bring together unstructured and structured data across the enterprise with the goal to improve decision making. This framework for organizing data provides the foundation for increased quality and efficiency for assessments as well as a process for aggregation and analysis of the information for dependencies. You can download a business architecture that illustrates how problems with spreadsheets are solved within an ERM solution. Click here to download.
The ERM platform core value is measured by the degree of delivery of best practices content like key risk indicator libraries and the business process practices as outlined in the Australian Risk Management Standard and COSO ERM framework. Enterprise content, workflow and process management technologies are infrastructure technologies that belong to the realm of corporate technology architecture and not a purpose built ERM platform. Best of class purpose built ERM software will leverage industry standards in these areas to ensure their solutions are as compatible and configurable as possible across the various infrastructure tools that mainstream vendors offer in these areas. The job of the corporate IT organization is to design and manage the architecture, IT processes, security and standards of their corporation. As such, the enterprise should select the infrastructure tools that are appropriate for their company’s needs, not the ERM application vendor.
Business and Risk Management should select the ERM application. ERM vendor solutions should leverage the corporate infrastructure and technology standards. For example, ERM platforms should be role based with hooks to be managed easily by Business Process Management technology in the enterprise. ERM software vendors should provide within their solution the option to reference data and documents within the corporation's document management/content management infrastructure. Only if the company’s technology is absent should the ERM vendor solution provide basic content repository or workflow capabilities as options.
]]>
Core processes are the fundamental activities or group of activities that are so critical to an organization's success that failure to perform them will result in deterioration of the organization. These are typically processes that directly touch the organization's customers, reflect the major cost drivers, or are on the critical path in the service chain. Core processes by definition may cut across organization boundaries.
How do you set objectives for business performance, and how do you stay out of trouble with the compliance and internal audit folks in your organization and regulators in your industry? Agility is like fire, it can heat your house or burn it down! How do you know what new risks you are exposed to due to your BPM efforts? How do you define core processes? How can you empower these process experts to own their risks? What controls are needed to be in place for your revised process? How do you design appropriate controls to meet business objectives as well as compliance?
The answer to these questions is found within enterprise risk management. You can download my whitepaper, The Challenge of BPM Adoption for more detail on the risk based challenges to BPM adoption and the enterprise risk management answer.
]]>"I am researching and reviewing for the best approach for my organization. I have also talked to some consultancy firms. My initial thoughts is to select a suitable Enterprise Risk Management software package which could guide us through the various stages of risk management and generate different risk reports to different levels of management. However, in the course of my research, I also came across some sources which advised that ERM software should be the last thing to consider in the implementation of risk management. Could you help clarify my doubts and concerns."
Below are a few of the self serving myths told by consultants to create fear and doubt in the hearts of risk managers:
Myth: Software is the last thing to consider - The first priority is to get buy-in from the CEO and the senior management team that enterprise risk management is needed and establish the mandate and timeline to get this accomplished. After appointing a responsible executive to manage your ERM program, software is the next on the list as the best way to adopt best practices within a sustainable process. Select software that has embedded industry best practices. Best practice frameworks include the Australian Risk Management Standard, COSO ERM, COBIT 4.0, Standard & Poor's ERM among others. Make sure you select a software package the requires little or no training. Speak with the software vendor's customers about how easy the software is to use. Consulting proposals greater than 5-10% of the software purchase price is a red flag on ease of use. Note that a consulting first or consulting only approach without the software infrastructure is the biggest red flag, as these best practices and methodologies will quickly be forgotten and consultants will have a perpetual source of income training and re-implementing their services.
Myth: Quantitative risk assessment is better than Risk Control Self Assessment. The right answer is that you need both. According to a recent survey by the Global Association of Risk Professionals (GARP), only 12% of companies are doing a quantitative only approach, 29% a qualitative only approach, while 59% are doing both. (You can access a copy of the GARP Survey on my website.)
Enterprise risk management is about bringing together a risk picture from the entire enterprise (credit, market, operational risk, etc.) using a variety of qualitative methods like Risk control self-assessment along with complimentary quantitative methods. Here are the reasons why:
a) There is insufficient data available to use traditional quantitative methods to quantify operational risk. Risk Control Self Assessment is best suited for this purpose.
b) Coverage is the main issue for Enterprise Risk Management: Quantitative methods are 10 times more expensive and at best can be applied to only 10-15% of the risks threats facing an enterprise. The risk control self assessment approach is proven to help management discover and uncover risk across the entire enterprise. Risk control self-assessments prioritize risk threats and performance opportunities that need follow-up with deeper analysis, including quantitative methods.
The next time a wolf suggests you not to put a perimeter around your hen house, consider the source and the agenda behind the recommendation.
You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of the New York Stock Exchange Regulation. One of the major themes he spoke about was the need for Technology Assessments to review governance, risk and compliance issues. He commented that adoption of new technology combined with changes due to mergers and acquisitions have left corporate systems frail and patched 3-4 levels below the senior management level where they are "common knowledge" by operational staff members. He mentioned that these high risk field issues however are frequently not known or understood by leadership and audit committees. He further spoke of the need for best practices to be implemented to identify reporting and control gaps.
When asked about methods to approach this problem, Mr. Ketchum commented “Precision in an imprecise area is dangerous” and suggested to look at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high risk subjects include processes with deficiencies, that have been triaged, areas not well connected, and legacy systems. Issues to focus on include operations and control practices.
COBIT 4.0 is just such a set of operational and control best practices that can help in this endeavor. According to ISACA, the publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons at Forrester research, comments that "COBIT 4.0 Is A Strong Governance Platform"
You can download a complementary copy of the new COBIT 4.0 best practices document on my website. I also recommend reading my article on Risk Maturity Models to best understand how to use the COBIT 4.0 framework, "The Elephant at the Enterprise Risk Management Party"
My next blog will address the number two voted issue in the opinion poll of my last blog "How to draw the line between acceptable and unacceptable risks?"
For those of you who could not attend, the following are the hot topics to think about: 1) setting of risk tolerance or thresholds, 2) convergence of assessment work within risk, compliance, IT, and finance and audit functions, 3) centralization or decentralization of the risk management function, 4) bird flu impact on business continuity, 5) The need for technology audits, and 6) accelerated adoption of Enterprise Risk Management as a business necessity by credit rating agencies.
According to Julian Fry, Global Head of Operational Risk at Merrill Lynch & Co., Inc., who was a panelist at the conference, the top 10 risk management business issues within Financial Services and Investment Management companies are:
1) Proper business practices, 2) Internal fraud, 3) Knowing your client, 4) Transaction execution, 5) Client selection exposure, 6) Business disruption, 7) Product complexity/pricing, 8) Employment practices, 9) Accounting evaluation (sox), and 10) Back office operations.
You can find downloads for a few of the presentations from the conference at:
risk conference presentations for download.