The Story of the Risk Manager’s Increasing Value Continues...

A few months ago I wrote about the rising visibility and responsibility of risk management professionals, linking to articles about the growing demand for risk training and talent. Along that train of thought, I was just able to get to this month’s edition of Risk Management, which along with a great photographic review of the last year in risk management, has an article outlining the progress the profession has made over the last decade. It’s interesting to think that 10 years ago risk management was a much smaller discipline focused on relatively narrow problems like the Y2K software flaw. Things have changed a lot.

Case in point, the SEC announced this week the approval of new rules that will, among other things, require companies to disclose the relationship between their compensation policies and risk management, as well as describe the board of directors’ role in risk oversight.

Understanding what compensation policies have a material impact on an organization’s risk and developing policies for board-level oversight of risk will require guidance from internal and/or external risk experts... good news for any risk experts who appreciate gainful employment. And of course, many additional regulations and SEC rules expected to come together early next year are also likely to continue this trend.


Transparency and compliance . . . US Congress votes on financial oversight, and the OECD unveils ideas for new see-through fina

Today the US House of Representatives will vote on a bill bringing broad changes to financial regulations, which most experts expect will pass, pushing the matter to the Senate.

As the debate continues between what’s best for businesses and consumers as we look for economic recovery, a few of the amendments expected to come to a vote today involve the creation of a new consumer financial protection agency, a Sarbanes-Oxley exemption for small firms, and new power for the Government Accountability Office to audit the Federal Reserve.

While this debate is going on, the Organization for Economic Cooperation and Development released a framework last week to guide policymakers in the reform of international financial markets. According to the announcement, “Increasing transparency is key. The complexity and opaqueness of products made risk assessment difficult for firms and investors and hindered market transparency, a major cause of the crisis.”

The framework’s explanation of the financial landscape includes principles for 1) A definition of the financial system, 2) Transparency, and 3) Surveillance and analysis. Responsibilities for the collection and distribution of relevant data are described for government authorities, industry groups, and international organizations. These principles mirror the focus of other potential regulatory changes and will have a substantial impact in the way organizations document and track a wide range of business processes and transactions if they are carried out in legislation.


The new ISO 31000 risk management standard . . . well-written, but not earth-shattering

By now, many of you have read the newly released ISO 31000 Risk management - Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.


The Madoff Scandal Widens to Include IT

The SEC announced on Friday that it is charging two computer programmers for their alleged participation in the Ponzi scheme for which Bernard Madoff pleaded guilty and headed off to jail last March.

In its complaint, the SEC alleges that, “Madoff and his lieutenant Frank DiPascali, Jr., routinely asked (Jerome) O'Hara and (George) Perez for their help in creating records that, among other things, combined actual positions and activity from... market-making and proprietary trading businesses with the fictional balances maintained in investor accounts.”

The SEC further alleges that O’Hara and Perez tried to cover their tracks by deleting hundreds of files, withdrew hundreds of thousands of dollars from their investments through the company, told Madoff they wanted to stop helping him, and then accepted larger salaries and substantial bonuses for their promise to keep quiet.

It will be interesting to watch this case unfold. I was hoping it would get into issues of whether the IT professionals were considered just uninvolved support staff or key participants in the scheme. Considering the evidence the SEC claims to have, I don’t think we’ll hear those arguments in this case, but keep an eye out for how the defense comes together. Fraud prevention is a growing area of concern for government, health care, insurance, financial services, and other industries... which means we could be seeing more cases questioning the responsibility of IT to identify and/or prevent such issues.


The GRC Groundswell

Chris McClean

As GRC practices continue to gain traction, I’ve had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all major technology trends, Forrester’s Josh Bernoff must see this as well. This week he announced the winners of the 2009 Forrester Groundswell Awards, with two top GRC vendors among the winners. (For those of you not familiar with Josh Bernoff or Groundswell, check out the book info here.)


How Should Auditors Deal With Such Oddities?

Chris McClean

Two weeks ago, I commented on the changing role of the risk management professional, and thought it would be worthwhile to spend a few moments discussing the auditor as well. In a contest of which job is likely to see more change in the next two years, I would expect a photo finish.


From Scapegoat to Savior: The Risk Manager Story

Chris McClean

Even in the toughest times, winners will invariably emerge. With the way expectations are changing regarding corporate controls and disclosure, risk management professionals (whose lack of influence was seen as a substantial cause of our current state of affairs to begin with) will likely be among the first beneficiaries of our new outlook on business.

Forrester customer inquiries seem to have taken a step back when it comes to risk management. While there are still plenty of incoming technology and vendor selection questions, there has been a noticeable spike in calls about fundamental issues, such as how to build and organize risk management programs. Knowledge and experience in risk management basics is in high demand.

Last week, the New York Times emphasized this demand by highlighting the current value of graduate degrees or certification related to risk management. The article explains:


Please Fill Out These Forms...The SEC Will See You Now

Chris McClean

Is regulatory oversight more or less invasive than oral surgery? Sure, both are necessary sometimes. But however you feel about the current level of corporate scrutiny, it’s clearly increasing, and that means the jobs of corporate governance, risk management, and compliance professionals are going to get even tougher.

The last month has seen some dramatic news related to corporate disclosure, most notably a bill approved by the House Financial Services committee that would require public companies to explain executive and employee compensation packages, and to write rules that would prohibit any compensation that could have a substantial, negative effect on financial markets. Lawmakers expect that this bill, if approved, will be rolled up with other legislation.


Is IT Risk Management Compatible With ERM?

Chris McClean

Every month or so, news events (attacks on government sites, massive privacy breaches, etc.) provide a ‘wake-up call’... a proof point used by vendors and practitioners alike that protecting our national and corporate information assets has never been more critical. On occasion we even see these incidents yield promises of action, for example the anticipated appointment of a US Cybersecurity Czar, which my colleague Khalid Kark discusses here.

But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.


And the results are in... The Forrester Enterprise GRC Platform Wave 2009

Chris McClean

The launch of any new research report is exciting, but I’m especially happy to see the publication of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009.

The evaluation speaks for itself. Forrester goes to great pains to ensure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process:
