Wednesday, October 12, 2011

IT Risk Tops List of Concerns for Board Members

A recent survey of Public Company Audit Committee Board Members about risk highlights the desire to focus more heavily on Information Technology ("IT") related risks. This is not surprising given that technological innovation continues at a rapid pace while it is also increasingly impacting every key facet of business today. The survey, conducted by the National Association of Corporate Directors and sponsored by KPMG, uncovered the following common board-level views about IT and other risk areas.
  • They are not satisfied that their oversight of various IT risks is effective, or that the company's strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company's risks and control environment, or rate their company's crisis response plan as "robust and ready to go."
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC's whistleblower "bounty" program of particular concern.
An integrated, enterprise-wide risk program is the key to addressing these items in a holistic and practical way.  If your company has not implemented such a program, meeting the demands of the board will be challenging.

Tuesday, October 4, 2011

A Call to Action for Risk Managers

Risk managers are waking up to the fact that as the world continues to change, they must also change. Upgrades to skill sets as well as to the overall approach to risk management are essential if these professionals are to provide the value that companies are demanding in the tumultuous global economic environment. Just this week, at the Federation of European Risk Management Associations annual conference in Sweden, a call to action is being made to risk managers around the world.  Here's a sample of the views expressed during the conference as reported by Business Insurance magazine.
During a news conference at FERMA's forum in Stockholm, FERMA executives said risk managers cannot isolate themselves from the financial turmoil in many parts of the world or the rapid changes in many industries because of technology. “You cannot put your head in the sand; you have to understand and live with it,” said Julia Graham, chief risk officer for London-based law firm DLA Piper U.K. L.L.P. and VP of FERMA.

Ms. Graham said the skills that risk managers need have changed in the past five years. Now, she said, risk managers need to look forward more than backward, have greater financial literacy to understand and talk the language that company boards use, and improve their management skills, among other things.
The purely quantitative, historical view of risk is no longer adequate in today's complex global marketplace.  Strong business acumen is required for risk managers to provide a better view of potential risks and opportunities facing companies today.

Friday, September 23, 2011

Rebuilding Trust Through Better Risk Monitoring

A recent op-ed article in the Financial Times by noted author and professor Frank Portnoy raises the question of whether corporate managers should be held personally accountable for gross negligence when they fail to monitor risks. Mr. Portnoy proposes having senior executives at major banks certify that they are actively monitoring the risks taken in areas such as trading desks, which have produced recent losses due to rogue trading activities. He summarizes his view in the following way.
Current rules permit directors and officers to avoid personal liability for gross negligence. That is a wise rule for most business decisions: courts are generally not skilled at assessing business judgment. But risk is different. Why should a bank manager who is grossly negligent in supervising risk avoid liability?

Shareholders might never be able to understand the risks of modern banks, and current regulatory approaches will not give them much confidence. But if they knew that senior managers had agreed to be personally liable for gross negligence in monitoring risk, they might trust the banks more. Without trust, it is hard to see how banks can recover.
Mr. Portnoy is correct to promote the notion of greater accountability for monitoring risk. However, attaching personal liability to executives may not necessarily be the best method. It would be very difficult to define what is an adequate level of risk monitoring since it really differs for every institution. That is why the industry is so heavily regulated. However, Mr. Portnoy is certainly on point in the fact that stronger risk monitoring is needed to rebuild trust in banks.

Thursday, September 15, 2011

Another Example of the Value of Risk Management

It seems that some financial institutions have not fully learned the lessons from past rogue trading incidents such as the ones that occurred at Societe Generale and Barings. Officials at UBS announced today that they are facing massive losses at the hands of a lone trader. Here's what BBC reported this morning.
Police in London have arrested a 31-year-old man in connection with allegations of unauthorised trading which has cost Swiss banking group UBS an estimated $2bn (£1.3bn). Kweku Adoboli, believed to work in the European equities division, was detained in the early hours of Thursday and remains in custody. UBS shares fell 8% after it announced it was investigating rogue trades. ZKB trading analyst Claude Zehnder said the news would damage confidence in UBS. "They obviously have a problem with risk management."
This is yet another example of the value of having a strong risk and control program. While it is difficult to control external events, companies can certainly implement proper internal controls to protect from massive losses such as this one.

Wednesday, August 31, 2011

Sarbanes-Oxley Executive Compensation Clawbacks Continue

Yesterday, the U.S. Securities & Exchange Commission ("SEC") announced another successful "clawback" of executive compensation under the Sarbanes-Oxley Act of 2002. James O'Leary, former Chief Financial Officer of Atlanta-based Beazer Homes USA, was forced to return over $1.4 million in bonus payments and stock sale profits that he made as a result of fraudulent financial reporting in 2006. What is somewhat unique about the case is the fact that the CFO was not implicated in any wrongdoing other than certifying that the financial statements were accurate. The individual who is being criminally prosecuted for the fraud is the Chief Accounting Officer who reported to the CFO during the time period in question.

“Section 304 of the Sarbanes-Oxley Act encourages senior management to take affirmative steps to prevent fraudulent accounting schemes from occurring on their watch,” said Rhea Kemble Dignam, Director of the SEC’s Atlanta Regional Office. “O’Leary received substantial incentive compensation and stock sale profits while Beazer was misleading investors and fraudulently overstating its income.”

This announcement comes on the heels of a related clawback from the CEO of Beazer Homes that totaled more than $6.4 million. Again, in this case, the CEO was not implicated in any criminal wrongdoing. The SEC's enforcement approach regarding both the CEO and the CFO in this case serves as a reminder to senior executives to ensure their annual certifications are accurate. The only way to know is to have a strong risk and control program in place. Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

Thursday, August 25, 2011

Increasing Your Risk Awareness

Companies of all sizes are searching for direction as they seek growth during these tumultuous economic times. Some companies are looking for better ways to deploy capital while others are simply fighting for survival. It is during times such as these that many do not take the time to seek perspective on the risks that they face. However, the strongest companies realize that having a solid understanding of their unique risks is vital to their continued success. These companies also realize that the risks they face are ever-changing - both internally and externally.

The first step to developing a better understanding of risk is to conduct an Enterprise Risk Assessment based on the company's strategic objectives. This risk assessment will serve as the baseline for measuring risk responses going forward and also as the foundation for a broader Enterprise Risk Management ("ERM") program. As a company implements its ERM program, it is critical that a culture of risk awareness rather than risk aversion is promoted. A "risk aware" culture embraces risk as the flip side of the reward it seeks.

However, simply identifying, measuring and mitigating risks is only part of achieving "risk awareness". An effective way to gain this perspective is to examine how the business is evolving in relation to its overall strategic direction through the Risk Awareness Cycle (see figure below). At any given time, a product, service or an entire company is in one of four stages of evolution - Order, Complexity, Chaos or Simplicity. Within each of these stages, risks take different forms. In addition, to continue as a viable enterprise, movement from one stage to the other is essential. Without movement, an enterprise will lose forward momentum and ultimately fail.

