COMPLIANCE WEEK
THE LEADING INFORMATION SERVICE ON CORPORATE GOVERNANCE, RISK AND COMPLIANCE

A supplement to Compliance Week

Guide to Enterprise Risk Management

INSIDE THIS PUBLICATION:
Building a Strong Risk-Management Team
ERM vs. Risk Analysis
Auditing Your ERM Program
Learning to Talk About IT Risk
Rick Steinberg on Why CEOs Always Miss the Biggest Risks
Identifying, analyzing, prioritizing, quantifying, reporting, monitoring, and optimizing risks.

She has natural instincts. You need ERM.

It’s a dangerous and complex world out there for any business, but with a keen ERM program you can protect yourself from danger—and take advantage of business opportunities. KPMG’s Enterprise Risk Management services can help you hone your ERM skills to make ERM a daily activity—a way of life—for your company. Gain ERM prowess with KPMG, so your risk leadership and tone at the top can become clear, your assessments forward-looking, your information actionable, your monitoring ruthlessly efficient. It’s the path to sound corporate governance and improved business performance. You need KPMG. Because only the fittest survive.

KPMG named a leader in The Forrester Wave™: Risk Consulting Services, Q2 2007. To learn more, and receive a copy of the independent Forrester Report, contact KPMG today.

Contact John M. Farrell, National Lead Partner, ERM, at 212-872-3047 or johnmichaelfarrell@kpmg.com. us.kpmg.com

© 2007 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative.
Enterprise Risk Management

A Sharp Reminder That ERM Isn’t Just Theory; It Matters

I swear: Compliance Week never intended to publish a special supplement on enterprise risk management just as the global financial system went to pieces.

For better or worse, however, the credit crisis has given compliance and financial reporting executives everywhere a very real reminder of how vital risk management is. Your financing may suddenly vanish. Your key supplier might go bankrupt. That super-cool acquisition you made last year might drag your whole enterprise to ruin.

The trouble is that ERM has been done piecemeal, largely below the radar of top executives or boards of directors. A vice president patrols manufacturing plants for environmental hazards here, a deputy general counsel warns employees about illegal bribery payments there. But now, senior management increasingly needs to collect all those risk-management efforts under one umbrella—because, as we’ve all painfully witnessed in the last several months, one corporate misstep can quickly threaten the whole enterprise. Cohesive strategy and planning around risk isn’t easy, but it’s the only way to survive in a hyper-connected business world.

To that end, this Compliance Week supplement aims to be a primer on ERM in all its forms. Inside you will find articles examining the idea of ERM as a whole, from how much board directors worry about it to how companies can establish, staff, and audit their own ERM functions. We also have white papers from accomplished experts and a list of resources that can help you move forward with ERM at your own speed.

Compliance Week will continue to cover ERM on many fronts, picking apart individual risks and analyzing how boards can weigh and manage them against all the other risks modern companies face. The credit crisis of 2008 may have brought enterprise risk management into sharp relief, but the reality is that companies have already been doing this for a long time, and always will. After all, you can’t reap the reward without taking the risk. ■

Matt Kelly, Editor-in-Chief

Contents
Building a Strong Risk-Management Team ... 4
S&P Starts Including ERM in Credit Ratings ... 6
Building ERM Bridges for Boards, C-Suite ... 7
SOX and ERM Risk Assessments: An Analysis ... 8
Dan Swanson: Auditing Your ERM Program ... 10
Innovation in Difficult Times (Strategic Thought Group) ... 13
Rick Steinberg: The Big Risk: CEOs Never See It Coming ... 14
Learning to Talk About IT Risk in Common Terms ... 16
Authors of knowledge leadership articles listed in red

Editorial
Publisher: Scott S. Cohen, scohen@complianceweek.com
Editor-in-Chief: Matt Kelly, mkelly@complianceweek.com
Assistant Editor: Jaclyn Jaeger, jjaeger@complianceweek.com
Copy Editor: DeAnn Orie, dorie@complianceweek.com
Director, Production & Design: Erin Lynch
Contributors: Christine Dunn, Todd Neff, Kathrine Schmidt, Dan Swanson, Richard M. Steinberg

Advertising
Vice President, Sales: Barry Greenfield, bgreenfield@complianceweek.com
Director, Advertising Sales: Doug Juenemann, djuenemann@complianceweek.com
Advertising Production Manager: Carrie O’Connor, coconnor@complianceweek.com

Subscriptions & Circulation
Subscription Sales Manager: Lori McMahon, lmcmahon@complianceweek.com
Circulation & Customer Service Manager: Jaclyn Strycharz, jackie@complianceweek.com

Contacting Compliance Week
Phone: (888) 519-9200
Fax: (800) 675-1887
Mail: Compliance Week, 77 No. Washington Street, Boston, MA 02114

Compliance Week (ISSN: 1549-957X) is distributed monthly by Haymarket Media, Inc., 77 No. Washington Street, Boston, Massachusetts 02114. Copyright ©2008, Haymarket Media, Inc. All rights reserved. Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of Haymarket Media, Inc. Requests for reprints and permissions should be directed to Compliance Week at the address noted above, or by calling (888) 519-9200. Subscriptions to Compliance Week include a weekly e-mail newsletter, full access to resources at ComplianceWeek.com, and this monthly print magazine. Basic annual subscription fees start at $999. To subscribe, go to http://subscribe.complianceweek.com. Postmaster: Send address changes to Compliance Week, Circulation Department, 77 No. Washington Street, Boston, Massachusetts 02114, e-mail Compliance Week at info@complianceweek.com, or call (888) 519-9200. “Compliance Week” is a registered mark of Haymarket Media, Inc.

