feb2008 monthly slides 1

Risk Advisory Services From Compliance to Competitive Edge The Paradigm Shift Leveraging Risk Investments to Improve Business 02/26/2008

Upload: nadir-hussain

Post on 20-May-2015


Page 1: Feb2008 Monthly Slides 1

Risk Advisory Services

From Compliance to Competitive Edge

The Paradigm Shift

Leveraging Risk Investments to Improve Business

02/26/2008

Page 2: Feb2008 Monthly Slides 1

1

Agenda

The Current State

Navigating Through The Confusion

What We Are Hearing About Risk

The Current State

Market Challenges

Costs and Budgeting

Risk Convergence

A Fresh Look At The “Internal Controls”

Maximizing The Role of IT In Compliance

Leading IT Practices In Successful Organizations

Page 3: Feb2008 Monthly Slides 1

2

The Current State

Navigating through The Confusion

Page 4: Feb2008 Monthly Slides 1

3

"The nice thing about standards is that there are so many of them to choose from.”

– Andrew S. Tanenbaum

Standards? What Standards?

Page 5: Feb2008 Monthly Slides 1

4

Navigating Through the Confusion

Ever-increasing Laws, Regulations, and Standards, and Multiple Frameworks

Regulators: EEOC, PCAOB, DHS, OSHA, EPA, DOJ, FRC, FTC, PTO, SEC, NASD/NYSE, IRS, EBSA

Laws, Regulations, and Standards: Section 404, CFO Act, OMB A-123, FMFIA, HIPAA, Environmental and Social, Product Liability Laws, 1933 and 1934 Securities Act, Anti-Trust Act, IFRS, E-Gov Act, IP—Protection Laws, Tax Regulations, Anti-Money Laundering Laws

Frameworks: American Productivity and Quality Center (APQC), Software Engineering Institute (Capability Maturity Model), Supply Chain Council (SCOR), COSO, COSO ERM, OCEG, COBIT, USSG, ISO, CSR

**Frequently-used examples

Logical and Coordinated Process

Business Drivers and Initiatives: Reputation and Brand; Revenue and Market Share; Asset and Capital Management; Earnings and Operating Margins

Page 6: Feb2008 Monthly Slides 1

5

Now Consider This Example:

Nicole is an equity division manager in a global bank

The work day has barely begun

Discovered that a recent spike in trading volume has jolted the firm’s trading platform, resulting in a multitude of trade breaks and delayed executions

She checks her e-mail and sees a barrage of requests to provide risk information to various departments

Compliance department wants an urgent meeting to discuss its plan to conduct several business reviews during the year

IT risk unit has sent a questionnaire on business continuity planning and data security

Internal audit is asking to review its risk assessment of her business and agree to four audits of her group in the next 12 months

How can Nicole effectively increase the top line if she is hampered by inefficient business processes?

Page 7: Feb2008 Monthly Slides 1

6

What We Are Hearing About Risk

All too confusing and overdone… Except when we get in trouble

Must do it… But how do we do it better?

Keep Us Out of Trouble

Make Our Business Better

goal

Growing Number of Restatements

Defense of Intellectual Property

Catastrophic Reputational Consequences

Bigger Fines and Settlements

OMB Management Watch List & GAO High Risk List

Effective Use of Technology

Coordinated Sales Activities - Services, Software and Hardware

Continuing Funding Of Projects

Inter-Agency Coordination & Focus On Core Mission

Optimized Governance Structure/Program Performance

Optimized Controls

Improved Risk Reporting and Disclosure

Option Backdating

Relevant Research & Development Spend

Accessing Emerging Markets

Decrease Cost of Corporate Compliance Activities

Changes in Compliance Regulations

Just-In-Time Inventory Management

Page 8: Feb2008 Monthly Slides 1

7

The Current State

Market Challenges

Page 9: Feb2008 Monthly Slides 1

8

Top Challenges: Six challenges dominate senior management agendas

Category: Includes

Improving efficiency/Program Performance: Achieving greater efficiencies in risk and control processes; inter-agency coordination; improving coordination; unifying and streamlining approaches

Challenging regulatory environment: Shifting regulatory demands, high degree of regulatory scrutiny, variation of regulations across jurisdictions

Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, raised customer expectations

Attracting and retaining talent/Human capital crisis: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies

Managing change: Dealing with people and organizational issues as new processes demand new methods of work

