Recent Coverage Of Risk Assessments And ERM

Below is some of the most recent Compliance Week coverage on issues related to enterprise risk management, risk assessments, continuous auditing, the COSO guidance, and more. Don't forget to access risk-related templates in our Resource Exchange. Also, see ERM columns by Richard Steinberg, who was involved in developing COSO's Enterprise Risk Management—Integrated Framework.

Study: Internal Audit Needs to Expand Its Horizons

March 22, 2011

A sweeping new study from the Institute of Internal Auditors paints quite a picture for the future of internal auditors: a world of younger, better-educated professionals who should focus more on risk and governance—and on their communications skills. Full details inside.
 

Using the New COSO Risk-Management Guidance

February 15, 2011

Last month the Committee of Sponsoring Organizations issued two reports designed to help companies improve their enterprise risk management processes. Inside, Columnist Richard Steinberg culls the reports for valuable nuggets for getting ERM started or for improving an existing program.
 

Directors Still Failing to Bring Risk Oversight Up to Par

February 01, 2011

Two new studies published by COSO indicate that boards still lag when carrying out their risk oversight responsibilities. The reports say directors are too confident in management's ability to manage risk and that risk management processes are still too informal. More survey results inside.
 

Shareholders, Be Careful What You Wish For

October 19, 2010

There’s no doubt shareholders have made great strides in gaining more information and power. They’ve won more disclosure on a series of points, including the experience and skills of director candidates, what the board does to oversee risk management, the role of compensation consultants, and the structure of board leadership, just to name a few. Yes, shareholders have worked long and hard to obtain relevant information, and to wield greater influence on what happens in the boardroom.
 

Did Mark Hurd Deserve to Be Fired From HP? Yes

September 21, 2010

As Compliance Week readers know, Mark Hurd, the hard-charging chief of Hewlett-Packard—who through acquisitions, layoffs, and cost cutting raised the company’s fortunes—was recently fired. The surrounding circumstances are the stuff of tabloids, including allegations of sexual harassment by a female consultant. We may never know exactly what transpired, and we probably don’t need to. But there are some lessons here worth examining.
 

Common Questions About GRC, and Some Answers

August 24, 2010

Earlier this summer I participated on a panel at the Institute of Internal Auditors international conference, held this year in Atlanta. The subject of the panel was governance, risk, and compliance, covering a range of matters raised by the moderator and enthusiastic participants. Compliance Week readers often have similar issues on their minds, so I’d like to share my responses to some of the questions raised. Since I don’t have notes, I’ll do my best in reconstructing my remarks.
 

As Companies Weigh Growth Strategies, Audit Committees Sharpen Focus on Risks and Controls

KPMG, August 17, 2010

To quote just one of the 1,200 directors and business leaders attending our recent 28-city Audit Committee Roundtable Series: “Every company should be taking a step back and thinking hard about where it needs to go, and its strategy for getting there. And every audit committee needs to be asking, what are the risks in our growth strategy, and where are the controls?”
 

Shop Talk: When Compliance and Legal Intersect

August 10, 2010

Any chief compliance officer worth his or her salt knows that the compliance function is supposed to report directly to the CEO or the audit committee—and that idea sounds great in theory. Most corporations, however, are not hurrying to achieve that transition.
 

The Need for Standards in Accounting Control Frameworks

Tim Leech, Guest Columnist, July 20, 2010

When the Securities and Exchange Commission first published guidance on how to comply with the infamous Section 404 of the Sarbanes-Oxley Act, which requires companies to assess and disclose the strength of their internal control over financial reporting, the agency pointed to the Committee of Sponsoring Organizations’ 1992-era Internal Control-Integrated Framework as an example of a “suitable” control assessment framework. At the time, the agency did also state that other control frameworks met its suitability criteria, but the strong endorsement of the SEC (and the Public Company Accounting Oversight Board) has resulted in the now-dated COSO framework becoming, for all intents and purposes, the only official control criteria public companies use to assess the effectiveness of their accounting controls.
 

How Did BP’s Risk Management Lead to Failure?