Important Notice: Compliance Week does not provide legal advice. Content is for general information and discussion only, and is not a full analysis of the matters presented. The information provided by Compliance Week may not be applicable in all situations, and readers should always seek specific advice from lawyers, auditors and/or appropriate governance and compliance experts before taking any action with respect to any matters discussed herein. In addition, columns and opinion articles solely reflect the views of their respective authors, and should also not be regarded as legal advice.

NOVEMBER 2008 www.complianceweek.com » 888.519.9200 3
Building a Strong Risk-Management Team
By Jaclyn Jaeger

In one form or another, enterprise risk management has always been an essential part of an organization’s operations. But that is arguably more true today than ever before.

Expanding business risks and regulations, growing awareness by media and stakeholders, and increased focus on corporate sustainability all make risk management a top business priority today, said Dave Anderson, vice president of GRC business strategy at SAP.

Anderson and numerous other risk-management experts at the third annual Compliance Week conference in Washington in June shared some best practices for developing an effective risk-management program.

“Enterprise risk management is really about having a vision of how to see risk management fitting into your organization as opposed to your organization fitting into enterprise risk management,” said John Farrell, head of the enterprise risk management practice for KPMG. Most organizations, he said, don’t step back and ask why they are doing risk management.

A truly effective risk-management program begins with the development of a framework. This is particularly essential given that every organization’s program will be different. “There is no one size fits all,” said John Rostern, director of technology risk management at Jefferson Wells International.

As a starting point, some of the questions experts recommended asking include:
»» What is our strategy? Have we built the right strategy?
»» Who is the target audience for our work?
»» What is it that we need to gather information about, and at what level?
»» What are the guiding principles of the program?
»» What are the guiding objectives of the program?

“Once you step back and understand the purpose of the program, it allows you to step back and decide who should do what to what extent and how many people in your organization should get involved,” said Farrell. “Risk committees are really important to organizations today to really get the quality of information up.”

As with much else in governance, tone at the top is critical. “Management needs to be playing an ongoing, aggressive role,” said Bruce McCuaig, chief risk officer for governance, risk, and compliance software firm Paisley.

But tone at the top is not everything, noted Christine Schwab, vice president and chief risk officer of Dominion Resources. “It is important that our CEO and CFO care about this, absolutely, but all of your leaders have to engage to get true value added,” she said. “I don’t need anyone on my team who doesn’t see the value of this.”

Schwab also cautioned companies to choose a risk-management leader wisely. “They’ve got to be facilitators,” she said. “Facilitating is not something all people are good at.” In addition, she said, choosing a candidate who has worked at the organization a long time and has credibility is more important than hiring somebody who knows the technical aspects of risk management.

Getting on the Same Page

After you’ve put a framework in place, you want to make sure every department within an organization is on the same page by establishing a “common language of risk and control,” McCuaig said. That means establishing common definitions, standards, and methodologies in all risk areas—strategic, operating, compliance, and reporting risks. “That, to me, is one of the greatest problems with convergence,” he said.

Andy Anderson, chief audit executive at Axis Capital, added that what makes convergence so difficult is that organizations usually have a whole series of risk assess-
Continued on Page 18

ERM DRIVERS
Role of ERM in Today’s Business Environment

Governance
»» Facilitate better corporate stewardship over strategic priorities and non-financial aspects of performance
»» Meet credit rating agencies’ expectations with regard to risk, to ensure “no surprises” culture
»» Meet enhanced securities exchange listing requirements
»» Meet SEC requirements: 10-K description of “Risk Factors” in plain English
»» Satisfy evolving risk-based capital adequacy frameworks, e.g., Basel II

Strategy
»» Beyond regulation: provides a competitive advantage versus industry peers
»» Re-align strategy through evaluation of prioritized risks
»» Link to risk: cannot develop strategy without understanding enterprise risks

Performance
»» Improve accountability and transparency through coordinated enterprise risk monitoring and reporting
»» Reduce cash flow volatility using derivatives, insurance, or improved controls
»» Allocate and evaluate capital based on risk-based performance
»» Reduce costs through risk consolidation and cross-functional efficiencies

Source: KPMG & TIAA-CREF (June 5, 2008). For additional information, go to www.complianceweek.com and enter Print Reference Code: 090824.
Big decisions follow you around.

How can we make our internal control system more effective AND efficient?

How do you support the conclusion that your internal control system is effective? Are your monitoring procedures efficient enough to prevent unnecessary testing at the end of the year? Now there is a way to know. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) put a team in place to develop guidance on monitoring internal controls. Grant Thornton LLP is proud to have been chosen as the project leader for creating COSO’s Guidance on Monitoring Internal Control Systems.

For more information on COSO’s guidance, please visit GrantThornton.com/COSO.

Grant Thornton...known for distinctive client service and partner attention for over 80 years.

Find out what it’s like to work with people who love what they do!

Audit • Tax • Advisory

Grant Thornton LLP U.S. member firm of Grant Thornton International Ltd
S&P Starts Including ERM in Credit Ratings

S&P sends warning to companies: ERM to factor into their credit ratings

By Christine Dunn

Standard & Poor’s is giving companies a new financial incentive to take enterprise risk management more seriously: It will affect their credit ratings.

S&P has been working since last year to incorporate ERM into how it decides a company’s credit ratings. The agency finally released a report in May saying it will now treat ERM as “an additional dimension to our analysis of management and corporate governance, creating a more systematic framework for an inherently subjective topic.”

S&P began rating insurers and financial institutions on risk-management practices more than two years ago, since their heavy exposure to financial risks has made ERM more prominent in those sectors. S&P’s decision will expand ERM analysis to non-financial firms.

