Governance, Risk and Compliance

Practical guidance for governance, risk and compliance

In Search of a Compelling Reason for GRC

Posted by brucemccuaig on September 1, 2010

 A few days ago in my last blog I recounted a personal incident that made me believe that GRC would never reach its promise unless the movement could find a compelling reason to exist. My personal experience was watching the intense collaboration of diverse medical professionals in dealing with my medical emergency.

 Some commenters believed I had missed the point. They believed that the major obstacles to GRC convergence were the siloed structures of participants, failure to share best practices, lack of common tools and so on.

 I shared those beliefs until recently. I thought if only GRC professionals would collaborate, share tools, use a common language, etc. etc., we would achieve the vision of GRC.

My medical emergency made me realize these were just symptoms and were not the problem.

 The medical professionals who saved my life didn’t collaborate because they had the tools. They had the tools because they had a reason to collaborate. That reason was a shared, compelling goal to cure illness and restore health. The goal drove collaboration. Collaboration did not drive the goal. The goal drove the innovations in medical science we have seen since the discovery that viruses cause illness and infection could be prevented and cured. Health professionals are committed to that goal. I am on the board of a health care organization and they are the most committed people I have ever worked with.

 GRC professionals have no common goal and are committed largely to their particular practice.  Worse, GRC professional frameworks are perfectly designed to maintain the status quo and prevent innovation. GRC professionals are some of the finest, most capable people I have ever met. They are dedicated and competent. They lack a compelling shared vision.

 Look at the goal definition of any GRC profession or group and ask yourself if it is inspiring, let alone sharable.

Here is a starter from COSO… “COSO’s Mission is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations”.

Bad? Of course not. Compelling? Don’t give it to my surgeon.

Compare COSO’s statement to the goal of the US National Transportation Safety Board:

   NTSB – SAVING LIVES

“…investigate transportation accidents, find out what happened, and issue safety recommendations to make sure that similar accidents don’t happen in the future.”

 Years ago, we accepted unsafe automobiles as a fact of life until auto safety became a cause, thanks to Ralph Nader. We used to think that drunk driving was a joke until Candy Lightner took up the cause and created MADD. Workplace injuries, pollution, harassment, discrimination were all things we felt we had to live with.

 I don’t think GRC is going anywhere without a compelling goal. It will struggle and eventually fall flat.  I believe the only reason for pursuing GRC is to drive down avoidable corporate failures. There may be better ways to state it. There may be other goals. But right now GRC is a great idea without a compelling reason.

 Please share your comments with me.

Posted in GRC | 2 Comments »

The Real Definition of GRC Convergence

Posted by brucemccuaig on August 27, 2010

 Like a number of others with a similar vision I have spent a lot of time in recent years evangelizing the concept of GRC Convergence. The definition of what we mean by GRC convergence varies by practitioner and changes over time, but it generally goes something like this…

“GRC convergence is the integration and classification of siloed management assurance information into a unified framework”.

 What a mouthful. It may be technically correct, but it misses the point by a mile.

 I’ll illustrate the problems and the promise of GRC Convergence with a personal story.

 Three months ago I woke up on a Sunday morning, and literally between sips of coffee I was struck with a sudden, overwhelming pain in my stomach. I could barely stand and I could barely speak.

Twenty minutes later, after my wife had driven me to the emergency department of a nearby hospital, I found myself on a gurney, hooked up to an intravenous drip. I had been quickly assessed by an emergency admissions clerk, sent directly to an emergency admitting nurse who took my vital signs and asked a few questions, shuttled in a wheelchair to a ward, examined by an emergency room physician and injected with morphine. I provided a blood sample which was quickly sent to the hospital lab and I was then wheeled in for an MRI image and an x-ray. Within an hour I was told I had a ruptured appendix. Following three hours of surgery, attended by a surgeon, a surgical nurse or two and an anesthetist, I was resting comfortably with three tiny scars in my abdomen and some slight discomfort.

 The medical profession is a perfect example of “convergence” at work.

 If the medical professionals followed the standard behaviors and practices of GRC professionals I would be dead.

In fact, if we consider corporations to be the “patients” of GRC professionals, it is difficult to believe that the GRC professions do much to keep their “patients” alive or even particularly healthy. Corporations “die” or suffer disabling “illness” regularly. None of the GRC professions even keep track of those “deaths” and “illnesses”. That’s because they don’t consider the health and survival of their patients to be their job.

 Here is my new definition of GRC Convergence: “GRC professionals dedicated to working together to achieve a common goal”.

 I encountered 8-10 different medical professionals representing as many medical specialties in my little emergency. They were all united in the common goal of keeping me alive and making me well.

 I know of no GRC profession with the goal of maintaining let alone improving the general “health” of corporations.

 The goal of auditors, internal or external is to do audits. If there was ever any connection between the performance of an audit and the “health” and survival of a corporation, it has been lost long ago. Just look at the number of corporations that fail after receiving clean audit opinions.

 The goal of SOX professionals is not to improve the reliability of financial reporting. Their job is to test controls and report deficiencies. There is no requirement whatsoever for SOX professionals to track the performance of financial processes.

 The goal of risk professionals is to understand risk and provide for sufficient reserves to protect the corporation if the risk occurs. The ongoing financial crisis is a good measure of their success.

 The goal of compliance people is to promote, if not ensure compliance. It is hard to tell if they are succeeding.

 Because GRC professionals do not have a common goal, they seldom talk to each other. In fact, in my experience they often avoid each other. Without a common goal, there is nothing to discuss.

 GRC professionals rarely collaborate. No need to. They practice their professions on their patient, not for their patient.

 Read the new PCAOB Audit Standards on Auditor Risk Assessment. They have virtually nothing to do with the “health” of the “patient”. They are designed for the benefit of the auditor.

 I didn’t want my surgeon to promise me he would follow the best surgical standards. That is the lowest possible standard. I demand it as a starting point. I wanted my surgeon to make me well. With the help of his team, many of whom I never even saw, he was successful. My situation was no different than dozens of others they see every day. It is standard practice.

 I know how important it is for GRC professionals to be “independent”. But when I seek medical advice and medical treatment, I don’t want someone who is just dedicated to following their professional standards. I want someone who cares if I live or die and is willing to work with others to achieve that goal.

 When that is true, we will have GRC convergence.

Posted in GRC | 8 Comments »

Principles of ERM: A Common Risk Language is Good; But Grammar Comes First

Posted by brucemccuaig on June 22, 2010

We hear time and time again about the importance of a “common language of risk” as an essential element of risk management. It is certainly true that people need to express their thoughts and concerns about risk and to communicate properly.

My experience with risk management is that what is needed is really more grammar and syntax. Grammar is what gives language meaning. We have the language. We don’t have the grammar.

Here is an example of what I mean: The example below contains 4 distinct pieces of data about risk. Yet time and time again, all of this data is gathered and lumped into a risk library as if it was all the same. All of this information is about risk, but not all of the data describes what the risk is.

Diagram - Principles of ERM - 06.22.2010

My argument is that the risk event that needs to be managed above is the “trip and fall”. We need to understand the root causes of trips and falls (and there are many more than broken shoelaces) and we need to understand the direct and indirect consequences of trips and falls. This is the grammar of risk management – the study of cause/effect relationships. Risk language without structure does not create information or knowledge.

Root Cause/Control
Control models such as COSO or COBIT (or many others) do a good job of classifying what controls should exist. Controls are the inverse of root causes. COSO Integrated Control came about through an analysis of causal factors of the bank failures in the late 1980s.

Risk Event
The best risk event taxonomy I have seen is the Standard & Poor’s sample risk types contained in their 2007 paper proposing the evaluation of ERM practices as part of the credit rating process.

Consequences
Risk taxonomies help us classify the risk events into logical groups so we can manage them better. By classifying risks as Strategic, Operational, Reporting or Compliance, COSO ERM is recognizing areas of consequence (or business objective) of enterprise risks.

If we don’t structure our risk information, we will never understand cause/effect relationships. If we don’t understand cause/effect relationships, risk management will not link to business performance. If risk management does not improve performance, or reduce avoidable losses, it has no value.

Risk management really isn’t that complicated. It just requires thoughtful approaches, sound tools and consistency.

All comments are appreciated.

Posted in GRC, Risk Management | 3 Comments »

Risk Rating the Audit Universe: Focus on Economic Value

Posted by brucemccuaig on May 21, 2010

 It will soon be time for most Chief Audit Executives to prepare another version of the Risk Based Audit Plan.

As a CAE, I encouraged the use of a risk based approach to allocate resources to the annual work plan. Looking back with the benefit of many years of hindsight, I realize now that the factors I considered were completely wrong.

Most risk models use risk factors such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations.

I’ll come back to those variables in a moment. But the first thing a CAE must determine is what constitutes the audit universe. Usually that begins with a copy of the organization chart and a copy of the financial statements or chart of accounts. That is a mistake.

I often use an anecdote to illustrate how wrong I got it as a CAE. As Chief Auditor of an upstream oil and gas company, my audit plan consisted of the usual audits of capital expenditures, computer systems and business activities. Never in my years as CAE did I direct my staff to audit the company’s oil and gas reserves.

 I made the mistake of looking at the financial assets of the business and the organization structure when considering my audit plan. I should have been building my audit universe based on the economic value of the business and the activities that created that value. That would have led me straight to the oil and gas reserve booking process and a review of the complex engineering, geological and economic factors involved. It would have led me to the land acquisition process and an evaluation of geological and seismic activity. I looked at none of those things. I’m sure other people did, but I was the one reporting to the board audit committee on the state of internal control. And I was examining internal control over some relatively trivial activities.

As for the risk models that give weight to such things as liquidity, complexity, degree of change or stability etc., they are probably equally wrong. I have found that the risk factors whose presence or absence is most predictive of success or failure are these:

1. Control Environment as defined by COSO: Look for Capability, Integrity and Accountability.

2. Monitoring business performance. COSO Monitoring focuses on control monitoring. Business performance is a good indicator of effective control.

3. Risk assessment. Look for the quality of the risk assessment processes management has in place.

In my view an audit universe that focuses on the economic value and value adding processes and uses these three criteria to allocate resources is the key to risk based planning. The economic value may not lie on the balance sheet. It could lie in intellectual property, contracts, or other things that are not represented on the balance sheet. And the value adding processes may not be the financial processes defined in SOX.

I spoke recently with an IT audit executive who wanted to build an audit universe and 5 year audit plan based on his company’s 4,000 servers. A few years ago I may have considered such an approach. Today I believe it is fundamentally wrong.

Most companies seem to have their own version of a risk based approach and have developed or use their own risk rating criteria. I’d love to hear what you consider to be best practices in this area.

Posted in Internal Audit, Risk Management | 2 Comments »

People Risk: The Impact of Human failure in GRC and what to do about it. Part 1

Posted by brucemccuaig on April 30, 2010

After years of practice I have several broad observations about the causes of failure, traditional GRC practices and our success in driving down failure rates.

  •  People Risk (human failure) is the single largest driver of loss events across the broad spectrum of human activity. Studies of SOX deficiencies, bank failures, broad governance failures, aviation disasters and car accidents all point to human failure as the leading cause of failure, accounting for approximately 50% of failures of all types.
  •  Most GRC practices are based on a Control paradigm. It assumes that People Risk (human failure) can be managed with what GRC professionals consider controls. Traditional “hard” controls, so loved by many GRC professionals, are used to prevent or detect human failure. People Risk, when it occurs, is not recognized as human failure; it is considered a control failure and evidence that more controls are needed.

 Unfortunately attempts by GRC professionals to manage People Risk with a Control paradigm are failing.

 Substantial and compelling evidence exists that People Risk based approaches drive down failure rates. Examples are abundant in safety (especially air safety where statistics abound), environmental incidents, and quality.

 There is no evidence whatsoever that Control based approaches to failures are effective. Control based failures persist across the spectrum of GRC activities, across industry verticals and across geographies.

Human failure falls into one or more of four broad categories. None of them are susceptible to traditional “hard” controls.

  •  Purpose Risk – People or groups do not understand the objectives they should be achieving or why they are important. As a result they pursue activities not aligned with corporate objectives.
  •  Capability Risk – People or groups do not have the knowledge and skills necessary to perform their responsibilities.
  •  Commitment Risk – The SEC calls this compensation risk and has addressed it at least partly in the issue of 33-9089 Enhanced Proxy Disclosure Rules. Reward systems (or the lack of disincentives) skew individual or group behavior to a dangerous level.
  •  Integrity Risk – People or groups may engage in dishonest or unethical activity.

Here is an example. Several months ago the press reported an incident where two pilots apparently took an in-flight nap in the cockpit and overshot their destination by 150 miles.

 I will illustrate, with a little tongue in cheek, how the People Risk and Control based paradigms might respond.

  •  Control paradigm – make cockpit alarm clocks mandatory. Inspect and test them regularly. Investigate the feasibility of Continuous Control Monitoring (CCM) using motion detectors for long haul flights.
  •  People Risk paradigm – fire the pilots. This behavior is unacceptable.

A People Risk paradigm assumes that if people are given specific objectives, if they are trained to perform those objectives, if their accountability and reward system is aligned with the goals, and if standards of behavior are set and enforced, then the risk of human failure will be managed. It embraces a much more optimistic philosophy of human beings.

 The People Risk paradigm suggests that if people are the cause of failure, deal with the people. It’s actually quite refreshing.

 I understand, by the way, that the pilots in this anecdote were fired and their pilots’ licenses revoked. They knew what to do, they knew how to do it, they knew they were accountable and they knew the behavior expected of them. The root cause of the failure was human failure.

 “Alarm clocks”, or “hard” controls, figuratively speaking, do not address the root cause. If these pilots had not been fired, if their behavior had been tolerated, what would the impact be on Commitment Risk? What message would be sent?

The control paradigm suggests that people failure is the result of a control failure and more controls are required. “Hard” controls can be audited. Assurance is visible.

Our corporations have plenty of very useful “hard” controls. We have monitoring reports, we have restricted access, we have passwords etc. Many of these are efficient and necessary. Having the right kind and the right mix of “hard” controls makes sense. I wear a seat belt when I drive my car. Seat belts are cheap, unobtrusive and effective.

 Here are some examples of People Risk misidentified as control failure.

Thousands of reported SOX deficiencies point to incompetent or dishonest CFOs, CEOs or Audit Committees, or compensation systems that rewarded bad behavior. They are reported as control deficiencies. I suggest that AS5 create a new category of reportable deficiency called People Risks. Analyses of SOX deficiencies suggest that about 50% or more of failures are in the COSO Control Environment – People Risk.

 Very few, if any internal or external audit reports include findings and recommendations related to People Risk. They report control failures.

 “Management override”, a popular AS5 notion is not a control failure; it is a People Risk.

 Breakdowns in segregation of duties are not control failures, they are People Risk.

 Massive compliance breaches are not control failures, they are People Risks.

And in all these cases, the People, not the controls, need to be dealt with through coaching, training, accountability and reward systems, or job change.

The SEC has specifically recognized Commitment Risk, one component of People Risk, in 33-9089 Enhanced Proxy Disclosure Requirements.

It would be interesting to explore how regulatory frameworks and GRC professions could address the other People Risks.

I’ll address this topic in a future blog.

 Please send me your comments and questions.

Posted in Compliance, GRC, Internal Audit, Risk Management | Leave a Comment »

Continuous Control Monitoring (CCM): Should we be using it to monitor behaviors too?

Posted by brucemccuaig on April 27, 2010

Continuous control monitoring technology is powerful, efficient and grossly underused. Many GRC professionals automatically assume that controls should be continuously monitored. Of all the things that this technology could be used for, control monitoring is possibly the least valuable overall. I believe that properly used, continuous monitoring of risk indicators, business performance and customer and employee behaviors is far more valuable. The payback is streamlined controls, better business decisions and a dramatic reduction in human error as a cause of losses.

In 2004 I was asked to write a review for a publication of the IIA Research Foundation titled “Changing Internal Audit Practices in the New Paradigm.” One case study in particular caught my attention. Internal Auditors at Kinko’s (as it was called at that time) had developed what they called data mining techniques that allowed them to monitor daily Point of Sale (POS) transaction data and identify situations where fraud was likely based on an analysis of the timing, frequency and sequence of certain transaction types. In other words, fraudulent employee behavior could be detected early and at very low levels.

Two benefits were achieved. One was that onerous manual controls to prevent such fraud could be streamlined. The second benefit was that dishonest employees left the organization.

In 2007, Protiviti published a white paper titled “The Shift To Behavior Monitoring: A New Paradigm for Exception Based Reporting (EBR)” outlining the basic principles of the technique and giving it an appropriate name. The technique is found mainly in retailing and used for loss prevention; the white paper described its important principles and techniques. Let me give you a personal example.

A few years ago we left my adult son at home and went on vacation. I left him one of my credit cards in case he ran short of cash. Three days later, sitting beside a pool in Palm Springs, my credit card company notified me my card had been stolen and had been used to buy about $50.00 worth of textbooks at a college bookstore.

Behavioral monitoring was able to separate 2-3 miniscule transactions from among many thousands of transactions totaling many millions of dollars based on a pattern of spending that differed from my historical patterns.
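As an added illustration of the exception-based behavior monitoring described above (this is not code from the post, from Kinko’s or from the Protiviti paper), the Python script below builds a constructed point-of-sale log, profiles each cashier on two behaviors the Kinko’s auditors looked at (frequency of voids, and the sequence “sale immediately followed by a void”), and reports cashiers whose profile deviates sharply from their peers. The cashier names, the transaction types, the two-minute window and the z-score threshold are all assumptions.

```python
"""Exception-based reporting over a constructed POS log: peer-baseline behavior monitoring."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    ts: datetime
    employee: str
    kind: str      # assumed transaction types: "sale" or "void"
    amount: float


def constructed_pos_log():
    """Constructed sample data, not a real log: six cashiers each ring 20 sales.
    Honest cashiers make one ordinary void well after their last sale; 'mallory'
    voids six sales within 40 seconds of ringing them up."""
    rows = []
    start = datetime(2010, 4, 20, 9, 0)
    for idx, emp in enumerate(["alice", "bob", "carol", "dave", "erin", "mallory"]):
        t = start + timedelta(seconds=idx)          # stagger cashiers by a second
        for n in range(20):
            rows.append(Txn(t, emp, "sale", 10.0 + n))
            if emp == "mallory" and n % 3 == 0 and n < 18:   # n = 0,3,6,9,12,15
                rows.append(Txn(t + timedelta(seconds=40), emp, "void", 10.0 + n))
            t += timedelta(minutes=15)
        if emp != "mallory":
            # one routine correction, 25 minutes after the cashier's last sale
            rows.append(Txn(t + timedelta(minutes=10), emp, "void", 5.0))
    return rows


def per_employee_features(txns, quick_window=timedelta(minutes=2)):
    """Per cashier: void-to-sale ratio and the number of sales voided within
    quick_window of being rung up (a timing/sequence signal, not a control)."""
    by_emp = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_emp[t.employee].append(t)
    feats = {}
    for emp, rows in by_emp.items():
        sales = sum(1 for t in rows if t.kind == "sale")
        voids = sum(1 for t in rows if t.kind == "void")
        quick_voids = 0
        last_sale = None
        for t in rows:
            if t.kind == "sale":
                last_sale = t
            elif t.kind == "void" and last_sale is not None \
                    and t.ts - last_sale.ts <= quick_window:
                quick_voids += 1
                last_sale = None                 # each sale counted at most once
        feats[emp] = {
            "void_ratio": voids / sales if sales else 0.0,
            "quick_voids": quick_voids,
        }
    return feats


def flag_outliers(feats, feature, z_threshold=2.0):
    """Cashiers whose feature lies more than z_threshold standard deviations
    above the peer mean. Only the high side is an exception here."""
    values = [f[feature] for f in feats.values()]
    if len(values) < 2:
        return []
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return sorted(emp for emp, f in feats.items() if (f[feature] - mu) / sigma > z_threshold)


def exception_report(txns, z_threshold=2.0):
    """The exception-based report: which cashiers stand out on which behavior."""
    feats = per_employee_features(txns)
    return {name: flag_outliers(feats, name, z_threshold)
            for name in ("void_ratio", "quick_voids")}


if __name__ == "__main__":
    for behavior, names in exception_report(constructed_pos_log()).items():
        print(f"{behavior}: {names or 'no exceptions'}")
```

On real data the peer baseline would be computed per store and per period, and a flag is a prompt for review of the register tape, not a conclusion about the cashier.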

I may be an optimist, but I believe with more refinement and extensive research, this technology just might be able to detect a bogus $10 million transaction by a rogue trader or maybe a $50 million dollar fraudulent entry by a CFO. If we could achieve that goal, we could eliminate costly but far less efficient and effective controls and at the same time eliminate some bad apples.

There is little evidence to suggest that the techniques described in the Protiviti paper are being broadly applied by GRC professionals.

In February 2010, The Economist magazine published a special report titled “Data, data everywhere a special report on managing information”. It is an exhaustive analysis and discussion of the problems and opportunities presented by the enormous amount of data we are creating. According to the article, Best Buy discovered that 7% of its customers accounted for 43% of its sales and began to focus on those customers. Cablecom, a Swiss telecom operator, was able to reduce defections from about 20% of subscribers per year to less than 5% by analyzing calls to customer support early in the client life cycle and identifying which customers were likely to leave. The Economist article contains numerous examples of benefits from monitoring data for such patterns.

On April 22 I presented a webcast for Compliance Week on People Risk (http://video.webcasts.com/events/pmny001/viewer/index.jsp?eventid=34431). My premise was that as GRC professionals we had pushed our traditional “hard” controls to their limits. Human error, not “hard” control failure, accounts for the majority of losses across most fields of human endeavor, and channeling the right kinds of human behaviors to accomplish the right goals offers huge promise and lower costs.

Continuous monitoring holds great potential. The only question is whether it will be used wisely to drive down the cost of control, identify undesirable behaviors and drive better business performance, or whether its use will be limited to perpetuating and continuously monitoring the controls we have today.

I believe GRC professionals have an opportunity to dramatically change their paradigm and add value.

Your comments are most welcome.

Posted in Uncategorized | 1 Comment »

Continuous Control Monitoring (CCM): What’s Wrong?

Posted by brucemccuaig on April 12, 2010

 With great trepidation I’m stepping into the Continuous Control Monitoring debate.

In March Gartner issued their “Magic Quadrant for Continuous Controls Monitoring” report. Following their pattern of Magic Quadrant reports, Gartner in this report analyzes the CCM market and assesses the leading vendors in the space.

I don’t have the right to distribute the Gartner report. Among the sites where it is posted is the Approva web site at http://www.approva.net/ .

I am accepting the report and its conclusions at face value. I am not endorsing or criticizing any vendors. I think the report is clear and compelling.

As long as I have been in the GRC field, Continuous Control Monitoring has been sort of a holy grail for auditors. If I recall correctly, as a CAE I authorized the purchase of ACL for my audit staff back in the mid-1980s. The theory was, I recall, that if we had early warning of control failure we could fix the problems before they grew. (Thinking about it now, it’s kind of like saying if we had good speedometers in our cars, we wouldn’t speed.)

Control Monitoring was even the subject of a COSO report (COSO Guidance on Monitoring Internal Control Systems) in 2009. I have not seen clients jumping to implement that report’s recommendations either. An earlier blog states my opinion of that study.

Let me quote the section of Gartner’s report that caught my attention: “The CCM market is relatively small and immature”. More particularly, Gartner reports that the market penetration for CCM products designed to monitor ERM and financial application transaction information to improve performance and automate audit processes is estimated to be 10%.

In the year 2010, given the financial crises we have experienced, this is incredibly low.

My question is this. Why is market penetration for CCM not 90%? What is blocking the implementation and maturation of CCM technology?

Is it because companies do not rely on automated systems to process transactions? In other words, is it because there is nothing to continuously monitor? The answer to that must be no; businesses today are highly automated. Relevant information is certainly available for monitoring using CCM.

Is it because the current CCM technology doesn’t work? Gartner has listed only a few players in the coveted Magic Quadrant (and that is surprising as well), but they rate most of the CCM vendors I am familiar with at or near the “Ability to Execute” threshold. To varying degrees, the technology does work. I have seen it work. It is possible to monitor certain controls continuously and some people do so.

Is it because the market is saying rather resoundingly “we don’t want or don’t need CCM”? The environment exists to use CCM. Adequate CCM technology exists and to varying degrees works. Clearly we have control failures, some of them massive and devastating. But CCM is not penetrating the market.

Is it because management already has a good handle on the state of controls and doesn’t need more help?

Is it because we are using the technology to do the wrong thing? Is there something more useful to look at than controls?

I have some suspicions as to the answer to some of these questions. And I have some thoughts about what to do.

But before I do so I want to hear from you. I’d like to hear some success stories about CCM. I know there are some. I’d like to hear experiences from people who have looked at and rejected CCM. I’d like to hear alternatives to CCM. I’ll hold off offering my insights until I hear a few stories and experiences from you.

Please respond with a comment.

Posted in GRC, Internal Audit | 2 Comments »

33-9089 Proxy Disclosure Enhancement Rules and the Role of Risk Management Technology

Posted by brucemccuaig on April 5, 2010

The new SEC Proxy Disclosure Enhancement Rules reaffirm the board’s responsibility for overseeing risk management. One consideration for boards in overseeing the risk management activity is to understand what risk management technology, if any, is being used by management, and how they are using it.

I am a board member of a small organization. I have some personal experience and responsibility in this area. We pay attention to our governance requirements. A few months ago my board was presented with a risk management report. I suspect it is similar to what many boards receive.

 Let’s start with an analogy. Suppose you were in charge of managing retail inventories across your company. The amount, nature and value of the inventory changes daily; but the right inventory management decisions, what to buy, when to buy it, where to stock, when to discount, is the essence of your business value model.

 Suppose you had a system where once or twice each year, a team of people went out and counted and listed the inventories at a certain date and presented you with their results in a summarized form several months later. What you would see is a “tally” of the inventory. It’s changed by the time you see it. Inventory levels may be bigger or smaller, better or worse, but you, as an overseer would not necessarily know.

 That is similar to how risks are presented to many boards. It is not risk oversight. It’s quite possible in this analogy that inventory management practices are in fact very good. But the inventory (or risk) tally sheet isn’t evidence of that and is probably not the oversight the SEC intended.

 It’s not likely that risk management or risk oversight can be achieved without the use of technology.

 A few months ago, in his now defunct blog on the IIA web site, my former colleague and partner listed 10 Top Risk and Assurance Software “Should Do” Requirements.

(http://www.theiia.org/blogs/leech/index.cfm/post/Top%2010%20Must%20Dos%20for%20Risk%20&%20Assurance%20Software%20Wish%20Lists)

 I’ll excerpt just a few here to illustrate how they meet the requirements of 33-9089 and its oversight requirements. The text within quotation marks is from Leech’s blog.

  •  “The software should be capable of encouraging users to identify the full universe of assurance contexts”. The SEC has defined several specific contexts to assess in terms of compensation risk. Good risk management practices suggest a complete context description is a starting point for oversight.
  •  “The software should support the full range of risk management elements contained in global risk management guidance, particularly the recently issued ISO31000”. It would make no sense to buy a financial system that could not account for the full range of financial transactions facing a business. Risk management and related oversight have comprehensive information requirements.
  •  “The software should encourage and require that risks are identified by specialists and work units using a range of methods…” Boards in their oversight capacity need to know where the information came from and how it was created.
  •  “The software should be capable of capturing and integrating key performance indicator (KPI) information, including loss event data”. The board, in its oversight role, must understand how risk drives performance generally. The SEC wants the connection between compensation and risk to be described.

 My experience with risk management is that once begun in an organized and strategic way, vast amounts of information are produced. Collaboration among various elements of the company is essential. All of that and a good deal more falls within management’s role in risk management. But without some underlying technology to support it, risk management will become unverifiable, unreliable and unsustainable. It’s the role of the board, in its oversight capacity, to assess those factors.

As always, questions and comments are welcome.

Posted in Risk Management

33-9089 Proxy Disclosure Enhancements Rules: Overseeing Risk Management

Posted by brucemccuaig on March 31, 2010

 In my last blog I asked whether risk oversight was possible without first firmly implementing risk management. A lot of evidence shows risk management isn’t being practiced well, if at all. I’ll leave the question of what precisely to disclose to others. The SEC encourages additional disclosure. My purpose here is to suggest what directors should ask for and expect to see if risk management is, in fact, in place.

Building the Risk Universe

The Enhanced Compensation Disclosure begins with a discussion of what I will call risk “context”. Specifically, the rules identify specific organization attributes where compensation risk should be discussed (… a business unit carrying a significant portion of the company’s risk profile, one where compensation is significantly different, etc.). The rules are good. I just don’t think they are complete. Compensation and other risks need to be assessed in a single context. I would add to the list of contexts identified here. I’d like strategically important organizations to be identified, and I’d also like to see material business areas where loss events have been or are expected to be frequent or large. I’d also like to see poorly performing businesses described. I’d like these largely organizational contexts to be linked to geographic regions and legal entities. Going beyond that, I’d like to see a discussion of risk based on the company’s business model. It’s important to know the context risk exists in. It’s also important to know the impact of risk on how the company makes money, how value is created and how things are connected. Directors should be able to ask for, and management should be able to provide, a “heat map” of the business broken into organizational and business process contexts, and they should have a rational and consistent basis for assessing the “riskiness” of the contexts. I’d look for a single “universe” of risk context based on organization and business process attributes. It should be the basis of all risk reporting. If management needs to reconstruct the “universe” every year, I’d argue they are not practicing risk management. They are certainly not squeezing efficiencies out of their GRC service providers.

Building the Risk Profile

To me the risk profile is an aggregation of the types of risks faced by the organization. Risk types would be derived from a consistent taxonomy (e.g. 3rd Party Risks, Financial Risks, Data Security Risks, etc.). Standard & Poor’s published some good sample risk types a couple of years ago when they were first proposing to incorporate ERM into the credit rating process. The risk profile would associate the risk types with the business risk contexts described above. Where can risk occur? What kind of risk should we watch for in the future? What risk exists now? How is it impacting business performance?

Comments and questions are always welcome.

Posted in 1, Risk Management

33-9089 Proxy Disclosure Enhancements Rules: Is Risk Oversight Possible Without Overhauling Risk Management?

Posted by brucemccuaig on March 12, 2010

Late last year the SEC proposed new rules requiring more disclosure of, among other things, compensation policies and practices that present material risks to the company and the board’s role in risk oversight. The new rules are in effect from February 28, 2010.

For calendar year companies, those new rules are beginning to bite right now as 2010 proxy material and other disclosures are being prepared and released. We will soon begin to see how companies are interpreting and responding.

Many people in the risk management community are cautiously optimistic that better disclosure will result. But some, me included, believe that an overhaul of risk management practices must precede effective risk oversight. Quite apart from the global experience over the last 24 months, plenty of evidence exists to support my view.

Here are some examples:

• 85% of corporate executives say they need to overhaul their approach to risk management … (Accenture 2009 Global Risk Management Study)

• 62% of enterprises encountered material risk events in the last three years. Of those nearly half, 42%, admitted to not being prepared for it … (IBM CFO Study 2008)

• 44% of respondents have no enterprise-wide risk management in place and have no plans to implement one (2009 ERM Initiative at NC State University – conducted on behalf of the AICPA)

The evidence suggests that management isn’t happy with current practices, that today’s risk management results are unreliable and that many executives have thrown in the towel and don’t plan to even begin to implement risk management practices.

It’s against this background that directors are now required to oversee risk management and improve disclosures. Is risk oversight possible without an overhaul of current practices?

Over the next week or so I will explore that question in a series of blogs. First though, let’s see what the new rules say.

Enhanced Compensation Disclosure

 The notion that compensation practices drive behavior is simple to accept. Presumably that is what they are designed to do. But extreme compensation can drive extreme behavior and leave the reward with the employee and the risk with the stakeholder. Understanding and disclosure of that risk is now required. Much of the following is extracted directly from the new rules.

Companies will be required to discuss and analyze their broader compensation policies and overall actual compensation practices for employees generally, including non-executive officers, if risks arising from those compensation policies or practices may have a material effect on the company. The following examples of situations that potentially could trigger discussion include, among others, compensation policies and practices:

• At a business unit of the company that carries a significant portion of the company’s risk profile;

• At a business unit with compensation structured significantly differently than other units within the company;

• At a business unit that is significantly more profitable than others within the company;

• At a business unit where the compensation expense is a significant percentage of the unit’s revenues; and

• That vary significantly from the overall risk and reward structure of the company, such as when bonuses are awarded upon accomplishment of a task, while the income and risk to the company from the task extend over a significantly longer period of time.

There may be other features of a company’s compensation policies and practices that have the potential to incentivize its employees to create risks that are reasonably likely to have a material adverse effect on the company. However, disclosure under the amendments is only required if the compensation policies and practices create risks that are reasonably likely to have a material adverse effect on the company.

Enhanced Disclosure about the Board’s Role in Risk Oversight

The SEC noted that risk oversight is a key competence of the board, and that additional disclosures would improve investor and shareholder understanding of the role of the board in the organization’s risk management practices. Accordingly, “… disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. This disclosure requirement gives companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example. Where relevant, companies may want to address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals.”

Far from prescriptive, the new rules are principle based. The question is: will today’s widely varied and fragmented risk management practices provide a foundation for the new disclosure requirements?

 Over the next two weeks I will discuss in this blog:

• What attributes and characteristics directors should consider in overseeing their risk management practices.

• What factors directors should consider in deciding to overhaul their risk management frameworks.

• How to ensure their risk management framework is producing reliable information.

• The role of technology in managing and overseeing risk.

As always, comments and suggestions are welcome.

Posted in 1, Risk Management