To learn more about how you can increase your company's risk awareness, visit www.WheelhouseAdvisors.com.

Thursday, August 18, 2011

SEC Launches Office of the Whistleblower

Just more than a year after the Dodd Frank Wall Street Reform and Consumer Protection Act was signed into law, the Securities & Exchange Commission ("SEC") has established a new office to handle one of the major provisions of the act.  The Office of the Whistleblower was publicly launched last week.

To aid in the submission of whistleblower tips, the new office has created a website that provides details on how whistleblowers should provide information and what whistleblowers should expect. According to the website the SEC, "... is authorized by Congress to provide monetary awards to eligible individuals who come forward with high-quality original information that leads to a Commission enforcement action in which over $1,000,000 in sanctions is ordered. The range for awards is between 10% and 30% of the money collected."

Potential whistleblowers are encouraged to report their issue through a company's internal compliance program before contacting the SEC.  In fact, according to the final rules, the SEC will consider increasing the overall award amount if the whistleblower utilizes the internal compliance channels.  The following is an excerpt from the SEC's whistleblower rule book.
Participation in internal compliance systems. The Commission will assess whether, and the extent to which, the whistleblower and any legal representative of the whistleblower participated in internal compliance systems. In considering this factor, the Commission may take into account, among other things:
(i) Whether, and the extent to which, a whistleblower reported the possible securities violations through internal whistleblower, legal or compliance procedures before, or at the same time as, reporting them to the Commission; and
(ii) Whether, and the extent to which, a whistleblower assisted any internal investigation or inquiry concerning the reported securities violations.
Companies should use this opportunity to communicate the importance of reporting issues through internal channels before reporting to the SEC.  For those companies that do not have a well constructed compliance program, now is the time to build one.

Thursday, August 11, 2011

Perilous Times Require Strong ERM Programs

Each day as we read the news across the globe, it is apparent that the business environment continues to be laden with a myriad of risks. Without advance preparation, companies looking to advance their strategies will find themselves at the mercy of some unforeseen event that will threaten their success or perhaps their very survival. In times like these, it is critical to have a strong enterprise risk management ("ERM") program that is woven into the fabric of a company's strategy as well as its day-to-day business operations.

However, implementing an effective ERM program today is no easy task. Faced with an uncertain regulatory and economic outlook, many companies struggle to create a cost-effective, focused program that will provide the necessary insight to anticipate the most critical risks.  While each company and industry may be unique, there are a few common steps that can be taken that will lead to a more effective ERM program.
1. Start with the strategic plan - focus ERM efforts on where the company is going, not where it has already been

2. Create a simple framework and process that is easily understood - too many companies try to make ERM more complicated than it needs to be

3. Demonstrate importance of the program with a C-level champion - whether it is a new Chief Risk Officer, the CFO or even the CEO, a key leader must lead the charge

4. Tie risk management objectives and metrics to existing performance metrics - business goals require incentives and risk management objectives are no different

5. Invest in cost-effective enabling technologies - a wide range of risk management technology solutions exist today and choosing the wrong solution can result in cost overruns and poor results
By taking these steps, you will certainly be headed in the right direction on your ERM journey. However, the ultimate success factor is maintaining a long-term commitment to ERM as a valued business discipline. To learn more about creating a successful ERM program, visit www.WheelhouseAdvisors.com.

Tuesday, August 2, 2011

ERM Adds Strategic Value

As enterprise risk management ("ERM") becomes a more widely accepted practice, many companies are realizing the value of including a risk viewpoint in their strategic planning exercises. In the past, many executives viewed risk management purely as a loss avoidance exercise.  However, now that ERM is providing a broader view of risks and allowing companies to become more resilient, companies are more willing to incorporate the employment of calculated risks into their strategy formation.  A recent study by the Economist Intelligence Unit provides the following insight into this changing view of ERM.
One important indication that a shift might be occurring, however, is that 75% of executives think that risk considerations are playing an increasingly important role in strategy at their organisations. This suggests that rather than playing a preventative role—avoiding financial losses, for example—risk management could be moving towards an enabling role that contributes more fully to corporate strategy.

To navigate risks for both the shorter and the longer term, many firms are beefing up their risk management systems. ABB, for one, is increasingly moving away from a decentralized risk management model and putting in place a more group-wide strategy. “We’ve put in place a centralized enterprise risk management program over the last 12 months, and viewing holistically all the risks we face in the organisation,” confirms Mr Hall. “What we realized in the financial crisis, particularly from a financial point of view, is that the best way to manage risk is centrally.”

Martin ten Brink, a director at Shell, a British oil giant, says his company intends to refine some aspects of its enterprise risk management system in the coming year, particularly the pricing of risk. Furthermore, he says, Shell is improving the way it gauges risk velocity. The firm is targeting “a better understanding of the speed with which a risk can materialize and impact business performance.”
Wheelhouse Advisors is uniquely qualified to help companies build ERM programs that can be a source of strategic value. To learn more, visit www.WheelhouseAdvisors.com.

Tuesday, July 19, 2011

Demand for ERM Continues to Grow

More companies are beginning to realize the value of Enterprise Risk Management ("ERM") as a discipline that can propel a business forward rather than hold it back. In the recent past, many ERM programs focused primarily on revisiting problems from the past or examining all risks regardless of size. While these types of exercises can keep people busy, they rarely benefit a company that is trying to navigate forward to achieve successful outcomes. However, according to recent comments by a risk expert at the Risk and Insurance Management Society, ERM is evolving into a highly valued business practice. Here is what she had to say in an interview conducted by propertycasualty360.com.
Today, a growing perception that ERM “is a business discipline that can advance an organization’s [big-picture] objectives” is driving higher adoption rates across all types of organizations, says Carol Fox, director of strategic and enterprise-risk practice with the Risk and Insurance Management Society.

While there is also a perception that risk managers are having difficulty getting invited to a seat at the C-suite table, Fox believes that most corporate leaders, with only rare pockets of resistance, are eager for expert input about the strategic risks the organization faces.

“With all the external pressures—whether it’s Dodd-Frank, shareholders or the disclosures required now by the SEC for public companies—there is plenty of demand, visibility and support at the board level and at senior-management level” for ERM, she says.

As more board members and senior executives become acquainted with the usefulness of a well-designed ERM program, the discipline will become a "must have" for companies looking to compete in the new economy.

Monday, July 11, 2011

When Assessing Risk, Don't Forget the People

The Conference Board released a report today about the need for stronger integration of human capital risks into a company's overall enterprise risk management program.  Too often, these risks are left to the human resources department to manage alone with little understanding of the potential impact to a company's entire operation.  After surveying 161 leading companies worldwide, here is what the researchers discovered.
At most companies, human capital accounts for at least half of operating costs and can have a significant impact on business results. However, the study finds that human capital risk (HCR) — which can range from unionization/labor relations to offshoring and outsourcing to staffing in a pandemic — tends to be siloed in human resources departments, away from the companywide assessment and mitigation processes of enterprise risk management (ERM). This arrangement prevents information about HCR from having a role in the comprehensive, aggregate view of risks, root causes, interactions, and impacts through which leaders set priorities and determine overall strategy.