July 20, 2010

We all know the damage caused so far by the explosion of BP’s Deepwater Horizon offshore oil rig in April: 11 workers killed, economic ruin across the Gulf Coast states, environmental ruin along the Gulf Coast itself. And efforts to stop the continuing undersea oil spill keep falling far short of the solution that’s desperately needed.
 

Shop Talk: Compliance Risks in New Data Technologies

July 07, 2010

Forward-thinking companies know that the next generation of data technology—online social media services, cloud computing, shared data storage centers, and the like—can be valuable business tools if used wisely.
 

Learning From the Goldman Sachs Debacle

June 29, 2010

I’m pleased to be participating—for the fifth time—in Compliance Week’s annual conference. Saying that makes me feel a bit like Phil Connors, the weatherman played by Bill Murray in the movie “Groundhog Day,” who had to repeat the same day over and over again, until he finally got it right. In my case, I hope the folks at Compliance Week keep inviting me back, based on their assumption that, while I still haven’t gotten it right, I eventually might!
 

SEC Clawback Suit Pushes Liability Under SOX 304

June 22, 2010

A federal district court judge is letting the Securities and Exchange Commission proceed with a novel lawsuit testing just how far the agency can go to claw back compensation executives receive improperly.
 

When to Consider Splitting CEO, Chairman Roles

June 22, 2010

The question of whether to combine the roles of board chairman and CEO or to separate them generates robust debate, with visceral feelings and often-strained relationships. Many institutional investors and leading governance experts, and indeed many sitting directors, argue in favor of splitting the jobs; many CEOs holding the chairman title insist their authority and the company itself would be badly damaged should they be forced to wear only one hat.
 

From Risk Assessment to Risk Scenario Analysis

June 15, 2010

Today’s volatile markets and sluggish economy have strained companies’ traditional risk-forecasting techniques to the breaking point—and many have just outright broken down, according to a recent Webcast hosted by Deloitte.
 

Breaking Down the Risk-Assessment Process

June 15, 2010

The Compliance Week 2010 conference provided a series of “conversations” on risk assessment that revealed how far along leading companies have come in implementing that process, and gave some valuable insight into how executives can improve the information that boards of directors need to exercise their risk-management role.
 

Managing, Mitigating Third-Party Risks

June 08, 2010

For most companies these days, working with third parties is critical to doing business. But at a time when anti-corruption enforcement has never been more stringent, those third parties can also pose huge risks.
 

Tips for Structuring the Compliance Department

June 08, 2010

The structure of corporate compliance departments has become a hot topic lately, thanks in particular to amendments to the U.S. Sentencing Guidelines that put a spotlight on compliance officers’ reporting authority and independence.
 

Wall Street Can Learn From WaMu’s Meltdown

May 18, 2010

At hearings of the Senate Permanent Sub-committee on Investigations looking into causes of the financial crisis, Kerry Killinger, CEO of the now-defunct bank Washington Mutual, contended that his company hadn’t been treated fairly. Documents were released that disclosed how he compared liquidity to oxygen—which, he complained, was provided to other banks in distress, but not to WaMu.
 

Survey: IT Risk, IFRS Are Internal Auditors’ Top Worries

April 27, 2010

A new survey of internal auditors finds that they are most concerned about improving their mastery of IT risks and global accounting standards, but seem to be less worried about their expertise in enterprise risk management.
 

Composing a Competent Board of Directors

April 20, 2010

Does your company have the right directors comprising the board? As a member of the senior management team, it’s certainly of concern to you—and of course the company’s shareholders—to determine whether the men and women providing corporate oversight do the job well. And board members themselves, as they look around the boardroom table, must be comfortable that fellow directors are people you can “go to war” with, your reputation (and possibly personal assets) in their hands.
 

Shop Talk: Compliance in Life Sciences

April 13, 2010

Corporate compliance in the life sciences industry can be quite the headache these days.
 

Study Probes Increase in Class-Action Settlements

April 06, 2010

The pace of class-action securities settlements crept up last year and the actual payouts of those deals ballooned 35 percent, a probable harbinger of more litigation to come.
 

Tips on Evaluating, Managing Liquidity Risks

March 30, 2010

Corporate America now knows the menace of liquidity risks all too well, thanks to the financial crisis that gripped Wall Street in 2008. Actually evaluating and managing those risks, however, is still mostly a mystery.
 