“Companies have a further economic incentive now to do ERM. If their credit rating is lowered, their cost of capital will increase,” says Dan Helming, a partner at the Weiser accounting firm. “S&P is thinking proactively in taking this step.”

S&P’s decision reflects the increasing importance of a company’s ability to identify and manage its risk across the whole of its enterprise, according to Miles Everson, a partner at PricewaterhouseCoopers. ERM is more crucial now because businesses are competing in ever more changing environments, so they must be more agile and responsive to threats as they emerge, he says.

“The ratings agencies play an important role in the capital flows of the global market system,” Everson says. “A company’s ability to take and manage risk, and articulating that to investors, is critical to their long-term success.”

Moody’s and Fitch’s ratings services did not return calls seeking comment on whether they plan to incorporate ERM in their rating calculations.

Analyzing a company’s ERM efforts may encourage S&P analysts to be more predictive in their thinking, according to Steve Dreyer, head of U.S. utilities and infrastructure ratings at S&P. Currently, he says, the agency’s ratings process is efficient at responding to events as they happen; a few bad quarters, for example, can send a company’s rating downward after the fact.

The ERM component, however, should help analysts anticipate which companies are more resilient and in a better position to respond to changing circumstances, Dreyer says. By gaining more insight into a company’s resilience, analysts might not need to change credit ratings so severely in response to specific events, since they’ll have a better sense of how well the company in question can cope.

“The hope is that we would report less about actual events, and do more talking on a forward-looking basis,” Dreyer says. “What we would see is the companies’ ability to respond to future events.”

S&P had been pondering the inclusion of ERM in its ratings for several years. The agency started with financial companies, who asked S&P to examine—and recognize—the changes they had made to identify and manage their risk.

“Insurance companies browbeat us to look at this,” Dreyer explains. “Our analysts started the process skeptically, but in looking at the differences between companies that previously had the same rating, and noticing the marked differences in management practices … it convinced us that including ERM had merit.”

“I think that many companies will receive more negative ratings than they would have expected or anticipated.”
— Arnold Schanfield, Head of the ERM Practice, ERM Associates

Why Do This?

Regulators worldwide have taken a stronger interest in risk management in recent years, forcing companies to re-evaluate the ERM processes they had in place (assuming they did any ERM at all). Many companies have warmed to the idea anyway, since events such as the Sept. 11 attacks, Hurricane Katrina, and the energy crisis have all shown how companies can be caught unprepared by swift, sudden changes in fortune.

Standard & Poor’s says it has no set formula for ERM that it will immediately incorporate into its ratings. Instead, the agency plans to implement ERM analysis in phases.

First, S&P plans to test concepts about how companies deal with risk and how they manage it. For example, analysts will look at whether a company has a chief risk officer in place and for how long; whether the company makes a formal declaration about its risk appetite; and whether it has had regular communications with shareholders, the board, and employees about risk, Dreyer says.

Analysts also will analyze statements made by management and historical performance to see how the companies have handled risk in the past. The analysts will do frequent follow-up meetings, especially after major earnings drops or asset write-downs, Dreyer adds.

Most importantly, he adds, analysts will talk with companies to confirm that executives have an understanding of how the company should handle risk and whether management is comfortable with the company’s net risk position.

S&P is currently training analysts so that they question companies consistently. Companies will be provided with an outline ahead of each meeting with S&P to help them prepare.

“You’ll see some shocks by companies once this is rolled out,” says Arnold Schanfield of the accounting and consulting firm ERM Associates in New Jersey. “I think that many companies will receive more negative ratings than they would have expected or anticipated.”

Many companies believe that investments made to comply with Sarbanes-Oxley—specifically Section 404, its clause requiring testing of internal controls over
Continued on Page 18
Building ERM Bridges for Boards, C-Suite
By Kathrine Schmidt

Lots of corporate boards put enterprise risk management on their agenda in some way or another. How to flesh out the details beyond that, however, still remains elusive.

Some companies tack ERM onto the charter of the audit committee and leave the members to deal with it. Others parcel out specific risks to different committees, and some address risks as a whole board. “We’re seeing organizations really struggle with [this]. There’s a lot to cover when it comes to enterprise risk management,” says Shawn Tebben of consulting firm Protiviti.

Guidance from the Securities and Exchange Commission released last year emphasizes that companies should take a risk-based approach to designing, testing, and auditing their internal controls over financial reporting. That, in turn, has heightened the awareness of ERM’s usefulness, even if companies don’t know exactly how to embrace it.

Audit committees and boards, Tebben says, “are really struggling with the balance of their workload in terms of what they can accomplish in the allotted time they have with management.”

Primary responsibility for ERM typically falls to the audit committee right now. But that’s usually because boards don’t know where else to assign it, experts say, and it’s not always a good idea.

“Audit committees … are dealing with one category of risk; that is, financial statement risk,” says Stephen Wagner, a managing partner at Deloitte & Touche. “But now you layer on top of that all of the risk management oversight for the entire organization, and that can be a pretty big responsibility.”

Miles Everson, a partner at PricewaterhouseCoopers, says the same. “When it comes to strategic risk and operational efficiency—financial performance as opposed to financial reporting—that risk appetite, or tolerance for risk, is frequently in the domain of the broader board instead of the audit committee.”

A different structure can often work better, the consultants say.

“Some of the practices we’re seeing emerge: There’s a very high-level risk profile that’s connected to the strategic objectives of the business [presented] at the board level and then as it relates to individual risk categories,” Tebben says. “Then you have committees of the board or designated management committees who will dig deeper into the individual risks themselves.”

