Monday, December 6, 2010

The Human Element of Risk Management

Over the past decade, risk management became more about quantitative models and less about behavioral models. Unfortunately, as we discovered during the recent financial crisis, even the best quantitative models cannot predict the result of misguided behavior. In this week's edition, Bloomberg Businessweek magazine provides a special focus on risk management with interesting viewpoints such as this:
As business has grown more complex, we have developed elaborate protocols, systems, frameworks, and approaches to manage risk. A consequence of putting science at the forefront of these risk management systems has been a stripping of human behavior out of the risk model.

The future of risk management lies in an ability to incorporate and inspire more of the behaviors we want, finding new models to map, monitor, intervene, support, and react to the behaviors of individuals and groups—both the behaviors we want to encourage and those we'd like to avoid. Critically, this taking account of behavior means we need a much sharper comprehensive strategy for corporate culture, so that our models are founded on the way "things really happen around this place."

Examining the human element of risk management is a key part of Wheelhouse Advisors' upcoming workshop, Navigating Risk: From Crisis to Innovation. To learn more about the workshop and enroll for this groundbreaking event, please visit www.oldedwardsinn.com/navigatingrisk.

Thursday, December 2, 2010

Missed Opportunity on Stress Tests?

When the Federal Reserve Bank ("FRB" or "Fed") conducted stress tests of the 19 largest financial institutions back in 2009, many viewed it primarily as an exercise to restore the public's faith in the financial system. Now that the FRB has asked the financial institutions to perform the same tests again, some are wondering if the tests should be redesigned to be more realistic. One of those raising questions is Sim Segal, an ERM expert who wrote an article on the subject this week in Forbes magazine. Here's his view:
...to be meaningful, the Fed stress tests must be changed to include (1) multiple simultaneous risk events, to capture the biggest potential threats, (2) all sources of risk, particularly strategic and operational ones, which represent the bulk of risks, (3) a full quantification of risk exposures, measuring the impact on value rather than on capital, (4) examination of the largest companies in all sectors that can threaten the economy, not just banks, and (5) worst-case scenarios provided by company insiders, to test each firm's most vulnerable spots.

Mr. Segal raises some very good points that should be considered by not only the FRB and the Financial Stability Oversight Council, but also the individual financial institutions.  For those financial institutions and other companies that are not performing stress tests in the manner suggested by Mr. Segal, it could represent a missed opportunity that could prove fatal.

Monday, November 29, 2010

Information Technology is a Core ERM Building Block

As the year nears an end, many folks are looking to 2011 in anticipation of the regulatory impact of the Dodd-Frank Act of 2010. One of the primary impacts discussed today in Bank Systems & Technology magazine is the specter of the new Office of Financial Reform. Financial services companies of all shapes and sizes will soon be subject to requests for data from this new agency to support its mission of reporting emerging risks to the U.S. Congress. Here's an overview of what companies can expect.
The Dodd-Frank legislation establishes the Office of Financial Reform (OFR), a new department within the U.S. Department of the Treasury that is tasked with gathering and reporting to lawmakers information regarding potential risks and threats within the nation's financial industry. To accomplish this, the OFR's director can use his or her subpoena power to gather data from any financial institution.

Simply, says Michael Atkin, director of the Enterprise Data Management Council, a nonprofit trade association focused on managing and leveraging data, the regulation gives banks' corporate leadership a new opportunity to examine the growing problem of managing skyrocketing amounts of data and finally to budget appropriately to meet the challenge. "It kicked the practice of data management into high gear," Atkin says. "We're now set up for addressing the data dilemma that we have because we finally have a reason that is not subject to the whim of a business case. It is a regulatory requirement."

The OFR director, who has not yet been appointed, will make his or her report to Congress in 2012, adds Atkin. But that initial report, he notes, likely will be more on the state of the industry than a detailed analysis of its data, giving financial institutions a window of several years to prepare for potential requirements. "The implications from an infrastructure perspective are about getting the core building blocks of risk management in place," Atkin relates.

Now is the time, as Atkin says, to get your "core building blocks of risk management in place". Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

Thursday, November 18, 2010

Assessing Systemic Risk

New York University's Stern School of Business hosted a conference yesterday to discuss how systemic risk should be addressed under the Dodd-Frank Act.  One of the presenters at the conference, Stanford Finance Professor Darrell Duffie, proposed a new approach for identifying systemic risk.  Here's some detail on his proposal as reported by Bloomberg.
The world’s largest banks and investment firms should undergo quarterly stress tests to identify risks that could sink the financial system, according to a proposal by Stanford University finance professor Darrell Duffie. “I’m not talking about the ordinary, matter-of-course, risk management of institutions. We’re looking at what are the sources of risk and how are they flowing through the system. We want to connect the dots.”

Duffie calls his plan “10-by-10-by-10” because it’s based on 10 financial firms undergoing 10 stress tests that expose the banks’ 10 largest trading partners. For example, institutions would be tested on their ability to withstand the default of a single firm that they do business with, an idea replicating the 2008 Lehman bankruptcy.

“The objective is to alert regulators and the public to potential sources of financial instability before they reach dangerous levels,” Duffie wrote in a paper outlining the proposal. The tests, which would be adjusted over time to cover different scenarios, could flush out new systemically important firms as they arise, Duffie said. Central bankers could opt to conduct some of the stress tests using average financial numbers over a given timeframe “to mitigate period-end ‘window dressing,’” Duffie said. Regulators should also audit the way the banks measure the data they present, he said.

More specifics about the Duffie proposal are contained in his working paper, "Systemic Risk Exposures: A 10-by-10-by-10 Approach." By his own admission, Duffie notes that this proposal merely represents a first step for regulators to begin to analyze systemic risk. There are shortcomings to the proposal such as the current lack of data as well as the potential to exclude other entities that may pose risks to the system. However, the regulators must begin somewhere and this approach is a practical method for assessing systemic risk.

Tuesday, November 16, 2010

Is This Just the Tip of the Iceberg?

The Congressional Oversight Panel released its November report today and it focused on the continued foreclosure crisis. The panel is calling for additional investigation by regulators and is also requesting that the U.S. Treasury provide additional evidence of their claim that the crisis has been averted.  Below is an excerpt from their report as well as video commentary from the chairman of the panel, Senator Ted Kaufman.
At this point the ultimate implications remain unclear. It is possible, however, that “robo-signing” may have concealed much deeper problems in the mortgage market that could potentially threaten financial stability and undermine the government’s efforts to mitigate the foreclosure crisis. Although it is not yet possible to determine whether such threats will materialize, the Panel urges Treasury and bank regulators to take immediate steps to understand and prepare for the potential risks.

In the best-case scenario, concerns about mortgage documentation irregularities may prove overblown. In this view, which has been embraced by the financial industry, a handful of employees failed to follow procedures in signing foreclosure-related affidavits, but the facts underlying the affidavits are demonstrably accurate. Foreclosures could proceed as soon as the invalid affidavits are replaced with properly executed paperwork.

The worst-case scenario is considerably grimmer. In this view, which has been articulated by academics and homeowner advocates, the “robo-signing” of affidavits served to cover up the fact that loan servicers cannot demonstrate the facts required to conduct a lawful foreclosure. In essence, banks may be unable to prove that they own the mortgage loans they claim to own.

Only time will tell whether the foreclosure issues are merely the tip of the iceberg.  However, if the issues are real, then the financial institutions and other involved parties will be best served to proactively address the problem now rather than hoping it goes away on its own.

Wednesday, November 10, 2010

The Need for ERM is Crystal Clear

Unlike the waters of the Gulf of Mexico, the need for companies to have robust enterprise risk management ("ERM") programs became crystal clear during an interview of former BP CEO Tony Hayward aired this week by the BBC. Here are some of the highlights from the interview.
Former BP PLC chief Tony Hayward has acknowledged that the company was unprepared for the disastrous Gulf of Mexico oil spill and the media frenzy it spawned, and said the firm came close to financial disaster as its credit sources evaporated.

In an interview with the BBC to be broadcast Tuesday, Hayward said the company's contingency plans were inadequate and "we were making it up day to day."

Hayward said BP had found itself unable to borrow from international investors during the spill crisis, threatening its finances. He said that before a meeting with President Barack Obama at the White House in June, "the capital markets were effectively closed to BP." "We were not able to borrow in the capital markets, either short or medium term debt at all," he said. "It was a classic financial crisis issue."

Hayward's successor, Bob Dudley, told the program that "these were frightening days" for BP. "With a company the size of BP, its reputation, what it does — you almost can't quite believe how close you are" to financial disaster, he said.

This interview demonstrates the catastrophic impacts of a risk event not only to the environment at large, but also to every corner of the company responsible for the event occurring. BP obviously did not have a comprehensive ERM program at the ready, which resulted in improvisation and ultimately a full-blown crisis. Only a company of BP's size and resources could weather this type of event. So, how effective is your ERM program?

Monday, November 8, 2010

Navigating Risk: From Crisis to Innovation

A big challenge for many companies today emerging from the financial crisis is retaining their ability to innovate new products and services. The typical view is that the larger the company, the harder it is to innovate. Why is that? It seems counterintuitive given the vast resources of larger companies compared to their smaller competitors. This issue was recently highlighted in an article on CNN.com. Here are the views of a few who have examined the issue in greater detail.
Can companies grow and continue to be creative and innovative? Or will smaller operations always have a monopoly in the new-ideas department? "I don't think there's any reason why you can't be as big as Goliath and as nimble as David," said Jim Andrew, a senior partner at the Boston Consulting Group, which publishes a yearly list of the world's top innovative companies in conjunction with Bloomberg Businessweek. This year, Apple, Google, Microsoft and IBM led the list. Facebook and Twitter were nowhere to be found.

"Big companies have a tremendous number of advantages that should allow them to actually be, I would argue, more innovative than a given smaller company," Andrew said.  The tech giants tend to have a wide range of products or services to offer -- meaning they can take bets on new ideas without risking their entire business, Andrew said. Start-ups, in contrast, tend to base their future on a single product or concept. They bet big, but most of them "end up dying," said Karim Lakhani, an assistant professor at Harvard Business School. "They go out there, they try different things and then there's a large, large failure rate," he said.

Both Lakhani and Andrew said it's easy for big companies to get too comfortable and forgo the risks that are necessary for innovation to occur. "As companies get bigger that latitude [for employees to be creative] often unfortunately gets taken over by more rigid management structures and more rigid philosophies," Lakhani said.

For those interested in exploring this dilemma further, mark your calendars for an upcoming workshop that will help you navigate the risks associated with innovation.  On January 11 & 12, Wheelhouse Advisors will conduct an executive workshop entitled Navigating Risk: From Crisis to Innovation. The workshop will be held at the highly renowned Old Edwards Inn & Spa in beautiful Highlands, NC.  For more information, email Navigate@WheelhouseAdvisors.com or call 404-805-9203.

Tuesday, November 2, 2010

SEC Seeks to Shed Light on Foreclosure Crisis

The U.S. Securities & Exchange Commission ("SEC") has entered the foreclosure fray by requiring publicly traded financial services companies to disclose their estimated risk of foreclosure-related losses. Here's what Bloomberg Businessweek reported on the recent SEC actions.
Lenders must disclose circumstances that they “reasonably expect” to have an “unfavorable impact” on financial results, the SEC said in a letter posted on the agency’s website today. The letter was sent because of “concerns about potential risks and costs associated with mortgage and foreclosure-related activities,” the SEC said. Federal regulators and attorneys general from all 50 states are investigating whether loan-servicing companies used improper procedures during foreclosure proceedings, including so-called robo-signers who didn’t check documentation. Investors such as Pacific Investment Management Co. have demanded that banks buy back faulty loans that were bundled into bonds.

These forced disclosures will shed more light on the potential dollar impact of an operational risk that was neither fully anticipated nor proactively managed.

Thursday, October 28, 2010

Obfuscating Operational Risk Management

Operational Risk Management is continuing to evolve as a key component of an Enterprise Risk Management ("ERM") program. However, it continues to be an area of great debate as a formal discipline due to its broad focus and impact across the business. One area that confuses and frustrates many businesspeople when confronted with operational risk is the notion of risk appetite vs. risk tolerance. In some cases, the two terms are used interchangeably. However, in other cases, risk appetite refers to the total amount of risk to be taken to achieve a given business objective and risk tolerance refers to specific risk limits associated with a given business activity. The Institute of Operational Risk has developed guidance that is practical and useful for risk practitioners in dealing with these terms. Here's their view.
In simple terms, expressing Operational Risk Appetite is a question of defining what is acceptable to an organisation and what is not. This could be achieved by deciding, for each type of risk, what is acceptable, what is unacceptable, and the parameters of the area between those two (i.e. what is tolerable).

Regardless of the way these terms are used, the key for operational risk managers is to help businesspeople understand risk in their own terms rather than in risk management vernacular. Otherwise, the focus will remain on terminology rather than what is really important - creating value for the business.

Tuesday, October 26, 2010

ERM Adds to Brand Image and Competitive Advantage

A recent report by the Aberdeen Group reveals the concerns of executives today and their interest in developing Enterprise Risk Management ("ERM") programs. The report includes survey results from 213 finance executives regarding their views of ERM.  One of the more telling results from the study is the listing of top catalysts for creating an ERM program (see figure 2 below). Rather than compliance requirements heading the list (as was the case for most companies before the financial crisis of 2008), now companies are more concerned about their brand image and competitive advantage. A close second on the list is the financial impact from the market upheaval as described in the report excerpt below.
With increased consumer and governmental scrutiny, today more than ever companies must be aware of events that directly impact their brand image. Maintaining credibility with investors and stakeholders can drive up the cost of capital; for publicly traded companies that are more regulated and expected to demonstrate good governance, this can translate to significant stock price movements and debt-rating downgrades.

Related to the issue of cost of capital, the economic upheaval also drove up the cost of credit and limited availability to the companies with the highest credit ratings. As capital is further constrained, businesses also need to be concerned about potential disruption and even failure.

The cost of not having an effective ERM program has certainly ratcheted up over the past few years.  The question now becomes "can you afford not to invest in an ERM program?"

Thursday, October 21, 2010

Fear of Innovation is a Huge Risk

At a time when crisis management has been the primary focus, no other industry is better positioned for an innovation leader to emerge than is financial services. Most financial services companies have retrenched and allowed their product development and technology to wither on the vine. Customers have suffered from sharp declines in service quality as a result. The company (or companies) with the fortitude to make significant investments in innovation will capture significant market share and greater profits. Three areas of innovation have been hot topics at this week's 2010 Bank Administration Institute's Retail Banking Conference.
1) The mobile phone is the new branch. Twenty-five percent of consumers have ditched their wireline phone and gone completely wireless. This of course puts increased pressure on banks to invest in mobile banking and payments. Yet except for remote check capture via mobile phones from banks like USAA, real innovation remains elusive. Most of the industry innovations are being driven not by banks, but by specialist companies like mFoundry, ClariMail, Monitise, Mocapay, PayPal, Bling and Obopay.  This while bankers complain that their major tech suppliers, including First Data, Fidelity, Fiserv and Jack Henry, are just not moving fast enough to meet their needs.
2) Social Networking is a dangerous tool for customer interaction but necessary. Banks get that social networking is here to stay. And many believe it has the potential to be something other than a digital version of a call center. But social networking is not a controlled environment and that scares bankers. It should. Sites like Twitter and Facebook provide a podium for every whack job to speak his or her mind. The benefactors of the uncertainties that retail banks have about how to use and measure social media effectiveness are likely IBM, SAS, SAP and Microsoft and could provide a watershed year for a slew of nimble-footed specialist firms who are building business to consumer (B2C) enterprise grade measurement and engagement tools.
3) Cloud Computing: the outlook remains cloudy. Instinctively it would seem that cloud computing technology would be a critical weapon to break down the line of business silos that exist in retail banks. This seems especially true given consumer demands to have an experience they value, on their terms, on the bank interaction channel of choice — online, mobile, ATM or branch, irrespective of the type of business a consumer wants to transact with the bank. Consumers value convenience and they want to define what convenience looks like. But banks seem crippled to navigate the abyss of implementation schemes, cost sharing, regulatory compliance, security and customer ownership issues.

Fear of innovation is a very real risk that many companies face in today's uncertain environment. The value of innovation is at its maximum during times of complexity and chaos. Those companies that work to escape the fear and embrace innovation will be the ultimate winners, while those that do not will suffer a painful fate.

Tuesday, October 19, 2010

Companies Are Thinking About Risks In New Ways

Why do some companies loathe risk management? Well, many will say because it is a bureaucratic exercise devoted to minimizing risks at the expense of future growth and innovation - and in many cases they are right. This is due to the way risk management as a discipline has evolved as well as how risk management practitioners have been taught. For better or worse, risk management tends to lean towards insurance and compliance or, in other words, ways to minimize risk and increase paperwork.

So, when board directors and senior executives hear the words "risk management", they immediately shift their focus to the more commonly held view and neglect the real value of the discipline. The real value of risk management comes from developing a keen understanding of the critical risks related to a company's strategic objectives. With this understanding, companies can leap-frog the competition by addressing risks in an innovative and unique manner.

Wheelhouse Advisors has developed a tool set to help companies jump-start their new approach to understanding risks. Known as The ERM Compass™, the tool set is designed to identify opportunities to improve a company's "risk mindfulness."  Risk mindfulness is a new way of viewing risks - a forward-looking and continuous approach that allows a company to use risk as a driver of intelligent growth and innovation.  The level of a company's risk mindfulness is measured using The ERM Compass™ Scorecard.  The Scorecard focuses on four primary areas of risk as they relate to a company's strategic objectives (see figure below). Scores are calculated for each risk area using five critical components of risk mindfulness. With the scores in hand, companies can easily determine the direction they need to take in order to increase their risk mindfulness and create value.

To learn more about The ERM Compass™ and to schedule a complimentary review, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Wednesday, October 13, 2010

Lessons Learned from the Foreclosure Crisis

The recent foreclosure crisis is just another chapter in the financial meltdown that began in 2007.  As a result of the frenzy to securitize mortgage loans back in the middle of the decade, the required paperwork to foreclose on a property is difficult, if not impossible, to retrieve. Now, financial institutions are finding that the outsourced foreclosure work is faulty at best and fraudulent in many cases. Here's what the Wall Street Journal reported today.
In recent days, some lenders named in the foreclosure inquiries have said they would no longer use the services of some of these law firms for new foreclosures. Ally Financial Inc.'s GMAC Mortgage has pulled business and dispatched executives and a new team of lawyers to Florida to ensure foreclosure cases are being handled correctly, according to a person familiar with the situation.

The law firms and a Lender Processing unit, Docx LLC, which did work at a suburban Atlanta office, handled the nitty-gritty paperwork necessary to verify key document batches, including ownership transfer of a loan, known as an assignment, and the amount owed by a borrower losing his home. That paperwork processing at the law firms and lenders allegedly didn't review all information needed, such as who owned the loan or borrower financial information, the Florida attorney general claims. The Florida attorney general's office is looking at possible use of "fabricated documents" used in foreclosure actions in court, according to the attorney general.

This situation provides a few lessons in risk management. First, it demonstrates the lingering effects of poor controls when dealing with massive amounts of transactions complicated by a highly complex securitization process. Second, it also shows that the operational risks to a given company extend well beyond its walls to its outsourcing partners' ability to properly control their business. Finally, with the crisis today clearly rooted in the actions of the past, it demonstrates the need for more forward-looking risk management programs.

Friday, October 8, 2010

NYSE Issues Corporate Governance Principles

The New York Stock Exchange ("NYSE") recently completed a report detailing the corporate governance principles that member companies should adopt in the wake of the financial crisis of 2008.  In the report, the NYSE's Commission on Corporate Governance defines the following ten fundamental corporate governance principles and focuses on the interrelationships of what it calls the three cornerstones of the corporation - boards, management and shareholders.
1. The board’s fundamental objective should be to build long-term sustainable growth in shareholder value for the corporation and its shareholders and the board is accountable to shareholders in its effort to achieve this objective.

2. While the board’s responsibility for corporate governance has long been established, the critical role of management in establishing proper corporate governance has not been sufficiently recognized.  The Commission believes that a key aspect of successful governance depends upon successful management of the company, as management has primary responsibility for creating an environment in which a culture of performance with integrity can flourish.

3. Shareholders have the right, a responsibility and a long-term economic interest to vote their shares in a thoughtful manner, in recognition of the fact that voting decisions influence director behavior, corporate governance and conduct, and that voting decisions are one of the primary means of communicating with companies on issues of concern.

4. Good corporate governance should be integrated with the company’s business strategy and objectives and should not be viewed simply as a compliance obligation separate from the company’s long-term business prospects.

5. Legislation and agency rule-making are important to establish the basic tenets of corporate governance and ensure the efficiency of our markets.  Beyond these fundamental principles, however, the Commission has a preference for market-based solutions whenever possible.

6. Good corporate governance includes transparency for corporations and investors, sound disclosure policies and communication beyond disclosure through dialogue and engagement as necessary and appropriate.

7. While independence and objectivity are necessary attributes of board members, companies must also strike the right balance between the appointment of independent and non-independent directors to ensure that there is an appropriate range and mix of expertise, diversity and knowledge on the board.

8. The Commission recognizes the influence that proxy advisory firms have on the market, and believes that such firms should be held to appropriate standards of transparency and accountability.  The Commission commends the SEC for its issuance of the Concept Release on the U.S. Proxy System, which includes inviting comment on how such firms should be regulated.

9. The SEC should work with the NYSE and other exchanges to ease the burden of proxy voting and communication while encouraging greater participation by individual investors in the proxy voting process.

10. The SEC and/or the NYSE should consider a wide range of views to determine the impact of major corporate governance reforms on corporate performance over the last decade.  The SEC and/or the NYSE should periodically assess the impact of major corporate governance reforms on the promotion of sustainable, long-term corporate growth and sustained profitability.

This report is a wonderful guiding resource for board directors and management who are looking to strengthen corporate governance in a meaningful and practical way. It also provides some great recommendations for government regulators who are looking to implement new rules.  If adopted fully, these principles will go a long way to returning the U.S. and its capital markets to a position of prominence.

Wednesday, October 6, 2010

Who Is Really to Blame?

Yesterday, the infamous Jerome Kerviel was sentenced to three years in prison and ordered to repay the estimated €4.9 billion that the French financial institution Société Générale lost as a result of his failed derivative trades. What is surprising to many who have weighed in on the verdict is the fact that the sole blame for the massive losses has been placed on the young trader. Here's one common view as reported in the New York Times.
“It’s a whitewash,” Bradley D. Simon, a white-collar criminal defense attorney at Simon & Partners in New York who specializes in securities and bank fraud, said of the verdict. “The evidence does not support absolving the bank completely,” he said. “This was a lot larger than Kerviel.”

Société Générale had admitted to management failures and weaknesses in its risk control systems. An internal audit published in May 2008 described Mr. Kerviel’s immediate supervisors as “deficient” and acknowledged that the bank had failed to follow through on at least 74 internal alerts about Mr. Kerviel’s trading activities dating to mid-2006.

While an appeal of the verdict is virtually guaranteed, the larger question remains. How can a situation like this unfortunate one be prevented in the future?  The answer certainly begins with stronger risk and control programs as demonstrated by the numerous weaknesses found at Société Générale.

Monday, October 4, 2010

Clues to Board Ineffectiveness

The Harvard Business Review published a provocative article last week about the shortcomings of board directors in today's post-financial-crisis environment. The article was written by Roger Martin, dean of the Rotman School of Management at the University of Toronto. Mr. Martin is a frequent writer and expert in the field of Design Thinking. According to Mr. Martin, the following are six indicators of a bad board member.
1) They complain about how hard Sarbanes-Oxley has made it to be a director. Guess what? It has also become hard to be an investor. And hard to be a public company auditor and a capital markets regulator. It's hard all over. If your directors complain that they don't have time on the board to talk about strategy and succession and other important management issues because the formal SOX procedures have crowded that out, you have mice not men (or women) on the board. Every person in every organization has the personal choice to be a value-added contributor or turn into a useless bureaucrat. Directors have that choice; nobody is putting a gun to their heads. If they complain, they are likely to be useless to you.

2) They complain about how the fees for being a director aren't high enough to compensate for the onerous work involved. You don't want a director on the board because they think it is great money. If they complain about the money, it is because they are obsessed about making money by being on boards and want it to be a lucrative gig. If they think it is great money, they won't do anything to rock the boat and risk losing that gig.

3) They are paid in the top tertile of peer boards. Boards set their own compensation. If board members set their compensation significantly above the median of peer boards, they want to make the board a lucrative gig and that is a bad thing, per the point above.

4) They express excessive pride over being on the board. This is likely to mean that they are enamored with the prestige of being on the board. If that prestige is important to their sense of self then they won't do anything to rock the boat and risk losing the prestige associated with being on the board.

5) They express enthusiasm for the enjoyable social atmosphere on the board. This means they will be inclined to avoid doing anything to rock the boat because that will reduce the enjoyment of the atmosphere on the board.

6) They express enthusiasm for the personal growth opportunities the board provides them. That is lovely for them, not for you.

As we continue to emerge from the rubble of the Great Recession, more companies will need to reflect on the effectiveness of their boards and, more importantly, their individual board members.

Friday, October 1, 2010

When Discussing Risk, Are Boards Well Informed?

Now that the economic outlook and regulatory uncertainties are beginning to stabilize, companies and their boards of directors are exiting crisis management mode and realizing the need for strong enterprise risk management programs to succeed going forward.  However, most board members in the U.S. still do not have a very good understanding of the enterprise risk management practices in their own companies.

A recent survey sponsored by the AICPA and the CIMA and conducted by North Carolina State University demonstrates this fact.  According to the survey, only 39% of U.S. companies indicated that top risk exposures facing the organization are formally discussed when the board of directors discusses the organization’s strategic plan. That’s compared with over 60% of global competitors who are discussing the top risk exposures.

There may be several reasons for this lack of risk discussion in the boardroom. First, the board members may simply be avoiding the risk discussion by placing implicit trust in senior management. The board members may also lack the interest and/or the requisite experience to engage senior management in a healthy debate. Most likely, however, the company is not in a position to have a risk discussion because it lacks the supporting enterprise risk management program to provide a clear articulation of the company’s risk profile. So, the board of directors and senior management are left to review the strategic plan in a vacuum.

Most of these companies are reluctant to invest in an enterprise risk management program because they fear the onslaught of bureaucratic processes akin to the very early days of Sarbanes-Oxley compliance.  To be truly successful at providing the right risk information, the program should be highly practical and business-focused rather than a grandiose compliance exercise.  It also should be enabled through an intuitive, integrated business process and technology platform such as OpenPages’ Enterprise Risk Management solution set.

For board members who are interested in determining whether they are headed in the right direction when it comes to risk, Wheelhouse Advisors has developed a helpful roadmap called The ERM Compass™.   The ERM Compass™ is a simple, straightforward guide that will provide board members with valuable questions and insight to drive effective boardroom risk discussions.  If you are interested in learning more, send an email inquiry to NavigateSuccessfully@WheelhouseAdvisors.com.

Tuesday, September 28, 2010

Harvard Professor Agrees that Companies Need a Risk Scorecard

Earlier this year, Harvard professor Robert Kaplan (the originator of the Balanced Scorecard used by many companies in setting strategy and managing their businesses) sat down for an interview to discuss how companies can learn from the latest financial crisis. His answer to an inquiry into what has been lacking at companies is quite interesting and consistent with the thoughts of this blog. Here's what he had to say.
If I had to say there was one thing missing that has been revealed in the last few years, it's that there's nothing about risk assessment and risk management. My current thinking on that is that I think companies need a parallel scorecard to their strategy scorecard - a risk scorecard. The risk scorecard is to think about what are the things that could go wrong? What are hurdles that could jump up, and how do we get early warning signals to suggest when some of these barriers have suddenly appeared so you can act quickly to mitigate that. [Risk management] turned out to be an extremely important function that was not done well by many of the [financial services] companies we talked about earlier. Risk management was siloed and considered more of a compliance issue and not a strategic function. Now we see that identification, mitigation and management of risk has to be on an equal level with the strategic process.

Professor Kaplan is right on point with what is needed today by companies in the complex, globally competitive world we live in. Wheelhouse Advisors has developed The ERM Compass™, a simple, straightforward roadmap for companies looking to develop a risk scorecard. If you are interested in learning more, please email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Thursday, September 23, 2010

ERM Focus is Global

The increasing emphasis on enterprise risk management (ERM) in the wake of the latest financial crisis is global.  As evidence, the Institute of Actuaries of Australia conducted a survey last week on ERM practices with the following results.
The online Enterprise Risk Management (ERM) survey was conducted by the Institute of Actuaries a week before its ERM seminar held in Sydney yesterday. It showed that while more than 85 per cent of respondents, comprising senior financial services executives, actuaries and risk managers, revealed a heightened awareness of risk management, they still saw weaknesses in a number of risk management areas.

Some 60 per cent said the area of most improvement was reporting at board level, 50 per cent stated the greatest improvement was in risk governance processes and 50 per cent stated that the risk culture had changed and people were more likely to speak up about possible risks.

As companies and individuals become more interconnected across the globe, this added emphasis on ERM is critical in helping avert a crisis as severe as the last.

Tuesday, September 21, 2010

Boards Take the Lead on Risk Management

The Conference Board published a report this month about best practices in public company risk oversight. The report compiled interview insights from  20 members of U.S. public company boards, representing a variety of business sectors (including manufacturing, high tech, real estate, food services, retail, telecommunications, air travel, energy, health care, and banking) and ranging in size from $150 million to over $30 billion in revenues. The report ultimately demonstrates the need and desire of corporate boards to take the lead in improving risk oversight. The following ten insights are noted in the report with actual board member quotes in italics.

  1. Assign the responsibility of risk oversight to the full board and the burden of risk oversight to the right committee(s). ("We are all collectively responsible for risk," said a board member, while another added: "Audit committees tend to have a checklist approach to risk oversight, which is dangerous; not enough prioritization, not enough of a business angle.")

  2. Consider the full breadth of material risks that can impact the company. ("We benchmark against a range of companies to make sure we think.")

  3. Push for a deep understanding of the key risks. ("We spend a lot of time reviewing the numbers and understanding risk processes: where the key numbers come from, how they get into the reports.")

  4. Secure the right expertise on the board. ("Transformation of our risk approach was driven by two board members with risk experience elsewhere.")

  5. Nurture a healthy tension borne by diversity. ("The biggest change we made in risk management over the last few years is focusing on having the most diverse board possible.")

  6. Engage the broad management team. ("The board needs to interact with management in an open manner, not just hear what has been rehearsed three times.")

  7. Embed risk discussions in all board processes. ("Every initiative presented to the board concludes with a simple page with three to four bullets on the key risks.")

  8. Avoid the "bureaucratic trap"—more substance, less process. ("When you ask an executive to go in depth on a specific risk and you get a blank stare, you know risk management has become too bureaucratic.")

  9. Make risk management actionable, not just an exercise. ("Follow-up is critical—managers come back to the board and are asked 'tell me what you have done'—it is more than just a plan.")

  10. Take ownership of improving risk management in the organization. ("To make risk management a success at our company the board had to get involved—we never gave up.")


This represents the new shift by boards to become more risk focused.  How does your company stack up against these best practices?  What other insights should be included on the list?  How do you engage senior management to embrace practices such as these?  If you are interested in joining the discussion, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Friday, September 17, 2010

New SEC Rules Are a Sign of the Times

According to a report today in the Wall Street Journal, the Securities and Exchange Commission is set to issue new disclosure rules for companies looking to reduce debt levels at the end of each quarter simply for reporting purposes. Inquiries into the use of repurchase agreements by financial services companies have revealed the widespread practice of reducing debt levels artificially.  Here is what the WSJ has discovered.



Federal regulators are poised to propose new disclosure rules targeting "window dressing," a practice undertaken by some large banks to temporarily lower their debt levels before reporting finances to the public.

The Securities and Exchange Commission is scheduled to take up the matter at a meeting Friday and is expected to issue proposals for public comment. The action follows a Wall Street Journal investigation into the practice, which isn't illegal but masks banks' true levels of borrowing and risk-taking.

A Journal analysis of financial data from 18 large banks known as primary dealers showed that as a group, they have consistently lowered debt at the end of each of the past six quarters, reducing it on average by 42% from quarterly peaks.

New rules like these are certainly a sign of the times and companies must be prepared for more to come.  To learn how Wheelhouse Advisors can help you prepare, visit www.WheelhouseAdvisors.com.





Tuesday, September 14, 2010

Risk Oversight at U.S. Companies Lags Behind

The American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA) just released a study about the current state of enterprise risk oversight at major corporations across the globe. The findings of the study, which was conducted independently by North Carolina State University, demonstrate the disparity in progress made by U.S.-based companies versus the rest of the world. The following are a few of the more telling results.


  1. 84% of U.S. respondents assessed their risk oversight processes as ranging from very immature to only moderately mature. In contrast, 61% of the global respondents assessed their risk oversight as falling in those ranges. Only 1.5% of U.S. respondents and 8.2% of global respondents assessed their risk management oversights as ‘very mature/robust.’

  2. There seems to be a noticeable difference in the extent that top risk exposures facing the organisation are formally discussed when the board of directors discusses the organisation’s strategic plan. Over 60% of global respondents indicated that the extent of discussion about top risk exposures facing the organisation was extensive to ‘a great deal.’ In contrast, only 39% of U.S. respondents rated the level of discussion to that extent.

  3. 46% of global respondents describe their risk oversight process as systematic, robust, and repeatable in contrast to 11% of U.S. respondents who believe they have a complete enterprise-wide risk management process in place.

  4. Most organisations have not formally designated an individual to serve as chief risk officer or equivalent, although global respondents indicated a higher occurrence (31%) in contrast to U.S. respondents (23%).

  5. 50% of global respondents and just under one-third of U.S. respondents indicate that their boards of directors are increasing ‘extensively’ or ‘a great deal’ their focus on risk management activities and processes.


Based on these results, it is apparent that U.S. companies are lagging behind the rest of the world when it comes to risk oversight. In order to successfully compete on the global stage, U.S. companies must begin to narrow the gap with increased investment in enterprise risk management programs. Otherwise, a significant competitive advantage in managing risks in an increasingly complex world will be ceded to others.


Saturday, September 11, 2010

Big Event in Basel

A major event for financial services companies across the globe is happening this weekend in Basel, Switzerland. Regulators from 27 countries are meeting there to finalize new rules that will impact how banks manage risk in the future. Known as "Basel III", the new set of rules is a direct response to the financial crisis that began over two years ago. The rules will take time to implement, but they are a significant shift from the Basel II Accord that allowed individual banks to determine their own capital levels based on their own internal rating system. The Wall Street Journal reported the following today.
Convening in the Swiss city of Basel, the officials are hoping to cinch a deal this weekend. In one of the most far-reaching steps, the current proposal would require global banks to maintain basic levels of capital equal to at least 7% of their assets—much more than existing standards of roughly 4% for large U.S. banks.

The effort would transform banking, potentially forcing banks to take fewer risks, make less profit and face more government scrutiny. It comes nearly two years after the chaotic bankruptcy of Lehman Brothers convulsed the global economy and led to taxpayer-funded bailouts world-wide. U.S., European and Asian officials hope an accord will create new global standards designed to firm up the foundations of large international banks.

The hope of the Basel Committee on Banking Supervision is that the new rules will create a financial system that is more resilient and able to withstand future crises.  Only time will tell if this will be the case.

Thursday, September 9, 2010

The CIA of Finance?

One of the new creations from the Dodd-Frank Act of 2010 is the Office of Financial Research within the U.S. Department of Treasury. This new office's mission is to delve into the inner workings of the financial system to identify potential systemic risks. That means they have the power to secure any and all confidential information from financial services companies. As a result, many view the new office as another CIA. Bloomberg Businessweek provided the following view in an article this week.
In a nod to its abilities to peer into the uncharted depths of the financial system, lobbyists are calling it the CIA of financial regulators. The analogy may not be far off. Housed within the Treasury, the office will have both data collection and analysis arms. The law says it can demand "all data necessary" from financial companies, including banks, hedge funds, private equity firms, and brokerages. That would include previously secret details such as who the counterparties are for credit default swaps and information on individual loans such as interest rate and maturity. If companies aren't forthcoming, the director of the office can issue subpoenas. Providing the staff support to the new Financial Stability Oversight Council—and holding a nonvoting seat on the council, which will monitor the banking system for risks—the research office can require companies to submit "periodic reports" to help it determine which firms to keep tabs on.

Proponents say the office's central mission is to help spot the next financial crisis as it is forming. "This gets to the essence of what really causes problems," says Clifford Rossi, a former chief risk officer at Citigroup (C) now with the University of Maryland's Center for Financial Policy. "No single agency was really looking holistically across the entire system, going 'holy smokes, we've got a bubble of monumental proportions here.' "

With new powers such as these, the U.S. government is increasing the level of regulatory risk for financial services companies and will certainly create a new sense of paranoia in the corporate world.

