October 29, 2007
The Institute of Internal Auditors: A champion of ERM
At the recent Institute of Internal Auditors (IIA) event, the “2007 Risk and Control Conference Featuring Governance, Risk, and Compliance,” one of the four tracks was dedicated to Enterprise Risk Management (ERM). The role of internal audit has gained in stature as a result of the financial reporting scandals of the past five years. However, internal audit has seen its time become overly focused on the risk of misstatement in financial reporting. The conference message, “Back to Operational Audits,” resounded loud and clear. ERM provides the path back to operational audits while preserving the financial reporting compliance achievements, without adding resources or work. The internal audit function is increasingly championing ERM as one of its priorities.
Conference attendees could frequently be heard discussing the new Sarbanes-Oxley Section 404 guidance, Auditing Standard 5 (AS5). AS5 prescribes a top-down, risk-based approach, the same approach that underlies ERM, as the way recommended by the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) to increase the efficiency and effectiveness of financial reporting compliance. External auditor fees have risen dramatically since 2002, and attendees recognize that much work remains to apply this new guidance and ERM to reduce the burden on their businesses.
In the session “SOX Controls Rationalization – Better Coverage, Less Effort,” Beth Kaplan of Deloitte & Touche remarked that companies have not done risk assessments well until now and that in the past controls and risks were not linked as they should be. Her client, James Brigham, Vice President of Internal Audit and Asset Protection at PETCO Animal Supplies, commented in the same session that the risk owners, who sit in the operational areas, are critical to get involved. Jim lamented that SOX software today “is weak on assessment capabilities that are both graphical and intuitive to make it easy to engage and involve front line management. Assessment quality is all about asking the right questions and focusing on the process directly with the process owners.”
When asked how PETCO became committed to ERM while so many other companies have not yet made progress, Jim mentioned that PETCO recently pulled product off the shelves of 900 stores because of contaminated pet food. This was a wake-up call for ERM, and he was hired to initiate ERM at PETCO. Jim further remarked that “it is sad that companies have to get burned before they appreciate the significance of what ERM has to offer. This can also be seen with the recent embargo of Chinese products with pollutants. Retailers are in tough shape sourcing a lot of the products and not dealing with the problem until it already happens. ERM is about getting ahead of the problem and preventing it from happening.”
It sometimes seems that compliance gets people’s attention because it is perceived as doing what is required. However, this view has been getting corporate America into trouble. According to keynote speaker Rushworth Kidder, President of the Institute for Global Ethics, 15% of the population is dedicated to compliance, and that focus is destroying our economy. Kidder made the case that better corporate governance is a key to reducing the compliance burden. He presented his research on how lapses in ethics may be the canary in the coal mine, a leading indicator of more insidious and material weaknesses throughout the enterprise. His message was that a strong governance-based approach is a more effective and efficient way to achieve results than a compliance approach that focuses primarily on controls.
If you are an Internal Auditor focused on business value, the risk manager is your new best friend as ERM solves the following Internal Audit headaches:
- Independence: Many internal audit teams are burdened with performing risk assessments themselves in order to gather the information they need to do their jobs. ERM establishes accountability by identifying the owner of each risk, and it prescribes an infrastructure and process for those owners to perform their own risk assessments.
- Audit Plan Coverage: Internal audit teams are resource constrained, and their discretionary audit time typically covers only 5 to 10% of the enterprise in any given year. Management input often consists of hallway conversations or emails, leaving the internal auditor with insufficient information to prioritize resources. ERM provides common enterprise-wide evaluation criteria, an information gathering process and standardized scoring criteria, so that any risk from any business area can be compared objectively and resources can be allocated accordingly.
- Communications: ERM eliminates the redundancy of multiple overlapping, function-specific risk assessments by reaching across silos with a common risk assessment framework: information is collected once and yields a comprehensive view of risk across the enterprise. This provides the foundation for integrated mitigation planning and for collaboration between internal audit and the business areas.
“After fully implementing an ERM program into our Internal Audit planning process we now have more timely assessments of risk, prioritized management requests and the ability to measure residual risks not currently in our audit plan,” said Jay Alligood, Head of Internal Audit, Blue Cross Blue Shield of Florida.
Posted by stevenminsky in
Compliance
| Permalink
| Comments (0)
| TrackBacks
(0)
September 21, 2006
Risk Management: Problems with spreadsheets?
One of the key challenges within the risk, performance, compliance and business continuity areas of a corporation is the management of data held in spreadsheets and other office files, often referred to as unstructured data. Spreadsheet control issues in accounting processes have also surfaced in response to Sarbanes-Oxley. Spreadsheets lack authentication, an audit trail and integrity controls: anyone with the file can change a figure or a formula, and nothing records who changed what or whether the numbers are still the ones that were reviewed. They also cannot readily be rolled up into an enterprise-wide picture, which is a critical barrier to systematically identifying dependencies and tracking change. Information within spreadsheets is largely inaccessible to infrastructure tools such as business intelligence, content management and business process management, and the cost of maintaining this data is unreasonable. The presence of spreadsheets is a symptom of manual processes, which are typically both expensive and error prone.
One of the core value propositions of an Enterprise Risk Management (ERM) solution is to solve this problem of collecting and managing unstructured risk and performance data. A robust ERM solution should provide a schema, or organizational hierarchy, for risk data so that unstructured and structured data from across the enterprise can be brought together to improve decision making. This framework for organizing data provides the foundation for higher quality and more efficient assessments, as well as a process for aggregating the information and analyzing it for dependencies. A business architecture illustrating how these spreadsheet problems are solved within an ERM solution was available for download from this post.
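To make the schema and the scoring idea concrete, here is a small, self-contained Python model of the kind of hierarchy described above, and of the common enterprise-wide scoring criteria the internal audit discussion calls for. It is an added illustration written for this page; it is not the data model of any ERM product, and the organizational hierarchy, the 1 to 5 scales, the four sample risks and the control-effectiveness figures are all constructed for the example. Every risk is scored on the same scale by its process owner, controls are linked to the risks they reduce, residual risk is rolled up to every level of the hierarchy, and the residual risk that falls outside the audit plan is measured, which is exactly the capability the Blue Cross Blue Shield of Florida quote above describes.

```python
"""Hierarchical risk register with standardized scoring and roll-up.

Added illustration for this page, not the schema of any ERM product.
The hierarchy, scales, risks and control-effectiveness figures are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# One enterprise-wide scale for every business area, so a sourcing risk and a
# financial-reporting risk are scored on the same terms and can be ranked together.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the exposure the control removes, 0.0 to 1.0


@dataclass
class Risk:
    rid: str
    path: tuple            # position in the organizational hierarchy, root first
    owner: str             # the process owner who assessed it, not internal audit
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)
    in_audit_plan: bool = False

    def __post_init__(self):
        # Reject anything not on the common scale: a score that cannot be compared
        # across silos is worse than no score at all.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.rid}: likelihood {self.likelihood!r} not on the scale")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.rid}: impact {self.impact!r} not on the scale")
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{self.rid}: control {c.name!r} effectiveness out of range")

    def inherent(self) -> int:
        """Score before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Score after controls; independent controls multiply the remaining exposure."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 2)


def rank(risks):
    """Risk ids ordered by residual score (highest first), then inherent score, then id."""
    return [r.rid for r in sorted(risks, key=lambda r: (-r.residual(), -r.inherent(), r.rid))]


def roll_up(risks):
    """Aggregate residual risk at every node of the hierarchy (every prefix of each path)."""
    nodes = defaultdict(lambda: {"count": 0, "total": 0.0, "max": 0.0})
    for r in risks:
        for depth in range(1, len(r.path) + 1):
            node = nodes[r.path[:depth]]
            node["count"] += 1
            node["total"] = round(node["total"] + r.residual(), 2)
            node["max"] = max(node["max"], r.residual())
    return dict(nodes)


def unaudited_residual(risks) -> float:
    """Residual risk that no planned audit will look at this year."""
    return round(sum(r.residual() for r in risks if not r.in_audit_plan), 2)


# Constructed sample register: four risks owned in four different silos.
REGISTER = [
    Risk("R1", ("Enterprise", "Retail", "Sourcing"), "vp_sourcing", "likely", "severe",
         [Control("supplier audits", 0.5), Control("incoming lot testing", 0.6)]),
    Risk("R2", ("Enterprise", "Finance", "Reporting"), "controller", "possible", "major",
         [Control("reconciliation review", 0.5)], in_audit_plan=True),
    Risk("R3", ("Enterprise", "IT", "Access Management"), "it_security", "unlikely", "severe",
         [Control("MFA on finance systems", 0.7), Control("quarterly access review", 0.5)],
         in_audit_plan=True),
    Risk("R4", ("Enterprise", "Retail", "Stores"), "vp_stores", "possible", "moderate"),
]

if __name__ == "__main__":
    for rid in rank(REGISTER):
        r = next(x for x in REGISTER if x.rid == rid)
        print(f"{rid} {'/'.join(r.path)}: inherent={r.inherent()} residual={r.residual()}")
    for path, agg in sorted(roll_up(REGISTER).items()):
        print("/".join(path), agg)
    print("residual risk outside the audit plan:", unaudited_residual(REGISTER))
```

Run as a script, the ranking puts the uncontrolled store-disruption risk (R4, residual 9.0) ahead of the contaminated-supply risk (R1), even though R1 has the highest inherent score (20), because R1 has two linked controls that together leave only 20% of the exposure. That reversal is the point of linking controls to risks rather than scoring them separately. The roll-up gives every node of the hierarchy a count, total and maximum, so an auditor can compare Retail against Finance with the same numbers, and the unaudited total (13.0 here) shows how much residual risk the year's audit plan never looks at.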
Posted by stevenminsky in Compliance • Enterprise Risk Management • Software
August 30, 2006
Risk Poll: How do you compare?
Below are four poll questions recently put to Chief Risk Officers at organizations across North America. Take the survey yourself and then compare your answers with their poll results and the accompanying write-up, which were available for download from this post.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Assessment • Risk Maturity Model • Risk Mitigation
July 11, 2006
Hot New Risk Management Trends & Opinion Poll Part I
Judging by the SIA’s 2nd Annual Risk Management Conference for financial services firms, held on June 27th in New York City, the maturity of enterprise risk management has definitely moved up a notch in the past year. Uncertainty about how to define enterprise risk management, and debate about whether risk management is worth doing, have been replaced by more practical concerns: how best to implement a risk management program and how to measure its performance.
For those who could not attend, these were the hot topics: 1) setting risk tolerances or thresholds, 2) convergence of assessment work across the risk, compliance, IT, finance and audit functions, 3) centralization versus decentralization of the risk management function, 4) the impact of bird flu on business continuity, 5) the need for technology audits, and 6) accelerated adoption of Enterprise Risk Management as a business necessity driven by the credit rating agencies.
According to Julian Fry, Global Head of Operational Risk at Merrill Lynch & Co., Inc., a panelist at the conference, the top 10 risk management business issues for financial services and investment management companies are:
1) proper business practices, 2) internal fraud, 3) knowing your client, 4) transaction execution, 5) client selection exposure, 6) business disruption, 7) product complexity and pricing, 8) employment practices, 9) accounting evaluation (SOX), and 10) back office operations.
Downloads for a few of the conference presentations were linked from this post (“risk conference presentations for download”).
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Identification
May 25, 2006
Risk Software - Lipstick on a Pig?
The article by Evan Busman, Handling Twin Takes of ERM, is a good overview of evaluating technology for Enterprise Risk Management, especially in highlighting the pitfalls of compliance software that does not address the firm’s more strategic business risk and performance management objectives. Risk management has traditionally been associated with risk elimination, insurance and compliance. Most software vendors have predictably bolted some risk features onto their existing compliance packages because that is easier for them to sell. You can put lipstick on a pig, but it’s still very much a pig.
The true Enterprise Risk Management approach is best described by Dan Borge in his The Book of Risk, as "Risk Management means taking deliberate action to shift the odds in your favor - increasing the odds of good outcomes and reducing the odds of bad outcomes". Enterprise Risk Management is about building business value in support of better decision making rather than only providing oversight of major compliance issues or satisfying the requirements imposed by external auditors. New software built from the ground-up to meet the very different needs of true Enterprise Risk Management is required.
Enterprise Risk Management software must manage the complexity for an ERM program. Based on my research, I have identified the following key characteristics:
1) Root Cause: A framework that gets to the cause of issues makes follow-up straight forward and logical.
2) Motivation: Performance Management functionality that makes it easy to help line managers achieve process improvements to reduce costs, bottlenecks, and unnecessary risk translates into their embracing risk management.
3) Process Driven: Selecting the most relevant 30 to 50 key risk indicators for each core business process from thousands of possibilities.
4) Cross Functional Risk: Features to deliver a portfolio view with interactive dashboards to drill down or cut across silos to identify dependencies between risks.
5) Operational Controls: Go beyond financial controls to also quantify the effect of controls on business goal achievement while maintaining accountability throughout the process.
6) Risk Tolerance: Embedding risk management processes within the existing corporate culture from enterprise-wide board room strategy to tactical planning and analysis.
7) Maturity Model: Enable the risk management department itself to accelerate adoption of best practices, to set program objectives and measures and to manage ERM program activities.
With these criteria you can evaluate the new software coming to market from true ERM vendors and use risk tolerance to achieve your organization’s strategy and performance targets. There is more on the evaluation criteria for selecting Enterprise Risk Management technology in my ebizQ column, The Dos and Don’ts of Enterprise Risk Management.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Software