In one example at a major arts and leisure company, the board as a whole took on major strategic risks while the audit committee covered financial reporting; a subcommittee handled environmental health and safety risks, Tebben says. Others have formed risk committees, either as part of the board or part of the management structure.

“Most audit committees are making their best business judgment as to what needs to be done. But oftentimes they lack a way in which to execute that governance responsibility.”
— Stephen Wagner, Managing Partner, Deloitte & Touche

ERM, Part II

But even when authority for risk management is settled, committees can be unclear on what they should look for and how far inquiries should go.

“I’ve seen a really broad range of response to that responsibility being executed by the board,” Wagner says. “The response really needs to be tailored to the type of business that’s being governed and to the types of issues the organization is subjected to.”

In some cases, he says, the process begins and ends with internal audit. The internal auditor “will take an operational view, not just a financial reporting view. So they may look at operational risk and they’ll report back to the audit committee, and that will satisfy the audit committee’s needs.”

Some committees push harder, he says, although that’s less common. “In other instances, the audit committee may decide to go further than the internal auditor and may decide to interview a series of people at the company they’re governing to assure that it all seems to work together and that there’s a message that sounds consistent in terms of what’s being done,” Wagner says.

Other common tactics include talking to an external auditor or hiring a consultant specific to the risk being managed, like an engineer or an actuary. Boards “should not solely rely on information presented from management,” Everson said, but also corroborate it with outside data or insist that management provide specific information they need.

“The dynamic in many cases is that boards today are increasingly diligent and persistent in pushing when they think that they’re not getting an appropriate understanding or when they want more information,” Everson said.

The problem: While corporate executives have frameworks like COSO for managing risk, boards have no similar roadmap for supervising it, Wagner says.

“Most audit committees are doing their best. They’re making their best business judgment as to what needs to be done and to satisfy their requirements,” says Wagner. “But oftentimes they lack a way in which to execute that governance responsibility.”

Conversely, management isn’t always clear on what facts and level of detail the board expects. On that front, open communication and dialogue is a must, Tebben says.

“You need to take a macro view when presenting to the board,” Wagner says. “Make sure that the presentation that gets put together is put together in a way that satisfies the board’s needs or the committee’s needs, and is at a high enough level so they can get a picture of how the company is approaching risk management from a process point of view.”

And while IT can be important and

Continued on Page 18
 Enterprise Risk Management
Risk Assessments for SOX and ERM: An Analysis
By Jaclyn Jaeger

Ever wonder what the risk is that you’ve wrongly assessed how you’re supposed to do risk assessments?

Sarbanes-Oxley has certainly put the concept of analyzing risks at the forefront of most compliance executives’ minds. But many companies often conflate the idea of a risk assessment under SOX (or under the U.S. Sentencing Guidelines, for that matter) with enterprise risk management. If you’re in compliance with SOX risk assessments, this thinking goes, you’re “doing ERM,” and vice-versa.

In fact, experts tell Compliance Week, the two terms are very different.

“The phrase ‘ERM’ is being used for more than what it is,” says Kristina Stielau, a compliance manager at Teleflex, a $1.9 billion industrial parts manufacturer. “ERM is coined as a best practice, but I don’t know a large percentage of companies out there that actually perform true ERM.”

David Richards, president of the Institute for Internal Auditors, surmises that the reason stems from the amount of time and energy it takes to establish a well-defined ERM program. “I know from having gone through one, it is a long-term initiative, and anyone who’s gone down the path of establishing an enterprise-wide risk management program knows that you’re not talking about something that you’re going to put in place within a year.”

But Richards is also quick to add: “That does not mean that companies that don’t have an enterprise-wide risk management program do not have risk-management philosophies in place. It may just be less formal, and it could be incomplete.”

That less formal, incomplete view of what a risk assessment is may come from the advent of SOX and the U.S. Sentencing Guidelines. Both regulations require companies to assess their risks annually, with potentially severe consequences for the ones that don’t. That has driven companies to focus only on their compliance risks (since those are the most immediate worries), “which is only one component of the overall risk profile that a business may be incurring,” says Richards.

Richard Cellini, head of marketing at compliance software firm Integrity Interactive, agrees. In fact, he stresses, SOX only dwells on assessing financial reporting risks, an even narrower focus than the U.S. Sentencing Guidelines. “A lot of people think Sarbanes-Oxley is sort of a tremendously vast statute. It really isn’t,” he says.

The primary focus of SOX is on material misstatements in financial reports, plus any information that readers of a financial statement might find “incomplete, inaccurate, or in some way distorted,” Richards says. And unlike the Sentencing Guidelines, which only address criminal conduct, SOX focuses on violations that are both civil and criminal in nature.

An ERM program, on the other hand, is “more far-reaching than a true ethics and compliance risk assessment,” says Stielau. “It delves deeper into strategic planning, operational, and internal controls, as well.”

Shawn Tebben, of the consulting firm Protiviti, describes risk assessments as a funnel: the broad ERM risk assessment is information at the top of the funnel, which eventually narrows down to the financial reporting risks associated with SOX.

“Basically, a proper ERM program is a perfect marriage of the Sentencing Guidelines and Sarbanes-Oxley,” Integrity’s Cellini says. It requires companies to assess risks that are both criminal and civil, within a broad range of categories both financial and non-financial, he says.

Another major difference is that while an ethics and compliance risk assessment can be an annual process under Sarbanes-Oxley, ERM should be a constant process since organizations change and new risks are always evolving, Richards says. “It’s not necessarily clear-cut, and that’s why it needs to be reviewed on an ongoing basis,” he says.