Fear of compliance failures and emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; identifying and preparing for future risks

Page 10: Feb2008 Monthly Slides 1

9

Top Challenges: Improving efficiency is the leading concern for all respondents followed by regulatory issues

PERCENT RESPONDING – ALL RESPONDENTS

[Bar chart. Categories: Identifying emerging risks; Fear of compliance failure; Managing change; Attracting & retaining talent; Keeping pace with business growth & complexity; Challenging regulatory environment/Implementing Basel II*; Improving efficiency. Bar values shown: 17%, 20%, 20%, 30%, 30%, 50%, 13%, 13%]

* The dark bar represents those respondents who mentioned general regulatory challenges; the light bar represents those respondents who specifically cited Basel II implementation

Page 11: Feb2008 Monthly Slides 1

10

Challenge #1: Inefficiency is acting as a “drag on the system”

There is unanimous recognition that rapid growth of business – mergers, global expansion – together with SOX and the complex regulatory environment, have resulted in inefficient structures, and redundant systems and processes

There is an extremely high desire to fix this problem

Page 12: Feb2008 Monthly Slides 1

11

Challenge #2: There is a growing frustration with regulators

Respondents see no letup in the regulatory environment – Sarbanes Oxley, Basel, privacy, HIPAA, IFRS, Anti-money Laundering etc., etc…

Organizations are pushing back

Page 13: Feb2008 Monthly Slides 1

12

Challenge #3: Keeping pace with business growth and complexity

The requirement for speed to market creates pressure on all types of fronts, from credit and market risk related approvals to compliance or regulatory or legal approvals

How do we do our part to support revenue growth and the growth of our company and have the proper risk/reward balance?

There is a proliferation of new products which are becoming increasingly sophisticated

Page 14: Feb2008 Monthly Slides 1

13

Challenge #4: The complex environment is driving the need to attract and retain talent

Definitely a major concern for the leadership

Good talent is hard to find

Competition for talent is intense, and the supply of risk professionals is not keeping up with demand

Page 15: Feb2008 Monthly Slides 1

14

Challenge #5: Dealing with people and organizational change issues is daunting

Inefficiencies, the complex regulatory and business environment, and the shortage of talent, are stressing current systems and driving demand for more robust solutions

“Moving the supertanker” requires a common understanding of risk and control procedures across the enterprise, senior management buy-in, and clear definitions of roles

People’s natural resistance to change is a constant struggle

Page 16: Feb2008 Monthly Slides 1

15

Challenge #6: Identifying emerging risks and fear of compliance failures keep many respondents up at night

Despite significant investments, many acknowledge they continue to worry about breaches in compliance due to human error, regulatory surprises, or unknown emerging risks

– “We operate in so many different jurisdictions, in 50 countries, and with various different products. We have about 130,000 employees. And if you think that everybody is doing everything they should, the way they should be doing it, you know that's not happening.”

- Head of Internal Audit, Commercial Bank

Page 17: Feb2008 Monthly Slides 1

16

The Current State

Costs and Budgeting

Page 18: Feb2008 Monthly Slides 1

17

Costs and Budgeting: Half of all respondents believe costs will continue to rise; the other half see costs stabilizing

[Chart, ALL RESPONDENTS. Labels: Don't know; Staying the same; Decreasing; Increasing. Values shown: 7%, 25%, 21%, 48%]

Reasons cited include:

Continued business growth and global expansion

Rigorous regulatory environment

Need for more expensive senior talent

Page 19: Feb2008 Monthly Slides 1

18

Costs and Budgeting: Very few can estimate time business spends on risk and control management

– “Our industry is plagued with this: we don’t have a good understanding of what our key processes are and we don’t have the ability to measure our unit costs. If you went to Toyota or Coca Cola, they have a whole science, but when you ask about processes here people look at you as if you were speaking Swahili.”