Monday, September 6, 2010

Now is a Great Time to Discuss Risks for 2011

As we start to wrap up the third quarter of 2010 and begin to finalize budgets and forecasts for 2011, it seems very appropriate to examine the big risks that are impacting companies and the overall economy. A recent report by Ernst & Young on the top ten risks for 2010 is a great starting point for these types of discussions. Below is their list for 2010, which will most likely change dramatically in 2011.



  1. Regulation and compliance has resumed the Number 1 spot it last held in 2008, with concerns about this risk voiced across the majority of sectors. One of the most current worries among businesses is that the uncertainty surrounding regulation is stalling business decision-making and planning. (Rising from Number 2 in the 2009 report.)

  2. Access to credit - Although this risk remains high, viewpoints regarding the availability of credit varied across sectors, with some interviewees indicating that the threat has receded. However, rising levels of government debt may have a strong impact on the cost of credit in the future. (Falling from Number 1 in the 2009 report.)

  3. Slow recovery or double-dip recession - Although the financial crisis has abated, a fiscal crisis has emerged in its place. There is no guarantee that global growth will be sustained if stimulus packages are withdrawn. (No change from the 2009 report.)

  4. Managing talent - Companies face a number of threats linked to the management of human capital. The global war for talent continues to pose a challenge in some sectors, the approaching retirement of the baby boomers looms over others, and the debate over compensation structures is ongoing, especially in the financial sector. (Rising from Number 7 in the 2009 report.)

  5. Emerging markets - With emerging economies likely to dominate global growth, succeeding in these markets has become a strategic imperative. (Rising from Number 12 in the 2009 report.)

  6. Cost cutting - Although this risk remains at Number 6, specific concerns among sectors have shifted from last year. Commodity price inflation and pressure from low cost competitors are now rising challenges. However, pressures to control costs to preserve financial viability have receded. (No change from the 2009 report.)

  7. Non-traditional entrants - This risk fell two places from 2009, as higher costs of capital and declining demand sapped the strength of some emerging competitors. Further, incumbent firms in transitioning sectors, having had some years to adjust to new entrants, have been able to shore up their positions. (Falling from Number 5 in the 2009 report.)

  8. Radical greening - In the current economic climate, environmental issues are not at the top of the agenda, and this challenge has slipped down the rankings this year. However, companies continue to strive to stay ahead of shifting consumer preferences and government regulation. (Falling from Number 4 in the 2009 report.)

  9. Social acceptance and corporate social responsibility (CSR) have become increasingly important over the last decade and it is not a surprise to find this risk entering the top 10 this year. In the current business climate, where there are continuing reputational threats and a rising political backlash, firms will need to tread carefully to maintain (or rebuild) the trust of the public. (New this year.)

  10. Executing alliances and transactions - Over the past year there has been a noticeable decline in merger and acquisition activity as finance has become costly. However, rescue mergers in the wake of the financial crisis and regulatory changes that may force new transactions remained topical. (Falling from Number 8 in the 2009 report.)




How do you see the list evolving next year?  Those who predict the changes and manage the risks successfully will have a significant competitive advantage resulting in major gains.  Those who do not have a forward-looking view of how these changing risks will impact their business will suffer as a result.  If you are interested in having a facilitated risk discussion, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Wednesday, September 1, 2010

New SEC Rules Serve as a Warning to Boards

Large U.S. corporations were recently placed on notice by the Securities & Exchange Commission ("SEC") that shareholders will have a larger voice in determining board members going forward.  Just last week, the SEC adopted new proxy access rules that could have a significant impact on companies who anger their shareholders by not managing their risks well.  Crain's New York had a very interesting report on the potential impact of the changes on companies like Goldman Sachs.  Here's their view.
Goldman Sachs is target No. 1 for activist investors looking to shake up corporate boards now that the Securities and Exchange Commission has made it easier for shareholders to nominate directors.  Corporate governance activists are looking to replace Goldman directors at the firm's annual meeting next spring unless the board strips Chief Executive Lloyd Blankfein of his position as chairman.

The SEC determined that investors can nominate their own directors if they own as little as 3% of a company's stock and can combine their holdings with other shareholders to reach the threshold. It's a sea change for board elections, where candidates in most cases are selected by management only. While investors are limited to nominating 25% of directors in any year, the power they've been granted by the government is considered so worrisome that the U.S. Chamber of Commerce is threatening to sue.

Boards and senior management need to ensure that they are working well together to anticipate risk events like the one Goldman Sachs experienced to protect their shareholders and their positions.  The best way to achieve this goal is to have a strong enterprise risk management program in place.  To learn more about how Wheelhouse Advisors can help your company implement a strong ERM program, visit www.WheelhouseAdvisors.com.

Monday, August 30, 2010

Integrated ERM Becomes Critically Important to CFOs

Chief Financial Officers in corporations across the globe are becoming more involved in how their enterprises are managing both risk and information. There are many reasons for their greater involvement. However, the primary reason is that both risk and information have been managed historically in a fragmented way. As a result, the CFO has had great difficulty in understanding the broader financial implications of risk and performance across the enterprise. This need has been highlighted by IBM in their 2010 Global CFO Survey. The survey notes that from 2005 to 2010, there has been a 93% increase in the number of CFOs who view risk management as critically important and a 109% increase for those who view information integration as critically important (see chart below). These results from more than 1,900 CFOs demonstrate the pressing need for more integration and, as you can read below, the changing role of the CFO.

Across the Finance agenda, two activities – information integration and risk management – have become remarkably more prominent. Since 2005, the importance of integrating information has more than doubled, mirroring the exponential rise in information volume and velocity within businesses today. As one CFO from China asserted, “If I had complete freedom, integration of information would be my number one priority. Unfortunately, there are too many IT and business unit barriers at present.”


Among CFOs, managing enterprise risk also garners almost twice the attention it did in 2005. This is not a recent reaction. Back in our 2008 study, CFOs acknowledged serious shortcomings with risk management. Two out of three companies with revenues over US$5 billion had encountered material risk events within the prior three years. Of those, 42 percent admitted they were not well prepared.

We believe this sharp rise in the importance of risk management is further evidence of CFOs’ expanding purview. Finance leaders are no longer focused solely on financial risk but are becoming more involved in mitigating corporate risk in all its many forms – whether strategic, operational, geopolitical, legal or environmental. All forms of risk ultimately have a financial consequence, which is why it is essential for CFOs to be engaged in risk management.


With strategic partners such as Apptio, Approva and OpenPages, Wheelhouse Advisors can provide a total solution for CFOs who are seeking an integrated enterprise risk management platform.  For more information, please visit www.WheelhouseAdvisors.com or email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Thursday, August 26, 2010

FASB Chairman Steps Down

Yesterday, Robert Herz, Chairman of the Financial Accounting Standards Board ("FASB"), announced his resignation amidst a number of critical issues requiring resolution by the board.  It is interesting timing given that Mr. Herz had two years remaining for his term as Chairman.  It certainly adds to the uncertainty about the direction the board will take in the areas of mark-to-market accounting and the convergence of GAAP and IFRS.  Here is the Wall Street Journal's view.
Mr. Herz's departure, set for Oct. 1, also comes as the body is enmeshed in a battle over a proposal to expand the use of mark-to-market accounting, which requires companies to use market prices rather than management estimates to value financial holdings. Some investors say this practice brings a more realistic view to the numbers that public companies report, but banks have vigorously opposed the practice. They say it will introduce unnecessary volatility into results and exacerbated the financial crisis.