Out of eleven risk categories, executives ranked HCR as having the fourth highest impact on business results, ahead of financial, reputational, supply chain, and IT risks. This high ranking is evidence that HCR should be taken seriously as an enterprise risk.  However, less than one-third (31 percent) of companies believe they effectively assess human capital risk, and 24 percent believe they do an ineffective job.

During an economic crisis such as the one we have experienced, many companies lose sight of what really drives a business - people.  Understanding the risks associated with the primary business driver is certainly a no-brainer.

Saturday, July 2, 2011

Now Is Not The Time to Reduce Investment in Risk Management

As we head into the second half of 2011, the economic recovery here in the US and abroad is taking hold much more slowly than most expected. Given the modest recovery, some executives may be looking to slash expenses to boost profitability and achieve their near-term goals. However, while tempting, cutting staff and investment in the wrong areas may prove to be a company’s undoing. For financial services companies, this is particularly true in the area of risk management because they are still mending their practices in the wake of the recent financial crisis.

According to the Financial Times, US regulators are keenly aware of what may be on the minds of bank executives and are issuing warnings to avoid cutting risk management budgets. According to Michael Alix, a senior vice-president at the Federal Reserve Bank of New York who heads the risk-management function within the regulator’s financial-institutions supervision group, the regulators are paying close attention to any plans to lower investment in risk management programs. “We haven’t seen it yet, but we’re vigilant,” says Alix.

Sacrificing the progress made in strengthening risk management programs at this precarious stage of recovery is certainly short-sighted and could lead to even greater problems for companies looking to weather the next storm.

Friday, June 10, 2011

New Proposed Guidance on Stress Testing for Banks

Yesterday, the Office of the Comptroller of the Currency ("OCC"), the Federal Reserve and the Federal Deposit Insurance Corporation ("FDIC") issued proposed guidance for banking institutions to create a robust stress testing framework to adequately assess potential risks. The largest financial institutions have been subject to direct stress testing during the financial crisis in association with the administration of the Troubled Asset Relief Program ("TARP"). This new guidance formally outlines requirements for a broader population of institutions, specifically those with $10 billion or more in assets. According to the guidance, all banks of this size should structure their framework in the following manner.

“….. a banking organization’s stress testing framework should include, but are not limited to, augmenting risk identification and measurement; estimating business line revenues and losses and informing business line strategies; identifying vulnerabilities and assessing their potential impact; assessing capital adequacy and enhancing capital planning; assessing liquidity adequacy and informing contingency funding plans; contributing to strategic planning; enabling senior management to better integrate strategy, risk management, and capital and liquidity planning decisions; and assisting with recovery planning.”

While this guidance does not explicitly meet the requirements of section 165(i) of the Dodd-Frank Wall Street Reform and Consumer Protection Act for non-bank companies, the OCC, Federal Reserve and FDIC plan to issue rules consistent with this guidance for those companies. So, this serves as a preview of what is to come. Public commentary on this proposed guidance is requested by June 29, 2011.

Monday, June 6, 2011

Collaboration is Key for GRC Success

An interesting study on the current state of Governance, Risk Management & Compliance ("GRC") programs has just been released and the results are quite revealing. Entitled "The Role of Governance, Risk Management & Compliance in Organizations", the study was conducted independently by the Ponemon Institute for EMC.  The study covered four primary domains - IT GRC, Operations GRC, Finance GRC and Legal GRC - and surveyed 190 GRC practitioners across the United States.

One of the primary findings was the fact that organizations are still limited by their ability to collaborate and communicate risk information across the enterprise. Part of the problem lies in the lack of a comprehensive strategy to improve collaboration. Beyond the lack of a strategy, organizations are also limited by their technological support of GRC programs. Here's what the Ponemon Institute surmised.
We believe this study reveals the importance of an enterprise-wide strategy and increased collaboration among domains to meeting eGRC objectives. Currently, only 20 percent have an enterprise-wide strategy and collaboration among GRC areas is far from perfect. Only 28 percent of respondents say their organizations enjoy frequent collaboration or cooperation among GRC areas. However, the good news is that only 12 percent say GRC areas operate in silos in their organizations.

In order to address the barriers related to collaboration, it has been recommended that organizations make it a priority to encourage people from the various lines of business to talk together and establish “risk ambassadors”. The need to gain visibility and control through effective cross-enterprise eGRC collaboration is important to reducing gaps in how risk is assessed and managed.

Finally, according to respondents, managing risk is and will continue to be the biggest eGRC focus for their organizations. This is understandable because organizations are finding that the cost of complying with the plethora of regulations can be daunting. Taking a risk-based approach toward compliance requirements enables them to focus their resources on the most at-risk areas of their business and achieve real value from their eGRC activities.

Building the right processes, involving the right people and utilizing the right technology are all key to achieving the sort of value that GRC programs should provide. Wheelhouse Advisors is uniquely qualified to bring these key elements together for your organization. Email us at NavigateSuccessfully@WheelhouseAdvisors.com to learn more.

Friday, May 20, 2011

SEC Proposes New Credit Rating Rules

This week, the U.S. Securities and Exchange Commission ("SEC") issued proposed rules that will have a great impact on the integrity of credit ratings going forward. The quality of credit ratings was highly suspect in the aftermath of the financial crisis of 2008. Many of the greatest losses incurred by financial institutions, municipalities and pension funds resulted from investments in securities that were touted as "investment grade". However, as we know now, those investments were anything but. Now, the SEC will require Nationally Recognized Statistical Rating Organizations ("NRSROs") like Moody's and Standard & Poor's to adhere to stricter controls and disclose more information about how the ratings are derived. The SEC issued the following statement supporting the approval of these new rules.

“In passing the Dodd-Frank Act, Congress noted that credit ratings applied to structured financial products proved inaccurate and contributed significantly to the mismanagement of risks by financial institutions and investors,” said SEC Chairman Mary L. Schapiro. “Our proposed rules are intended to strengthen the integrity and improve the transparency of credit ratings.”

Under the SEC’s proposal, NRSROs would be required to:

1. Report on internal controls.
2. Protect against conflicts of interest.
3. Establish professional standards for credit analysts.
4. Publicly provide – along with the publication of the credit rating – disclosure about the credit rating and the methodology used to determine it.
5. Enhance their public disclosures about the performance of their credit ratings.