- Head of Operational Risk, Commercial Bank

Most feel that time spent in the business units is too embedded to track

Time spent depends on the job and the type of business

Page 20: Feb2008 Monthly Slides 1

19

Top Challenges: Six challenges dominate senior management agendas

Category: Includes

Improving efficiency: Achieving greater efficiencies in risk and control processes; improving coordination; unifying and streamlining approaches

Challenging regulatory environment: Shifting regulatory demands, high degree of regulatory scrutiny, variation of regulations across jurisdictions

Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, raised customer expectations

Attracting and retaining talent: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies

Managing change: Dealing with people and organizational issues as new processes demand new methods of work

Fear of compliance failures and emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; identifying and preparing for future risks

Page 21: Feb2008 Monthly Slides 1

20

Now Consider This Example:

Nicole is an equity division manager in a global bank

The work day has barely begun

Discovered that a recent spike in trading volume has jolted the firm’s trading platform, resulting in a multitude of trade breaks and delayed executions

She checks her e-mail and sees a barrage of requests to provide risk information to various departments

Compliance department wants an urgent meeting to discuss its plan to conduct several business reviews during the year

IT risk unit has sent a questionnaire on business continuity planning and data security

Internal audit is asking to review its risk assessment of her business and agree to four audits of her group in the next 12 months

How can Nicole effectively increase the top line if she is hampered by inefficient business processes?

Page 22: Feb2008 Monthly Slides 1

21

Risk Convergence – Streamlining Governance, Risk and Compliance (GRC)

Page 23: Feb2008 Monthly Slides 1

22

What Is Risk Convergence?

Common framework to assess and monitor the organization’s risks:

Reduce redundant risk management and control activities

Eliminate duplication among business units

Drive down costs

Page 24: Feb2008 Monthly Slides 1

23

Why Risk Convergence??

“It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.”

— Charles Darwin

Page 25: Feb2008 Monthly Slides 1

24

Why Risk Convergence??

Standard & Poor’s, Moody’s and other credit-rating agencies measure an Enterprise Risk Management program as a lead risk indicator and a major scoring factor.

Standard & Poor’s credit rating

Challenging to determine management capability and capacity to manage risk

Proposal to introduce enterprise risk management analysis into the corporate debt rating process

Page 26: Feb2008 Monthly Slides 1

25

Why Risk Convergence - Aligning to Your Business Drivers

Keep Us Out of Trouble/Make the Business Better

business drivers

Earnings and Operating Margins

How profitable is the organization?

Asset and Capital Management

How efficient is the organization?

Revenue and Market Share

How does the organization grow?

Reputation and Brand

Do our stakeholders have a favorable view?

Entering new markets—particularly emerging markets
Prioritizing R&D spend to ultimately align with customer needs
Integrating large scale acquisitions
Simplification of multi-element sales, e.g., software, hardware and services
Channel management

Maintaining gross margins through new product introductions
Improving operating margins
Managing warranty terms and product returns
Managing third-party contractor relationships

Improving inventory and receivable management
Coordinating supply chain/lean manufacturing
Integrating global processes and IT systems
Using finance arrangements to access new markets

Maintaining strong ethical tone at the top
Protecting and defending intellectual property rights
Managing customer and employee information, e.g., privacy concerns
Organizing regulatory compliance/governance in an efficient manner

Page 27: Feb2008 Monthly Slides 1

26

Why Risk Convergence??

Mitigate risk

Despite significant investments, compliance failures continue to represent a major threat – both monetary and reputational

Streamlining risk and control operations reduces compliance gaps and enables more effective ongoing risk management

Increase efficiency / reduce costs

Streamlining risk and control programs and processes reduces the enormous time commitments and frustration levels throughout the organization, and ultimately will result in better cost management and control

Support strategic decision-making

Greater coordination and information sharing among corporate control units and business units provides senior management and board committees with more effective multi-dimensional risk information that supports decision-making

Page 28: Feb2008 Monthly Slides 1

27

State of Convergence: All organizations are underway with some form of convergence

Terminology may vary, but all understand the concept of streamlining governance, risk and control processes

Each organization is forging its own way, based on culture, business imperatives, appetite for change, and regulatory history

Most are in the early stages and the majority of activities are driven by short-term objectives

Page 29: Feb2008 Monthly Slides 1

28

State of Convergence: There are no best practices

There are some organizations that are fairly far down the path; however, no one considers themselves ‘converged’

Currently there are no best practices or established methodologies

Most convergence activities are being led by the CFO, CRO, or the head of one or two functions

Page 30: Feb2008 Monthly Slides 1

29

State of Convergence: Efficiency is the primary driver of convergence

Desire for greater efficiency is the main driver for risk convergence

Reducing risk fatigue in the business units is considered but this has eased since the early SOX days

Surprisingly, cost reduction is not a major driver

Page 31: Feb2008 Monthly Slides 1

30

State of Convergence: Convergence is evolutionary not revolutionary

Most organizations are addressing convergence in incremental stages

The appetite for a massive enterprise transformation is low

Page 32: Feb2008 Monthly Slides 1

31

State of Convergence: People issues are the primary barriers to convergence

Overcoming people’s natural resistance to, and fear of, change is the biggest obstacle to convergence

• “People don’t like converging. In their minds it tends to dilute their efforts. If it is a significant risk to them, they want and demand the resources to deal with it.”