At the same time, Mr. Herz's departure may affect the board's ability to complete projects designed to bring together its rules and those set by the London-based International Accounting Standards Board. Mr. Herz's long-stated goal was to make both accounting regimes similar enough that U.S. public companies could abide by the international standards.

Mr. Herz may be stepping down now rather than succumb to continuing political pressure being placed on the board. We may never know if that is the case, but one thing is certain: the new Chairman will have his or her hands full when they begin their term.

Wednesday, August 25, 2010

Many Financial Services Companies Lack a Clear Risk Strategy

In a recently published study by the Economist Intelligence Unit, the current maturity of risk management practices in financial services companies is examined. For long-time readers of this blog, most of the key findings (see a complete list below) will not be surprising.  According to the study, companies have realized the need for greater investment in risk management, both in terms of people and technology.



However, a surprising 40% of companies have yet to define their overall risk strategy. This may indicate that some companies are taking a "bottom-up" approach to improving their risk management practices. By doing so, these companies will ultimately spend more time and money on risks that may not be material or emerging as a future threat. Senior management and board members of these companies should refocus efforts to address risks that are inherent in the strategic objectives of the overall enterprise.


Key Findings



  1. Confidence levels are high but there is a risk of complacency. Financial institutions are feeling much more confident about the future compared with 12 months ago. Around three-quarters of respondents believe that prospects for revenue growth over the next year are good, whereas 68% are positive about the prospects for profitability. These levels of confidence, which are around double the levels reported in a similar survey conducted last year, reflect a widely held view that the financial system has stabilised. There is a risk of complacency, however. As governments withdraw stimulus packages and liquidity support for the financial sector, revenues and profitability could yet fail to meet expectations.

  2. The focus on regulatory compliance could distract attention from emerging risks. Around the world, regulators have stepped up their scrutiny of financial institutions. While few people would argue against a tougher regulatory regime in financial services, respondents to the survey highlight uncertainty regarding regulation as the main barrier to effective risk management. There is a danger that the focus on compliance could be “crowding out” day-to-day risk management at a time when formerly low probability risks, such as sovereign debt crises, are becoming more commonplace.

  3. A clearly defined risk strategy is in place at most institutions, but significant areas of weakness remain. Investment in risk management is increasing almost across the board, with risk processes, data, information systems and training being key areas of focus for the majority of institutions. Six out of 10 respondents now say that they have a clearly defined risk strategy in place at their organisations that is updated on a regular basis. However, this still leaves a worrying 40% whose companies do not conduct regular updates or do not have a clear risk strategy in place.

  4. Banks and insurers are filling gaps in risk expertise with investment in training and recruitment. Respondents recognise that shortfalls in the quality and quantity of risk experts have been an important part of the problem in risk management. Asked about key areas in which shortcomings need to be addressed, respondents list issues related to expertise as three of their top four priorities. More than one-half of respondents say that they are increasing their investment in training, both of risk professionals and across the broader business, and a similar proportion say that they are spending more on recruitment.

  5. Financial institutions need to further improve data quality and availability. An over-reliance on risk models, and problems with the data used to populate those models, have been widely seen as a key failure in financial risk management. Financial services firms recognise that data quality and availability need to improve further. Collecting, storing and aggregating data is an area of weakness for many institutions, with only 39% of respondents believing that they are effective at all these activities.

  6. The silo-based approach to risk management continues to pose problems. In the days leading up to the financial crisis, the separation of risk management into separate departments led many financial institutions to underestimate risk concentrations and correlations. Even now, less than one half of respondents to our survey are confident that they understand the interaction of risks across business lines and poor communication between departments is seen as a key barrier to effective risk management.



Thursday, August 19, 2010

The Risks of Cloud Computing

As we emerge from the economic downturn, more and more companies are considering “cloud computing” solutions as a way to keep information technology costs under control.  However, some companies are fearful of the unknown aspects of managing information within the cloud.  These fears may be justified, but they can certainly be alleviated by conducting a thorough risk assessment and vendor due diligence exercise prior to venturing into the cloud.

It all starts with what the company is looking to achieve through cloud computing and whether the investment is worth the risk.  For example, will the application hosted in the cloud be customer facing and subject to strict regulatory standards?  If so, then the risk assessment should include the probability and impact of events such as a data breach or unplanned downtime.

Once the risk assessment has been completed and the investment decision has been made, then a comprehensive due diligence exercise should be conducted.  Some vendors may suggest simply relying on their SAS 70 report from their external auditing firm rather than performing a due diligence exercise.  While SAS 70 reports are useful, they are not specific to the relationship between the two companies.  It is imperative that the following areas are examined in relation to a company’s current information security policies and overall operating expectations.

  1. Organizational and Human Resource Security

  2. Access Control

  3. Asset Management

  4. Physical and Environmental Security

  5. Operations and Change Management

  6. Disaster Recovery and Business Continuity

  7. Privacy

  8. Regulatory Compliance


Like any other partnership or outsourcing agreement, the time to address potential risks and issues with cloud computing is at the very beginning of the relationship.  By doing so, both the company and the vendor will benefit from the opportunity to understand each other’s expectations.  It will also serve as the foundation for a successful cloud computing solution.

If your company would like to learn more about performing a cloud computing risk assessment and due diligence exercise, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, August 16, 2010

The Quality of Internal Auditing is Critical

Over the past decade, great emphasis has been placed on determining the quality and effectiveness of risk and control programs. It started with Sarbanes-Oxley compliance and has gained new meaning and momentum as a result of the financial crisis of 2008.  However, as is often said, beauty is in the eye of the beholder. In this case, the beholder is often the Internal Audit (“IA”) function since the evaluation of the quality and effectiveness of the risk and control program typically rests with the Internal Audit function within a company. So, to ensure that your company is performing a quality evaluation, your company must have a solid understanding of the quality of its IA function.

Best practice dictated by the Institute of Internal Auditors requires an independent quality assessment of the IA function at least once every five years.  A more frequent assessment may be considered if significant changes have occurred that affect how the IA function performs its responsibilities – e.g. change in IA leadership and/or oversight, change in IA methodology, significant merger and/or acquisition, etc.

The quality assessment should address the following objectives:

  1. Assess the effectiveness of an IA function in providing assurance and consulting services to the board, senior executives, and other interested parties. This includes the adequacy of the IA activity’s charter, goals, objectives, policies and procedures as well as the IA activity’s contribution to the organization’s governance, risk management and control processes.

  2. Assess conformance to the Institute of Internal Auditors’ Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“Standards”) and provide an opinion as to whether the IA activity generally conforms to all.

  3. Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive (“CAE”) and staff for improving their performance and services and promoting the image and credibility of the internal audit function.


In addition, a well-designed quality assessment will include an evaluation of the following key IA function elements:

  1. The expectations of the IA activity expressed by the board, executive management, and its other “customers” (i.e., management of operational and support units).

  2. The entity’s control environment and the CAE’s audit practice environment.

  3. The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise.

  4. The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of the entity as a whole.

  5. The International Standards for the Professional Practice of Internal Auditing.

  6. The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities.

  7. The tools and techniques employed by the department, with emphasis on the use of technology.


The final key element is often the one that receives the least focus, but it can yield the greatest benefit to the IA function and the company as a whole.  By automating the IA management processes such as scheduling, planning, workpaper preparation, reporting and issue follow-up, IA functions can dramatically increase their ability to perform their responsibilities in concert with a company’s operation and risk profile.  Open Pages’ Internal Audit Management solution is a great example of a solid platform that can support a high quality IA function.

