February 19, 2008
Risk Management: Evolve or Step Aside
The business environment evolves, organizations evolve, and people's roles and contributions must evolve as well. Some risk managers have expressed frustration over insufficient resources or support from senior management. Risk managers who have an active role in financial reporting compliance activities (e.g., SOX 404), however, find their departments' visibility and influence within the organization to be high. Such was the case at Alfa Corporation.
This month's Treasury & Risk Magazine cover story, Audit Busters, explains the business case for the CRO partnering with the CFO at Alfa Corporation, a partnership that transformed their compliance programs to serve their business strategy while reducing their external audit hours by 60%.
With the right ERM infrastructure, the CRO can now offer the CFO the capability to manage tomorrow's financial surprises today, while there is still time to change the outcome. New AS5 legislation that mandates a top-down, risk-based approach gives risk managers the opportunity to deliver measurable financial and strategic value while building an ERM infrastructure that easily extends to all areas of the business.
The stakes are high:
If history repeats itself, according to the CFO magazine article How a Material Weakness Can Cost You, more than 11 percent of companies with financial reporting and compliance programs will be found to have material weaknesses, and about 86 percent of those material weaknesses will be discovered not by management or consultants but by external auditors. The consequences are real: affected companies see more than a 4 percent drop in stock price, their CFOs face a 62 percent likelihood of being replaced, and ongoing external audit fees jump by more than 150 percent.
As problems like these mount, CFOs are beginning to realize that an ERM-based SOX effort works much better than a controls-based SOX effort or an ad hoc approach to risk.
Part II in the Series: The 21st Century CFO and CRO: Partners in Value
Posted by stevenminsky in ERM process management • ERM-based approach • Performance management • Root cause discipline • Software
September 21, 2006
Risk Management: Problems with spreadsheets?
One of the key challenges within the risk, performance, compliance and business continuity areas of a corporation is the management of data in spreadsheets and other office files, often referred to as unstructured data. Spreadsheet control issues in accounting processes have also surfaced in response to Sarbanes-Oxley. Not only do spreadsheets lack authentication, an audit trail, and integrity controls, but they also cannot roll up information into an enterprise-wide picture. This is a critical barrier to systematically identifying dependencies and tracking change. Information within spreadsheets is largely inaccessible to infrastructure tools such as business intelligence, content management and business process management, and the cost of maintaining this data is unreasonable. The presence of spreadsheets is a symptom of manual processes, which are typically both expensive and error prone.
One of the core value propositions of an Enterprise Risk Management (ERM) solution is to solve this problem of collecting and managing unstructured risk and performance data. A robust ERM solution should provide a schema, or organizational hierarchy, for risk data so that ERM can bring together unstructured and structured data across the enterprise with the goal of improving decision making. This framework for organizing data provides the foundation for higher quality and efficiency in assessments, as well as a process for aggregating and analyzing the information for dependencies. You can download a business architecture that illustrates how problems with spreadsheets are solved within an ERM solution.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Software
September 14, 2006
Risk Management: What is the role of BPM and Content Management technology?
In every emerging market the question of build versus buy arises. Enterprise Risk Management (ERM) is no different. Why a purpose-built application in this space? What is the role of enterprise content, workflow and process management technologies? What is the value proposition for a specific purpose-built application in the ERM software space? Should content and process technologies be built into a vendor application or should the vendor application leverage existing Enterprise Content Management (ECM) and Business Process Management (BPM) technologies in the enterprise?
The core value of an ERM platform is measured by how well it delivers best-practice content, such as key risk indicator libraries, and the business process practices outlined in the Australian Risk Management Standard and the COSO ERM framework. Enterprise content, workflow and process management technologies are infrastructure technologies that belong to the realm of corporate technology architecture, not to a purpose-built ERM platform. Best-of-class purpose-built ERM software will leverage industry standards in these areas to ensure its solutions are as compatible and configurable as possible across the various infrastructure tools that mainstream vendors offer. The job of the corporate IT organization is to design and manage the architecture, IT processes, security and standards of the corporation. As such, the enterprise, not the ERM application vendor, should select the infrastructure tools that are appropriate for the company's needs.
Business and Risk Management should select the ERM application. ERM vendor solutions should leverage the corporate infrastructure and technology standards. For example, ERM platforms should be role-based, with hooks so they can be managed easily by the Business Process Management technology in the enterprise. ERM software vendors should provide within their solution the option to reference data and documents within the corporation's document management/content management infrastructure. Only if the company's technology is absent should the ERM vendor solution provide basic content repository or workflow capabilities as options.
Posted by stevenminsky in Enterprise Risk Management • Software
June 27, 2006
Re: Intelligence Failures, Part III: Opinion Poll
In my blog last week I defined the terms in the poll below and explained how risk management can prevent these failures from occurring. Vote your opinion and then view the results of what others think:
Thanks to Toren for his comments on my blog last week, "Intelligence Failures, Part II: Risk Management is the Answer". Toren writes:
"How would Risk management software deal with perceptions and preconceptions that drive leaders and make them look the other way once intelligence points against their gut feeling? Is there a software that integrates human experience and takes preconceptions, even feelings and mere hunches that may drive a decision, into account?"
Business has political interests and politics has business interests, but the discipline of risk management applies to both just the same. Toren's comment highlights the need to acquire human intelligence from front-line experts and balance it with other data sources to achieve better decision making. This is the heart of what risk management software is designed to address.
First, the underlying prerequisite for a successful risk management program is the "tone from the top": leadership must embrace a rigorous, objective and qualified risk management process. Transparency in the risk assessment and mitigation process is necessary to build the confidence and credibility needed for this buy-in. Software achieves this with embedded best practices and real-time interactive dashboards and reports for efficiency and governance of the process. When senior leadership commits to actively engaging in the risk management process, they gain conviction in its results.
With this mandate in place, the next issue is how to widen the net and process the information in an objective and consistent fashion, so that unsubstantiated preconceptions cannot block out the facts. True Enterprise Risk Management software supports a risk control self-assessment approach with a library of guided questions to qualify, quantify and prioritize human intelligence for follow-up. This process breaks the information down into its root cause categories and factors and quantifies the potential impact of the risk, the likelihood that the risk will occur, and the current effectiveness of the controls in place should the risk actually occur. A risk index score is calculated with the formula (impact x likelihood x control). Ranking by this index then systematically culls a broader base of information down to the most dangerous or highest-risk issues or scenarios.
Follow-up activities are assigned with due dates for deeper analysis that culminates in a recommendation for action, along with supporting documentation of cost-benefit analysis, controls, budgets, etc. This web-based system aggregates data from all areas of the organization. Control activities enforce discipline in the implementation and monitoring phases, preventing risks or minimizing their impact should they occur. It is this combination of methodology, process and software that prevents a premature conclusion or a disregard for the facts.
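An added example (not code from this post or from any ERM product) of the scoring and culling step just described: each issue is scored for impact, likelihood and control, the risk index is impact x likelihood x control, and the register is ranked for follow-up and rolled up by root cause category. It assumes 1-to-5 scales and scores "control" as control weakness so that a larger product always means more risk; the register contents are constructed.

```python
# Risk control self-assessment scoring: impact x likelihood x control,
# ranked so follow-up goes to the highest-index items first.
# Assumption: 1-5 scales; "control" is scored as control weakness
# (1 = fully effective control, 5 = no control) so a larger product = more risk.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class RiskItem:
    name: str
    root_cause: str  # root cause category from the guided questionnaire
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    control: int     # control weakness: 1 (effective) .. 5 (no control)

    def index(self) -> int:
        """Risk index = impact x likelihood x control, after range checks."""
        for v in (self.impact, self.likelihood, self.control):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {v}")
        return self.impact * self.likelihood * self.control

def rank(register, top_n):
    """Cull the register to the top_n highest risk index scores for follow-up."""
    return sorted(register, key=lambda r: r.index(), reverse=True)[:top_n]

def by_root_cause(register):
    """Roll up index scores per root cause category (the aggregated view)."""
    totals = defaultdict(int)
    for r in register:
        totals[r.root_cause] += r.index()
    return dict(totals)

# Constructed sample register (not real assessment data).
SAMPLE = [
    RiskItem("Source contradicts analyst consensus", "People", 5, 3, 4),
    RiskItem("Report routed without peer review", "Process", 3, 4, 2),
    RiskItem("Field report backlog", "Systems", 2, 5, 3),
    RiskItem("Single translator for region", "People", 4, 2, 1),
]

if __name__ == "__main__":
    for item in rank(SAMPLE, 2):
        print(f"{item.index():3d}  {item.name} [{item.root_cause}]")
    print(by_root_cause(SAMPLE))
```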
Thanks again to Toren; keep your inquiries coming, and don't forget to vote your opinion above!
Posted by stevenminsky in Risk Assessment • Risk Mitigation • Software
June 06, 2006
Big Blue and Bird Flu?
IBM announced today its newest Risk Management service offering, Contingency Planning Assessment, in the press release IBM TO HELP COMPANIES DETERMINE PANDEMIC PREPAREDNESS. I had the opportunity to speak with Rich Cocchiara, IBM Distinguished Engineer & CTO for Business Resilience, prior to the announcement. Rich made the point that business continuity, disaster recovery and crisis management are constantly evolving and that new threats need new strategies. Rich outlined a few of the differences to consider in planning for a Bird Flu Pandemic versus a traditional business continuity and disaster recovery issue:
1) People vs. Infrastructure Resources - Bird Flu scenarios can affect up to 40% of employees, whereas traditional business continuity has been all about the physical infrastructure of buildings, transportation, data and communications.
2) Global vs. Local Geographies - a Pandemic is forecast to affect multiple cities, regions and entire countries simultaneously, whereas traditional business continuity planning has focused on reactions to single, localized events.
3) Long-term vs. Temporary Impacts - Avian Flu may come in several waves lasting several years and may change the way business is conducted in the long term, whereas traditional business continuity has been thought of as lasting a few days to a few weeks.
Rich posed the question on corporate preparedness: "Does your organization know how operations will be impacted due to a health Pandemic? What business areas will need to be shut down or functions, locations or processes abandoned?" Rich also pointed out that all organizations are impacted, including small and medium-sized businesses, not just the largest enterprises and government agencies.
Rich also commented on the importance of risk management software tools to support an Enterprise Risk Management program for identifying and assessing scenarios, evaluating options, and planning and tracking results. Further, keeping Corporate Objectives and a Performance Management view in mind can also help address current business operations issues and make your business better today. For example, enabling business processes for more effective telecommuting, or shifting operational capabilities for work between offices and regions, can help businesses reduce costs and increase productivity today even if a bird flu pandemic never materializes.
This announcement by IBM validates the critical need to put an enterprise framework in place with both a methodology and process to constantly reevaluate thinking and planning on how risk can impact your business and what actions need to be taken.
What is keeping you up at night and what are you doing about it?
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Mitigation • Software
May 25, 2006
Risk Software - Lipstick on a Pig?
The article by Evan Busman, Handling Twin Takes of ERM, is a great overview of evaluating technology for Enterprise Risk Management, especially in highlighting the pitfall of compliance software that does not address the firm's more strategic business risk and performance management objectives. Risk Management has traditionally been associated with risk elimination, insurance and compliance. Most software vendors have predictably added some risk features onto their existing compliance packages because that is easier for them to sell. You can put lipstick on a pig, but it's still very much a pig.
The true Enterprise Risk Management approach is best described by Dan Borge in his The Book of Risk, as "Risk Management means taking deliberate action to shift the odds in your favor - increasing the odds of good outcomes and reducing the odds of bad outcomes". Enterprise Risk Management is about building business value in support of better decision making rather than only providing oversight of major compliance issues or satisfying the requirements imposed by external auditors. New software built from the ground-up to meet the very different needs of true Enterprise Risk Management is required.
Enterprise Risk Management software must manage the complexity for an ERM program. Based on my research, I have identified the following key characteristics:
1) Root Cause: A framework that gets to the cause of issues makes follow-up straightforward and logical.
2) Motivation: Performance Management functionality that makes it easy for line managers to achieve process improvements, reducing costs, bottlenecks and unnecessary risk, translates into their embracing risk management.
3) Process Driven: Selecting the most relevant 30 to 50 key risk indicators for each core business process from thousands of possibilities.
4) Cross Functional Risk: Features to deliver a portfolio view with interactive dashboards to drill down or cut across silos to identify dependencies between risks.
5) Operational Controls: Go beyond financial controls to also quantify the effect of controls on business goal achievement while maintaining accountability throughout the process.
6) Risk Tolerance: Embedding risk management processes within the existing corporate culture from enterprise-wide board room strategy to tactical planning and analysis.
7) Maturity Model: Enable the risk management department itself to accelerate adoption of best practices, to set program objectives and measures and to manage ERM program activities.
With these criteria you can evaluate new software coming to market from true ERM vendors and use risk tolerance to achieve the strategy and performance targets for your organization. There is more on the evaluation criteria for selecting Enterprise Risk Management technology in my ebizQ column, The Dos and Don'ts of Enterprise Risk Management.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Software