Top Challenges in Enterprise Risk Management

As I close out my client inquiry records for the quarter, it’s interesting to review some of the common challenges risk management professionals are currently facing. I was impressed to see how closely the issues I deal with were covered in this month’s edition of Risk Management Magazine. In an article entitled “10 Common ERM Challenges,” KPMG’s Jim Negus called out the following issues:

  • Assessing ERM’s value
  • Privilege (of access to risk information)
  • Defining risk
  • (Selecting a) risk assessment method
  • Qualitative versus quantitative (assessment metrics)
  • Time horizon (for risk assessments)
  • Multiple possible scenarios
  • ERM ownership
  • Risk reporting
  • Simulations and stress tests


Negus provides good perspective on these challenges as well as some ideas for solutions. The list is fairly comprehensive, but there are several other challenges that I would have included based on the inquiries I get. First and foremost, the role of technology in risk management – whether for assessments, aggregation, or analytics – comes up very frequently, and vendor selection initiatives have been plentiful since mid-Q4 of last year.

Defining risk management’s role within the business (and vice versa) is also an extremely common topic of conversation. As rules and standards keep changing, this will remain a top challenge. Other frequent issues include event/loss management, building a risk taxonomy, and evaluating vendor/partner risk.


The Fear Of Four... And The Future Of Fraud Detection

I had a few great conversations yesterday about the increasing role analytics will play in risk and compliance programs, which brought to mind the article “For Some Firms, a Case of 'Quadrophobia',” appearing earlier this week in the Wall Street Journal and referenced yesterday by the NY Times’ Freakonomics blog.

The article covers a study of quarterly earnings reports over a nearly 30-year period, which found a statistically low number of results ending in four-tenths of a cent. The implication here is that companies fudge their numbers slightly to report earnings ending in five-tenths, which can then be rounded up... clever. Even more interesting, the authors of the study found that these “quadrophobes” are “more likely to restate financials and to be named as defendants in SEC Accounting and Auditing Enforcement Releases (AAER)”... not clever.

The report encourages the SEC to enhance its oversight with a new department dedicated solely to detailed quantitative analysis that might catch this type of behavior. It also occurs to me that many corporations would like to identify such trends within their four walls to detect and prevent potentially damaging behavior.

Clearly, the cultural/human aspects of risk management and compliance – policies, attestations, training, awareness, whistleblowing, etc. – are essential. But as the number and complexity of business transactions continue to grow, companies will be looking more and more for ways to analyze massive amounts of data for damaging patterns and trends.


The changing nature of governance, risk, and compliance

In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.

News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception... giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support this recovery... you're making a huge mistake and you will regret that later on." French President Nicolas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."


Growing Concern Over Risks To (And Of) The System

By the end of this year, we will likely all be sick of the phrase “systemic risk.” Referring to the complex and interconnected nature of risks that brought down the financial services sector, the phrase has been a focal point in the discussions on how to prevent such failures in the future. (And in my experience, this increased attention means that service and software vendors will be using the term in their marketing literature with increasing frequency in 2010.)

Policy makers are recommending systemic risk solutions such as new oversight bodies to assess for systemic risks or penalties for companies that are perceived to threaten the system. European Central Bank president Jean-Claude Trichet even suggested that financial institutions help avoid systemic risks by "putting aside their own profit" and being "moderate in remuneration behavior," in order to reinforce their balance sheets.


Thoughts on EMC’s acquisition of Archer

What a good way to kick off what should be another exciting year in GRC. Just under a year ago, Archer Technologies brought consolidation to the IT GRC market with its acquisition of rival Brabeion. The vendor food chain continued today as EMC announced an agreement to acquire Archer into its RSA product division.

Details such as product integration and go-to-market strategy will trickle out slowly of course, but so far, this is a significant deal for a couple of reasons:

  • Archer fills a substantial void in EMC’s product offering, which included many elements of GRC, but no central platform to pull it all together.
  • EMC will introduce the Archer products to a much larger set of potential customers... most notably as a platform to manage security and compliance, but also to customers with requirements for related areas like vendor management or business continuity.
  • It brings another IT heavyweight fully into the GRC space, with substantial engineering resources to work on product development (but only if Archer continues to be seen as a top priority within RSA).