If you are interested in learning more about conducting an IA quality assessment for your company, please email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Friday, August 13, 2010

Risk Management Receiving More Attention & Investment

The New York Times reported this week that senior executives at major corporations are now investing more time and money to develop effective risk management practices at their companies.  Here is what they had to say.
Corporate leaders are focusing more attention on risk management after excessive risk-taking during the boom times helped bring about the global financial crisis, according to a survey of senior executives by Korn/Ferry International, the world’s largest recruiting firm. About 57 percent of senior executives surveyed said their companies were spending more time dealing with risk management, while 26 percent said there had been no change at all. Only 14 percent said their companies were actually spending less time on risk management.

The chief executive is usually called out first if a company runs into trouble with its risk management. That led to some prominent resignations in the banking sector in 2007, including E. Stanley O’Neal from Merrill Lynch and Charles O. Prince III from Citigroup.  Corporate boards are largely seen as weak when it comes to making tough decisions, especially in cases where the chief executive is also the chairman. The study indicates that boards today are more aware of how important risk management is to a company’s survival than they were during the boom times.

The reasons for this increase in investment should come as no surprise given the crisis we have experienced. However, it is imperative that the focus remains on risk management long after the crisis has faded from our memories. Otherwise, the increased investment will certainly be wasted.

Monday, August 9, 2010

H-P CEO Resignation Highlights a Bigger Risk

Hewlett-Packard's announcement last week that its CEO had resigned as a result of code of conduct violations was a clear sign that corporate boards are taking their governance role more seriously.  However, in the aftermath of the resignation, a bigger and more pervasive risk throughout many corporate C-suites has been highlighted - the lack of a clear succession plan.  Here is what the Wall Street Journal reported today.
In the wake of Chief Executive Mark Hurd's sudden resignation, Hewlett-Packard Co. has declared that its focus on business remains intact. But its CEO's unexpected departure reopens questions about H-P's strategy and succession that had largely been absent over the past few years. On Friday, confidence over Hewlett-Packard's prospects appeared to slip following Mr. Hurd's resignation—which stemmed from misuse of corporate expense accounts, uncovered in an investigation into allegations of sexual harassment by an actress named Jodie Fisher who was hired as an event-planning contractor for H-P. The news, released after stock markets closed Friday, shocked investors and caused H-P shares to plunge 8.3% to $42.48 in after-hours trading.

Given the limited number of qualified external CEO candidates, it is imperative for companies to build their bench strength to support their succession plan in the event of a CEO's or other senior executive's untimely exit.

Thursday, August 5, 2010

Geithner Issues a Call to Action

U.S. Treasury Secretary Timothy Geithner delivered a speech this week at New York University's Stern Business School to kick off the massive effort to craft new financial regulations to comply with the Dodd-Frank Act of 2010.  In his speech, he promised to streamline and simplify the rules while working to codify them at an expeditious pace.  He also provided the following call to action for the financial services industry.
For the financial industry, your core challenge is to restore the trust and confidence of the American people and your customers and investors around the world. You will have to make your own decisions about how best to do that, but, I thought, given that I'm here in New York, I'd offer a few suggestions as an interested observer.

Don't wait for Washington to draft every rule before you start changing how you do business. Get ahead of the process and out in front of your competitors. Find new ways to improve disclosure for your consumers.  End hidden fees. Don't push people into loans they can't afford.

Demonstrate to your business customers – small and large – that after running for cover during the peak of the crisis you are ready and willing to take a chance on them again. Change how you pay your executives so you are not rewarding them for taking risks that could threaten the stability of the financial system.

Make sure you have board members who understand your business and the risks you are taking. And, focus on improving your financial position so that your financial ratings, your cost of capital, the amount you have to pay to borrow, all reflect your own financial strength and earnings prospects, not the false expectation that the government will be there in the future to rescue you.

You can do all of that right now, even before the first new rule of financial reform is written.

Secretary Geithner is right to encourage banks to move now in the right direction as opposed to waiting for the rules to be written.  Doing so will not only better prepare the companies for the change to come, but will also provide a significant competitive advantage that will surely result in a similar increase in shareholder value.

Tuesday, August 3, 2010

Standard & Poor's Emphasizes ERM Importance

Since September 2008 when this blog was launched, Standard & Poor's has been evaluating enterprise risk management ("ERM") practices at both financial and non-financial companies as part of their credit rating evaluation process. Recently, Standard & Poor's issued a white paper discussing the importance of ERM and clarifying its review process of non-financial companies.  The white paper also contains a list of Frequently Asked Questions that provides a better understanding of the nature and scope of the reviews.  Here is their view of the importance of ERM today.

Managing enterprise-wide risks and capitalizing on opportunities are fundamental responsibilities of senior executives at all firms. Standard & Poor's Ratings Services' corporate credit ratings include evaluations of those managers' strategies, effectiveness, and credibility. These evaluations help us develop forward-looking opinions on credit strength by supplementing our fundamental analysis of the company's business and financial risk profile. Beginning in September 2008, we widened the scope of our analysis of some non-financial companies' management to enhance our review of managers' ability to identify, monitor, and manage key risks -- those endemic to its industry and those that managers elect to take when running their businesses. Specifically, we started to look at how a firm's culture (communications, structures, incentives, and risk appetite) affects the quality of its decisions and at the role risk considerations play when making strategic decisions. The public spotlight on risk management has intensified since we began this initiative.




  1. The U.S. Securities and Exchange Commission (SEC) now requires that proxy statements that public companies file include disclosure of risk-based compensation policies, the role of the board of directors in risk oversight, and the nature of communications between executives and the board on risk issues.

  2. The National Association of Corporate Directors' Blue Ribbon Report on Risk Governance urges boards to assess risk in strategy, closely monitor risks in culture and incentives, and consider emerging risks to the firm's business.

  3. The International Organization for Standardization's ISO 31000 family of risk management standards define a common global approach to risk management.




Greater public scrutiny follows the extended global recession and accompanying wave of corporate defaults -- grim reminders of the consequences of unpreparedness and weak risk management.

Given the increased importance and added scrutiny, ERM is certainly a critical success factor for all companies today. If you are interested in how your ERM program measures up, Wheelhouse Advisors can provide a quick, complimentary diagnostic review.  To learn more, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Thursday, July 29, 2010

The Time for ERM is Now

The Dodd-Frank Act of 2010 that was recently signed into law by President Obama will require not only banks but also nonbank financial companies to have a formal risk committee and enterprise wide risk management program. Specifically, the Act has a mandatory provision for public companies with total assets greater than $10 billion to have these risk management practices in place and an option for the Federal Reserve to require public companies with fewer assets to have the same.  Here is an excerpt directly from the new law pertaining to the new risk committee requirement.

RISK COMMITTEE.—A risk committee required by this subsection shall—


(A) be responsible for the oversight of the enterprise wide risk management practices of the nonbank financial company supervised by the Board of Governors or bank holding company described in subsection (a), as applicable;

(B) include such number of independent directors as the Board of Governors may determine appropriate, based on the nature of operations, size of assets, and other appropriate criteria related to the nonbank financial company supervised by the Board of Governors or a bank holding company described in subsection (a), as applicable; and

(C) include at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.



These requirements will become effective in one year, so the time is now to begin working on your enterprise risk management practices.  Wheelhouse Advisors is uniquely qualified to help companies establish a practical, business-focused risk management program that is cost-effective.  Visit www.WheelhouseAdvisors.com to learn more.