SOX as ERM Framework

But while a SOX risk assessment may be limited in scope, the elements that make it up can be used as a framework to apply more rigor to other areas of risk management within a company, Tebben says. For example, other than a risk assessment, SOX also requires that organizations evaluate the design of their internal controls to ensure effectiveness and that they can validate that those controls operate effectively, she says.

“So, when you think about those elements that companies had to focus on to get and stay compliant, they are the same kinds of things you would want to think through and mature in your other risk areas,” Tebben says. “Using those lessons learned would definitely be a best practice.”

Another best practice when thinking about ERM is to consider compliance with SOX Sections 302 and 404 as a single component of continuous reporting, “because the two are inextricably linked,” Tebben says. Section 404 governs internal controls over financial reporting, while Section 302 addresses “disclosure controls” to ensure that all corporate data that should be disclosed does get captured in company filings. But, Tebben says, “Internal controls over financial reporting are a subset of the disclosure controls.”

Basically, Cellini says, internal controls are “a set of controls the company uses to direct its own employees and officers in the proper handling and distribution of financial resources.” This includes how money is spent, how funds are accounted for, and how accounting is done internally.

Disclosure controls, on the other hand, apply more broadly to material, non-financial, and financial information that a company needs to disclose, Tebben says. “You’re involving more your operational, your legal, and your compliance folks in a broader context than their involvement in internal control over financial reporting,” she says.

Sections 302 and 404 “are the yin and yang to each other,” Cellini says. “They should dovetail completely and entirely; what you’re saying externally should be consistent to what you’re doing internally, and what you’re doing internally should be consistent with what you’re saying externally.”

An additional element common to both SOX and ERM is the involvement of senior management, even though disagreements can arise over who should oversee the process. “It’s definitely not a one-solution-fits-every-company kind of a thing,” Tebben says.

In general, best practice for large corporations is to establish a risk department and appoint a chief risk officer, Richards says; smaller organizations often can appoint one key person in charge of the whole process.

That key person, Tebben says, should have a good understanding of “what makes the company work and what’s effective for the organization so they can help bring risk information to the decision-making process,” she says. “It’s more about the person being culturally astute and being very action-orientated and having the ear and trust of the executive team that really makes for a more successful oversight.”

Agreed, but a good risk-management program involves several years of intense effort. “To even embark on that process, there is a lot of work that needs to be done upfront,” Stielau of Teleflex says. “For instance, you really need to have a well-defined structure of objectives and expectations of what’s needed for an ERM. You need the appropriate staffing, you need the funding, and the buy-in from all levels of the organization from top-down.”

“So having that commitment at management level is going to take some work, not only resource wise, but time wise to accomplish it and to make the necessary adjustments,” Richards says.

By continuously monitoring and improving your organization’s ERM activities, Tebben says, senior management “can have greater confidence in taking on new or increased risk, because they’re comfortable that their capabilities to manage those new risks are in place and, therefore, are able to position the company to create enterprise value that will be for the benefit of all stakeholders.”

For more information on best practices for risk assessments, please go to www.complianceweek.com and enter Print Reference Code: 050825. ■
The Basics of Auditing Risk-Management Programs
By Dan Swanson
Compliance Week Columnist

Everyone talks about the need for good risk-management programs, but nobody seems to know how to audit them to ensure they actually work.

Who bears responsibility for setting the parameters of an ERM program is pretty clear: the board of directors and the C-level executives. They decide what the risks are, what level of risk they’re willing to tolerate, and what risks they do not want to tolerate. They are responsible for monitoring and responding to ERM outputs and obtaining assurance that the organization’s risks are acceptably managed within the boundaries specified. Also remember that risk management is not an end in itself; it has value only if it assists a company to achieve its business objectives over the long term.

Internal auditors, in both their assurance and consulting roles, contribute to ERM in a variety of ways. They spend most of their time assessing how effectively management has responded to key risks by developing adequate operations and control structures. Fundamentally, the audit team provides the board and management with an objective assessment of the company’s ERM efforts, including where the company can improve.

Why Care Whether ERM Works?

According to the Committee of Sponsoring Organizations, ERM is “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.” Notice the process view—that is, risk management is more than a risk-management system. Or, as a friend of mine puts it, ERM is how you address uncertainty around organizational goals.

From an internal audit perspective, inadequate identification of key risks to an organization increases the likelihood of bad events occurring. Improper identification can result in wasting resources on areas of low risk with little reward. Conversely, it can leave a company more exposed to negative events. (An example from the financial industry: At banks and mortgage companies, how much of a priority did the boards place on oversight of lending activities? Not much, I’d say, and look where it got them.)

Still, even if top management effectively identifies its key risks, the company still needs assurance that its response to those risks is effective. Effective response is a crucial part of ERM, and that means attention to the design and operation of internal controls. Indeed, informal response to key risks increases your vulnerability to something going awry. Strong controls must exist and work for ERM to be effective—so, enter the internal auditor.

Risk is perfectly fine at an acceptable level, but management must define what that acceptable level is in the interest of achieving the company’s goals. Using another banking example, management might challenge the board to define the point at which losses from bad loans become unacceptable. If a $1 million loan goes bad, will the board become concerned? What about a $10 million loan? The specific number tends to change over time, so the question must be asked periodically to maintain an understanding of the correct risk appetite. Furthermore, banks face many other potential causes of loss as well, and some of them cannot be expressed in pure dollar terms. (Think of the cost of adverse publicity after a customer data theft.)

An audit of ERM should determine whether significant risks to the organization are appropriately identified and assessed on an ongoing basis. It should also confirm that those risks are monitored for possible changes, that risk-management techniques (insurance, hedging, and the like) are in place, and that management has the ability to recognize and respond to new risks as they arise.