- CRO, Commercial Bank

Page 33: Feb2008 Monthly Slides 1

32

State of Convergence: Convergence is creating a need for more senior talent

As convergence initiatives begin to reduce redundancies and inefficiencies, organizations are finding that they need more senior talent and less junior staff

This represents a major shift in the skill base and exacerbates the shortage of talent in the industry

Page 34: Feb2008 Monthly Slides 1

33

Stages of Risk Convergence

Page 35: Feb2008 Monthly Slides 1

34

The Path to Convergence

While there is not one clear approach to convergence, companies are following somewhat similar paths

[Diagram axes: Implementation, Sophistication]

Coordination Phase: Vision defined; Redundancies being addressed; Groups interacting; Owner identified and committee formed

Alignment Phase: Reporting streamlined; Methodologies aligned

Integration Phase: Convergence institutionalized; Technology options implemented; Roles and responsibilities redefined

Page 36: Feb2008 Monthly Slides 1

35

The Path to Convergence

Most respondents are in “Coordination Phase”

[Diagram axes: Implementation, Sophistication]

Coordination Phase: Vision defined; Redundancies being addressed; Groups interacting; Owner identified and committee formed

Alignment Phase: Reporting streamlined; Methodologies aligned

Integration Phase: Convergence institutionalized; Technology options implemented; Roles and responsibilities redefined

Page 37: Feb2008 Monthly Slides 1

36

The Path to Convergence

[Diagram axes: Implementation, Sophistication]

Coordination Phase: Vision defined; Redundancies being addressed; Groups interacting; Owner identified and committee formed

Alignment Phase: Reporting streamlined; Methodologies aligned

Integration Phase: Convergence institutionalized; Technology options implemented; Roles and responsibilities redefined

As organizations make progress in reducing redundancy, they begin to tackle more difficult aspects of efficiency improvement

Page 38: Feb2008 Monthly Slides 1

37

The Path to Convergence

[Diagram axes: Implementation, Sophistication]

Coordination Phase: Vision defined; Redundancies being addressed; Groups interacting; Owner identified and committee formed

Alignment Phase: Reporting streamlined; Methodologies aligned

Integration Phase: Convergence institutionalized; Technology options implemented; Roles and responsibilities redefined

Even for those furthest along the convergence path, redefining roles, implementing new technologies, and embedding new practices remains a goal

Page 39: Feb2008 Monthly Slides 1

38

Risk Convergence Evolution - A Fresh Look at the “Internal Controls”

Effective internal control environment means:

The company is working and performing well

Communicates performance to capital markets and investors in a transparent manner

Note: Transparency and certainty over risk and internal controls in strategic, operational and financial reporting areas

Management understands major risks and has processes in place to address/mitigate these risks

Changing perception of Internal Controls

From being viewed as “burdensome” to “strategic information” for driving business decisions

Page 40: Feb2008 Monthly Slides 1

39

Do the current internal controls investments provide the following business benefits?

Page 41: Feb2008 Monthly Slides 1

40

Aligning Internal Control Investment with Risk Assessment

How frequently does the company conduct an enterprise risk assessment?

Page 42: Feb2008 Monthly Slides 1

41

What is the focus of the risk assessment?

Page 43: Feb2008 Monthly Slides 1

42

Room for improvement?

How effective are internal controls over the following financial reporting areas?

Page 44: Feb2008 Monthly Slides 1

43

How effective are internal controls over the following business and operational areas?

Page 45: Feb2008 Monthly Slides 1

44

How effective are internal controls over the following information technology areas?

Page 46: Feb2008 Monthly Slides 1

45

Where are Leading Companies Investing?

What are the key business drivers justifying future investments to strengthen internal controls?

Page 47: Feb2008 Monthly Slides 1

46

Better Understanding of Major Risk Areas

What is the impact and probability of your top strategic risks?

