Thursday, March 24, 2011

Understanding the 2011 Top Global Risks

Earlier this year, the World Economic Forum established a Risk Response Network ("RRN") to facilitate dialogue among global leaders about the most important risks impacting our environment and economy. Kevin Steinberg, Chief Operating Officer, World Economic Forum USA, and Head of the Risk Response Network, provided the following thoughts on the goals of the RRN. "Throughout the extreme shocks of recent years, both public and private sector leaders have been struggling to avoid collapse and keep the economy afloat. The World Economic Forum is launching the Risk Response Network: an umbrella of projects and initiatives all designed to help global leaders better understand, prepare for and respond to risk."

With the launch of this new initiative, the World Economic Forum published a report on the most critical global risks that must be addressed in 2011. This report draws upon a risk perception survey of 580 global leaders, 18 risk analysis workshops and 50 risk expert consultations resulting in an assessment of 37 global risks. The resulting analysis is very intriguing and represents a true opportunity to begin addressing risks in a more proactive manner.

Tuesday, March 22, 2011

New Standards for Assessing Risks

As more companies continue to look to external service organizations to provide non-core operational support, auditors have recognized a need for better internal control auditing standards. In the past, the primary audit standard for these external service providers was the Statement on Auditing Standards No. 70, better known as SAS 70. In the absence of another internal control audit standard, SAS 70 became the de facto standard for companies seeking assurance that their service provider was secure and well-controlled. Service providers also touted their SAS 70 reports from auditors as though they were a “Good Housekeeping” seal of approval. The main problem was that SAS 70 reports focused only on internal control over financial reporting. They did not provide any assurance on items such as information security, operational control or regulatory compliance.

To fill this vacuum, the American Institute of Certified Public Accountants has developed new standards to replace the outdated SAS 70. Now known as Service Organization Control (“SOC”) reporting standards, these new guidelines provide for three separate and unique reports to address the full complement of internal controls at an external service provider.

The first standard report, SOC 1, essentially replaces the SAS 70 report that focused solely on financial controls. However, SOC 2 and SOC 3 are new reports that will provide opinions on the effectiveness of controls related to operations and compliance. SOC 2 is a restricted use report intended for use between auditors of the service provider and their clients. SOC 3 is a general use report that can be used by the service providers in providing assurance to potential clients as a “seal of approval”.

These new reporting standards become effective June 15, 2011, so the ubiquitous SAS 70 will soon become a relic of the past. More importantly, companies will soon gain a better understanding of how well their service providers are managing their risks.

Tuesday, March 15, 2011

Viewing Risk in a Different Way

Several previous blog entries have explored the notion of approaching Risk Management in a new way. Rather than simply focusing on mitigating risk through various methods, companies and individuals alike should strive to seek a greater understanding of risk to improve their decision-making and maximize value to the organization. By doing so, an ever-present view of risk and opportunity will propel an organization from focusing purely on Risk Management to a new state of Risk Mindfulness.

David Spiegelhalter, leading risk expert and professor at Cambridge University, supports this view in a recent video (see below) that is both enlightening and humorous. Through his real-life examples, Professor Spiegelhalter provides a unique view of how we as humans typically view risk. His lessons are particularly relevant as we continue our struggle to emerge from the financial crisis of 2008. As he concludes, "One of the biggest risks is being too cautious."





Wednesday, March 9, 2011

New Breeding Ground for Risk Topics

Board members of public companies are accustomed to passing along any risk-related issues to the Audit Committee and/or Risk Committee. However, many of these directors are discovering that risk-related issues are not necessarily the specific purview of those groups. One committee in particular is becoming a breeding ground for risk topics: the Compensation Committee. With incentive programs entering the spotlight through greater disclosure about their impact on risk taking and heightened investor scrutiny, a new set of board directors needs to be concerned with risk management. Here is what a leading expert had to say recently about the change.

"Finally, an important means for compensation committees to address the risks that they now face is to ensure that they and the compensation-setting process are fully integrated into the overall risk-oversight activities of the board and the company. The financial crisis and its legislative and regulatory aftermath have focused considerable attention on the relationship between incentives in compensation programs and the risks that arise for companies, and as a result the compensation committee has become a crucial component of the risk-oversight process. The compensation committee’s attention to risks—through a periodic evaluation of the compensation program and how pay elements could create risks—has now become a regular part of the analytical framework."

How is your Compensation Committee addressing risk? Having the ability to articulate the linkage between incentive programs and a company's risk appetite is critical to proactively addressing investor concerns. If you or someone else in your company is interested in learning more about bridging this gap, contact us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, March 7, 2011

SEC Resumes Clawback of Executive Pay

Financial reporting risk has returned to the headlines with a recent announcement by the Securities & Exchange Commission ("SEC") that it will be "clawing back" prior bonus payments made to a prominent CEO who falsely certified to the effectiveness of internal controls within the company. Section 304 of the Sarbanes-Oxley Act of 2002 allows the SEC to seek reimbursement of bonus payments and/or profits from the sale of securities by certifying executives during the time period when the internal controls are found to be ineffective. Here is an excerpt from the SEC's action:

"The Securities and Exchange Commission today announced a settlement with the chief executive officer of an Atlanta-based homebuilder to recover several million dollars in bonus compensation and stock profits that he received while the company was committing accounting fraud.

According to the SEC’s complaint filed today in federal court in Atlanta, CEO Ian J. McCarthy previously failed to reimburse Beazer Homes USA Inc. for bonuses, other incentive-based or equity-based compensation, and profits from Beazer stock sales that he received during the 12-month periods after his company filed fraudulent financial statements during fiscal year 2006."

During the financial crisis of the past few years, Sarbanes-Oxley has taken a back seat to other more pressing issues. However, now that the dust has settled, we can expect to see more actions such as this one.