The Guts of an ERM Audit

An audit can focus solely on the effectiveness of the ERM program if you want, but it can also be extended to look at ERM efficiency. Auditors can provide assurance that information about risks and the management of them is collected, summarized, and reported properly to the appropriate level of the governance structure.

There are two distinct elements to most ERM audits: evaluating the design and implementation of the program as a management system and evaluating the operational practices of the program, including an assessment of the risks currently being managed.

In general, internal auditors should assure management and the board that everything that should be done to manage risks is being done. Auditors should also provide guidance on control effectiveness and feedback on managerial decisions and results. Further issues worth considering in an ERM audit include:

»» Are the organization’s risk-management efforts appropriate to its needs? This includes management’s recognition of, and response to, emerging obligations and opportunities in risk management and corporate governance.

»» Has an effective risk-management program been developed and implemented? Is accountability well established and acknowledged by those to be held accountable? Have management and audit agreed on the program’s definition?

»» Are there appropriate systems, policies, procedures, and guidelines relating to ERM, supported by suitable awareness, training, and compliance activities?

»» Has the organization embraced the risk-management philosophy? Is executive management seen as a strong proponent, and is the consideration of risk an integral part of day-to-day business decisions?

»» How successful are the risk-management efforts? This is a tricky question to answer given the inherent uncertainties in risk, but a retrospective review of the organization’s identification of and response to risks, including incidents that indicate inadequate controls, should be revealing.

»» Do we need to increase the understanding of our key risks and what else needs to be done? Have we done everything necessary to get a grip on enterprise-level risks?

Internal Audit’s Role in Risk Management

The Institute of Internal Auditors proposes that risk-management activities be divided into three groups. One in-

sibilities.

Fundamentally, enterprise risk management is not a new concept. What perhaps is new is the importance of bringing risk management into the management decision-making process and ensuring a corporate view of the relationships between risks in different parts of the organization is regularly evaluated and responded to.

Risk management is inherent in every organization. Any manager or employee who has been given objectives will almost unconsciously assess the things that will prevent them from reaching their goal. At a minimum they will manage those risks in an informal ad hoc way. ERM is a high-level formalization of this natural process. As a formal process, it needs a coordinator to draw out of all areas of the organization key risks and current efforts to mitigate them. We also need to move from a focus on risk identification to a focus on how best to manage our significant risks. Finally, the goal of risk management is not to reduce uncertainty. It is, rather, to help organizations make better decisions and to respond more intelligently when the unexpected inevitably occurs.

The bottom line: Risk management needs to be integrated into the organization’s entire operations from board oversight to senior management’s strategic planning and leadership to the operating management’s day-to-day operational control. And perhaps this is nothing new, but certainly it is important to the organization’s long-term success and worthy of a formal evaluation by internal audit. ■

Dan Swanson is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. Prior to his work at the Institute, Swanson was an independent management consultant for more than 10 years. Swanson has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function. Dan Swanson is the author of more than 70 articles on internal auditing, and he can be reached via e-mail at dswanson@complianceweek.com.

RECENT DAN SWANSON COLUMNS
Below are recent columns by Compliance Week Columnist Dan Swanson. To read more from Dan Swanson, please go to www.complianceweek.com and select “Columnists” from the Compliance Week toolbar.
                                                  Giving Finance Dept. the Audit It Deserves
                                                  Usually I write a column about how to audit some aspect of a whole enterprise—say, how the company
                                                  manages risk, or how executives invest their IT dollars. That’s important. But we shouldn’t lose sight of the
cludes internal auditors providing assur-         nuts and bolts: Companies are run by specific departments doing specific jobs, and they need auditing too.
ances as discussed above. A second group          We’re going to get back to our internal auditing roots this month, starting with the finance department.
includes activities exclusively related to        Published online 07/01/08
management decisions, such as selecting
risk appetite and risk responses. (This           Auditing a Company’s IT Strategies
second group of risk-management activi-           Today’s IT solutions are complex, and they are getting more challenging to implement all the time. One of
ties should not be done by internal audit         the great questions for management at any company these days is simply whether all the investment in
as they are deemed to be management               those systems is worth it. Internal auditing can play a critical role there, measuring and inspecting how the
activities.) The third group includes risk        IT investment process—specifically, how IT investment is managed—works.
management activities that may be per-            Published online 06/03/08
formed by internal audit when there are
safeguards in place. Safeguards may be            Auditing Your ERM Program
things like changing the internal audit           Everyone talks about the need for good risk-management programs, but nobody seems to know how to
charter to include these added responsi-          audit them to ensure they actually work.
bilities and receiving acknowledgements           Published online 05/06/08
from management regarding their respon-
NOVEMBER 2008 	                                     www.complianceweek.com » 888.519.9200	                                                                        11
Strategic Thought Group

Innovation in Difficult Times

Martin Metcalf, CEO of ERM software provider Strategic Thought Group, looks at the role of innovation in enterprise risk management.

Recent events in the financial markets have brought into stark relief the tensions between performance, innovation, and risk. Yet the search for rewards—competitive edge, differentiation, sustainable growth, return on capital, and market share—remains critical. It characterizes every industry, from retail to manufacturing, aerospace to construction. Current market conditions mean that being paralyzed by an aversion to risk is still not an option. Even in uncertain times, investors continually apply pressure to achieve better performance and higher returns. And so the goal must be to have the best information possible to enable the balancing of risk and reward and to highlight emerging threats and opportunities.

Can ‘do nothing’ ever be a valid strategy?

