Monday, August 30, 2010

Integrated ERM Becomes Critically Important to CFOs

Chief Financial Officers in corporations across the globe are becoming more involved in how their enterprises are managing both risk and information. There are many reasons for their greater involvement. However, the primary reason is that both risk and information have been managed historically in a fragmented way. As a result, the CFO has had great difficulty in understanding the broader financial implications of risk and performance across the enterprise. This need has been highlighted by IBM in their 2010 Global CFO Survey. The survey notes that from 2005 to 2010, there has been a 93% increase in the number of CFOs who view risk management as critically important and a 109% increase for those who view information integration as critically important (see chart below). These results from more than 1,900 CFOs demonstrate the pressing need for more integration and, as you can read below, the changing role of the CFO.

Across the Finance agenda, two activities – information integration and risk management – have become remarkably more prominent. Since 2005, the importance of integrating information has more than doubled, mirroring the exponential rise in information volume and velocity within businesses today. As one CFO from China asserted, “If I had complete freedom, integration of information would be my number one priority. Unfortunately, there are too many IT and business unit barriers at present.”


Among CFOs, managing enterprise risk also garners almost twice the attention it did in 2005. This is not a recent reaction. Back in our 2008 study, CFOs acknowledged serious shortcomings with risk management. Two out of three companies with revenues over US$5 billion had encountered material risk events within the prior three years. Of those, 42 percent admitted they were not well prepared.

We believe this sharp rise in the importance of risk management is further evidence of CFOs’ expanding purview. Finance leaders are no longer focused solely on financial risk but are becoming more involved in mitigating corporate risk in all its many forms – whether strategic, operational, geopolitical, legal or environmental. All forms of risk ultimately have a financial consequence, which is why it is essential for CFOs to be engaged in risk management.


With strategic partners such as Apptio, Approva and OpenPages, Wheelhouse Advisors can provide a total solution for CFOs who are seeking an integrated enterprise risk management platform.  For more information, please visit www.WheelhouseAdvisors.com or email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Thursday, August 26, 2010

FASB Chairman Steps Down

Yesterday, Robert Herz, Chairman of the Financial Accounting Standards Board ("FASB"), announced his resignation amidst a number of critical issues requiring resolution by the board.  It is interesting timing given that Mr. Herz had two years remaining for his term as Chairman.  It certainly adds to the uncertainty about the direction the board will take in the areas of mark-to-market accounting and the convergence of GAAP and IFRS.  Here is the Wall Street Journal's view.
Mr. Herz's departure, set for Oct. 1, also comes as the body is enmeshed in a battle over a proposal to expand the use of mark-to-market accounting, which requires companies to use market prices rather than management estimates to value financial holdings. Some investors say this practice brings a more realistic view to the numbers that public companies report, but banks have vigorously opposed the practice. They say it will introduce unnecessary volatility into results and that it exacerbated the financial crisis.

At the same time, Mr. Herz's departure may affect the board's ability to complete projects designed to bring together its rules and those set by the London-based International Accounting Standards Board. Mr. Herz's long-stated goal was to make both accounting regimes similar enough that U.S. public companies could abide by the international standards.

Mr. Herz may be stepping down now rather than succumbing to the continuing political pressure being placed on the board. We may never know if that is the case, but one thing is for certain - the new Chairman will have his or her hands full from the first day of the term.

Wednesday, August 25, 2010

Many Financial Services Companies Lack a Clear Risk Strategy

A recently published study by the Economist Intelligence Unit examines the current maturity of risk management practices in financial services companies. For long-time readers of this blog, most of the key findings (see the complete list below) will not be surprising. According to the study, companies have realized the need for greater investment in risk management, both in terms of people and technology.

However, a surprising 40% of companies have yet to define their overall risk strategy. This may indicate that some companies are taking a "bottom-up" approach to improving their risk management practices. By doing so, these companies will ultimately spend more time and money on risks that may not be material or emerging as a future threat. Senior management and board members of these companies should refocus their efforts on the risks inherent in the strategic objectives of the overall enterprise.