Let’s hope these rules help to restore integrity to the marketplace and help investors better understand the risks involved in a given investment.
Wednesday, May 18, 2011

Waves of Reform Impacting ERM Efforts

As Enterprise Risk Management ("ERM") has evolved as a discipline over the last decade, it has been largely shaped by waves of reform efforts resulting from corporate fraud in the early 2000's to economic catastrophes and widespread corruption in the latter half of the decade. According to a recent article by Mary Driscoll in Business Finance Magazine (a partner publication of The ERM Current), a new wave of ERM change and focus is at hand. Through several sources, Mary offers her view of the most recent wave and the one on the horizon.
The third wave, which is proving just as significant, came in early 2010 in the form of SEC Rule 33-9089, which "mandates disclosure of risk oversight and risk reporting lines, risk assessment by business unit, and assessment of the risk associated with compensation plans," explains Paul Walker, Associate Professor of Commerce at the University of Virginia and a leading academic in the field.

"Furthermore, the recent Dodd-Frank Wall Street Reform and Consumer Protection Act has raised the risk bar by mandating risk committees and risk experts on those committees. Add to this the fiduciary duty pressure on boards and the potential risk-related lawsuits, and you end up with risk getting attention at every level of the organization," adds Walker.

Now consider this twist. According to an article by Deloitte Financial Advisory Services LLP's Toby Bishop, "The Dodd-Frank Act has created a large financial incentive for whistle-blowing in companies across all industries." An area of particular concern relates to violations of the Foreign Corrupt Practices Act, and that could mean higher potential liabilities for companies moving aggressively into emerging markets where local officials expect to trade access for cash.

What has your company done to prepare for the potential impacts of these waves?  If you would like to learn more about practical, cost-effective solutions, let us know by emailing us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, May 16, 2011

Wheelhouse Announces New Strategic Alliance

Wheelhouse Advisors and Xactium are pleased to announce their new strategic alliance for the implementation of Xactium's Force.com Governance, Risk and Compliance applications.

Wheelhouse, a professional services firm specializing in Enterprise Risk Management & Control will be Xactium’s first US-based partner, operating in Atlanta, Georgia.

John A. Wheeler, founder and Managing Principal of Wheelhouse Advisors, brings over twenty years of strategic, operations and risk management professional experience to the firm. Prior to founding his company, John served as a Senior Vice President within the Corporate Risk Management division at a major U.S. financial services company.

Dr. Andy Evans, Managing Director of Xactium, said: “This is a great opportunity for collaboration and signals the widening interest in our Force.com GRC Suite. Working with Wheelhouse will enable us to extend our reach to American markets and reinforce our position as a leading cloud risk solution provider.”

John added: “We recognise the power of Xactium’s cloud-based solutions to provide clients with a complete, robust solution in a time frame they want. We look forward to extending our level of customer support with our new implementation services.”

The partnership follows a period of growth from Xactium, whose customer numbers have more than doubled in the last year. The potential for a future Xactium North America division will also be considered.

About Xactium: Xactium is a leading cloud-computing software company specialising in Governance, Risk and Compliance (GRC) solutions. Xactium helps customers efficiently and effectively access and manage risk and compliance activities without the need for complex, expensive risk software. Recent significant business wins include insurance brokers Jardine Lloyd Thompson; insurance and reinsurance group, RiverStone Europe; and Scottish water retailer, Business Stream.

About Wheelhouse Advisors: Founded in 2007, Wheelhouse Advisors serves corporate clients across the United States with the implementation and continuous improvement of their Enterprise Risk Management (“ERM”) programs. Their service offerings include: Bespoke Enterprise Risk Assessment, Independent Risk & Control Program Analysis, Financial Process Compliance; and Governance, Risk & Compliance Automation.

Thursday, May 12, 2011

The Path to ERM Success

The path to success in implementing an Enterprise Risk Management ("ERM") program can be found in greater integration and better technology, according to a recent survey presented at the 2011 Risk and Insurance Management Society ("RIMS") Conference in Vancouver, British Columbia. Entitled “Excellence in Risk Management VIII”, this is an annual independent survey of executives conducted for RIMS by Marsh. The most common focus area noted in the survey is a desire to strengthen enterprise or strategic risk management approaches. While more than half of the survey respondents indicated this desire, a majority saw the primary barrier to achieving this goal as a lack of understanding of the risk landscape across numerous silos of information.

As a result, 55% of the respondents expect to integrate risk management deeper into and across operations and 54% of respondents expect to perform day-to-day risk management activities more efficiently. To meet these expectations, organizations will need to improve the way they gather and report risk data through more cost-effective technology. The survey report supports this notion through the following observation. “It’s worth noting to risk managers that their counterparts in the C-suite were the most likely to view technology upgrades as a focus area. This should help pave the way for technology that can ease the time spent on mundane tasks and open the door to developing the deeper integration of risk management with other departments.”


Source: Risk & Insurance Management Society, Excellence in Risk Management VIII

Thursday, May 5, 2011

FDIC Calls for Risk Management Improvements

This week, the Federal Deposit Insurance Corporation ("FDIC") released a special edition of its Supervisory Insights publication focusing on the recent foreclosure crisis in mortgage banking. In the report, the FDIC provides additional perspective on the deficiencies in internal processes, staffing and control that resulted in a foreclosure moratorium by several of the largest mortgage servicing institutions in late 2010. The FDIC worked with the lead regulatory agencies of the fourteen largest mortgage servicers in the United States to conduct extensive reviews of current foreclosure practices.

The reviews uncovered many common issues among the mortgage servicers. The FDIC noted the following, “concerns included lax foreclosure documentation, ineffective controls over foreclosure procedures, and deficient loss mitigation procedures and controls. Many institutions failed to commit resources sufficient to manage responsibly the rapidly growing volume of mortgage loans in default or at risk of default. Weak governance and controls increased legal, reputational, operational, and financial risks while creating unnecessary confusion for borrowers.”

While the report focuses specifically on the foreclosure shortcomings, it also serves as a reminder of the value of strong internal controls and risk management practices. As business processes become more complex and interconnected, the risks inherent in them multiply. Unchecked, these risks can quickly propel a business into a full-blown crisis.

Thursday, April 28, 2011

How to Strengthen Your IT Risk Management Program

An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.

A recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives but not board members. Forty-five percent of the participants were from critical infrastructure companies.

The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:

1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.

2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.

5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.

6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.

10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.

These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s risk mindfulness level, but also secure positive returns for key investors and stakeholders for years to come.

Wednesday, April 27, 2011

SEC Releases Long-Awaited Study on SOX

This week, the U.S. Securities and Exchange Commission ("SEC") released its study on the impacts of section 404(b) of the Sarbanes-Oxley Act ("SOX"). The SEC concluded that section 404(b), which requires an external auditor to issue an opinion on a company's internal control over financial reporting, should remain in effect for mid-sized companies with a market capitalization of $75 to $250 million. Here is a summary of their conclusion and recommendations:
The work performed by the Staff reinforces our understanding that the costs of Section 404(b) have declined since the Commission first implemented Section 404, particularly in response to the 2007 reforms, that investors generally view the auditor's attestation on ICFR as beneficial, and that financial reporting is more reliable when the auditor is involved with ICFR assessments.

1. Maintain existing investor protections of Section 404(b) for accelerated filers, which have been in place since 2004 for domestic issuers and 2007 for foreign private issuers.

