Recent Coverage Of Risk Assessments And ERM

Below is some of the most recent Compliance Week coverage on issues related to enterprise risk management, risk assessments, continuous auditing, the COSO guidance, and more. Don't forget to access risk-related templates in our Resource Exchange. Also, see ERM columns by Richard Steinberg, who was involved in developing COSO's Enterprise Risk Management—Integrated Framework.

How Compliance and HR Can Get It Together

April 16, 2013

Compliance and human resources have always had a love-hate relationship. Now some companies are finding that getting them aligned can yield large benefits for both functions and improve the organizational culture. That collaboration, while vital, can be hard won, however. Inside, we look at ways to break down the barriers and foster better communication and cooperation between compliance and HR.
 

Internal Audit Continues a Push Into Risk Management

April 02, 2013

The role of internal audit continues to evolve. New requirements from Nasdaq and the Federal Reserve emphasize practices such as analyzing the effectiveness of risk management, monitoring compliance with stated risk tolerances, and other risk-based responsibilities. "Stakeholders are stepping up their expectations of internal auditors," says Richard Chambers, CEO of the Institute of Internal Auditors.
 

Developing an Effective Approach to Third-Party Due Diligence

March 05, 2013

More than 90 percent of reported Foreign Corrupt Practices Act cases involve third parties, such as sales affiliates and resellers, acting on the company's behalf, yet many companies focus their anti-corruption efforts on their own employees. These companies need to focus in on the riskiest business partners doing business in the riskiest nations. Inside, lessons on building an effective third-party due diligence program.
 

Info Governance: Get Data Classification Right First

March 05, 2013

Data classification is one of the most crucial elements of information governance—yet one that many companies fail to implement well. They want to put adequate security controls around the most sensitive data, but they have no process for determining what that data is, or where it resides. In part three of our six-part series on information governance, we look at common mistakes in data classification.
 

Info Governance: Crafting an Effective Data Security Policy

February 12, 2013

In this first installment of a series on information governance, we look at the hallmarks of a good data security policy. How much should it cover? Should it be tailored to specific regions or business units? Who should have a hand in crafting it? We also look at some common pitfalls, including promising too much. Details inside.
 

Top 10 Global Compliance Trends to Watch in 2013

January 02, 2013

Compliance developments outside the United States continue to have a big influence on the increasingly global operations of U.S. companies. Inside, we take a look at the top ten global compliance trends to watch for in 2013, including more U.K. Bribery Act litigation, deferred prosecutions in Britain, increased global IT attacks, renewed shareholder activism in Europe, and much more.
 

Battling Escalating Risks With Emerging Technology

November 27, 2012

Adapting to the increasing speed and complexity of risk was a common theme throughout the Compliance Week West conference earlier this month in Palo Alto, Calif. While evolving technology was touted as part of the solution, compliance officers also warned about its potential to create new problems. Follow the discussion inside.
 

Internal Audit Departments Preparing for Rapid Change in 2013

November 20, 2012

Chief audit executives are developing their 2013 audit strategy, and the plans are shaping up to look very different than they did in 2012, say audit advisers. Companies expect to devote more resources to internal audit next year, given the larger mandate to focus on areas like data security. "Internal audit is being asked to play a more active role in that space," says Jason Pett, internal audit services leader for PwC.
 

Disclosure Questions Arise After a Cyber-Attack

November 13, 2012

When hit with a cyber-attack, many companies choose to remain tight-lipped on the incident, despite guidance from the SEC that requires disclosure of cyber-security risks and attacks that result in material losses. "Companies may find that the risk of actual disclosure is much higher than the penalties for not disclosing," says Josh Walderbach, senior network security and compliance analyst at data security company LogRhythm.
 

Effective Policy Enforcement Involves Technology

October 30, 2012

Document-centric approaches to policies—that lack technology to manage communication and enforcement—are a recipe for disaster, and could actually cost companies more, since they expose them to ineffective policy management. In the latest installment of our GRC Illustrated series, we look at how IT systems can be put to work for policy management, so the compliance team can, you know, actually enforce things.
 

Managing Compliance Risks in the Supply Chain

October 23, 2012

Lapses in ethics and compliance by major suppliers or contract manufacturers not only cause embarrassment and anger consumers, as companies like Apple and Samsung can attest; they also create exposure to potential violations of anti-bribery and corruption laws. Increasingly, companies are improving processes and systems to manage risk in the supply chain. How? More details inside.
 

Sharpening Third-Party Risk Mitigation

October 16, 2012

Never has third-party risk management been as high a priority as it is in today's stringent anti-corruption enforcement environment. Yet many companies still have not refined the processes used to mitigate third-party risks. The first step is to establish a credible and defensible risk model. More details inside.
 