As we watch this acquisition come together, as well as other upcoming announcements that will make the GRC space even more competitive, here are a few questions to consider:


The Story of the Risk Manager’s Increasing Value Continues...

A few months ago I wrote about the rising visibility and responsibility of risk management professionals, linking to articles about the growing demand for risk training and talent. Along that train of thought, I was just able to get to this month’s edition of Risk Management, which along with a great photographic review of the last year in risk management, has an article outlining the progress the profession has made over the last decade. It’s interesting to think that 10 years ago risk management was a much smaller discipline focused on relatively narrow problems like the Y2K software flaw. Things have changed a lot.

Case in point, the SEC announced this week the approval of new rules that will, among other things, require companies to disclose the relationship between their compensation policies and risk management, as well as describe the board of directors’ role in risk oversight.

Understanding what compensation policies have a material impact on an organization’s risk and developing policies for board-level oversight of risk will require guidance from internal and/or external risk experts... good news for any risk experts who appreciate gainful employment. And of course, many additional regulations and SEC rules expected to come together early next year are also likely to continue this trend.


Transparency and compliance . . . US Congress votes on financial oversight, and the OECD unveils ideas for new see-through fina

Today the US House of Representatives will vote on a bill bringing broad changes to financial regulations, which most experts expect will pass, pushing the matter to the Senate.

As the debate continues between what’s best for businesses and consumers as we look for economic recovery, a few of the amendments expected to come to a vote today involve the creation of a new consumer financial protection agency, a Sarbanes-Oxley exemption for small firms, and new power for the Government Accountability Office to audit the Federal Reserve.

While this debate is going on, the Organization for Economic Cooperation and Development released a framework last week to guide policymakers in the reform of international financial markets. According to the announcement, “Increasing transparency is key. The complexity and opaqueness of products made risk assessment difficult for firms and investors and hindered market transparency, a major cause of the crisis.”

The framework’s explanation of the financial landscape includes principles for 1) a definition of the financial system, 2) transparency, and 3) surveillance and analysis. Responsibilities for the collection and distribution of relevant data are described for government authorities, industry groups, and international organizations. These principles mirror the focus of other potential regulatory changes and, if carried into legislation, will have a substantial impact on the way organizations document and track a wide range of business processes and transactions.


The new ISO 31000 risk management standard . . . well-written, but not earth-shattering

By now, many of you have read the newly released ISO 31000 Risk management - Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor, the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.


The Madoff Scandal Widens to Include IT

The SEC announced on Friday that it is charging two computer programmers for their alleged participation in the Ponzi scheme for which Bernard Madoff pleaded guilty and headed off to jail last March.

In its complaint, the SEC alleges that, “Madoff and his lieutenant Frank DiPascali, Jr., routinely asked (Jerome) O'Hara and (George) Perez for their help in creating records that, among other things, combined actual positions and activity from... market-making and proprietary trading businesses with the fictional balances maintained in investor accounts.”

The SEC further alleges that O’Hara and Perez tried to cover their tracks by deleting hundreds of files, withdrew hundreds of thousands of dollars from their investments through the company, told Madoff they wanted to stop helping him, and then accepted larger salaries and substantial bonuses for their promise to keep quiet.

It will be interesting to watch this case unfold. I was hoping it would get into issues of whether the IT professionals were considered just uninvolved support staff or key participants in the scheme. Considering the evidence the SEC claims to have, I don’t think we’ll hear those arguments in this case, but keep an eye out for how the defense comes together. Fraud prevention is a growing area of concern for government, health care, insurance, financial services, and other industries... which means we could be seeing more cases questioning the responsibility of IT to identify and/or prevent such issues.


The GRC Groundswell

Chris McClean

As GRC practices continue to gain traction, I’ve had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all major technology trends, Forrester’s Josh Bernoff must see this as well. This week he announced the winners of the 2009 Forrester Groundswell Awards, with two top GRC vendors among the winners. (For those of you not familiar with Josh Bernoff or Groundswell, check out the book info here.)