2. Encourage activities that have potential to further improve both effectiveness and efficiency of Section 404(b) implementation.

Since the Dodd-Frank Act exempted small companies with a market capitalization less than $75 million from section 404(b), this study should effectively end the debate over Sarbanes-Oxley section 404 requirements. For mid-size companies looking to gain efficiencies in complying with section 404(b), Wheelhouse Advisors can help. Email us at NavigateSuccessfully@WheelhouseAdvisors.com to learn more.

Wednesday, April 20, 2011

Cloud Security Concerns Are Diminishing

As software vendors look for ways to improve their product offerings, many are venturing into the cloud. However, for most of the last decade, as cloud computing (and in particular Software as a Service, or "SaaS") has evolved, some companies would not even consider using these products because of fears about data security. Now that the major cloud providers have refined their technological infrastructures, a blanket rejection on security grounds is no longer warranted; the question has become how to assess a particular provider's controls. In this month's issue of Treasury & Risk Magazine, more evidence is provided to support the integrity of cloud-based software products. Here's an excerpt:
As cloud vendors mature, Web-based delivery of applications, storage and infrastructure is getting more secure and trustworthy. That doesn’t mean that the risks are gone—they’ve just migrated to a more difficult-to-manage form. Today, big-name cloud providers like Salesforce.com offer top-notch security, auditability and compliance. Even Google provides a compliant e-mail hosting solution for regulated industries such as healthcare and finance.

In fact, clouds can offer a security advantage over traditional software, since cloud providers specialize in making their application as secure as possible, spreading the costs of that effort among many customers. On their own, companies might not be able to afford the same level of security.

Coupled with the benefits of little or no maintenance and a minimal initial investment, the security now available from mature cloud providers makes a strong business case for moving to the cloud. The caveat in the excerpt above still applies: the risk has not disappeared but has shifted to the provider, so a company adopting cloud software needs to verify, rather than assume, that the provider's security, auditability and compliance controls are as advertised.

Friday, April 15, 2011

How the Dodd-Frank Act Could Impact Your Weekend

On a Friday like today, most folks are looking forward to a relaxing, fun-filled weekend away from work and the myriad regulations with which we have to comply.  Now, it looks like the new financial reform regulations may have an impact on our leisure time activities.  What, you say?  How could that be?  Well, according to an article this week in the Wall Street Journal, the Dodd-Frank Act could force companies that use derivatives to hedge commodity price fluctuations to post cash collateral on the transactions.  If that happens, the cost will be passed on to the consumer in the form of higher prices.  One company that anticipates price increases is MillerCoors LLC.  Here's what the head of risk management at MillerCoors had to say, according to the Wall Street Journal.
Craig Reiners, director of risk management at beer giant MillerCoors LLC, said the derivatives rules were designed to reduce threats to financial stability, whereas companies such as his "pose no systemic risks." If end users aren't shielded, the rules "would have a very harmful effect on our risk-management of the business and for that matter ultimately the cost of a six-pack of beer." MillerCoors uses over-the-counter derivatives to hedge against price volatility in areas such as aluminum, hops and energy.

So, as you head out to a sporting event or simply plan to kick back with a cold beverage in your back yard this weekend, beware of the possible negative and unintended impact to your wallet as a result of financial reform.

Thursday, April 14, 2011

U.S. Senate Releases Financial Crisis Report

Yesterday, the United States Senate Permanent Subcommittee on Investigations released its report covering the events leading to the financial crisis of 2008. The Subcommittee began its investigation in November 2008 and held several high-profile hearings in April 2010.  The lengthy report includes an analysis of all of the major players involved in the crisis - Mortgage Lenders, Investment Banks, Regulators and Credit Rating Agencies. What is notable about the report is that it received full, bipartisan support, unlike the report issued recently by the Financial Crisis Inquiry Commission. In addition, the report is clear and specific in its recommendations.  As noted in the following excerpt, the focus of the report is to prevent a repeat occurrence of a painful shock that could have been averted.
Nearly three years later, the U.S. economy has yet to recover from the damage caused by the 2008 financial crisis.  This Report is intended to help analysts, market participants, policymakers, and the public gain a deeper understanding of the origins of the crisis and take the steps needed to prevent excessive risk taking and conflicts of interest from causing similar damage in the future.

Thursday, March 24, 2011

Understanding the 2011 Top Global Risks

Earlier this year, the World Economic Forum established a Risk Response Network ("RRN") to facilitate dialogue among global leaders about the most important risks impacting our environment and economy. Kevin Steinberg, Chief Operating Officer, World Economic Forum USA, and Head of the Risk Response Network provided the following thoughts on the goals of the RRN. "Throughout the extreme shocks of recent years, both public and private sector leaders have been struggling to avoid collapse and keep the economy afloat. The World Economic Forum is launching the Risk Response Network: an umbrella of projects and initiatives all designed to help global leaders better understand, prepare for and respond to risk.”

With the launch of this new initiative, the World Economic Forum published a report on the most critical global risks that must be addressed in 2011. This report draws upon a risk perception survey of 580 global leaders, 18 risk analysis workshops and 50 risk expert consultations resulting in an assessment of 37 global risks. The resulting analysis is very intriguing and represents a true opportunity to begin addressing risks in a more proactive manner.

Tuesday, March 22, 2011

New Standards for Assessing Risks

As more companies continue to look to external service organizations to provide non-core operational support, auditors have recognized a need for better internal control auditing standards. In the past, the primary audit standard for these external service providers was the Statement on Auditing Standards No. 70, better known as SAS 70. In the absence of another internal control audit standard, SAS 70 became the de facto standard for companies seeking assurance that their service provider was secure and well-controlled. Service providers also touted their SAS 70 reports as though they were a “Good Housekeeping” seal of approval. The main problem was that SAS 70 reports focused only on internal control over financial reporting. They did not provide any assurance on items such as information security, operational control or regulatory compliance.

To fill this vacuum, the American Institute of Certified Public Accountants has developed new standards to replace the outdated SAS 70. Now known as Service Organization Control ("SOC") reporting standards, these new guidelines provide for three separate and unique reports to address the full complement of internal controls at an external service provider.

The first report, SOC 1, essentially replaces the SAS 70 report that focused solely on financial controls. SOC 2 and SOC 3 are new reports that provide opinions on the effectiveness of controls related to operations and compliance, organized around the Trust Services principles of security, availability, processing integrity, confidentiality and privacy. SOC 2 is a restricted-use report, intended for the service provider's management, its existing clients and their auditors; it contains the auditor's detailed description of the controls tested and the results. SOC 3 is a general-use report that a service provider can share with potential clients as a “seal of approval”, but without the detail of the SOC 2. A company evaluating a provider should therefore ask for the SOC 2 rather than settle for the SOC 3, and should check whether it is a Type I report (controls suitably designed at a point in time) or a Type II report (controls tested for operating effectiveness over a period), since only the latter says anything about how the controls actually performed.

