Guide to Enterprise Risk Management
A supplement to Compliance Week
The Leading Information Service on Corporate Governance, Risk and Compliance

Inside this publication:
Building a Strong Risk-Management Team
ERM vs. Risk Analysis
Auditing Your ERM Program
Learning to Talk About IT Risk
Rick Steinberg on Why CEOs Always Miss the Biggest Risks
© 2007 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative.

It’s a dangerous and complex world out there for any business, but with a keen ERM program you can protect yourself from danger—and take advantage of business opportunities. KPMG’s Enterprise Risk Management services can help you hone your ERM skills to make ERM a daily activity—a way of life—for your company. Gain ERM prowess with KPMG, so your risk leadership and tone at the top can become clear, your assessments forward-looking, your information actionable, your monitoring ruthlessly efficient. It’s the path to sound corporate governance and improved business performance. You need KPMG. Because only the fittest survive.

Contact John M. Farrell, National Lead Partner, ERM, at 212-872-3047 or [email protected]
us.kpmg.com

She has natural instincts. You need ERM.
Identifying, analyzing, prioritizing, quantifying, reporting, monitoring, and optimizing risks.
KPMG named a leader in The Forrester Wave: Risk Consulting Services, Q2 2007. To learn more, and receive a copy of the independent Forrester Report, contact KPMG today.
NOVEMBER 2008 www.complianceweek.com » 888.519.9200 3
Compliance Week (ISSN: 1549-957X) is distributed monthly by Haymarket Media, Inc., 77 No. Washington Street, Boston, Massachusetts 02114. Copyright ©2008, Haymarket Media, Inc. All rights reserved. Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of Haymarket Media, Inc. Requests for reprints and permissions should be directed to Compliance Week at the address noted above, or by calling (888) 519-9200. Subscriptions to Compliance Week include a weekly e-mail newsletter, full access to resources at complianceweek.com, and this monthly print magazine. Basic annual subscription fees start at $999. To subscribe, go to http://subscribe.complianceweek.com. Postmaster: Send address changes to Compliance Week, Circulation Department, 77 No. Washington Street, Boston, Massachusetts 02114, e-mail Compliance Week at [email protected], or call (888) 519-9200. “Compliance Week” is a registered mark of Haymarket Media, Inc.

Important Notice: Compliance Week does not provide legal advice. Content is for general information and discussion only, and is not a full analysis of the matters presented. The information provided by Compliance Week may not be applicable in all situations, and readers should always seek specific advice from lawyers, auditors and/or appropriate governance and compliance experts before taking any action with respect to any matters discussed herein. In addition, columns and opinion articles solely reflect the views of their respective authors, and should also not be regarded as legal advice.
Editorial
Publisher: Scott S. Cohen, [email protected]
Editor-in-Chief: Matt Kelly, [email protected]
Assistant Editor: Jaclyn Jaeger, [email protected]
Copy Editor: DeAnn Orie, [email protected]
Director, Production & Design: Erin Lynch
Contributors

Advertising
Vice President, Sales: Barry Greenfield, [email protected]
Director, Advertising Sales: Doug Juenemann, [email protected]
Advertising Production Manager: Carrie O’Connor, [email protected]

Subscriptions & Circulation
Subscription Sales Manager: Lori McMahon, [email protected]
Circulation & Customer Service Manager: Jaclyn Strycharz, [email protected]

Contacting Compliance Week
Phone: (888) 519-9200
Fax: (800) 675-1887
Mail: Compliance Week, 77 No. Washington Street, Boston, MA 02114
Circulation Audited By
A Sharp Reminder That ERM Isn’t Just Theory; It Matters

I swear: Compliance Week never intended to publish a special supplement on enterprise risk management just as the global financial system went to pieces.

For better or worse, however, the credit crisis has given compliance and financial reporting executives everywhere a very real reminder of how vital risk management is. Your financing may suddenly vanish. Your key supplier might go bankrupt. That super-cool acquisition you made last year might drag your whole enterprise to ruin.

The trouble is that ERM has been done in piecemeal, largely below the radar of top executives or boards of directors. A vice president patrols manufacturing plants for environmental hazards here, a deputy general counsel warns employees about illegal bribery payments there. But now, senior management increasingly needs to collect all those risk-management efforts under one umbrella—because, as we’ve all painfully witnessed in the last several months, one corporate misstep can quickly threaten the whole enterprise. Cohesive strategy and planning around risk isn’t easy, but it’s the only way to survive in a hyper-connected business world.

To that end, this Compliance Week supplement aims to be a primer on ERM in all its forms. Inside you will find articles examining the idea of ERM as a whole, from how much board directors worry about it to how companies can establish, staff, and audit their own ERM functions. We also have white papers from accomplished experts and a list of resources that can help you move forward with ERM at your own speed.

Compliance Week will continue to cover ERM on many fronts, picking apart individual risks and analyzing how boards can weigh and manage them against all the other risks modern companies face. The credit crisis of 2008 may have brought enterprise risk management into sharp relief, but the reality is that companies have already been doing this for a long time, and always will. After all, you can’t reap the reward without taking the risk.

Matt Kelly, Editor-in-Chief
Contents
Building a Strong Risk-Management Team 4
S&P Starts Including ERM in Credit Ratings 6
Building ERM Bridges for Boards, C-Suite 7
SOX and ERM Risk Assessments: An Analysis 8
Dan Swanson: Auditing Your ERM Program 10
Innovation in Difficult Times (Strategic Thought Group) 13
Rick Steinberg: The Big Risk: CEOs Never See It Coming 14
Learning to Talk About IT Risk in Common Terms 16
Authors of knowledge leadership articles listed in red.

Enterprise Risk Management
Christine Dunn
Todd Neff
Kathrine Schmidt
Dan Swanson
Richard M. Steinberg
Enterprise Risk Management
Audit | Tax | Advisory
Big decisions follow you around.
How can we make our internal control system more effective AND efficient?
Grant Thornton LLP U.S. member firm of Grant Thornton International Ltd

How do you support the conclusion that your internal control system is effective? Are your monitoring procedures efficient enough to prevent unnecessary testing at the end of the year? Now there is a way to know. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) put a team in place to develop guidance on monitoring internal controls. Grant Thornton LLP is proud to have been chosen as the project leader for creating COSO’s Guidance on Monitoring Internal Control Systems. For more information on COSO’s guidance, please visit GrantThornton.com/COSO.

Grant Thornton...known for distinctive client service and partner attention for over 80 years. Find out what it’s like to work with people who love what they do!
Building a Strong Risk-Management Team
By Jaclyn Jaeger

In one form or another, enterprise risk management has always been an essential part of an organization’s operations. But that is arguably more true today than ever before.

Expanding business risks and regulations, growing awareness by media and stakeholders, and increased focus on corporate sustainability all make risk management a top business priority today, said Dave Anderson, vice president of GRC business strategy at SAP.

Anderson and numerous other risk-management experts at the third annual Compliance Week conference in Washington in June shared some best practices for developing an effective risk-management program.

“Enterprise risk management is really about having a vision of how to see risk management fitting into your organization as opposed to your organization fitting into enterprise risk management,” said John Farrell, head of the enterprise risk management practice for KPMG. Most organizations, he said, don’t step back and ask why they are doing risk management.

A truly effective risk-management program begins with the development of a framework. This is particularly essential given that every organization’s program will be different. “There is no one size fits all,” said John Rostern, director of technology risk management at Jefferson Wells International.

As a starting point, some of the questions experts recommended asking include:
» What is our strategy? Have we built the right strategy?
» Who is the target audience for our work?
» What is it that we need to gather information about, and at what level?
» What are the guiding principles of the program?
» What are the guiding objectives of the program?

“Once you step back and understand the purpose of the program, it allows you to step back and decide who should do what to what extent and how many people in your organization should get involved,” said Farrell. “Risk committees are really important to organizations today to really get the quality of information up.”

As with much else in governance, tone at the top is critical. “Management needs to be playing an ongoing, aggressive role,” said Bruce McCuaig, chief risk officer for governance, risk, and compliance software firm Paisley.

But tone at the top is not everything, noted Christine Schwab, vice president and chief risk officer of Dominion Resources. “It is important that our CEO and CFO care about this, absolutely, but all of your leaders have to engage to get true value added,” she said. “I don’t need anyone on my team who doesn’t see the value of this.”

Schwab also cautioned companies to choose a risk-management leader wisely. “They’ve got to be facilitators,” she said. “Facilitating is not something all people are good at.” In addition, she said, choosing a candidate who has worked at the organization a long time and has credibility is more important than hiring somebody who knows the technical aspects of risk management.

Getting on the Same Page

After you’ve put a framework in place, you want to make sure every department within an organization is on the same page by establishing a “common language of risk and control,” McCuaig said. That means establishing common definitions, standards, and methodologies in all risk areas—strategic, operating, compliance, and reporting risks. “That, to me, is one of the greatest problems with convergence,” he said.

Andy Anderson, chief audit executive at Axis Capital, added that what makes convergence so difficult is that organizations usually have a whole series of risk assess-

Continued on Page 18

ERM Drivers
Role of ERM in Today’s Business Environment

Governance
» Facilitate better corporate stewardship over strategic priorities and non-financial aspects of performance
» Meet credit rating agencies’ expectations with regard to risk, to ensure “no surprises” culture
» Meet enhanced securities exchange listing requirements
» Meet SEC requirements: 10-K description of “Risk Factors” in plain English
» Satisfy evolving risk-based capital adequacy frameworks, e.g., Basel II

Strategy
» Beyond regulation: provides a competitive advantage versus industry peers
» Re-align strategy through evaluation of prioritized risks
» Link to risk: cannot develop strategy without understanding enterprise risks

Performance
» Improve accountability and transparency through coordinated enterprise risk monitoring and reporting
» Reduce cash flow volatility using derivatives, insurance, or improved controls
» Allocate and evaluate capital based on risk-based performance
» Reduce costs through risk consolidation and cross-functional efficiencies

Source: KPMG & TIAA-CREF (June 5, 2008). For additional information, go to www.complianceweek.com and enter Print Reference Code: 090824.
S&P Starts Including ERM in Credit Ratings
S&P sends warning to companies: ERM to factor into their credit ratings
By Christine Dunn

Standard & Poor’s is giving companies a new financial incentive to take enterprise risk management more seriously: It will affect their credit ratings.

S&P has been working since last year to incorporate ERM into how it decides a company’s credit ratings. The agency finally released a report in May saying it will now treat ERM as “an additional dimension to our analysis of management and corporate governance, creating a more systematic framework for an inherently subjective topic.”

S&P began rating insurers and financial institutions on risk-management practices more than two years ago, since their heavy exposure to financial risks has made ERM more prominent in those sectors. S&P’s decision will expand ERM analysis to non-financial firms.

“Companies have a further economic incentive now to do ERM. If their credit rating is lowered, their cost of capital will increase,” says Dan Helming, a partner at the Weiser accounting firm. “S&P is thinking proactively in taking this step.”

S&P’s decision reflects the increasing importance of a company’s ability to identify and manage its risk across the whole of its enterprise, according to Miles Everson, a partner at PricewaterhouseCoopers. ERM is more crucial now because businesses are competing in ever more changing environments, so they must be more agile and responsive to threats as they emerge, he says.

“The ratings agencies play an important role in the capital flows of the global market system,” Everson says. “A company’s ability to take and manage risk, and articulating that to investors, is critical to their long-term success.”

Moody’s and Fitch’s ratings services did not return calls seeking comment on whether they plan to incorporate ERM in their rating calculations.

Analyzing a company’s ERM efforts may encourage S&P analysts to be more predictive in their thinking, according to Steve Dreyer, head of U.S. utilities and infrastructure ratings at S&P. Currently, he says, the agency’s ratings process is efficient at responding to events as they happen; a few bad quarters, for example, can send a company’s rating downward after the fact.

The ERM component, however, should help analysts anticipate which companies are more resilient and in a better position to respond to changing circumstances, Dreyer says. By gaining more insight into a company’s resilience, analysts might not need to change credit ratings so severely in response to specific events, since they’ll have a better sense of how well the company in question can cope.

“The hope is that we would report less about actual events, and do more talking on a forward looking basis,” Dreyer says. “What we would see is the companies’ ability to respond to future events.”

S&P had been pondering the inclusion of ERM in its ratings for several years. The agency started with financial companies, who asked S&P to examine—and recognize—the changes they had made to identify and manage their risk.

“Insurance companies brow beat us to look at this,” Dreyer explains. “Our analysts started the process skeptically, but in looking at the differences between companies that previously had the same rating, and noticing the marked differences in management practices … it convinced us that including ERM had merit.”

Why Do This?

Regulators worldwide have taken a stronger interest in risk management in recent years, forcing companies to re-evaluate the ERM processes they had in place (assuming they did any ERM at all). Many companies have warmed to the idea anyway, since events such as the Sept. 11 attacks, Hurricane Katrina, and the energy crisis have all shown how companies can be caught unprepared by swift, sudden changes in fortune.

Standard & Poor’s says it has no set formula for ERM that it will immediately incorporate into its ratings. Instead, the agency plans to implement ERM analysis in phases.

First, S&P plans to test concepts about how companies deal with risk and how they manage it. For example, analysts will look at whether a company has a chief risk officer in place and for how long; whether the company makes a formal declaration about its risk appetite; and whether it has had regular communications with shareholders, the board, and employees about risk, Dreyer says.

Analysts also will analyze statements made by management and historical performance to see how the companies have handled risk in the past. The analysts will do frequent follow-up meetings, especially after major earnings drops or asset write-downs, Dreyer adds.

Most importantly, he adds, analysts will talk with companies to confirm that executives have an understanding of how the company should handle risk and whether management is comfortable with the company’s net risk position.

S&P is currently training analysts so that they question companies consistently. Companies will be provided with an outline ahead of each meeting with S&P to help them prepare.

“You’ll see some shocks by companies once this is rolled out,” says Arnold Schanfeld of the accounting and consulting firm ERM Associates in New Jersey. “I think that many companies will receive more negative ratings than they would have expected or anticipated.”

Many companies believe that investments made to comply with Sarbanes-Oxley—specifically Section 404, its clause requiring testing of internal controls over

Continued on Page 18

“I think that many companies will receive more negative ratings than they would have expected or anticipated.” — Arnold Schanfeld, Head of the ERM Practice, ERM Associates
Building ERM Bridges for Boards, C-Suite
By Kathrine Schmidt

Lots of corporate boards put enterprise risk management on their agenda in some way or another. How to flesh out the details beyond that, however, still remains elusive.

Some companies tack ERM onto the charter of the audit committee and leave the members to deal with it. Others parcel out specific risks to different committees, and some address risks as a whole board. “We’re seeing organizations really struggle with [this]. There’s a lot to cover when it comes to enterprise risk management,” says Shawn Tebben of consulting firm Protiviti.

Guidance from the Securities and Exchange Commission released last year emphasizes that companies should take a risk-based approach to designing, testing, and auditing their internal controls over financial reporting. That, in turn, has heightened the awareness of ERM’s usefulness, even if companies don’t know exactly how to embrace it.

Audit committees and boards, Tebben says, “are really struggling with the balance of their workload in terms of what they can accomplish in the allotted time they have with management.”

Primary responsibility for ERM typically falls to the audit committee right now. But that’s usually because boards don’t know where else to assign it, experts say, and it’s not always a good idea.

“Audit committees … are dealing with one category of risk; that is, financial statement risk,” says Stephen Wagner, a managing partner at Deloitte & Touche. “But now you layer on top of that all of the risk management oversight for the entire organization, and that can be a pretty big responsibility.”

Miles Everson, a partner at PricewaterhouseCoopers, says the same. “When it comes to strategic risk and operational efficiency—financial performance as opposed to financial reporting—that risk appetite, or tolerance for risk, is frequently in the domain of the broader board instead of the audit committee.”

A different structure can often work better, the consultants say.

“Some of the practices we’re seeing emerge: There’s a very high-level risk profile that’s connected to the strategic objectives of the business [presented] at the board level and then as it relates to individual risk categories,” Tebben says. “Then you have committees of the board or designated management committees who will dig deeper into the individual risks themselves.”

In one example at a major arts and leisure company, the board as a whole took on major strategic risks while the audit committee covered financial reporting; a subcommittee handled environmental health and safety risks, Tebben says. Others have formed risk committees, either as part of the board or part of the management structure.

ERM, Part II

But even when authority for risk management is settled, committees can be unclear on what they should look for and how far inquiries should go.

“I’ve seen a really broad range of response to that responsibility being executed by the board,” Wagner says. “The response really needs to be tailored to the type of business that’s being governed and to the types of issues the organization is subjected to.”

In some cases, he says, the process begins and ends with internal audit. The internal auditor “will take an operational view, not just a financial reporting view. So they may look at operational risk and they’ll report back to the audit committee, and that will satisfy the audit committee’s needs.”

Some committees push harder, he says, although that’s less common. “In other instances, the audit committee may decide to go further than the internal auditor and may decide to interview a series of people at the company they’re governing to assure that it all seems to work together and that there’s a message that sounds consistent in terms of what’s being done,” Wagner says.

Other common tactics include talking to an external auditor or hiring a consultant specific to the risk being managed, like an engineer or an actuary. Boards “should not solely rely on information presented from management,” Everson said, but also corroborate it with outside data or insist that management provide specific information they need.

“The dynamic in many cases is that boards today are increasingly diligent and persistent in pushing when they think that they’re not getting an appropriate understanding or when they want more information,” Everson said.

The problem: While corporate executives have frameworks like COSO for managing risk, boards have no similar roadmap for supervising it, Wagner says.

“Most audit committees are doing their best. They’re making their best business judgment as to what needs to be done and to satisfy their requirements,” says Wagner. “But oftentimes they lack a way in which to execute that governance responsibility.”

Conversely, management isn’t always clear on what facts and level of detail the board expects. On that front, open communication and dialogue is a must, Tebben says.

“You need to take a macro view when presenting to the board,” Wagner says. “Make sure that the presentation that gets put together is put together in a way that satisfies the board’s needs or the committee’s needs, and is at a high enough level so they can get a picture of how the company is approaching risk management from a process point of view.”

And while IT can be important and

Continued on Page 18

“Most audit committees are making their best business judgment as to what needs to be done. But oftentimes they lack a way in which to execute that governance responsibility.” — Stephen Wagner, Managing Partner, Deloitte & Touche
By Jaclyn Jaeger
E
ver wonder what the risk is that
you’ve wrongly assessed how you’re
supposed to do risk assessments?
Sarbanes-Oxley has certainly put
the concept of analyzing risks at the
forefront of most compliance execu-
tives’ minds. But many companies often
confate the idea of a risk assessment un-
der SOX (or under the U.S. Sentencing
Guidelines, for that matter) with enter-
prise risk management. If you’re in com-
pliance with SOX risk assessments, this
thinking goes, you’re “doing ERM,”
and vice-versa.
In fact, experts tell Compliance Week,
the two terms are very different.
“The phrase ‘ERM’ is being used for
more than what it is,” says Kristina Stie-
lau, a compliance
manager at Telefex,
a $1.9 billion indus-
trial parts manu-
facturer. “ERM
is coined as a best
practice, but I don’t
know a large per-
centage of compa-
nies out there that
actually perform
true ERM.”
David Richards, president of the In-
stitute for Internal Auditors, surmises
that the reason stems from the amount
of time and energy it takes to establish
a well-defned ERM program. “I know
from having gone through one, it is a
long-term initiative, and anyone who’s
gone down the path of establishing an
enterprise-wide risk management pro-
gram knows that you’re not talking
about something that you’re going to
put in place within a year.”
But Richards is also quick to add:
“That does not mean that companies
that don’t have an enterprise-wide risk
management program do not have risk-
management philosophies in place. It
may just be less formal, and it could be
incomplete.”
That less formal, incomplete view of
what a risk assessment is may come from
the advent of SOX and the U.S. Sentenc-
ing Guidelines. Both regulations require
companies to assess their risks annually,
with potentially severe consequences for
the ones that don’t. That has driven com-
panies to focus only on their compliance
risks (since those are the most immediate
worries), “which is only one component
of the overall risk profle that a business
may be incurring,” says Richards.
Richard Cellini, head of marketing
at compliance software frm Integrity
Interactive, agrees. In fact, he stresses,
SOX only dwells on assessing fnancial
reporting risks, an even narrower focus
than the U.S. Sentencing Guidelines. “A
lot of people think Sarbanes-Oxley is
sort of a tremendously vast statute. It re-
ally isn’t,” he says.
The primary focus of SOX is on ma-
terial misstatements in fnancial reports,
plus any information that readers of a
fnancial statement might fnd “incom-
plete, inaccurate, or in some way dis-
torted,” Richards says. And unlike the
Sentencing Guidelines, which only ad-
dress criminal conduct, SOX focuses on
violations that are both civil and crimi-
nal in nature.
An ERM program, on the other
hand, is “more far-reaching than a true
ethics and compliance risk assessment,”
says Stielau. “It delves deeper into stra-
tegic planning, operational, and internal
controls, as well.”
Shawn Tebben, of the consulting frm
Protiviti, describes risk assessments as a
funnel: the broad ERM risk assessment
is information at the top of the funnel,
which eventually narrows down to the
fnancial reporting risks associated with
SOX.
“Basically, a proper ERM program
is a perfect marriage of the Sentencing
Guidelines and Sarbanes-Oxley,” Integ-
rity’s Cellini says. It requires companies
to assess risks that are both criminal and
civil, within a broad range of categories
both fnancial and non-fnancial, he
says.
Another major difference is that
while an ethics and compliance risk as-
sessment can be an annual process under
Sarbanes-Oxley, ERM should be a con-
stant process since organizations change
and new risks are always evolving, Rich-
ards says. “It’s not necessarily clear-cut,
and that’s why it needs to be reviewed
on an ongoing basis,” he says.
SOX as ERM Framework

But while a SOX risk assessment may be limited in scope, the elements that make it up can be used as a framework to apply more rigor to other areas of risk management within a company, Tebben says. For example, beyond a risk assessment, SOX also requires that organizations evaluate the design of their internal controls to ensure effectiveness and that they can validate that those controls operate effectively, she says.

“So, when you think about those elements that companies had to focus on to get and stay compliant, they are the same kinds of things you would want to think through and mature in your other risk areas,” Tebben says. “Using those lessons learned would definitely be a best practice.”

Another best practice when thinking about ERM is to consider compliance with SOX Sections 302 and 404 as a single component of continuous reporting, “because the two are inextricably linked,” Tebben says. Section 404 governs internal controls over financial reporting, while Section 302 addresses “disclosure controls” to ensure that all corporate data that should be disclosed does get captured in company filings. But, Tebben says, “Internal controls over financial reporting are a subset of the disclosure controls.”
Basically, Cellini says, internal controls are “a set of controls the company uses to direct its own employees and officers in the proper handling and distribution of financial resources.” This includes how money is spent, how funds are accounted for, and how accounting is done internally.
Disclosure controls, on the other hand, apply more broadly to material, non-financial, and financial information that a company needs to disclose, Tebben says. “You’re involving more your operational, your legal, and your compliance folks in a broader context than their involvement in internal control over financial reporting,” she says.

Sections 302 and 404 “are the yin and yang to each other,” Cellini says. “They should dovetail completely and entirely; what you’re saying externally should be consistent with what you’re doing internally, and what you’re doing internally should be consistent with what you’re saying externally.”

An additional element common to both SOX and ERM is the involvement of senior management, even though disagreements can arise over who should oversee the process. “It’s definitely not a one-solution-fits-every-company kind of a thing,” Tebben says.

In general, best practice for large corporations is to establish a risk department and appoint a chief risk officer, Richards says; smaller organizations often can appoint one key person in charge of the whole process.

That key person, Tebben says, should have a good understanding of “what makes the company work and what’s effective for the organization so they can help bring risk information to the decision-making process,” she says. “It’s more about the person being culturally astute and being very action-orientated and having the ear and trust of the executive team that really makes for a more successful oversight.”

Agreed, but a good risk-management program involves several years of intense effort. “To even embark on that process, there is a lot of work that needs to be done upfront,” Stielau of Teleflex says. “For instance, you really need to have a well-defined structure of objectives and expectations of what’s needed for an ERM. You need the appropriate staffing, you need the funding, and the buy-in from all levels of the organization from top-down.”

“So having that commitment at management level is going to take some work, not only resource wise, but time wise to accomplish it and to make the necessary adjustments,” Richards says.

By continuously monitoring and improving your organization’s ERM activities, Tebben says, senior management “can have greater confidence in taking on new or increased risk, because they’re comfortable that their capabilities to manage those new risks are in place and, therefore, are able to position the company to create enterprise value that will be for the benefit of all stakeholders.”

For more information on best practices for risk assessments, please go to www.complianceweek.com and enter Print Reference Code: 050825. ■
Enterprise Risk Management
The Basics of Auditing Risk-Management Programs
By Dan Swanson
Compliance Week columnist

Everyone talks about the need for good risk-management programs, but nobody seems to know how to audit them to ensure they actually work.

Who bears responsibility for setting the parameters of an ERM program is pretty clear: the board of directors and the C-level executives. They decide what the risks are, what level of risk they’re willing to tolerate, and what risks they do not want to tolerate. They are responsible for monitoring and responding to ERM outputs and obtaining assurance that the organization’s risks are acceptably managed within the boundaries specified. Also remember that risk management is not an end in itself; it has value only if it assists a company to achieve its business objectives over the long term.

Internal auditors, in both their assurance and consulting roles, contribute to ERM in a variety of ways. They spend most of their time assessing how effectively management has responded to key risks by developing adequate operations and control structures. Fundamentally, the audit team provides the board and management with an objective assessment of the company’s ERM efforts, including where the company can improve.

Why Care Whether ERM Works?

According to the Committee of Sponsoring Organizations, ERM is “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.” Notice the process view—that is, risk management is more than a risk-management system. Or, as a friend of mine puts it, ERM is how you address uncertainty around organizational goals.

From an internal audit perspective, inadequate identification of key risks to an organization increases the likelihood of bad events occurring. Improper identification can result in wasting resources on areas of low risk with little reward. Conversely, it can leave a company more exposed to negative events. (An example from the financial industry: At banks and mortgage companies, how much of a priority did the boards place on oversight of lending activities? Not much, I’d say, and look where it got them.)

Still, even if top management effectively identifies its key risks, the company still needs assurance that its response to those risks is effective. Effective response is a crucial part of ERM, and that means attention to the design and operation of internal controls. Indeed, informal response to key risks increases your vulnerability to something going awry. Strong controls must exist and work for ERM to be effective—so, enter the internal auditor.

Risk is perfectly fine at an acceptable level, but management must define what that acceptable level is in the interest of achieving the company’s goals. Using another banking example, management might challenge the board to define the point at which losses from bad loans become unacceptable. If a $1 million loan goes bad, will the board become concerned? What about a $10 million loan? The specific number tends to change over time, so the question must be asked periodically to maintain an understanding of the correct risk appetite. Furthermore, banks face many other potential causes of loss as well, and some of them cannot be expressed in pure dollar terms. (Think of the cost of adverse publicity after a customer data theft.)

An audit of ERM should determine whether significant risks to the organization are appropriately identified and assessed on an ongoing basis. It should also confirm that those risks are monitored for possible changes, that risk-management techniques (insurance, hedging, and the like) are in place, and that management has the ability to recognize and respond to new risks as they arise.

The Guts of an ERM Audit

An audit can focus solely on the effectiveness of the ERM program if you want, but it can also be extended to look at ERM efficiency. Auditors can provide assurance that information about risks and the management of them is collected, summarized, and reported properly to the appropriate level of the governance structure.

There are two distinct elements to most ERM audits: evaluating the design and implementation of the program as a management system and evaluating the operational practices of the program, including an assessment of the risks currently being managed.

In general, internal auditors should assure management and the board that everything that should be done to manage risks is being done. Auditors should also provide guidance on control effectiveness and feedback on managerial decisions and results. Further issues worth considering in an ERM audit include:

» Are the organization’s risk-management efforts appropriate to its needs? This includes management’s recognition of, and response to, emerging obligations and opportunities in risk management and corporate governance.
» Has an effective risk-management program been developed and implemented? Is accountability well established and acknowledged by those to be held accountable? Have management and audit agreed on the program’s definition?
» Are there appropriate systems, policies, procedures, and guidelines relating to ERM, supported by suitable awareness, training, and compliance activities?
» Has the organization embraced the risk-management philosophy? Is executive management seen as a strong proponent, and is the consideration of risk an integral part of day-to-day business decisions?
» How successful are the risk-management efforts? This is a tricky question to answer given the inherent uncertainties in risk, but a retrospective review of the organization’s identification of and response to risks, including incidents that indicate inadequate controls, should be revealing.
» Do we need to increase the understanding of our key risks and what else needs to be done? Have we done everything necessary to get a grip on enterprise-level risks?
Internal Audit’s Role in Risk Management

The Institute of Internal Auditors proposes that risk-management activities be divided into three groups. One includes internal auditors providing assurances as discussed above. A second group includes activities exclusively related to management decisions, such as selecting risk appetite and risk responses. (This second group of risk-management activities should not be done by internal audit as they are deemed to be management activities.) The third group includes risk-management activities that may be performed by internal audit when there are safeguards in place. Safeguards may be things like changing the internal audit charter to include these added responsibilities and receiving acknowledgements from management regarding their responsibilities.

Fundamentally, enterprise risk management is not a new concept. What perhaps is new is the importance of bringing risk management into the management decision-making process and ensuring that a corporate view of the relationships between risks in different parts of the organization is regularly evaluated and responded to.

Risk management is inherent in every organization. Any manager or employee who has been given objectives will almost unconsciously assess the things that will prevent them from reaching their goal. At a minimum they will manage those risks in an informal, ad hoc way. ERM is a high-level formalization of this natural process. As a formal process, it needs a coordinator to draw out of all areas of the organization key risks and current efforts to mitigate them. We also need to move from a focus on risk identification to a focus on how best to manage our significant risks. Finally, the goal of risk management is not to reduce uncertainty. It is, rather, to help organizations make better decisions and to respond more intelligently when the unexpected inevitably occurs.

The bottom line: Risk management needs to be integrated into the organization’s entire operations from board oversight to senior management’s strategic planning and leadership to the operating management’s day-to-day operational control. And perhaps this is nothing new, but certainly it is important to the organization’s long-term success and worthy of a formal evaluation by internal audit. ■

RECENT DAN SWANSON COLUMNS

Below are recent columns by Compliance Week Columnist Dan Swanson. To read more from Dan Swanson, please go to www.complianceweek.com and select “Columnists” from the Compliance Week toolbar.

Giving Finance Dept. the Audit It Deserves
Usually I write a column about how to audit some aspect of a whole enterprise—say, how the company manages risk, or how executives invest their IT dollars. That’s important. But we shouldn’t lose sight of the nuts and bolts: Companies are run by specific departments doing specific jobs, and they need auditing too. We’re going to get back to our internal auditing roots this month, starting with the finance department.
Published online 07/01/08

Auditing a Company’s IT Strategies
Today’s IT solutions are complex, and they are getting more challenging to implement all the time. One of the great questions for management at any company these days is simply whether all the investment in those systems is worth it. Internal auditing can play a critical role there, measuring and inspecting how the IT investment process—specifically, how IT investment is managed—works.
Published online 06/03/08

Auditing Your ERM Program
Everyone talks about the need for good risk-management programs, but nobody seems to know how to audit them to ensure they actually work.
Published online 05/06/08

Dan Swanson is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. Prior to his work at the Institute, Swanson was an independent management consultant for more than 10 years.

Swanson has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function.

Dan Swanson is the author of more than 70 articles on internal auditing, and he can be reached via e-mail at [email protected]
Innovation in Difficult Times

Martin Metcalf, CEO of ERM software provider Strategic Thought Group, looks at the role of innovation in enterprise risk management.

Recent events in the financial markets have brought into stark relief the tensions between performance, innovation, and risk. Yet the search for rewards—competitive edge, differentiation, sustainable growth, return on capital, and market share—remains critical. It characterizes every industry, from retail to manufacturing, aerospace to construction. Current market conditions mean that being paralyzed by an aversion to risk is still not an option. Even in uncertain times, investors continually apply pressure to achieve better performance and higher returns. And so the goal must be to have the best information possible to enable the balancing of risk and reward and to highlight emerging threats and opportunities.

Can ‘do nothing’ ever be a valid strategy?

In globalized, interconnected, intensively competitive, and volatile markets, the old saying ‘innovate or die’ has never been more apt. Clearly, uncontrolled innovation can expose individual companies, even entire markets, to unwelcome downsides. Yet too often investment decisions, particularly in the face of uncertainty, are shaped first and foremost by cultures that favor caution. The prevailing global economic climate may well make this strategy of inertia even more likely. This rationale is entirely understandable: History tells us that there are bound to be surprises and that some unknown factor will catch us out. So it may seem best to limit our exposure to things we know, to things that our experience and judgment tell us we are certain about—to things about which we think we have reliable evidence. This may have been true in the past, but the vital issue is whether this caution can be justified today. Will sitting tight and doing as little as possible help you through difficult times?

Enterprise performance

The critical question shared by every CEO and CFO must be centred on ‘pushing the envelope’ of what we mean by performance, risk, and reward: How can innovation be controlled without stifling it? In aeronautics, where the expression originated, ‘the envelope’ describes the outer limits of aircraft performance—the boundaries of safety. In military circles, these boundaries are about life and death. In civil aviation, only rarely are those boundaries tested. Innovation is critical; it is part of the DNA. Innovation must be about increasing speed, manoeuvrability, economy, or reliability. Every component, every process, every measurement, and monitoring device is set to stretch the performance envelope—but safely, within preset tolerance levels. Innovation is driven by taking risks to improve performance but also to advance safety and reliability. The vital thing is having the information needed to know when to push harder and when to hold back.

Nothing left to chance

The goal in business, as in aerospace, is innovation with resilience. The two are inseparable and interdependent. Achieving innovation with resilience is only possible if a culture is created that maximizes knowledge about every aspect of organizational performance and within which deliberate action is taken to control, mitigate, and adapt. It means top management must map and understand risks that can often be dispersed throughout the business; interrelated; and worse, as is being illustrated by some of the banking post mortems, could be invisible and therefore missed. By aggregating risks we can avoid and mitigate the catastrophic effects of any ‘perfect storm’ where the simultaneous occurrence of events, which taken individually would be far less powerful, combine by chance to potentially devastating effect.

In ERM terms, we tend to call it ‘risk-adjusted corporate performance.’ Alternatively, we might put performance first and call it ‘performance adjusted for risk.’ However you view it, recording and acting upon the cumulative judgment of individuals, work groups, functions, and divisions are the ultimate goals of enterprise risk management. Risk intelligence delivered by ERM embedded throughout an organization will put it in the best position to weather the storm. Innovation can still be delivered but with the information needed to balance risk with reward. As Standard & Poor’s put it recently, ERM is not a passing fad; it is a new way of doing business and vital in the new economic reality we are all facing. ■
The Big Risk: CEOs and Boards Never See It Coming
By Richard M. Steinberg
Compliance Week columnist
When the fraud at Societe Generale burst into view at the start of this year, I analyzed what went wrong and why in “Why It’s So Shocking Societe Generale Was Shocked” (in the March 2008 edition). Then, CEO Daniel Bouton stepped down, which came as no surprise. He was at the helm when the SocGen ship hit an iceberg that clearly should have been seen and avoided. Management knew the company was in dangerous waters (regulators and others apprised them that damage appeared to have already been done), but did nothing to investigate and steer clear of disaster.

With the more than $7 billion in losses incurred on Bouton’s watch, calls for his ouster started almost immediately, and it seemed inevitable that he would leave. True, he stayed on as board chairman, but he was replaced as chief executive by the CFO, who now has responsibility for running the bank.

As we’ve seen in a number of the world’s largest financial institutions—including Citigroup and Merrill Lynch, to name just two—boards of directors, regulators, and investors are holding CEOs accountable for major fiascos. Losing tens of billions of dollars, and consequently requiring huge capital injections at fire-sale prices, certainly qualifies as a major fiasco. At Bear Stearns, not only is the CEO gone, but also the whole, once prestigious firm no longer exists.

In today’s environment, this result should surprise no one. But the reality is that in many such cases, the CEO never saw it coming.

There are many reasons why that’s the case. From years of experience working with CEOs of some of the largest companies, I believe perhaps the most relevant underlying cause is that these business leaders truly didn’t know the nature or extent of risk their companies were taking on. Worse, they didn’t know what they didn’t know.

How is that possible? Aren’t these companies supposed to have some of the most sophisticated risk-management systems anywhere? We know they deal with ongoing market risk, counterparty risk, liquidity risk, credit risk, operational risk, and so forth and so on. Yet, the losses these institutions suffered stagger the imagination, and have cost the chief executives their jobs and possibly their reputations.
How Good Is Risk Management?

Any company is in business to take risk. How well the C-suite manages that risk directly drives the company’s success or failure. Yes, a sound strategy is critical, as are the people and processes for effective implementation. But identifying and managing risks to achieving the company’s business objectives plays a crucial role in whether the company will succeed, and indeed whether it will survive.

All too often, however, the problem is that the chief executive truly believes his or her senior management team understands what the risks are, has analyzed them, and is effectively managing them—when, in fact, the team doesn’t know the risks as well as they should. I’ve seen this first-hand in major companies in advising how to enhance risk-management processes. Corollary realities are:

» The board of directors often is not apprised of the risks, because the chief executive isn’t positioned to provide relevant information to the board.
» Managers at lower levels in the organization usually do know what the risks are, but are not reacting to them nor communicating them up to more senior levels.

While there are many companies where this is not the case, in too many businesses it is. It’s worth looking into why.
Going for the Gusto

Of course no single management style or personality profile fits all CEOs. Nevertheless, in many instances there are some commonalities, which influence the focus on risk. First, chief executives typically have a laser-like focus on major growth and return objectives and the strategic and tactical plans needed to achieve them. They look at the positive, identifying opportunities to open new markets, bring new products to the marketplace, and recognize and satisfy customer needs and wants. On top of that, they’re deal-doers, looking to develop new alliances or partners or to build further growth through acquisition. And of course, they spend significant amounts of time with the company’s board of directors on an array of governance issues.

The point is, the chief executive’s mindset is “forward-moving,” seizing opportunities and motivating direct reports and other senior managers to climb aboard a ship that’s going as fast as possible to the identified goal.

Yes, chief executives are well aware that risks exist. They or their company might have been previously burned, and they may well spend some time on the discussion of risk factors in their annual reports’ Management’s Discussion and Analysis. But what we’ve seen time and again is that many CEOs presume other senior managers are dealing with the possibility that things can go wrong and that they are well positioned and equipped to manage those risks. That presumption, made unconsciously or otherwise, has resulted in disaster for too many CEOs and the businesses they’ve run.
The Reality

What we’ve seen is that other managers indeed do recognize that risks are inherent in what they’re doing (more so as we move away from the C-suite). These managers deal with day-to-day implementation, working toward their individual and business unit goals. They usually recognize the pitfalls that exist, and depending on the risk-management process in place, may or may not take the necessary actions to counteract those risks.
But even where appropriate risk-management activities occur at some levels in an organization, a problem that happens too often—and which seems to be the culprit of major breakdowns in the large financial institutions recently—is that the communication simply isn’t there. If the risks are known within an organization (which often is the case) but aren’t known at the top, then communication is lacking. And if the CEO doesn’t recognize the nature and magnitude of risk the company faces, then it’s highly unlikely that the board is appropriately apprised.

There’s little doubt in my mind that directors ask many of the right questions of the CEO. Experienced directors have a great sense of whether the chief executive is being straight and forthcoming. Where, then, is the problem at the board level? In several areas:

» The chief executive truly has not been apprised of the severity of the risks facing the business and so honestly provides misleading information to the board.
» The board doesn’t probe sufficiently and fails to make sure it gets complete and accurate information about the risks.
» The board is apprised of risk factors, but does not, for one reason or another, receive relevant information on the aggregate risks, on a “portfolio” basis, related to the company’s established risk appetite.
Motivations

I’ve mentioned in previous columns the crucial importance of how reward systems can provide unintended motivations for people to do bad things. That includes taking chances with shareholder resources for personal gain, whether in the form of positive recognition, bonuses, promotions, or stock price appreciation.

Looking back at what Chairman Bouton said soon after learning of the unauthorized trades, one of the more telling statements was: “We have no explanation for why [rogue trader Jerome Kerviel] took these positions, and we have no reason to believe he benefited from a financial point of view. We don’t understand why he took such a massive position.” It’s truly amazing that anyone would think the only motivation of a trader is to put money directly into one’s pocket. The other motivations (fame, respect, career advancement, to name a few) have been long recognized, and indeed are obvious.

An important point is that any company considering developing or upgrading its risk-management process should recognize the critical relevance of personnel policies and programs, including their measurement and motivating factors, to be sure they have a positive effect not only on goal achievement, but also on managing related risks.
Moving On

It’s interesting to note that one week after SocGen announced Bouton’s stepping aside as CEO and it held a farewell party for two managers of the derivatives trading desk who “resigned” in the wake of the scandal, “rogue” trader Kerviel started work at a consulting firm specializing in computer security.

Kerviel certainly did bad things. But as we know, banks and other businesses must have the processes in place and people sufficiently tuned into what’s going on in their business units to manage the risks, in addition to effective internal communication systems. SocGen didn’t, and many have paid the price. Managers ignored the radar screen. Thus, the ship hit the iceberg and took on massive amounts of water, with some officers jumping overboard—and leaving to others who remain the struggle to save the ship and get it back on course. ■
Rick Steinberg is founder and principal of Steinberg Governance Advisors in Westport, Conn., where he advises directors and executives on board responsibilities, governance best practices, and compliance and risk issues. Steinberg was previously a senior partner at PricewaterhouseCoopers, where he served as PwC’s corporate governance practice leader.

The author of numerous governance reports, including Corporate Governance and the Board—What Works Best, Steinberg served as the lead project partner in developing the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework, now recognized as a landmark representing the standard of internal controls.

Steinberg can be reached by e-mail at [email protected], or at (203) 222-9330.
RECENT STEINBERG COLUMNS

Below are some recent columns by Compliance Week Columnist Richard M. Steinberg. To read more from Steinberg, please go to www.complianceweek.com and select “Richard M. Steinberg” from the Compliance Week toolbar.

Debunking SOX Theories One Misconception at a Time
Having worked with many boards of directors, it’s clear that most directors now understand what Sarbanes-Oxley is all about. They’ve spent the last few years dealing with many of its provisions, with audit committees spending significant time on Section 404’s internal control requirements. Some initially lost sight of other important responsibilities, although generally boards have returned to a more balanced approach of providing effective advice, counsel, and direction on strategic business issues in addition to their compliance monitoring roles.
Published online 09/16/08

When Executives Discuss ERM Challenges
Recently I had the privilege of leading a forum of senior executives experienced in risk management in a discussion of the challenges of developing, implementing, and gaining the benefits of Enterprise Risk Management.
Published online 08/19/08
By Todd Neff

Explaining IT risk to senior executives and board directors in a meaningful way has always been difficult for computer folks. Now two major independent efforts to bridge the language gap have begun, with a third to follow later this year.

Both the Open Group—long a major force in software standardization—and the International Organization for Standardization announced their gap-bridging efforts in June. The Open Group introduced its Risk Management and Analysis Taxonomy; ISO rolled out its ISO 38500 standard for corporate governance and IT.

Both aim to reduce IT-related risks by helping top management and board members comprehend—and ultimately, react intelligently to—the risks inherent in the computer systems companies now depend on.

The Information Systems Audit and Control Association is the third player, which wants to tackle the language gap and more. Its proposed enterprise risk management framework will “close the gap in the whole IT governance area,” says Urs Fischer, Swiss Life’s vice president of IT governance and risk management, who is spearheading the ISACA-IT Governance Institute work.

The growing ubiquity of computer power in business and the arrival of Sarbanes-Oxley have made painfully clear just how important a solid understanding of IT risk is.

“Risk management is a hot topic right now,” says Robert Stroud, a “governance evangelist” at CA who also happens to be international vice president of ISACA. “One of the challenges that IT managers are trying to get a handle on is how IT risk may affect business risk and how the two are tied together.”

If management can get a strong grasp of the broader business, legal, and reputational problems an untended IT risk poses, Stroud says, then the company can beat that risk down to some tolerable level before it ends up on the financial reports as a material weakness.

“Sound risk management is dependent on the business understanding where mutual risks intercede,” he says.

IT risk management has been around for years under various names. It was about running a tight IT ship, with good data security, access controls, and change management processes in application development, among many examples. A slew of standards and frameworks emerged to help IT departments do the right thing: the ISO 27000 series, ISO 17799, COBIT, ITIL, PCI, NIST’s 800 series, the Center for Internet Security’s configuration standards, and others.

Some, such as COBIT, start with a strategy and have a holistic tone; ISACA, COBIT’s creator, has even mapped COBIT with ITIL, ISO 17799 and other models for good, nuts-and-bolts IT implementation and maintenance. But none really address the vocabulary disconnect between IT departments on the
front lines of IT risk, and senior manag-
ers responsible for risk overall, IT and
otherwise, says Jim Hietala, the Open
Group’s vice president of security.
“We looked at the landscape and real-
ized we needed to develop a taxonomy
that enabled IT folks to communicate
with senior management about what risk
is, to defne a common set of terms that
everybody agrees on,” Hietala says.
The Open Group fnal taxonomy
became freely available in October, ac-
cording to the company Website.
The ISO 38500 standard is avail-
able on the ISO Website for 84 Swiss
francs (about $82). It stems from an ISO
study group led by IT risk-management
and governance expert Alison Holt of
New Zealand. Holt says that with the
new standard, her group wants to cre-
ate “what would be the absolutely core
principles of IT governance we want se-
nior management to understand.”
The forthcoming IT enterprise risk
management framework from ISACA
should be public by the end of the year.
Fischer says the framework will develop
COBIT’s relatively thin treatment of
comprehensive risk management, ad-
dressing language but also delving into
the “why to do it and how to do it.”
Speaking up on IT Risk
The Open Group taxonomy is based on the “Factor Analysis of Information Risk” (FAIR) framework developed by Risk Management Insight. Alex Hutton, Risk Management Insight’s CEO, says FAIR evolved from work done by the CIO of a major financial services firm to draft common expressions for risk across business lines. The premise is that risk is about how often bad things can happen, and the probable loss should they happen, Hutton says.
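The premise Hutton describes, how often a loss event happens multiplied by what it costs when it does, is the kind of thing that can be put in front of a board as a number rather than a label. The following is an added example, not code from the article, from the Open Group taxonomy or from Risk Management Insight; it assumes three-point (min, most likely, max) estimates modelled as triangular distributions, a Poisson count of events per year, and a constructed worm-outbreak scenario with made-up dollar figures. FAIR itself decomposes frequency and magnitude further than this sketch does.

```python
"""Loss-exposure estimate in the spirit of the "frequency x probable loss"
premise quoted above.

Added example, not the article's, the Open Group's or Risk Management
Insight's own code. The scenario values are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A three-point estimate (min, most likely, max) for one risk factor."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution with these parameters (assumption).
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: Estimate   # loss event frequency
    loss_per_event: Estimate    # loss magnitude, in dollars


def expected_annual_loss(s: Scenario) -> float:
    """Closed form: E[frequency] * E[magnitude]."""
    return s.events_per_year.mean() * s.loss_per_event.mean()


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: how many events occur in one year at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: draw a rate, draw the event count, sum per-event losses.

    Returns the simulated annual losses sorted ascending.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = s.events_per_year.sample(rng)
        n_events = _poisson(rng, rate)
        losses.append(sum(s.loss_per_event.sample(rng) for _ in range(n_events)))
    losses.sort()
    return losses


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile of an already sorted list (p in 0..100)."""
    idx = max(0, math.ceil(p / 100.0 * len(sorted_values)) - 1)
    return sorted_values[idx]


def summarize(s: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Expected loss plus the loss-exceedance points a board tends to ask about."""
    losses = simulate_annual_losses(s, years, seed)
    return {
        "expected_annual_loss": expected_annual_loss(s),
        "simulated_mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "worst_year": losses[-1],
    }


# Constructed scenario (made-up numbers): an Internet worm disrupting a business unit.
WORM = Scenario(
    name="worm outbreak on the office network",
    events_per_year=Estimate(0.5, 2.0, 6.0),
    loss_per_event=Estimate(10_000, 50_000, 400_000),
)

if __name__ == "__main__":
    for key, value in summarize(WORM).items():
        print(f"{key:>22}: {value:>14,.0f}")
```

The closed-form figure answers "how much do we expect to lose per year"; the simulated percentiles answer the question a board actually asks, "how bad is a bad year", which is why the 90th and 99th percentiles are reported next to the mean. Swapping the constructed estimates for calibrated ones is the work the article says has to wait until both sides speak the same vocabulary.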
Fred Lee, head of information risk management at National City Corp., used FAIR to traverse what he sees as two major gaps.
First, he says, is the psychological gap separating true risk management from traditional IT security, such as firewalls, encryption, anti-virus software and the like. “The traditional security model has allowed IT implementers to get away with prescribing and opining more than you had in traditional security roles,” Lee says. “If they say, ‘Hackers will come in!’ people eat it up.”
The second gap is how senior managers and IT executives fail to discuss IT risk in a common language. If corporate leaders truly understand what their IT risks entail, they can steer resources to prevent those risks. And the “right” amount of resources can mean less, too.
“You have to ensure that you remain compliant, but you also have to make sure your IT performance actually matches the organizational need,” Holt says. “Because if you’re over-supplying, you’re paying; if you’re under-supplying, you’re paying in a different way.”
The language gap has thrown a wrench in attempts to match IT risk-management supply and demand, Lee says. He points to software-jockey terms such as “threat landscape.” Top managers might think of “threat” and fear some Central Asian thugs trying to blackmail the company; IT professionals might only mean an Internet worm.
When the language gap is finally bridged, the real work can begin, Lee says. “Once we know how to speak ‘risk,’ we can start writing them down and working with them.”
For related coverage, please go to www.complianceweek.com and enter Print Reference Code: 080826. ■
Learning to Talk About IT Risk in Common Terms
www.archer-tech.com
Enabling Best-in-Class Enterprise Governance, Risk and Compliance Programs
Archer’s out-of-the-box solutions provide the foundation for a best-in-class enterprise governance, risk and compliance (GRC) program.
• Six million licensed users
• Clients that include 1 in 4 of the Fortune 100
• Industry-leading solutions built on the flexible Archer SmartSuite Framework
Learn how MassMutual is automating GRC processes, prioritizing risks and reducing the cost by 97.5% with the Archer SmartSuite Framework at: www.archer-tech.com/complianceweek.
Ranked on the Inc. 5000 in 2007 and 2008
Winner: Best Regulatory Compliance Solution
Winner: Best Policy Management Solution for the third straight year
Laureate in the 2008 Computerworld Honors Program
ARE YOU USING INTEGRATED GRC TO ENSURE YOU ARE NOT MISSING THE BIG PICTURE
Governance, Risk and Compliance (GRC) initiatives should deliver an integrated perspective on risk. However, executives often see only high costs and incomplete information from their GRC programs. According to a leading independent research firm, companies that implement multiple tools and approaches for GRC management spend up to 10 times more than those with one integrated platform. Protiviti’s Governance Portal™, an integrated GRC technology supported by our global team of knowledgeable and responsive professionals, provides a 360-degree view of enterprise and operational risk, regulatory compliance and financial controls on a single platform. Worldwide, this modular solution has been implemented at over +00 companies whose GRC initiatives now require less effort and investment to produce complete information for decision making while delivering increased sustainability, consistency, efficiency and transparency. So if you are ready to see the big picture and deliver on all your GRC objectives, give us a call.
© 2008 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0608
Building ERM Bridges for Boards, C-Suite
Continued from Page 7
helpful, depending too heavily on software can be counterproductive, says Tom Wardell, of McKenna Long & Aldridge.
“In my experience, those companies who have set out to highly systematize this process have found themselves frustrated by their own process,” he says. “You ultimately have all the emphasis upon what these systems tell you is in there, as opposed to what you then do with all of that information to manage risk.”
Wagner agrees. “You can risk manage yourself to death if you’re not careful,” he warns. “You can suck all of the innovation and all of the creativity out of an organization if you overdo it.”
An effective ERM process—not a laundry list of risks to manage—will really secure board support, Tebben says.
“Management can help demonstrate the effectiveness by explaining to the board how ERM is embedded into the business,” she says, suggesting that management show examples like addressing risk in quarterly business review agendas, staff meetings, capital project proposals, due diligence activities, and the like.
With such examples, she says, “I think they start to really give the board and audit committee a great deal of confidence that this isn’t just some process that’s been laid over the top to satisfy the board’s question about what are your key risks.”
But a “cultural change” towards better ERM can take a while, says Dan Schroeder, director of technology risk services at Amper, Politziner & Mattia, a New Jersey accounting firm. “It takes a well-thought-out approach to make this happen. It’s going to take patience, it’s going to take discipline.”
“I think the biggest single potential mistake is believing that it’s so well in hand that the process does not need review,” Wardell says. “This is not one of those things that you fix and turn your back on. You never really are done.”
For more information, including related coverage, please go to www.complianceweek.com and enter Print Reference Code: 110721. ■
Building a Strong Corp. ERM Team
Continued from Page 4
ments going on in their organization, each with a very different and distinct purpose.
In addition, most departments have their own definitions of the phrase “risk management,” Anderson said. “And they’re comfortable with them. They believe everybody understands what they mean by that word.”
Oftentimes, however, that’s not the case. “It’s the things that we think are there, that we think we have documented that we take for granted,” said Dale Timmons, managing director of UHY Advisors. “If they’re not on paper, and they’re not communicating in a standard way, then you’re probably not as in sync as you think you are.”
Valerie Radford, managing director of risk management at TIAA-CREF, understands this well. Not until TIAA-CREF first developed a centralized, independent risk-management function in 2003, she said, did the company realize that its internal auditors had a much different idea of risk assessment than the finance and compliance teams.
That detachment, in turn, drove many other inconsistencies, including who talked to whom within the organization. Auditors, for example, only talked to senior management, while compliance only talked to managers and process owners. “So we had this disconnect,” Radford said. “We were both saying we were doing risk assessment, but we really weren’t doing the same thing.”
The overall goal of good risk management, Andy Anderson said, is to devise a single process that’s looked at from many different perspectives, and to come up with solutions in a much more efficient and direct manner.
“It’s a little bit like herding cats,” Timmons said. “We’re all independent. We all have our own way of thinking. We’ve all been successful at what we do, and how you pull that all together to be accountable as an organization is very important.”
For more best practices in risk management oversight, please go to www.complianceweek.com and enter Print Reference Code: 090824. ■
S&P Includes ERM in Credit Rating Reports
Continued from Page 6
financial reporting—will count as “doing” ERM, Schanfeld says. Then they’ll discover that ERM encompasses many more risks than those to financial reporting.
“There is a perception by companies that because they got SOX done, that they have a good handle on all business risks. That’s not the case,” Schanfeld says. “Only 40 percent of business risks are assessed by SOX. They don’t understand that they’re missing 60 percent of business risks, and they don’t have a robust process in place.”
Schanfeld also warns that leveraging existing SOX controls and testing to achieve broader risk management can be difficult, since Section 404 is driven by process, controls, and documentation. ERM, in contrast, is driven by a top-down, holistic approach to much broader business risks.
Dreyer says S&P’s experience with financial companies found that the inclusion of ERM could help a company’s credit rating just as often as it could hurt a rating.
“Our existing process is fairly conservative,” he says. “We tend to penalize companies for risk exposure. We may learn more new things and new information on the upside.”
For more information, including related coverage, please go to www.complianceweek.com and enter Print Reference Code: 080823. ■
“Companies have economic incentive to do ERM. If their credit rating is lowered, their cost of capital will increase.”
—Daniel Helming, Partner, Weiser Accounting
SYMANTEC.COM/EVERYWHERE
SYMANTEC IS COMPLIANCE.
Automated enforcement of policies that secure and manage your information and infrastructure.
© 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