In globalized, interconnected, intensively competitive, and volatile markets, the old saying ‘innovate or die’ has never been more apt. Clearly, uncontrolled innovation can expose individual companies, even entire markets, to unwelcome downsides. Yet too often investment decisions, particularly in the face of uncertainty, are shaped first and foremost by cultures that favor caution. The prevailing global economic climate may well make this strategy of inertia even more likely.

This rationale is entirely understandable: History tells us that there are bound to be surprises and that some unknown factor will catch us out. So it may seem best to limit our exposure to things we know, to things that our experience and judgment tell us we are certain about—to things about which we think we have reliable evidence. This may have been true in the past, but the vital issue is whether this caution can be justified today. Will sitting tight and doing as little as possible help you through difficult times?

Enterprise performance

The critical question shared by every CEO and CFO must be centred on ‘pushing the envelope’ of what we mean by performance, risk, and reward: How can innovation be controlled without stifling it? In aeronautics, where the expression originated, ‘the envelope’ describes the outer limits of aircraft performance—the boundaries of safety. In military circles, these boundaries are about life and death. In civil aviation, only rarely are those boundaries tested. Innovation is critical; it is part of the DNA. Innovation must be about increasing speed, manoeuvrability, economy, or reliability. Every component, every process, every measurement, and every monitoring device is set to stretch the performance envelope—but safely, within preset tolerance levels. Innovation is driven by taking risks to improve performance but also to advance safety and reliability. The vital thing is having the information needed to know when to push harder and when to hold back.

Nothing left to chance

The goal in business, as in aerospace, is innovation with resilience. The two are inseparable and interdependent. Achieving innovation with resilience is only possible if a culture is created that maximizes knowledge about every aspect of organizational performance and within which deliberate action is taken to control, mitigate, and adapt. It means top management must map and understand risks that can often be dispersed throughout the business; interrelated; and worse, as is being illustrated by some of the banking post mortems, invisible and therefore missed. By aggregating risks we can avoid and mitigate the catastrophic effects of any ‘perfect storm’ where the simultaneous occurrence of events, which taken individually would be far less powerful, combine by chance to potentially devastating effect.

In ERM terms, we tend to call it ‘risk-adjusted corporate performance.’ Alternatively, we might put performance first and call it ‘performance adjusted for risk.’ However you view it, recording and acting upon the cumulative judgment of individuals, work groups, functions, and divisions is the ultimate goal of enterprise risk management. Risk intelligence delivered by ERM embedded throughout an organization will put it in the best position to weather the storm. Innovation can still be delivered, but with the information needed to balance risk with reward. As Standard & Poor’s put it recently, ERM is not a passing fad; it is a new way of doing business and vital in the new economic reality we are all facing. ■
Enterprise Risk Management

The Big Risk: CEOs and Boards Never See It Coming
By Richard M. Steinberg
Compliance Week Columnist

When the fraud at Societe Generale burst into view at the start of this year, I analyzed what went wrong and why in “Why It’s So Shocking Societe Generale Was Shocked” (in the March 2008 edition). Then, CEO Daniel Bouton stepped down, which came as no surprise. He was at the helm when the SocGen ship hit an iceberg that clearly should have been seen and avoided. Management knew the company was in dangerous waters (regulators and others apprised them that damage appeared to have already been done), but did nothing to investigate and steer clear of disaster.

With the more than $7 billion in losses incurred on Bouton’s watch, calls for his ouster started almost immediately, and it seemed inevitable that he would leave. True, he stayed on as board chairman, but he was replaced as chief executive by the CFO, who now has responsibility for running the bank.

As we’ve seen in a number of the world’s largest financial institutions—including Citigroup and Merrill Lynch, to name just two—boards of directors, regulators, and investors are holding CEOs accountable for major fiascos. Losing tens of billions of dollars, and consequently requiring huge capital injections at fire-sale prices, certainly qualifies as a major fiasco. At Bear Stearns, not only is the CEO gone, but the whole, once-prestigious firm no longer exists.

In today’s environment, this result should surprise no one. But the reality is that in many such cases, the CEO never saw it coming.

There are many reasons why that’s the case. From years of experience working with CEOs of some of the largest companies, I believe perhaps the most relevant underlying cause is that these business leaders truly didn’t know the nature or extent of risk their companies were taking on. Worse, they didn’t know what they didn’t know.

How is that possible? Aren’t these companies supposed to have some of the most sophisticated risk-management systems anywhere? We know they deal with ongoing market risk, counterparty risk, liquidity risk, credit risk, operational risk, and so forth and so on. Yet the losses these institutions suffered stagger the imagination, and have cost the chief executives their jobs and possibly their reputations.

How Good Is Risk Management?

Any company is in business to take risk. How well the C-suite manages that risk directly drives the company’s success or failure. Yes, a sound strategy is critical, as are the people and processes for effective implementation. But identifying and managing risks to achieving the company’s business objectives plays a crucial role in whether the company will succeed, and indeed whether it will survive.

All too often, however, the problem is that the chief executive truly believes his or her senior management team understands what the risks are, has analyzed them, and is effectively managing them—when, in fact, the team doesn’t know the risks as well as it should. I’ve seen this first-hand in major companies when advising on how to enhance risk-management processes. Corollary realities are:

»» The board of directors often is not apprised of the risks, because the chief executive isn’t positioned to provide relevant information to the board.

»» Managers at lower levels in the organization usually do know what the risks are, but are not reacting to them nor communicating them up to more senior levels.

While there are many companies where this is not the case, in too many businesses it is. It’s worth looking into why.