Eli Lilly Beefs Up Compliance, Adds Four New Positions

March 23, 2010

Pharmaceutical giant Eli Lilly & Co. has agreed to create four new senior-level ethics and compliance positions as part of a deal to settle various shareholder lawsuits stemming from the illegal marketing and promotion of a handful of its drugs.
 

Managing Supply Chain Risks

March 23, 2010

As the sluggish economy continues to take a heavy toll on manufacturing, global corporations are stepping up scrutiny of the integrity and resiliency of their complex supply chains.
 

Split Opinions on Internal Audit Scrutinizing Compliance

March 23, 2010

Internal auditors and chief compliance officers appear to have differing opinions about the internal audit department’s ability to assess risk and compliance functions.
 

Learning From Culture Mistakes at Toyota, J&J

March 23, 2010

Oh, how the mighty have fallen—or at least seen their reputations for quality products and “doing the right thing” for customers badly damaged. Let’s take a look at two recent high-profile cases.
 

Shop Talk: Fostering a Strong Anti-Fraud Effort

March 09, 2010

Statistics differ over whether or not fraud rises in a difficult economy. For ethics and compliance officers, however, the true answer is also somewhat beside the point: the challenges of fighting fraud are rising, regardless.
 

Choosing the Right Risk-Management Framework

March 02, 2010

Every chief compliance or chief risk officer knows how a company gets started on risk management. First, senior executives and the board dodge the question. Then some risk they didn’t foresee suddenly goes sour. Then they panic and decide that enterprise risk management is the company’s salvation.
 

Study: ERM Programs Improving

February 23, 2010

Good news for chief risk officers: enterprise risk management programs appear to be improving.
 

Risk of Failing to Understand ERM Risks

February 23, 2010

In the 1996 movie “Mother,” Albert Brooks plays John Henderson, a writer of questionable talent, who’s just been through his second divorce, due to his fundamental inability to relate to women. To probe his back-to-back marital failures, Brooks moves in with his mother, Beatrice, played by Debbie Reynolds, to examine his most important female relationship, and the source (he believes) of his problems. John and Beatrice’s relationship is unlike any mother-son relationship with which most of us are familiar, perhaps epitomized by Beatrice’s unthinking reference to John, when introducing him to friends, as her “other” son. At one point, Beatrice reassuringly offers John a rote platitude, saying, “I love you.” Not missing a beat, John caustically replies, “I know you think you do, Mother!”
 

Providing Directors the Risk Information They Need

February 17, 2010

My column last month outlined the kind of information boards of directors need to execute their responsibilities, viewed from the director’s perspective. This month I want to continue that discussion, but looking at the opposite side of the coin: what information chief executives, chief compliance officers, chief risk officers, and other top executives should be providing to help directors in their oversight activities.
 

Brave New World of Risk Confronts Financial Firms

February 02, 2010

On Jan. 13, 2010, Compliance Week and Deloitte presented an exclusive editorial roundtable about the risk challenges facing compliance and risk executives in the financial sector. The biggest concern among participants at the forum, which was held at The Ritz Carlton in New York City, is trying to predict what regulators want from them and how to meet regulatory demands. Moderated by CW Editor-in-Chief Matt Kelly, and featuring Deborah Parker Bailey, Director of the Governance, Regulatory & Risk Strategies Practice at Deloitte, and Scott Baret, a partner with Deloitte’s Regulatory & Capital Markets division, the roundtable encouraged participants to share their concerns and offer up some solutions. The following article provides readers with a full recap of their discussion.
 

How to Manage Communication About Risks

January 20, 2010

Every corporate director knows he or she needs relevant information to carry out oversight responsibilities effectively. But it’s not easy to know exactly what that information should be, the form it should take, or where it should come from. Unfortunately, experience shows that too often boards of directors don’t sufficiently focus on these issues, get caught by surprise, and pay a high price.
 

The Increasing Risk of Procurement Fraud

January 05, 2010

Of all the forms of white-collar crime, procurement fraud is probably the least visible yet the most costly. That’s largely because it’s a hidden byproduct of seemingly legitimate transactions, often involving millions of dollars, between a business and supposedly legitimate vendors. What’s more, the organizations victimized by procurement fraud often don’t report it and choose to settle privately with the alleged culprits.
 