Identifying Compliance Risks and Trends

October 10, 2012

Analyzing data for emerging risks, trends, and remediation is no easy task. First, companies must know what data they have and where it is, and then how to turn it into useful knowledge. To help get the job done, companies are increasingly turning to governance, risk, and compliance systems that give them more visibility into risks and provide reporting to the units that manage those risks. Details inside.
 

Tyco in Hot Water Once Again After FCPA Settlement

October 02, 2012

Tyco's $27 million settlement on FCPA charges last week could be a bit dispiriting to compliance officers; after all of that company's prior troubles and attempts to improve, it's in trouble again? Take heart in the silver lining that Tyco's vigorous efforts at self-disclosure and cooperation do seem to have led to much less punishment than what could have been meted out. Our full look at the case is inside.
 

Elements of Effective Compliance

September 25, 2012

There's no shortage of guidance from regulators around the world on what a good compliance program should entail. Directives, such as the U.S. Sentencing Guidelines, are becoming more common and can pull companies in different directions. Understanding and effectively applying their shared concepts can help compliance officers meet, or even exceed, the expectations set by government entities across the globe.
 

Anti-Bribery Enforcement on the Rise

September 18, 2012

Tougher enforcement of anti-bribery laws around the world has resulted in more companies facing prosecutions, according to a new report. Globally, there were 144 new open cases related to bribery of foreign officials in 2011. "They're still not enforcing enough, but there is progress," says Gillian Dell, program manager of global outreach at corruption watchdog Transparency International, which conducted the study.
 

AML Compliance Back in the Spotlight

July 31, 2012

One explosive report about drug cartels funneling money through U.S. banks, plus one compliance officer announcing his resignation during a U.S. Senate committee hearing, and presto—anti-money laundering efforts, and the lack thereof, are back in the news. How to take a fresh look at the problem? Which firms must operate what sorts of programs? Details inside.
 

The Evolving Role of Internal Audit

July 24, 2012

Thousands of internal auditors convened in Boston earlier this month, and came away with one basic conclusion: The profession needs to expand its skills and expertise to prosper in today's data-soaked world. "We have a great challenge to push executive management and the board to respond to those changes," said Mark Carawan, chief audit executive for Citigroup. More on the state of internal audit is inside.
 

New COSO Guidance on Managing Risks From Cloud Computing

July 10, 2012

Companies looking for more help on the risks that result from cloud computing got some much needed help when the Committee of Sponsoring Organizations issued new guidance on the topic last month. The paper advises companies on how to conduct a detailed assessment of the internal and external risks long before making any decisions to move data to the cloud. Details inside.
 

FASB Calls for New Liquidity, Interest Rate Risk Disclosures

July 10, 2012

The Financial Accounting Standards Board has proposed a new standard that will require companies to present additional tables in the footnotes to explain liquidity risks, and banks to disclose their risks from potential fluctuations in interest rates. "The tables are trying to achieve a one-stop-shop view of an entity's obligations," says Chris Smith, a partner with audit firm BDO USA.
 

Companies Struggle to Manage Third-Party Corruption Risk

June 19, 2012

Compliance departments are increasingly uneasy about their exposure to bribery risks, and many say they are still not up to snuff when it comes to eliminating facilitation payments and policing third parties. "In general, companies are still incredibly uncomfortable about the process of managing third parties," says Bill Pollard, a partner in Deloitte's Foreign Corrupt Practices Act consulting practice.
 

The Metrics System: Measuring Compliance Effectiveness

June 12, 2012

Compliance officers are under increasing pressure to demonstrate to senior officers, their boards, and regulators that the compliance function works. That means finding ways to measure compliance program effectiveness. At the Compliance Week 2012 conference, compliance executives shared their approaches to capturing and reporting compliance metrics. Details inside.
 

Risk-Management Failures Highlight the Need for More Scrutiny

June 05, 2012

As recent problems at Walmart and JPMorgan indicate, companies still have more work to do on refining risk-management systems. A new survey from research firm Lexakos finds that companies are expanding risk-management committees to include more functions. Yet nearly half of those surveyed say they don't have a dedicated chief risk officer, and 43 percent say it's not a budget priority. More survey results inside.
 

Best Buy Debacle Offers Lessons in Crisis Management

May 30, 2012

When allegations arise against a CEO of an inappropriate relationship or other misdeeds, the compliance officer is often forced into a difficult balancing act. The CCO, in assisting the board, must weigh the need for quick action with the need for a thorough and fair investigation. Best Buy recently faced such a situation, and how the company responded may serve as a model for good crisis management. Details inside.
 