These new reporting standards become effective June 15, 2011, so the ubiquitous SAS 70 will soon become a relic of the past. More importantly, companies will soon gain a better understanding of how well their service providers are managing their risks.

Tuesday, March 15, 2011

Viewing Risk in a Different Way

Several previous blog entries have explored the notion of approaching Risk Management in a new way. Rather than simply focusing on mitigating risk through various methods, companies and individuals alike should strive to seek a greater understanding of risk to improve their decision-making and maximize value to the organization. By doing so, an ever-present view of risk and opportunity will propel an organization from focusing purely on Risk Management to a new state of Risk Mindfulness.

David Spiegelhalter, leading risk expert and professor at Cambridge University, supports this view in a recent video (see below) that is both enlightening and humorous. Through his real-life examples, Professor Spiegelhalter provides a unique view of how we as humans typically view risk. His lessons are particularly relevant as we continue our struggle to emerge from the financial crisis of 2008. As he concludes, "One of the biggest risks is being too cautious."





Wednesday, March 9, 2011

New Breeding Ground for Risk Topics

Board members of public companies are accustomed to passing along any risk related issues to the Audit Committee and/or Risk Committee. However, many of these directors are discovering that risk related issues are not necessarily the specific purview of those groups. One committee in particular is becoming a breeding ground for risk topics - the Compensation Committee. With incentive programs entering the spotlight through greater disclosure about their impact on risk taking and heightened investor scrutiny, a new set of board directors needs to be concerned with risk management. Here is what a leading expert had to say recently about the change.
Finally, an important means for compensation committees to address the risks that they now face is to ensure that they and the compensation-setting process are fully integrated into the overall risk-oversight activities of the board and the company. The financial crisis and its legislative and regulatory aftermath have focused considerable attention on the relationship between incentives in compensation programs and the risks that arise for companies, and as a result the compensation committee has become a crucial component of the risk-oversight process. The compensation committee’s attention to risks—through a periodic evaluation of the compensation program and how pay elements could create risks—has now become a regular part of the analytical framework.

How is your Compensation Committee addressing risk? Having the ability to articulate the linkage between incentive programs and a company's risk appetite is critical to proactively addressing investor concerns.  If you or someone else in your company is interested in learning more about bridging this gap, contact us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, March 7, 2011

SEC Resumes Clawback of Executive Pay

Financial reporting risk has returned to the headlines with a recent announcement by the Securities & Exchange Commission ("SEC") that it will be "clawing back" prior bonus payments made to a prominent CEO whose company committed accounting fraud during his tenure. Section 304 of the Sarbanes-Oxley Act of 2002 requires the CEO and CFO to reimburse the company for bonuses, other incentive- or equity-based compensation and profits from the sale of the company's stock received in the twelve months following a financial statement that is later restated because of misconduct, and allows the SEC to enforce that reimbursement. Here is an excerpt from the SEC's action:

"The Securities and Exchange Commission today announced a settlement with the chief executive officer of an Atlanta-based homebuilder to recover several million dollars in bonus compensation and stock profits that he received while the company was committing accounting fraud.

According to the SEC’s complaint filed today in federal court in Atlanta, CEO Ian J. McCarthy previously failed to reimburse Beazer Homes USA Inc. for bonuses, other incentive-based or equity-based compensation, and profits from Beazer stock sales that he received during the 12-month periods after his company filed fraudulent financial statements during fiscal year 2006."

During the financial crisis of the past few years, Sarbanes-Oxley has taken a back seat to other more pressing issues. However, now that the dust has settled, we can expect to see more actions such as this one.

Tuesday, February 22, 2011

Stepping Back to Move Forward

New survey results on Enterprise Risk Management ("ERM") practices at global financial institutions were released last week by Deloitte.  The survey points to the changing attitudes towards ERM as well as the continued challenges many institutions face as they implement ERM programs.  Here is a summary of the survey results.
The seventh edition of the report, titled "Navigating in a Changed World," surveyed chief risk officers – or their equivalent – from 131 financial institutions from around the world, with aggregate assets of more than $17 trillion and representing a range of financial services sectors including banks, insurers and asset managers.

Among other major findings in the survey:

  • While the majority considered their institution to be either extremely or very effective in risk management overall, one-third of survey participants graded themselves below that level.

  • Not only is the chief risk officer (CRO) role more prevalent at financial institutions, but he or she is reporting to higher levels in the organization. According to the survey, 86 percent of institutions had a CRO in place, up from 73 percent in 2008, and reports to the board level or to the CEO (or both) at 85 percent of institutions. In addition, they are playing a more strategic role.

  • More institutions have adopted enterprise risk management (ERM) programs -- 79 percent of institutions reported having a program or equivalent in place or in progress, an increase from 59 percent in 2008.

  • While the value of ERM has increased, so have the challenges of implementing the information and technology infrastructures to support a comprehensive program; the importance of information and technology management in effective risk management has only been emphasized by the events of the global financial crisis.

  • The top-rated risk management technology challenge among those surveyed was integrating risk data across the organization, which was rated as an extremely or very significant issue by 74 percent of executives.

  • More than 80 percent of institutions experienced significant impacts from regulatory changes in the countries where they operate; at 40 percent of responding institutions, these impacts included the need to maintain higher capital levels and the need to maintain higher liquidity ratios.



It seems that while ERM is gaining in prominence within these organizations, the primary challenges to a successful ERM implementation remain.  Many companies will find themselves needing to take a step back to streamline ERM processes before trying to tackle the gaps in information and technology.

Sunday, February 13, 2011

Added Stress in the United Kingdom

Last week, the Wall Street Journal reported that financial institutions in the UK are being subjected to even more stringent stress testing requirements than their US counterparts. The Financial Services Authority (FSA) is requiring the largest financial institutions to conduct what it calls "reverse stress testing". Rather than asking how an institution would fare under a given shock, these tests start from the point at which the firm's business model fails and work backwards to identify the scenarios, whether a natural disaster, a pandemic or a major internal fraud, that could bring it there. Evidently, the UK bankers are none too pleased with the request, according to the following report.
Bankers call it the latest example of regulatory overkill. Executives protest that they are wasting countless hours dreaming up outlandish doomsday scenarios. The chief executive of a major U.K. bank said the tests are predicated on "a massive confluence [of] absurd scenarios" in which executives passively watch events unfold rather than trying to stabilize the situation. Bankers are especially worried that the process could result in them being forced to hold more capital. The FSA said in a planning document that the tests "may result indirectly in changes to the levels of capital held by firms" if the exercise "identifies business model vulnerabilities that have not previously been considered."

An FSA spokeswoman defended the exercise. "It might seem outlandish to them, but the point is that it pushes the business model to the point it collapses," the spokeswoman said. She said the banks also should be evaluating relatively mundane situations like what they would do in the event of a major internal fraud.