What’s Coming in Governance in 2010

December 15, 2009

Adhering to a year-end tradition, once again I offer a wish list of governance enhancements I’d like to see in the coming year. So, with fireplace aglow and coffee-mug close by, here’s what we can hope for in 2010.
 

Shop Talk: Metrics for Risk, Compliance

December 08, 2009

The following executives participated in the Nov. 17 roundtable on what metrics to use when measuring risk and compliance. The roundtable, held at the Plaza Hotel in New York City, was moderated by CW Editor-in-Chief Matt Kelly, and featured Michael Duffy, President of OpenPages. Panelists were encouraged to discuss the challenges they face when measuring risk and what metrics they have employed for top-notch enterprise risk management. The following article provides readers with an in-depth look at their discussion.
 

Risk Velocity, the Unknown Dimension in ERM

December 08, 2009

Risk is a full-bodied presence in the boardroom and the C-suite, so it’s time risk management stopped being two-dimensional. Let’s add a third dimension to risk measurement.
 

Board of Directors’ Hot Buttons

November 17, 2009

With memories of the financial crisis still fresh in our minds and questions of “Where were the boards?” still abounding, today’s directors face extraordinary challenges.
 

Survey: How Mature Is Your Compliance Function?

November 10, 2009

Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks corporations face.
 

Grappling With the Future of Internal Audit

November 03, 2009

Without question, the internal auditing function is experiencing profound transformation these days. But transforming into what still seems a mystery.
 

Weighing the Options of e-Discovery Programs

October 20, 2009

Controlling e-discovery costs while minimizing litigation risks are two of the greatest challenges that in-house lawyers face—challenges that most companies aren’t equipped to handle.
 

New Models for Broken Board Governance System

October 20, 2009

To say that these are challenging times to be a corporate director is an understatement. Shareholders are clamoring for greater ability to determine what happens in the boardroom and who sits in the seats; the SEC is proposing a host of new rules requiring a broad range of expanded disclosures; the pace of new lawsuits continues unabated. All this occurs with memories still fresh of the financial system’s near collapse, against a backdrop of an economy still struggling to emerge from the “Great Recession.”
 

S&P Plans for ERM Evaluations Falter

October 13, 2009

Standard & Poor’s much-touted plan to evaluate companies’ risk management efforts as part of its credit-rating decisions seems to have stalled, as S&P analysts figure out how to scrutinize risk management and whether it’s worth the extra burden to companies.
 

Why ERM Fails at Small Companies

Bill Stephens, October 06, 2009

In my 34 years of experience as an internal auditor, I’ve seen a wide variety of enterprise risk management control failures. And to my thinking, they all share one common denominator: a failure by the board or the CEO to implement an effective ERM program that addressed the right risks.
 

Managing Risk in the Financial Sector

September 29, 2009

On Sept. 16, 2009, Compliance Week and Navigant Consulting presented an exclusive editorial roundtable about compliance practices at financial services firms. A top concern among the executives who appeared at the forum, held at The Mandarin Oriental Hotel in Boston, was how to ensure that compliance and risk-management programs keep pace with new and evolving regulatory changes in a challenging economy. Moderated by CW Editor-in-Chief Matt Kelly, and featuring Daniel Bender and John Schneider, director and managing director of Navigant Consulting, respectively, the roundtable encouraged panelists to discuss compliance challenges and solutions. The following article provides readers with an in-depth look at their discussion.
 

Comments Are in on SEC’s Proxy Disclosure Proposal

September 22, 2009

The Securities and Exchange Commission has received a flood of suggestions, complaints, praise, and other comments for its sweeping plans to revamp corporate proxy disclosures.
 

All Our Governance Mistakes, in One News Cycle

September 22, 2009

Like most people, I read the daily news … and, unfortunately, little shocks me anymore. Recently, however, I was especially distressed to read—in just one day—how many major companies were found to have gone terribly wrong! The reports shed light on what goes on behind closed doors, and how these organizations’ tone at the top had become so tainted.
 

The Shareholder Rights Express Rolls On

August 18, 2009

Well, the shareholder rights express continues to roll down the track.
 