Electronic Information Deluge Putting a Strain on Records Management

May 22, 2012

Despite increased resources and good intentions, companies are still fumbling when it comes to executing a comprehensive information management program that balances the unique needs of physical and electronic documents. A recent survey from Iron Mountain found that nearly three-quarters of respondents said they lacked a cohesive, multi-year strategy for records and information management. More survey results inside.
 

Maintaining an Effective Compliance Program

May 22, 2012

Building out a first-rate compliance program is no easy task, but it's still only the start of the process. Maintaining its effectiveness by keeping up with rapidly changing regulations, assessing compliance gaps and filling them, and mitigating ongoing compliance risks are all necessary to ensuring that a compliance program stays on track. Details inside.
 

JPMorgan Loss Illustrates Difficulties of Adopting the Volcker Rule

May 22, 2012

JPMorgan Chase's $3 billion loss on derivatives trades has reignited a debate over what the final version of the Volcker Rule should include. A problem flagged by the bank's debacle is that there is no clear-cut answer to whether its actions would have violated the rule in its current form. "The fact is that proprietary trades and hedges look very much alike," says Peter Wallison, former general counsel of the Treasury Department.
 

Integrating Risk Appetite and Risk Management

May 15, 2012

Three years after the financial crisis, it's clear that companies still struggle with how to manage risk in the organization; just ask JPMorgan. Part of the difficulty: Getting a handle on risk across the organization is a complex undertaking which requires a careful balancing act. Integrating a formal statement of risk appetite with the risk-management program is an important step. Details inside.
 

Recipe for Anti-Corruption Successes: Due Diligence, Diverse Messaging

May 08, 2012

Much goes into doing anti-corruption properly, but there are four broad categories that top companies focus on: assessing corruption risks, devising controls against them, implementing those controls and procedures with the local workforce, and then following up with constant monitoring. Inside, more lessons for building an effective anti-corruption program.
 

Enterprise GRC Systems: Ready When You Are

May 01, 2012

After years of industry consolidation, integrated enterprise governance, risk, and compliance systems are ready for prime time. The systems can produce sophisticated risk analytics, real-time reports, and alerts on control failures. To take advantage of these GRC system features, however, internal processes must be thoroughly understood and cataloged. Details inside.
 

Finding FCPA Violations in Employee Expense Reports

May 01, 2012

Travel and entertainment expenses have long been a haven for abuse, but since the dollar amounts are often insubstantial, companies don't always pay close attention to them. Companies are now finding, though, that they can be a conduit for bribes. "If T&E goes unchecked, it can make a company susceptible to allegations of corruption," says Andrew Levi, head of the Miami office at investigation firm Nardello & Co. How to root out fraud? More inside.
 

International Compliance Programs: Think Globally, Act Locally

April 24, 2012

Squaring the need for a single global ethics and compliance program with the diverse range of cultures around the world has never been easy. Monitoring and reporting tools help, but there's no substitute for in-person visits. "All too often compliance teams make themselves unapproachable. You have to avoid that at all costs," says Greg Triguba, principal at Compliance Integrity Solutions.
 

Remaking Internal Audit to Focus More on Strategic Risks

April 10, 2012

Once upon a time, internal audit departments were busy enough with reviewing financial statements and Sarbanes-Oxley compliance. But as company risks have exploded in recent years, the modern audit department has had to reconfigure its skills and priorities to match. The emerging result: audit departments pressured to understand what drives the business and to build deeper relationships with top managers. More inside.
 

Risk Study Outlines Strategic Shift

April 03, 2012

A new study of corporate risk-management efforts has spotlighted a burgeoning effort to shift toward a more strategic, board-level, "are we prepared to recover?" approach that might help companies withstand today's risk environment. "Risks are more interconnected, and the ramifications of risk are happening at a faster pace than they ever have in the past," says Ken Coy, U.S. leader for PwC's governance, risk, and compliance practice.
 

Many Struggling With Risk Disclosures

April 03, 2012

Two years after the Securities and Exchange Commission enacted new proxy disclosure rules requiring companies to reveal more about how their boards oversee risk, many companies are still struggling with how to communicate aspects of their risk-management programs effectively. According to a recent study, disclosures are too basic and lack details on the company's approach to risk.
 

A Holistic Approach to Diagnosing Corruption

March 06, 2012

Companies with the most sophisticated anti-corruption capabilities do more than resolve the issue and identify its direct cause; they also periodically examine their entire portfolio of corruption issues to better understand how those issues all interact. Inside, the latest installment of our GRC Illustrated series offers insights on the challenges of corruption issue management.
 