What is somewhat surprising by this report is the fact that these financial institutions should have already conducted similar scenario planning and testing as part of the Basel II Capital Accord requirements. However, since the Basel II requirements were largely self-regulated, it appears that the banks did not do their homework the first time around. For those bankers in the US who did not do their homework as well, you might want to get started before the teacher asks for it.

Tuesday, February 8, 2011

Incentive Pay & Risk Back in the Spotlight

Yesterday, the Federal Deposit Insurance Corporation (FDIC) approved a proposal to limit excessive risk taking that is tied to incentive programs at large financial institutions. The proposed rules are a result of the Dodd-Frank Act of 2010. Here is a summary of the new rules from the FDIC's website.
The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved a joint proposed rulemaking to implement Section 956 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 956 prohibits incentive-based compensation arrangements that encourage inappropriate risk taking by covered financial institutions and are deemed to be excessive, or that may lead to material losses.

Consistent with Dodd-Frank, the proposed rule does not apply to banks with total consolidated assets of less than $1 billion, and contains heightened standards for institutions with $50 billion or more in total consolidated assets. For these larger institutions, the rule requires that at least 50 percent of incentive-based payments be deferred for a minimum of three years for designated executives. Moreover, boards of directors of these larger institutions must identify employees who individually have the ability to expose the institution to substantial risk, and must determine that the incentive compensation for these employees appropriately balances risk and rewards according to enumerated standards.

Chairman Bair said "This proposed rule will help address a key safety and soundness issue which contributed to the recent financial crisis – that poorly designed compensation structures can misalign incentives and induce excessive risk-taking within financial organizations. Importantly, we believe the rule will accomplish its objectives in a way that appropriately reflects the size and complexity of individual institutions. Importantly, this inter-agency proposal will apply across all types of US financial institutions, limiting the opportunity for regulatory arbitrage. Similarly, it will better align US compensation standards with those which have been adopted internationally under the framework approved by the Financial Stability Board in 2009."

Public comment will be accepted for 45 days prior to final approval. In addition, the rules are a joint effort with the Federal Financial Institutions Examination Council (FFIEC), the Securities & Exchange Commission (SEC) and the Federal Housing Finance Agency (FHFA), each of which must also approve the rules. These rules are a step in the right direction for those more interested in long-term results, but they will certainly be the subject of intense debate.

Tuesday, February 1, 2011

Risk Won't Wait

After several years of delaying funding for risk management and IT security due to economic pressures, more and more companies are realizing that they cannot wait any longer. The stakes are simply too high to rely on outdated technology and a bare-bones approach to addressing ever-increasing risks.  Here is what was reported in InformationWeek magazine earlier this week:
A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies' IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

Don't be left behind. With leaps in technology occurring in a matter of months rather than years, no company can afford to delay its improvements in risk management.

Thursday, January 27, 2011

CNBC Profiles Internal Audit & Risk Management Practices

Earlier this week, the Institute of Internal Auditors' Richard Chambers was interviewed by CNBC on the evolving nature of risk management practices in light of the recent financial crisis. Mr. Chambers emphasized the need for corporate boards to set the risk appetite and work with management as well as the internal auditors to monitor the level of risks. In addition, he noted that compensation programs still need to be improved such that risk metrics are included in pay determination.  To view the entire interview, click below.





Too Little, Too Late?

At long last, the Financial Crisis Inquiry Commission released its final report today on the causes of the great financial crisis of 2008. Unfortunately, the report probably raises more questions than it answers, because the commission was split on the true cause of the crisis. The Democratic majority took the view that the crisis was ultimately caused by greedy Wall Street bankers coupled with a lax regulatory system. The Republican minority of three panel members, in their dissenting view, portrayed the following more complicated series of causes.

  1. Credit bubble. Starting in the late 1990s, China, other large developing countries, and the big oil-producing nations built up large capital surpluses. They loaned these savings to the United States and Europe, causing interest rates to fall. Credit spreads narrowed, meaning that the cost of borrowing to finance risky investments declined. A credit bubble formed in the United States and Europe, the most notable manifestation of which was increased investment in high-risk mortgages. U.S. monetary policy may have contributed to the credit bubble but did not cause it.

  2. Housing bubble. Beginning in the late 1990s and accelerating in the 2000s, there was a large and sustained housing bubble in the United States. The bubble was characterized both by national increases in house prices well above the historical trend and by rapid regional boom-and-bust cycles in California, Nevada, Arizona, and Florida. Many factors contributed to the housing bubble, the bursting of which created enormous losses for homeowners and investors.

  3. Nontraditional mortgages. Tightening credit spreads, overly optimistic assumptions about U.S. housing prices, and flaws in primary and secondary mortgage markets led to poor origination practices and combined to increase the flow of credit to U.S. housing finance. Fueled by cheap credit, firms like Countrywide, Washington Mutual, Ameriquest, and HSBC Finance originated vast numbers of high-risk, nontraditional mortgages that were in some cases deceptive, in many cases confusing, and often beyond borrowers’ ability to repay. At the same time, many homebuyers and homeowners did not live up to their responsibilities to understand the terms of their mortgages and to make prudent financial decisions. These factors further amplified the housing bubble.

  4. Credit ratings and securitization. Failures in credit rating and securitization transformed bad mortgages into toxic financial assets. Securitizers lowered the credit quality of the mortgages they securitized. Credit rating agencies erroneously rated mortgage-backed securities and their derivatives as safe investments. Buyers failed to look behind the credit ratings and do their own due diligence. These factors fueled the creation of more bad mortgages.

  5. Financial institutions concentrated correlated risk. Managers of many large and midsize financial institutions in the United States amassed enormous concentrations of highly correlated housing risk. Some did this knowingly by betting on rising housing prices, while others paid insufficient attention to the potential risk of carrying large amounts of housing risk on their balance sheets. This enabled large but seemingly manageable mortgage losses to precipitate the collapse of large financial institutions.

  6. Leverage and liquidity risk. Managers of these financial firms amplified this concentrated housing risk by holding too little capital relative to the risks they were carrying on their balance sheets. Many placed their firms on a hair trigger by relying heavily on short-term financing in repo and commercial paper markets for their day-to-day liquidity. They placed solvency bets (sometimes unknowingly) that their housing investments were solid, and liquidity bets that overnight money would always be available. Both turned out to be bad bets. In several cases, failed solvency bets triggered liquidity crises, causing some of the largest financial firms to fail or nearly fail. Firms were insufficiently transparent about their housing risk, creating uncertainty in markets that made it difficult for some to access additional capital and liquidity when needed.

  7. Risk of contagion. The risk of contagion was an essential cause of the crisis. In some cases, the financial system was vulnerable because policymakers were afraid of a large firm’s sudden and disorderly failure triggering balance sheet losses in its counterparties. These institutions were deemed too big and interconnected to other firms through counterparty credit risk for policymakers to be willing to allow them to fail suddenly.

  8. Common shock. In other cases, unrelated financial institutions failed because of a common shock: they made similar failed bets on housing. Unconnected financial firms failed for the same reason and at roughly the same time because they had the same problem: large housing losses. This common shock meant that the problem was broader than a single failed bank–key large financial institutions were undercapitalized because of this common shock.