Impact

Insignificant: No impact on strategic objectives and only limited disruption to normal operations

Minor: Minimal disruption to one strategic objective and some impact on ability to conduct normal operations

Moderate: Disruption to achievement of one strategic objective and reduced ability to conduct normal operations

Significant: Significantly reduced ability to achieve all strategic objectives

Major: Loss of ability to achieve any strategic objectives - worst case

Probability

Expected: Over 75% chance of occurrence

Highly Likely: Between 51-75% chance of occurrence

Likely: Between 21-50% chance of occurrence

Unlikely: Between 11 - 20% chance of occurrence

Remote: less than 10% chance of occurrence

Key Strategic Risks

Inefficient management of contract manufacturer relationship (e.g. – lead times, variance accounting, etc.)

Inefficient JIT inventory management (e.g. – balancing with customer demand)

Delays in new product development

Uncertainty due to increased off-shoring and business process outsourcing

International expansion/emerging market penetration

Intense competition in mature product lines

Price/gross margin erosion

Cost/operating expense management

Intellectual property protection and defense

Large scale mergers and acquisitions

Multi-element sales contract simplification and revenue recognition

Page 48: Feb2008 Monthly Slides 1

47

Making the Business Better

Investing in a Comprehensive Control Environment

[Diagram labels: efficiency; cost investment; value; strategic; operations; financial; compliance]

Top-Down Risk Assessment & Scoping

Risk Based Testing & Evaluation

Optimization & Standardization of Controls

Leveraging Monitoring Controls

Controls Automation & Continuous Controls Monitoring

Risk Convergence - Consistent Risk & Control Framework

Coverage of Fraud Risk & Controls

Process & Controls Improvement

Page 49: Feb2008 Monthly Slides 1

48

Maximizing The Role of IT in Compliance Enterprise Risk Management

IT Integration

Continuous Controls Monitoring/ Controls Automation

Segregation of Duties

Change Management

Super User Access Rights – Identity and Access Management

Application Controls

Tools and Technologies – Seamless integration of disparate sources of information

Sophisticated Data Analytics

Page 50: Feb2008 Monthly Slides 1

49

Continuous Controls Monitoring

Another strategy for improving efficiency using IT

Automates the monitoring of financial and operational controls at the entity and transaction levels

Maximizing the full capabilities of the IT investment to control the flow of transactions and significantly leveraging these capabilities for the operating effectiveness of internal controls

Focused on application controls, segregation of duties, transactional data analysis, and IT general controls

Page 51: Feb2008 Monthly Slides 1

50

How do Companies Assess?

[Chart axes: Business Risk (Low to High), Time; labels: Audit, Continuous Monitoring]

In the Past…
• Point in Time Audits
• Reactive
• Random
• Sampling
• Generic

Moving Forward…
• Continuous
• Proactive
• Comprehensive
• Integrated
• Business Specific

Page 52: Feb2008 Monthly Slides 1

51

Leading IT Practices in Successful Organizations

Three overarching principles seen in successful organizations

Risk Management

Manage the risk of IT

Leverage IT investments to reduce other risks that organization may face

Cost Rationalization

Rationalize the cost of IT

Leverage IT investments to rationalize costs elsewhere in the organization

Value Creation

Increase the strategic and operational value being created for the business by IT

Page 53: Feb2008 Monthly Slides 1

52

Best/Leading Practices

View ODS Function

Page 54: Feb2008 Monthly Slides 1

53

Leading IT Practices in Successful Organizations

Four distinct traits seen in successful organizations

1. Strategic Alignment:

Viewing IT as a strategic commitment vs. a utility activity

Viewing IT functions as a technological framework which coordinates information, decision making, management and strategy

Achieved through executive sponsorship and linking IT to major processes and initiatives

Page 55: Feb2008 Monthly Slides 1

54

Leading IT Practices in Successful Organizations

Four distinct traits seen in successful organizations

2. Effective Governance

Achieve formal implementation of IT Governance

Representation at Board of Directors meeting

Achieved through risk and resource management, board attention, use of leading standards

Page 56: Feb2008 Monthly Slides 1

55

Leading IT Practices in Successful Organizations

Four distinct traits seen in successful organizations

3. Efficient Operations

Strategically utilize IT for revenue generating and cost saving objectives

This may include consolidating/standardizing IT functions

Achieved through revenue generating enhancements, reduction in service delivery costs, strategic and planned approach to IT function

4. Measured Performance

Facilitating strong realization of company’s performance through reporting/assessments

Page 57: Feb2008 Monthly Slides 1

56

Questions