IT Risk Tops List of Concerns for Board Members

A recent survey of Public Company Audit Committee Board Members about risk highlights the desire to focus more heavily on Information Technology ("IT") related risks. This is not surprising given that technological innovation continues at a rapid pace while it is also increasingly impacting every key facet of business today. The survey, conducted by the National Association of Corporate Directors and sponsored by KPMG, uncovered the following common board-level views about IT and other risk areas.

• They are not satisfied that their oversight of various IT risks is effective, or that the company's strategic planning process deals effectively with the pace of technology change and innovation.
• The one person they would most like to hear from more frequently is the CIO.
• They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company's risks and control environment, or rate their company's crisis response plan as "robust and ready to go."
• The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC's whistleblower "bounty" program of particular concern.

An integrated, enterprise-wide risk program is the key to addressing these items in a holistic and practical way.  If your company has not implemented such a program, meeting the demands of the board will be challenging.

A Call to Action for Risk Managers

Risk managers are waking up to the fact that as the world continues to change, they must also change. Upgrades to skill sets as well as the overall approach to risk management is essential for these professionals to provide the value that companies are demanding in the tumultuous global economic environment. Just this week, at the Federation of European Risk Management Associations annual conference in Sweden, a call to action is being made to risk managers around the world.  Here's a sample of the views expressed during the conference as reported by Business Insurance magazine.

During a news conference at FERMA's forum in Stockholm, FERMA executives said risk managers cannot isolate themselves from the financial turmoil in many parts of the world or the rapid changes in many industries because of technology. “You cannot put your head in the sand; you have to understand and live with it,” said Julia Graham, chief risk officer for London-based law firm DLA Piper U.K. L.L.P. and VP of FERMA.

Ms. Graham said the skills that risk managers need have changed in the past five years. Now, she said, risk managers need to look forward more than backward, have greater financial literacy to understand and talk the language that company boards use, and improve their management skills, among other things.

The purely quantitative, historical view of risk is no longer adequate in today's complex global marketplace.  Strong business acumen is required for risk managers to provide a better view of potential risks and opportunities facing companies today.

Rebuilding Trust Through Better Risk Monitoring

A recent op-ed article in the Financial Times by noted author and professor, Frank Portnoy, raises the question about the need to hold corporate managers personally accountable for gross negligence when they do not monitor risks. Mr. Portnoy proposes having senior executives at major banks certify that they are actively monitoring the risks taken in areas such as trading desks that have resulted in recent losses due to rogue trading activities. He summarizes his view in the following way.

Current rules permit directors and officers to avoid personal liability for gross negligence. That is a wise rule for most business decisions: courts are generally not skilled at assessing business judgment. But risk is different. Why should a bank manager who is grossly negligent in supervising risk avoid liability?

Shareholders might never be able to understand the risks of modern banks, and current regulatory approaches will not give them much confidence. But if they knew that senior managers had agreed to be personally liable for gross negligence in monitoring risk, they might trust the banks more. Without trust, it is hard to see how banks can recover.

Mr. Portnoy is correct to promote the notion of greater accountability for monitoring risk. However, attaching personal liability to executives may not necessarily be the best method. It would be very difficult to define what is an adequate level of risk monitoring since it really differs for every institution. That is why the industry is so heavily regulated. However, Mr. Portnoy is certainly on point in the fact that stronger risk monitoring is needed to rebuild trust in banks.

Another Example of the Value of Risk Management

It seems that some financial institutions have not fully learned the lessons from past rogue trading incidents such as the ones that occurred at Societe Generale and Barings. Officials at UBS announced today that they are facing massive losses at the hands of a lone trader. Here's what BBC reported this morning.

Police in London have arrested a 31-year-old man in connection with allegations of unauthorised trading which has cost Swiss banking group UBS an estimated $2bn (£1.3bn). Kweku Adoboli, believed to work in the European equities division, was detained in the early hours of Thursday and remains in custody. UBS shares fell 8% after it announced it was investigating rogue trades. ZKB trading analyst Claude Zehnder said the news would damage confidence in UBS. "They obviously have a problem with risk management."

This is yet another example of the value of having a strong risk and control program. While it is difficult to control external events, companies can certainly implement proper internal controls to protect from massive losses such as this one.