  9. Financial shock and panic. In quick succession in September 2008, the failures, near-failures, and restructurings of ten firms triggered a global financial panic. Confidence and trust in the financial system began to evaporate as the health of almost every large and midsize financial institution in the United States and Europe was questioned.

  10. Financial crisis causes economic crisis. The financial shock and panic caused a severe contraction in the real economy. The shock and panic ended in early 2009. Harm to the real economy continues through today.


In total, the report and dissenting viewpoints provide a great analysis of the risk event. However, both fail to provide a forward-looking view on how such a crisis can be avoided in the future. In addition, the results of their analysis have emerged months after the U.S. Congress finalized the Dodd-Frank Financial Reform Act of 2010. Unfortunately, this is too often the case when it comes to risk management exercises. Most people will spend an inordinate amount of time debating past events rather than determining strategies to prevent emerging risk events.

Monday, January 17, 2011

Getting the Most Out of ERM

The Committee of Sponsoring Organizations of the Treadway Commission, more commonly known as COSO, released a report this month on how companies can derive the most benefit from their Enterprise Risk Management (ERM) programs.  Authored by two professors and risk practitioners from DePaul University, the report provides approaches and action steps for companies to follow as they embark on their ERM journey.  Here is a summary list of key activities to bolster the ongoing implementation of an effective ERM program.



  1. A program of continuing ERM education for directors and executives

  2. ERM education and training for business-unit management

  3. Policies and action plans to embed ERM processes into the organization’s functional units such as procurement, IT, or supply chain units

  4. Continuing communications across the organization on risk and risk management processes and expectations

  5. Development and communication of a risk management philosophy for the organization

  6. Identification of targeted benefits to be achieved by the next step of ERM deployment

  7. Development of board and corporate policies and practices for ERM

  8. Further discussion and articulation of a risk appetite for the organization and/or significant business units, including quantification

  9. Establishment of clear linkage between strategic planning and risk management

  10. Integration of risk management processes into an organization’s annual planning and budgeting processes

  11. Expansion of the risk assessment process to include assessments of both inherent and residual levels of risk

  12. Exploration of the need for a dedicated Chief Risk Officer or ERM functional unit



Wheelhouse Advisors is fully equipped to help companies with activities such as these.  For more information, please visit www.WheelhouseAdvisors.com.

Wednesday, January 12, 2011

Making the Leap from Risk Management to Risk Mindfulness

Viewpoints on the practice of risk management have changed dramatically over the past several years.  The financial crisis of 2008 as well as other high-profile catastrophes like the Gulf Oil Spill have forced companies and boards to re-examine how they are addressing potential risks to their businesses. A recent study by the Economist Intelligence Unit highlights this fact as evidenced in the following excerpt.

Risk management can be a thankless task. Just ask Paul Moore, the former head of regulatory risk at HBOS, who claimed that he was sacked because he told the bank's board that it was taking too much risk. In the wake of the financial crisis, stories that banks would sidestep risk managers in order to get deals done were legion. Risk managers with legitimate concerns about the business were ignored and regarded as a brake on growth.

Three years on, the perception of risk management has changed. In the financial services industry, there is a clear consensus that serious mistakes were made with either risk management or risk governance. In response, banks and other financial institutions are beefing up risk departments and creating new governance structures that add to the risk function's authority and independence. Boards are creating risk committees and ensuring that non-executives are providing effective oversight of the company's risk exposure. Chief risk officers are being granted powers of veto over decisions made by executive management and reporting directly into non-executive directors.

This renewed zeal for risk management extends far beyond the banking sector. Events such as the financial crisis, and more recently the oil spill in the Gulf of Mexico, have reminded senior executives that failures in risk management can prove to be extremely costly, not just to a company's financial performance, but to their own careers and, sometimes, the lives of employees. The incentive to ensure that there is a clear and consistent approach to managing risk across the enterprise has never been greater.

However, although risk management is currently enjoying an unprecedented level of authority and visibility, it remains a function in transition. Examples of companies that take a genuinely strategic approach to their risk management remain few and far between. Communication between risk functions and the broader business can sometimes be fragmented, while an enterprise-wide culture and awareness of risk can be difficult to achieve.

What is needed is a new approach to addressing risks, or what we call “Risk Mindfulness”.  “Risk Mindfulness” is a term coined by Wheelhouse Advisors as a result of discussions with many companies about their approaches to gaining a better understanding of their risk profiles.  What we have discovered is that many people have a very narrow (and sometimes negative) view of the term “Risk Management”.  The term “Risk Management” usually conjures up thoughts of insurance or compliance activities that have a very limited, historical focus on minimizing known risks.

“Risk Mindfulness” is meant to be more forward-looking and integrative.  Rather than seeking only to minimize or eliminate risk altogether, “Risk Mindfulness” supports the notion that the only bad risks are those that are not well understood and not fully incorporated in a company’s strategic plan.  Also, “Risk Mindfulness” should be company-wide and not restricted to certain individuals.  As the company as a whole becomes more mindful of how objectives will be successfully achieved given the potential risk, better decisions will be made and greater value will be realized.  To learn more about how your company can benefit from this new way of thinking, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Tuesday, January 4, 2011

The ERM Current™ - 2010 in Review

The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here's a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Wow.


Crunchy numbers



About 3 million people visit the Taj Mahal every year. This blog was viewed about 51,000 times in 2010. If it were the Taj Mahal, it would take about 6 days for that many people to see it.

In 2010, there were 94 new posts, growing the total archive of this blog to 326 posts. The busiest day of the year was March 17th with 475 views. The most popular post that day was Winds of Corporate Governance Change Are Blowing.

Where did they come from?


The top referring sites in 2010 were en.wordpress.com, google.com, search.aol.com, linkedin.com, and wheelhouseadvisors.com.

Some visitors came searching, mostly for information technology, risk, and corporate.

Attractions in 2010


These are the posts and pages from 2010 that got the most views.
  1. Ignoring Risk Management at Lehman Brothers (March 2010)

  2. FASB Chairman Steps Down (August 2010)

  3. Federal Reserve Focuses on Operational Risk (March 2010)

  4. Now is a Great Time to Discuss Risks for 2011 (September 2010)

  5. Reputation Risk Must Be Actively Managed (January 2010)

Wheelhouse Advisors Joins the Business Finance Expert Network

Business Finance Magazine recently invited John A. Wheeler, Managing Principal at Wheelhouse Advisors, to join its Expert Network as a regular columnist for its online publication, the Big Fat Finance Blog. John will be contributing articles and thought leadership on issues in Finance & Risk Management in his own blog, the Risk Vortex. Along with the other columnists, the blog is intended to arm finance professionals with innovative ideas and best practices that help finance organizations create value. For up-to-date information on the events and trends that may impact your Finance & Risk Management organizations, be sure to subscribe to the Risk Vortex.