Rethinking Supply Chain Risk Management Strategies

February 22, 2012

Companies such as Cisco Systems are working to get more visibility into, and control over, supply chain disruption risks. The strategy: invest heavily in analytics and build risk management into the supply chain's design and planning phase. Other businesses, alas, still lag. "Overall, most companies don't have a strategy for managing supply chain risks," says Jerry O'Dwyer, a principal at Deloitte.
 

Third-Party Corruption Risk: What You Should Know

January 31, 2012

Want to know one of the surest ways to strengthen your organization's anti-corruption capabilities? Start by discovering what you do not understand about the third parties that help you do business abroad. In the latest installment of our GRC Illustrated series, we offer some insights on how to get started on assessing third-party corruption risk.
 

SEC Calls for Companies to Disclose Europe Debt Exposure

December 13, 2011

Staff members of the Securities and Exchange Commission revealed the top items they are paying close attention to during filing reviews, including exposure to the European debt crisis, pension accounting, and goodwill impairment. The SEC is looking carefully at how troubles abroad might affect companies and how they are explaining it to investors, said staff members at a recent conference. Details inside.
 

Boards Continue to Struggle With Oversight of Risk Management

September 27, 2011

A new report suggests that boards haven't done all they would like to tackle risk-management issues. More than half of those surveyed say they don't spend enough time on them, and about the same amount say their companies still don't have a chief risk officer. Meanwhile, more than 60 percent say that personal liability risks for directors are increasing. More survey results inside.
 

Getting a Grip on 'People Risk'

September 07, 2011

A new report from the Conference Board analyzes the emerging category of "human capital risk" and how compliance departments can help steer management clear of that strategic business threat. "There is a huge opportunity for the business, HR, and risk and compliance to think much more strategically about human capital," says Mary Young, one of the authors of the report.
 

Studies Find Internal Audit Lacking in Leadership Skills

August 16, 2011

Two recent studies, one from the Institute of Internal Auditors and another from PwC, find that the internal audit profession lacks the "soft" skills needed in contemporary corporate life, such as critical thinking, communication, and leadership. "Internal audit needs to be part of a much more complex business environment, and it needs the skills to do that," says Jason Pett, a partner with PwC. More results inside.
 

Improving Risk Assessments and Audit Operations

June 07, 2011

OK, you've been managing Sarbanes-Oxley compliance for years and your internal controls over financial reporting are solid. What's next for the internal audit team? How do you monitor other risks? Audit and compliance executives from Disney, Office Depot, Timken, and elsewhere gave attendees at Compliance Week 2011 a glimpse into their programs. Full coverage inside.
 

High-Profile Data Breaches Raise Security Alerts

May 03, 2011

The data security theft at Sony, which compromised the personal information of as many as 77 million users, is just the latest in a string of attacks on corporate databases. Even before that breach, Treasury officials were urging companies, especially those in the financial sector, to conduct periodic risk assessments of their information security programs and to institute other safeguards. Details inside.
 

Study: Internal Audit Needs to Expand Its Horizons

March 22, 2011

A sweeping new study from the Institute of Internal Auditors paints quite a picture for the future of internal auditors: a world of younger, better-educated professionals who should focus more on risk and governance—and on their communications skills. Full details inside.
 

This Proxy Season, Excluding Shareholder Proposals Gets Trickier

March 08, 2011

Two significant trends about which shareholder proposals companies can or cannot exclude from the proxy statement are already setting the tone for this year's proxy season; companies should read regulators' response letters carefully to stay on top of developing precedents.
 

Report: Compliance Risks Growing in Emerging Markets

February 15, 2011

Compliance and integrity risks are rising for acquisitions, investments, and joint ventures in emerging markets, a recent study by Deloitte finds. "Companies are either reevaluating the costs and benefits of these deals, or are scuttling those that present unacceptably high risks," says Ed Rial of Deloitte. More survey results inside.
 

Using the New COSO Risk-Management Guidance

February 15, 2011

Last month the Committee of Sponsoring Organizations issued two reports designed to help companies improve their enterprise risk management processes. Inside, columnist Richard Steinberg culls the reports for valuable nuggets for getting ERM started or for improving an existing program.
 

Take Advantage of the Hiatus In Corporate Governance Changes

February 08, 2011

This year, what wasn't on the agenda at the World Economic Forum in Davos might be as important as what was. The absence of executive compensation and Wall Street regulatory reform topics may signal a period of calm in corporate governance changes. Inside, columnists Stephen Davis and Jon Lukomnik give advice on how to take advantage of the hiatus.
 

Directors Still Failing to Bring Risk Oversight Up to Par

February 01, 2011

Two new studies published by COSO indicate that boards still lag when carrying out their risk oversight responsibilities. The reports say directors are too confident in management's ability to manage risk and that risk management processes are still too informal. More survey results inside.
 