Key Findings

  1. Confidence levels are high but there is a risk of complacency. Financial institutions are feeling much more confident about the future compared with 12 months ago. Around three-quarters of respondents believe that prospects for revenue growth over the next year are good, whereas 68% are positive about the prospects for profitability. These levels of confidence, which are around double the levels reported in a similar survey conducted last year, reflect a widely held view that the financial system has stabilised. There is a risk of complacency, however. As governments withdraw stimulus packages and liquidity support for the financial sector, revenues and profitability could yet fail to meet expectations.

  2. The focus on regulatory compliance could distract attention from emerging risks. Around the world, regulators have stepped up their scrutiny of financial institutions. While few people would argue against a tougher regulatory regime in financial services, respondents to the survey highlight uncertainty regarding regulation as the main barrier to effective risk management. There is a danger that the focus on compliance could be “crowding out” day-to-day risk management at a time when formerly low probability risks, such as sovereign debt crises, are becoming more commonplace.

  3. A clearly defined risk strategy is in place at most institutions, but significant areas of weakness remain. Investment in risk management is increasing almost across the board, with risk processes, data, information systems and training being key areas of focus for the majority of institutions. Six out of 10 respondents now say that they have a clearly defined risk strategy in place at their organisations that is updated on a regular basis. However, this still leaves a worrying 40% whose companies do not conduct regular updates or do not have a clear risk strategy in place.

  4. Banks and insurers are filling gaps in risk expertise with investment in training and recruitment. Respondents recognise that shortfalls in the quality and quantity of risk experts have been an important part of the problem in risk management. Asked about key areas in which shortcomings need to be addressed, respondents list issues related to expertise as three of their top four priorities. More than one-half of respondents say that they are increasing their investment in training, both of risk professionals and across the broader business, and a similar proportion say that they are spending more on recruitment.

  5. Financial institutions need to further improve data quality and availability. An over-reliance on risk models, and problems with the data used to populate those models, have been widely seen as a key failure in financial risk management. Financial services firms recognise that data quality and availability need to improve further. Collecting, storing and aggregating data is an area of weakness for many institutions, with only 39% of respondents believing that they are effective at all these activities.

  6. The silo-based approach to risk management continues to pose problems. In the days leading up to the financial crisis, the separation of risk management into separate departments led many financial institutions to underestimate risk concentrations and correlations. Even now, less than one half of respondents to our survey are confident that they understand the interaction of risks across business lines and poor communication between departments is seen as a key barrier to effective risk management.

Thursday, August 19, 2010

The Risks of Cloud Computing

As we emerge from the economic downturn, more and more companies are considering “cloud computing” solutions as a way to keep information technology costs under control. However, some companies are fearful of the unknown aspects of managing information within the cloud. These fears may be justified, but they can certainly be alleviated by conducting a thorough risk assessment and vendor due diligence exercise prior to venturing into the cloud.

It all starts with what the company is looking to achieve through cloud computing and whether the investment is worth the risk.  For example, will the application hosted in the cloud be customer facing and subject to strict regulatory standards?  If so, then the risk assessment should include the probability and impact of events such as a data breach or unplanned downtime.

Once the risk assessment has been completed and the investment decision has been made, a comprehensive due diligence exercise should be conducted. Some vendors may suggest simply relying on the SAS 70 report from their external auditing firm rather than performing a due diligence exercise. While SAS 70 reports are useful, they are not specific to the relationship between the two companies. It is imperative that the following areas are examined in relation to the company’s current information security policies and overall operating expectations:

  1. Organizational and Human Resource Security

  2. Access Control

  3. Asset Management

  4. Physical and Environmental Security

  5. Operations and Change Management

  6. Disaster Recovery and Business Continuity

  7. Privacy

  8. Regulatory Compliance


Like any other partnership or outsourcing agreement, the time to address potential risks and issues with cloud computing is at the very beginning of the relationship.  By doing so, both the company and the vendor will benefit from the opportunity to understand each other’s expectations.  It will also serve as the foundation for a successful cloud computing solution.

If your company would like to learn more about performing a cloud computing risk assessment and due diligence exercise, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, August 16, 2010

The Quality of Internal Auditing is Critical

Over the past decade, great emphasis has been placed on determining the quality and effectiveness of risk and control programs. It started with Sarbanes-Oxley compliance and has gained new meaning and momentum as a result of the financial crisis of 2008. However, as is often said, beauty is in the eye of the beholder. In this case, the beholder is usually the Internal Audit (“IA”) function, since the evaluation of the quality and effectiveness of the risk and control program typically rests with the Internal Audit function within a company. So, to ensure that your company is performing a quality evaluation, it must first have a solid understanding of the quality of its own IA function.

Best practice as set out by the Institute of Internal Auditors requires an independent quality assessment of the IA function at least once every five years. A more frequent assessment should be considered if significant changes have occurred that affect how the IA function performs its responsibilities – e.g. a change in IA leadership and/or oversight, a change in IA methodology, a significant merger and/or acquisition, etc.

The quality assessment should address the following objectives:

  1. Assess the effectiveness of an IA function in providing assurance and consulting services to the board, senior executives, and other interested parties. This includes the adequacy of the IA activity’s charter, goals, objectives, policies and procedures as well as the IA activity’s contribution to the organization’s governance, risk management and control processes.

  2. Assess conformance to the Institute of Internal Auditors’ Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“Standards”) and provide an opinion as to whether the IA activity generally conforms to all.

  3. Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive (“CAE”) and staff for improving their performance and services and promoting the image and credibility of the internal audit function.


In addition, a well-designed quality assessment will include an evaluation of the following key IA function elements:

  1. The expectations of the IA activity expressed by the board, executive management, and its other “customers” (i.e., management of operational and support units).

  2. The entity’s control environment and the CAE’s audit practice environment.

  3. The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise.

  4. The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of the entity as a whole.

  5. The International Standards for the Professional Practice of Internal Auditing.

  6. The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities.

  7. The tools and techniques employed by the department, with emphasis on the use of technology.


The final key element typically receives the least focus, but it can yield the greatest benefit to the IA function and the company as a whole. By automating IA management processes such as scheduling, planning, workpaper preparation, reporting and issue follow-up, IA functions can dramatically increase their ability to perform their responsibilities in concert with a company’s operations and risk profile. OpenPages’ Internal Audit Management solution is a great example of a solid platform that can support a high quality IA function.

If you are interested in learning more about conducting an IA quality assessment for your company, please email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Friday, August 13, 2010

Risk Management Receiving More Attention & Investment

The New York Times reported this week that senior executives at major corporations are now investing more time and money to develop effective risk management practices at their companies.  Here is what they had to say.
Corporate leaders are focusing more attention on risk management after excessive risk-taking during the boom times helped bring about the global financial crisis, according to a survey of senior executives by Korn/Ferry International, the world’s largest recruiting firm. About 57 percent of senior executives surveyed said their companies were spending more time dealing with risk management, while 26 percent said there had been no change at all. Only 14 percent said their companies were actually spending less time on risk management.

The chief executive is usually called out first if a company runs into trouble with its risk management. That led to some prominent resignations in the banking sector in 2007, including E. Stanley O’Neal from Merrill Lynch and Charles O. Prince III from Citigroup.  Corporate boards are largely seen as weak when it comes to making tough decisions, especially in cases where the chief executive is also the chairman. The study indicates that boards today are more aware of how important risk management is to a company’s survival than they were during the boom times.

The reasons for this increase in investment should come as no surprise given the crisis we have experienced. However, it is imperative that the focus remains on risk management long after the crisis has faded from our memories. Otherwise, the increased investment will certainly be wasted.

Monday, August 9, 2010

H-P CEO Resignation Highlights a Bigger Risk

Hewlett-Packard's announcement last week that its CEO had resigned as a result of code of conduct violations was a clear sign that corporate boards are taking their governance role more seriously.  However, in the aftermath of the resignation, a bigger and more pervasive risk throughout many corporate C-suites has been highlighted - the lack of a clear succession plan.  Here is what the Wall Street Journal reported today.
In the wake of Chief Executive Mark Hurd's sudden resignation, Hewlett-Packard Co. has declared that its focus on business remains intact. But its CEO's unexpected departure reopens questions about H-P's strategy and succession that had largely been absent over the past few years. On Friday, confidence over Hewlett-Packard's prospects appeared to slip following Mr. Hurd's resignation—which stemmed from misuse of corporate expense accounts, uncovered in an investigation into allegations of sexual harassment by an actress named Jodie Fisher who was hired as an event-planning contractor for H-P. The news, released after stock markets closed Friday, shocked investors and caused H-P shares to plunge 8.3% to $42.48 in after-hours trading.

