1. Risk Advisory Services
02/26/2008
From Compliance to Competitive Edge
The Paradigm Shift to Improve Business Leveraging Risk Investments
2. Agenda
The Current State
  Navigating Through The Confusion
  What We Are Hearing About Risk
  Market Challenges
  Costs and Budgeting
Risk Convergence
A Fresh Look At The “Internal Controls”
Maximizing The Role of IT In Compliance
Leading IT Practices In Successful Organizations
4. Standards? What Standards?
"The nice thing about standards is that there are so many of them to choose from.”
– Andrew S. Tanenbaum
5. Navigating Through the Confusion
[Figure: regulators, frameworks, business drivers and initiatives, and laws/regulations/standards clustered around the organization. The labels recovered from the chart are listed below; the slide marks the lists as frequently-used examples.]
Regulators: SEC, EEOC, OSHA, FRC, NASD/NYSE, PCAOB, EPA, FTC, DOJ, PTO, IRS, DHS, EBSA
Frameworks: COSO, OCEG, COBIT, ISO, American Productivity and Quality Center (APQC), Supply Chain Council (SCOR), Software Engineering Institute (Capability Maturity Model)
Business Drivers and Initiatives: ERM, Asset and Capital Management, Earnings and Operating Margins, Revenue and Market Share, Reputation and Brand, Coordinated Process
Laws, Regulations, and Standards: Section 404, IFRS, Environmental Laws, USSG, CFO Act, E-Gov Act, OMB A-123, IP Protection Laws, Product Liability Laws, FMFIA, HIPAA, Tax Regulations, 1933 and 1934 Securities Acts, CSR, Anti-Money Laundering Laws, Anti-Trust Act, Environmental and Social
Ever-increasing Laws, Regulations, and Standards, and Multiple Frameworks
6. Now Consider This Example:
Nicole is an equity division manager in a global bank
The work day has barely begun
She has discovered that a recent spike in trading volume has jolted the firm’s trading platform, resulting in a multitude of trade breaks and delayed executions
She checks her e-mail and sees a barrage of requests to provide risk information to various departments
The compliance department wants an urgent meeting to discuss its plan to conduct several business reviews during the year
The IT risk unit has sent a questionnaire on business continuity planning and data security
Internal audit is asking her to review its risk assessment of her business and agree to four audits of her group in the next 12 months
How can Nicole effectively increase the top line if she is hampered by inefficient business processes?
7. What We Are Hearing About Risk
[Figure: themes heard from respondents, arranged under two headings. Labels recovered from the chart, grouped as they appear:]
Keep Us Out of Trouble: growing number of restatements; bigger fines and settlements; changes in compliance; continuing defense of funding projects; regulations; option backdating; corporate compliance management activities; OMB watch list and GAO high risk list; catastrophic reputational consequences
Make Our Business Better: inter-agency coordination; coordinated sales activities (services, software and hardware); focus on core mission; optimized effective use of technology; relevant controls; intellectual property; research and development spend; decreased cost of accessing emerging markets; just-in-time inventory management; optimized risk governance structure/program; improved reporting and disclosure; performance
“All too confusing and overdone… Except when we get in trouble”
“Must do it… But how do we do it better?”
9. Top Challenges: Six challenges dominate senior management agendas
Category: Includes
Improving efficiency/Program Performance: Achieving greater efficiencies in risk and control processes; inter-agency coordination; improving coordination; unifying and streamlining approaches
Challenging regulatory environment: Shifting regulatory demands, high degree of regulatory scrutiny, variation of regulations across jurisdictions
Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, raised customer expectations
Attracting and retaining talent/Human capital crisis: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies
Managing change: Dealing with people and organizational issues as new processes demand new methods of work
Fear of compliance failures and emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; identifying and preparing for future risks
10. Top Challenges: Improving efficiency is the leading concern for all respondents, followed by regulatory issues
Percent responding (all respondents):
Improving efficiency: 50%
Challenging regulatory environment / Implementing Basel II: 30% general regulatory challenges, 13% specifically Basel II implementation *
Keeping pace with business growth & complexity: 30%
Attracting & retaining talent: 20%
Managing change: 20%
Fear of compliance failure: 17%
Identifying emerging risks: 13%
* The dark bar represents those respondents who mentioned general regulatory challenges; the light bar represents those respondents who specifically cited Basel II implementation
11. Challenge #1: Inefficiency is acting as a “drag on the system”
There is unanimous recognition that rapid growth of business (mergers, global expansion), together with SOX and the complex regulatory environment, has resulted in inefficient structures and redundant systems and processes
There is an extremely high desire to fix this problem
12. Challenge #2: There is a growing frustration with regulators
Respondents see no letup in the regulatory environment: Sarbanes Oxley, Basel, privacy, HIPAA, IFRS, Anti-money Laundering etc., etc…
Organizations are pushing back
13. Challenge #3: Keeping pace with business growth and complexity
The requirement for speed to market creates pressure on all types of fronts, from credit and market risk related approvals to compliance or regulatory or legal approvals
How do we do our part to support revenue growth and the growth of our company and have the proper risk/reward balance?
There is a proliferation of new products which are becoming increasingly sophisticated
14. Challenge #4: The complex environment is driving the need to attract and retain talent
Definitely a major concern for the leadership
Good talent is hard to find
Competition for talent is intense, and the supply of risk professionals is not keeping up with demand
15. Challenge #5: Dealing with people and organizational change issues is daunting
Inefficiencies, the complex regulatory and business environment, and the shortage of talent are stressing current systems and driving demand for more robust solutions
“Moving the supertanker” requires a common understanding of risk and control procedures across the enterprise, senior management buy-in, and clear definitions of roles
People’s natural resistance to change is a constant struggle
16. Challenge #6: Identifying emerging risks and fear of compliance failures keep many respondents up at night
Despite significant investments, many acknowledge they continue to worry about breaches in compliance due to human error, regulatory surprises, or unknown emerging risks
– “We operate in so many different jurisdictions, in 50 countries, and with various different products. We have about 130,000 employees. And if you think that everybody is doing everything they should, the way they should be doing it, you know that's not happening.”
- Head of Internal Audit, Commercial Bank
18. Costs and Budgeting: Half of all respondents believe costs will continue to rise; the other half see costs stabilizing
All respondents:
Increasing: 48%
Decreasing: 21%
Staying the same: 25%
Don't know: 7%
Reasons cited include:
Continued business growth and global expansion
Rigorous regulatory environment
Need for more expensive senior talent
19. Costs and Budgeting: Very few can estimate the time business spends on risk and control management
Most feel that time spent in the business units is too embedded to track
Time spent depends on the job and the type of business
– “Our industry is plagued with this: we don’t have a good understanding of what our key processes are and we don’t have the ability to measure our unit costs. If you went to Toyota or Coca Cola, they have a whole science, but when you ask about processes here people look at you as if you were speaking Swahili.”
- Head of Operational Risk, Commercial Bank
20. Top Challenges: Six challenges dominate senior management agendas
Category: Includes
Improving efficiency: Achieving greater efficiencies in risk and control processes; improving coordination; unifying and streamlining approaches
Challenging regulatory environment: Shifting regulatory demands, high degree of regulatory scrutiny, variation of regulations across jurisdictions
Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, raised customer expectations
Attracting and retaining talent: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies
Managing change: Dealing with people and organizational issues as new processes demand new methods of work
Fear of compliance failures and emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; identifying and preparing for future risks
23. What Is Risk Convergence?
Common framework to assess and monitor the organization’s risks:
Reduce redundant risk management and control activities
Eliminate duplication among business units
Drive down costs
24. Why Risk Convergence??
“It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.”
— Charles Darwin
25. Why Risk Convergence??
Standard & Poor’s, Moody’s and other credit-rating agencies measure an Enterprise Risk Management program as a lead risk indicator and a major scoring factor.
Standard & Poor’s credit rating
Challenging to determine management capability and capacity to manage risk
Proposal to introduce enterprise risk management analysis into the corporate debt rating process
26. Why Risk Convergence - Aligning to Your Business Drivers
Keep Us Out of Trouble/Make the Business Better
[Figure: four business drivers arranged around the organization, each with its initiatives. Labels recovered from the chart:]
Reputation and Brand (Do our stakeholders have a favorable view?)
  Maintaining strong ethical tone at the top
  Protecting and defending intellectual property rights
  Managing customer and employee information, e.g., privacy concerns
  Organizing regulatory compliance/governance in an efficient manner
Revenue and Market Share (How does the organization grow?)
  Entering new markets, particularly emerging markets
  Prioritizing R&D spend to ultimately align with customer needs
  Integrating large scale acquisitions
  Simplification of multi-element sales, e.g., software, hardware and services
  Channel management
Asset and Capital Management (How efficient is the organization?)
  Improving inventory and receivable management
  Coordinating supply chain/lean manufacturing
  Integrating global processes and IT systems
  Using finance arrangements to access new markets
Earnings and Operating Margins (How profitable is the organization?)
  Maintaining gross margins through new product introductions
  Improving operating margins
  Managing warranty terms and product returns
  Managing third-party contractor relationships
27. Why Risk Convergence??
Mitigate risk
  Despite significant investments, compliance failures continue to represent a major threat, both monetary and reputational
  Streamlining risk and control operations reduces compliance gaps and enables more effective ongoing risk management
Increase efficiency / reduce costs
  Streamlining risk and control programs and processes reduces the enormous time commitments and frustration levels throughout the organization, and ultimately will result in better cost management and control
Support strategic decision-making
  Greater coordination and information sharing among corporate control units and business units provides senior management and board committees with more effective multi-dimensional risk information that supports decision-making
28. State of Convergence: All organizations are underway with some form of convergence
Terminology may vary, but all understand the concept of streamlining governance, risk and control processes
Each organization is forging its own way, based on culture, business imperatives, appetite for change, and regulatory history
Most are in the early stages and the majority of activities are driven by short-term objectives
29. State of Convergence: There are no best practices
There are some organizations that are fairly far down the path; however, no one considers themselves ‘converged’
Currently there are no best practices or established methodologies
Most convergence activities are being led by the CFO, CRO, or the head of one or two functions
30. State of Convergence: Efficiency is the primary driver of convergence
Desire for greater efficiency is the main driver for risk convergence
Reducing risk fatigue in the business units is considered, but this has eased since the early SOX days
Surprisingly, cost reduction is not a major driver
31. State of Convergence: Convergence is evolutionary, not revolutionary
Most organizations are addressing convergence in incremental stages
The appetite for a massive enterprise transformation is low
32. State of Convergence: People issues
are the primary barriers to convergence
Overcoming people’s natural resistance to, and fear of, change is the biggest obstacle to convergence
• “People don’t like converging. In their minds it tends to dilute their efforts. If it is a significant risk to them, they want and demand the resources to deal with it.”
- CRO, Commercial Bank
33. State of Convergence: Convergence is
creating a need for more senior talent
As convergence initiatives begin to reduce redundancies and inefficiencies, organizations are finding that they need more senior talent and less junior staff
This represents a major shift in the skill base and exacerbates the shortage of talent in the industry
35. The Path to Convergence
While there is not one clear approach to convergence, companies are following somewhat similar paths
[Figure: the path to convergence, plotted as implementation against sophistication. Milestones along the path, from least to most sophisticated: Vision defined; Groups interacting; Owner identified and committee formed; Redundancies being addressed; Reporting streamlined; Methodologies aligned; Roles and responsibilities redefined; Technology options implemented; Convergence institutionalized. The chart labels three phases along the path: Coordination Phase, Alignment Phase, Integration Phase.]
36. The Path to Convergence
Most respondents are in “Coordination Phase”
[Figure: same path-to-convergence chart as slide 35.]
37. The Path to Convergence
As organizations make progress in reducing redundancy, they begin to tackle more difficult aspects of efficiency improvement
[Figure: same path-to-convergence chart as slide 35.]
38. The Path to Convergence
Even for those furthest along the convergence path, redefining roles, implementing new technologies, and embedding new practices remains a goal
[Figure: same path-to-convergence chart as slide 35.]
39. Risk Convergence Evolution - A Fresh Look at the “Internal Controls”
Effective internal control environment means:
  The company is working and performing well
  It communicates performance to capital markets and investors in a transparent manner
  Note: Transparency and certainty over risk and internal controls in strategic, operational and financial reporting areas
  Management understands major risks and has processes in place to address/mitigate these risks
Changing perception of Internal Controls
  From being viewed as “burdensome” to “strategic information” for driving business decisions
40. Do the current internal controls investments provide the following business benefits?
[Figure: survey results chart; values not recoverable.]
41. Aligning Internal Control Investment with Risk Assessment
How frequently does the company conduct an enterprise risk assessment?
[Figure: survey results chart; values not recoverable.]
43. Room for improvement?
How effective are internal controls over the following financial reporting areas?
[Figure: survey results chart; values not recoverable.]
44. How effective are internal controls over the following business and operational areas?
[Figure: survey results chart; values not recoverable.]
45. How effective are internal controls over the following information technology areas?
[Figure: survey results chart; values not recoverable.]
46. Where are Leading Companies Investing?
What are the key business drivers justifying future investments to strengthen internal controls?
[Figure: survey results chart; values not recoverable.]
47. Better Understanding of Major Risk Areas
What is the impact and probability of your top strategic risks?
[Figure: impact/probability heat map of key strategic risks. The two scales and the risks listed on the chart are given below; the plotted position of each risk is not recoverable.]
Impact scale:
  Major: loss of ability to achieve any strategic objectives (worst case)
  Significant: significantly reduced ability to achieve all strategic objectives
  Moderate: disruption to achievement of one strategic objective and reduced ability to conduct normal operations
  Minor: minimal disruption to one strategic objective and some impact on ability to conduct normal operations
  Insignificant: no impact on strategic objectives and only limited disruption to normal operations
Probability scale:
  Remote: less than 10% chance of occurrence
  Unlikely: between 11-20% chance of occurrence
  Likely: between 21-50% chance of occurrence
  Highly Likely: between 51-75% chance of occurrence
  Expected: over 75% chance of occurrence
Key Strategic Risks:
  Inefficient management of contract manufacturer relationship (e.g. lead times, variance accounting, etc.)
  Inefficient JIT inventory management (e.g. balancing with customer demand)
  Delays in new product development
  Uncertainty due to increased off-shoring and business process outsourcing
  International expansion/emerging market penetration
  Intense competition in mature product lines
  Price/gross margin erosion
  Cost/operating expense management
  Intellectual property protection and defense
  Large scale mergers and acquisitions
  Multi-element sales contract simplification and revenue recognition
48. Making the Business Better
Investing in a Comprehensive Control Environment
[Figure: control-environment investments arranged from cost/investment up to strategic value, spanning compliance, financial, operations and efficiency objectives. Components shown:]
Controls Automation & Continuous Controls Monitoring
Process & Controls Improvement
Top-Down Risk Assessment & Scoping
Risk Convergence: Consistent Risk & Control Framework
Risk Based Testing & Evaluation
Optimization & Standardization of Controls
Coverage of Fraud Risk & Controls
Leveraging Monitoring Controls
49. Maximizing The Role of IT in Compliance Management
Enterprise Risk IT Integration
Continuous Controls Monitoring / Controls Automation
Segregation of Duties
Change Management
Super User Access Rights: Identity and Access Management
Application Controls
Tools and Technologies: Seamless integration of disparate sources of information
Sophisticated Data Analytics
50. Continuous Controls Monitoring
Another strategy for improving efficiency using IT
Automates the monitoring of financial and operational controls at the entity and transaction levels
Maximizing the full capabilities of the IT investment to control the flow of transactions and significantly leveraging these capabilities for the operating effectiveness of internal controls
Focused on application controls, segregation of duties, transactional data analysis, and IT general controls
51. How do Companies Assess?
[Figure: business risk (high to low) plotted against time, contrasting periodic audits with continuous monitoring.]
In the Past… Audit:
• Point in Time Audits
• Reactive
• Random
• Sampling
• Generic
Moving Forward… Continuous Monitoring:
• Continuous
• Proactive
• Comprehensive
• Integrated
• Business Specific
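As an added example that is not part of the original deck, the Python script below runs the two kinds of control the Continuous Controls Monitoring slide names, a segregation-of-duties check at the entity (role assignment) level and a check at the transaction level, over constructed role and payment records, and contrasts whole-population monitoring with the sampling approach of the point-in-time audit slide. The role names, the conflict policy and the records are constructed assumptions, not data from any real system.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed SoD policy: role pairs a single user must never hold together.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"vendor_master_maintain", "payment_approve"}),
    frozenset({"payment_create", "payment_approve"}),
}


@dataclass(frozen=True)
class Payment:
    txn_id: str
    created_by: str
    approved_by: str
    amount: float


# Constructed sample data: a role export from an ERP and one day's payment run.
USER_ROLES = {
    "alice": {"payment_create"},
    "bob": {"payment_approve"},
    "carol": {"vendor_master_maintain", "payment_approve"},  # conflicting roles
    "dave": {"payment_create", "payment_approve"},           # conflicting roles
}
PAYMENTS = [
    Payment("P-1001", "alice", "bob", 1200.00),
    Payment("P-1002", "dave", "dave", 9800.00),    # creator approved own payment
    Payment("P-1003", "alice", "carol", 450.00),
    Payment("P-1004", "alice", "bob", 75.00),
    Payment("P-1005", "dave", "dave", 15000.00),   # creator approved own payment
    Payment("P-1006", "alice", "bob", 300.00),
]


def role_conflicts(user_roles):
    """Entity-level control: users whose assigned roles collide with the policy."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in CONFLICTING_ROLE_PAIRS:
                findings.append((user, role_a, role_b))
    return findings


def self_approvals(payments):
    """Transaction-level control: the creator of a payment must not approve it."""
    return [p.txn_id for p in payments if p.created_by == p.approved_by]


def sampled_self_approvals(payments, every_nth):
    """Point-in-time audit style: inspect only every n-th record of the run."""
    return self_approvals(payments[::every_nth])


def monitoring_report(user_roles, payments, every_nth=3):
    """Run both controls over the full population and show what sampling misses."""
    full = self_approvals(payments)
    sampled = sampled_self_approvals(payments, every_nth)
    return {
        "role_conflicts": role_conflicts(user_roles),
        "self_approved_txns": full,
        "missed_by_sampling": sorted(set(full) - set(sampled)),
    }


if __name__ == "__main__":
    for key, value in monitoring_report(USER_ROLES, PAYMENTS).items():
        print(f"{key}: {value}")
```

Sampling every third record inspects P-1001 and P-1004 only, so both self-approved payments go unseen; the whole-population check reports them on every run.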
52. Leading IT Practices in Successful Organizations
Three overarching principles seen in successful organizations
Risk Management
  Manage the risk of IT
  Leverage IT investments to reduce other risks that the organization may face
Cost Rationalization
  Rationalize the cost of IT
  Leverage IT investments to rationalize costs elsewhere in the organization
Value Creation
  Increase the strategic and operational value being created for the business by IT
54. Leading IT Practices in Successful Organizations
Four distinct traits seen in successful organizations
1. Strategic Alignment:
  Viewing IT as a strategic commitment vs. a utility activity
  Viewing IT functions as a technological framework which coordinates information, decision making, management and strategy
  Achieved through executive sponsorship and linking IT to major processes and initiatives
55. Leading IT Practices in Successful Organizations
Four distinct traits seen in successful organizations
2. Effective Governance
  Achieve formal implementation of IT Governance
  Representation at Board of Directors meeting
  Achieved through risk and resource management, board attention, use of leading standards
56. Leading IT Practices in Successful Organizations
Four distinct traits seen in successful organizations
3. Efficient Operations
  Strategically utilize IT for revenue generating and cost saving objectives
  This may include consolidating/standardizing IT functions
  Achieved through revenue generating enhancements, reduction in service delivery costs, strategic and planned approach to IT function
4. Measured Performance
  Facilitating strong realization of company’s performance through reporting/assessments