Sarbanes-Oxley Executive Compensation Clawbacks Continue

Yesterday, the U.S. Securities & Exchange Commission ("SEC") announced another successful "clawback" of executive compensation under the Sarbanes-Oxley Act of 2002. James O'Leary, former Chief Financial Officer of Atlanta-based Beazer Homes USA, was forced to return over $1.4 million in bonus payments and stock sale profits that he made as a result of fraudulent financial reporting in 2006. What is somewhat unique about the case is the fact that the CFO was not implicated in any wrongdoing other than certifying that the financial statements were accurate. The individual who is being criminally prosecuted for the fraud is the Chief Accounting Officer who reported to the CFO during the time period in question.

“Section 304 of the Sarbanes-Oxley Act encourages senior management to take affirmative steps to prevent fraudulent accounting schemes from occurring on their watch,” said Rhea Kemble Dignam, Director of the SEC’s Atlanta Regional Office. “O’Leary received substantial incentive compensation and stock sale profits while Beazer was misleading investors and fraudulently overstating its income.”

This announcement comes on the heels of a related clawback from the CEO of Beazer Homes that totaled more than $6.4 million. Again, in this case, the CEO was not implicated in any criminal wrongdoing. The SEC's enforcement approach regarding both the CEO and the CFO in this case serve as a reminder to senior executives to ensure their annual certifications are accurate. The only way to know is to have a strong risk and control program in place. Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

Increasing Your Risk Awareness

Companies of all sizes are searching for direction as they seek growth during these tumultuous economic times. Some companies are looking for better ways to deploy capital while others are simply fighting for survival. It is during times such as these that many do not take the time to seek perspective on the risks that they face. However, the strongest companies realize that having a solid understanding of their unique risks is vital to their continued success. These companies also realize that the risks they face are ever-changing - both internally and externally.

The first step to developing a better understanding of risk is to conduct an Enterprise Risk Assessment based on the company's strategic objectives. This risk assessment will serve as the baseline for measuring risk responses going forward and also as the foundation for a broader Enterprise Risk Management ("ERM") program. As a company implements their ERM program, it is critical that a culture of risk awareness rather than risk aversion is promoted. A "risk aware" culture embraces risk as the flip side to the reward they seek.

However, simply identifying, measuring and mitigating risks is only part of achieving "risk awareness". An effective way to gain this perspective is to examine how the business is evolving in relation to its overall strategic direction through the Risk Awareness Cycle (see figure below). At any given time, a product, service or an entire company is in one of four stages of evolution - Order, Complexity, Chaos or Simplicity. Within each of these stages, risks take different forms. In addition, to continue as a viable enterprise, movement from one stage to the other is essential. Without movement, an enterprise will lose forward momentum and ultimately fail.

To learn more about how you can increase your company's risk awareness, visit www.WheelhouseAdvisors.com.

SEC Launches Office of the Whistleblower

Just more than a year after the Dodd Frank Wall Street Reform and Consumer Protection Act was signed into law, the Securities & Exchange Commission ("SEC") has established a new office to handle one of the major provisions of the act.  The Office of the Whistleblower was publicly launched last week.

To aid in the submission of whistleblower tips, the new office has created a website that provides details on how whistleblowers should provide information and what whistleblowers should expect. According to the website the SEC, "... is authorized by Congress to provide monetary awards to eligible individuals who come forward with high-quality original information that leads to a Commission enforcement action in which over $1,000,000 in sanctions is ordered. The range for awards is between 10% and 30% of the money collected."

Potential whistleblowers are encouraged to report their issue through a company's internal compliance program before contacting the SEC.  In fact, according to the final rules, the SEC will consider increasing the overall award amount if the whistleblower utilizes the internal compliance channels.  The following is an excerpt from the SEC's whistleblower rule book.

Participation in internal compliance systems. The Commission will assess whether, and the extent to which, the whistleblower and any legal representative of the whistleblower participated in internal compliance systems. In considering this factor, the Commission may take into account, among other things:
(i) Whether, and the extent to which, a whistleblower reported the possible securities violations through internal whistleblower, legal or compliance procedures before, or at the same time as, reporting them to the Commission; and
(ii) Whether, and the extent to which, a whistleblower assisted any internal investigation or inquiry concerning the reported securities violations.

Companies should use this opportunity to communicate the importance of reporting issues through internal channels before reporting to the SEC.  For those companies that do not have a well constructed compliance program, now is the time to build one.