Given the limited number of qualified external CEO candidates, it is imperative for companies to build their bench strength to support their succession plan in the event of a CEO's or other senior executive's untimely exit.

Thursday, August 5, 2010

Geithner Issues a Call to Action

U.S. Treasury Secretary Timothy Geithner delivered a speech this week at New York University's Stern Business School to kick off the massive effort to craft new financial regulations to comply with the Dodd-Frank Act of 2010. In his speech, he promised to streamline and simplify the rules while working to codify them at an expeditious pace. He also provided the following call to action for the financial services industry.
For the financial industry, your core challenge is to restore the trust and confidence of the American people and your customers and investors around the world. You will have to make your own decisions about how best to do that, but, I thought, given that I'm here in New York, I'd offer a few suggestions as an interested observer.

Don't wait for Washington to draft every rule before you start changing how you do business. Get ahead of the process and out in front of your competitors. Find new ways to improve disclosure for your consumers.  End hidden fees. Don't push people into loans they can't afford.

Demonstrate to your business customers – small and large – that after running for cover during the peak of the crisis you are ready and willing to take a chance on them again. Change how you pay your executives so you are not rewarding them for taking risks that could threaten the stability of the financial system.

Make sure you have board members who understand your business and the risks you are taking. And, focus on improving your financial position so that your financial ratings, your cost of capital, the amount you have to pay to borrow, all reflect your own financial strength and earnings prospects, not the false expectation that the government will be there in the future to rescue you.

You can do all of that right now, even before the first new rule of financial reform is written.

Secretary Geithner is right to encourage banks to move now in the right direction as opposed to waiting for the rules to be written.  Doing so will not only better prepare the companies for the change to come, but will also provide a significant competitive advantage that will surely result in a similar increase in shareholder value.

Tuesday, August 3, 2010

Standard & Poor's Emphasizes ERM Importance

Since September 2008 when this blog was launched, Standard & Poor's has been evaluating enterprise risk management ("ERM") practices at both financial and non-financial companies as part of their credit rating evaluation process. Recently, Standard & Poor's issued a white paper discussing the importance of ERM and clarifying its review process of non-financial companies.  The white paper also contains a list of Frequently Asked Questions that provides a better understanding of the nature and scope of the reviews.  Here is their view of the importance of ERM today.

Managing enterprise-wide risks and capitalizing on opportunities are fundamental responsibilities of senior executives at all firms. Standard & Poor's Ratings Services' corporate credit ratings include evaluations of those managers' strategies, effectiveness, and credibility. These evaluations help us develop forward-looking opinions on credit strength by supplementing our fundamental analysis of the company's business and financial risk profile. Beginning in September 2008, we widened the scope of our analysis of some non-financial companies' management to enhance our review of managers' ability to identify, monitor, and manage key risks -- those endemic to its industry and those that managers elect to take when running their businesses. Specifically, we started to look at how a firm's culture (communications, structures, incentives, and risk appetite) affects the quality of its decisions and at the role risk considerations play when making strategic decisions. The public spotlight on risk management has intensified since we began this initiative.

  1. The U.S. Securities and Exchange Commission (SEC) now requires that proxy statements that public companies file include disclosure of risk-based compensation policies, the role of the board of directors in risk oversight, and the nature of communications between executives and the board on risk issues.

  2. The National Association of Corporate Directors' Blue Ribbon Report on Risk Governance urges boards to assess risk in strategy, closely monitor risks in culture and incentives, and consider emerging risks to the firm's business.

  3. The International Organization for Standardization's ISO 31000 family of risk management standards defines a common global approach to risk management.

Greater public scrutiny follows the extended global recession and accompanying wave of corporate defaults -- grim reminders of the consequences of unpreparedness and weak risk management.

Given the increased importance and added scrutiny, ERM is certainly a critical success factor for all companies today. If you are interested in how your ERM program measures up, Wheelhouse Advisors can provide a quick, complimentary diagnostic review. To learn more, email us at NavigateSuccessfully@WheelhouseAdvisors.com.