Going for the Gusto

Of course no single management style or personality profile fits all CEOs. Nevertheless, in many instances there are some commonalities, which influence the focus on risk. First, chief executives typically have a laser-like focus on major growth and return objectives and the strategic and tactical plans needed to achieve them. They look at the positive, identifying opportunities to open new markets, bring new products to the marketplace, and recognize and satisfy customer needs and wants. On top of that, they’re deal-doers, looking to develop new alliances or partners or to build further growth through acquisition. And of course, they spend significant amounts of time with the company’s board of directors on an array of governance issues.

The point is, the chief executive’s mind-set is “forward-moving,” seizing opportunities and motivating direct reports and other senior managers to climb aboard a ship that’s going as fast as possible to the identified goal.

Yes, chief executives are well aware that risks exist. They or their company might have been previously burned, and they may well spend some time on the discussion of risk factors in their annual reports’ Management’s Discussion and Analysis. But what we’ve seen time and again is that many CEOs presume other senior managers are dealing with the possibility that things can go wrong and that they are well positioned and equipped to manage those risks. That presumption, made unconsciously or otherwise, has resulted in disaster for too many CEOs and the businesses they’ve run.

The Reality

What we’ve seen is that other managers indeed do recognize that risks are inherent in what they’re doing (more so as we move away from the C-suite). These managers deal with day-to-day implementation, working toward their individual and business unit goals. They usually recognize the pitfalls that exist, and depending on the risk-management process in place, may or may not take the necessary actions to counteract those risks.

But even where appropriate risk-management activities occur at some levels in an organization, a problem that happens too often—and which seems to be the culprit of major breakdowns in the large financial institutions recently—is that the communication simply isn’t there. If the risks are known within an organization (which often is the case) but aren’t known at the top, then communication is lacking. And if the CEO doesn’t recognize the nature and magnitude of risk the company faces, then it’s highly unlikely that the board is appropriately apprised.

There’s little doubt in my mind that directors ask many of the right questions of the CEO. Experienced directors have a great sense of whether the chief executive is being straight and forthcoming. Where, then, is the problem at the board level? In several areas:

»» The chief executive truly has not been apprised of the severity of the risks facing the business and so honestly provides misleading information to the board.

»» The board doesn’t probe sufficiently and fails to make sure it gets complete and accurate information about the risks.

»» The board is apprised of risk factors, but does not, for one reason or another, receive relevant information on the aggregate risks, on a “portfolio” basis, related to the company’s established risk appetite.

Motivations

I’ve mentioned in previous columns the crucial importance of how reward systems can provide unintended motivations for people to do bad things. That includes taking chances with shareholder resources for personal gain, whether in the form of positive recognition, bonuses, promotions, or stock price appreciation.

Looking back at what Chairman Bouton said soon after learning of the unauthorized trades, one of the more telling statements was: “We have no explanation for why [rogue trader Jerome Kerviel] took these positions, and we have no reason to believe he benefited from a financial point of view. We don’t understand why he took such a massive position.” It’s truly amazing that anyone would think the only motivation of a trader is to put money directly into one’s pocket. The other motivations (fame, respect, career advancement, to name a few) have long been recognized, and indeed are obvious.

An important point is that any company considering developing or upgrading its risk-management process should recognize the critical relevance of personnel policies and programs, including their measurement and motivating factors, to be sure they have a positive effect not only on goal achievement, but also on managing related risks.

Moving On

It’s interesting to note that one week after SocGen announced Bouton’s stepping aside as CEO, and held a farewell party for two managers of the derivatives trading desk who “resigned” in the wake of the scandal, “rogue” trader Kerviel started work at a consulting firm specializing in computer security.

Kerviel certainly did bad things. But as we know, banks and other businesses must have the processes in place and people sufficiently tuned into what’s going on in their business units to manage the risks, in addition to effective internal communication systems. SocGen didn’t, and many have paid the price. Managers ignored the radar screen. Thus, the ship hit the iceberg and took on massive amounts of water, with some officers jumping overboard—and leaving to others who remain the struggle to save the ship and get it back on course. ■

Rick Steinberg is founder and principal of Steinberg Governance Advisors in Westport, Conn., where he advises directors and executives on board responsibilities, governance best practices, and compliance and risk issues. Steinberg was previously a senior partner at PricewaterhouseCoopers, where he served as PwC’s corporate governance practice leader.

The author of numerous governance reports, including Corporate Governance and the Board—What Works Best, Steinberg served as the lead project partner in developing the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework, now recognized as a landmark representing the standard of internal controls.

Steinberg can be reached by e-mail at rms@complianceweek.com, or at (203) 222-9330.

RECENT STEINBERG COLUMNS

Below are some recent columns by Compliance Week Columnist Richard M. Steinberg. To read more from Steinberg, please go to www.complianceweek.com and select “Richard M. Steinberg” from the Compliance Week toolbar.

Debunking SOX Theories One Misconception at a Time
Having worked with many boards of directors, it’s clear that most directors now understand what Sarbanes-Oxley is all about. They’ve spent the last few years dealing with many of its provisions, with audit committees spending significant time on Section 404’s internal control requirements. Some initially lost sight of other important responsibilities, although generally boards have returned to a more balanced approach of providing effective advice, counsel, and direction on strategic business issues in addition to their compliance monitoring roles.
Published online 09/16/08

When Executives Discuss ERM Challenges
Recently I had the privilege of leading a forum of senior executives experienced in risk management in a discussion of the challenges of developing, implementing, and gaining the benefits of Enterprise Risk Management.
Published online 08/19/08
Learning to Talk About IT Risk in Common Terms
By Todd Neff

Explaining IT risk to senior executives and board directors in a meaningful way has always been difficult for computer folks. Now two major independent efforts to bridge the language gap have begun, with a third to follow later this year.

Both the Open Group—long a major force in software standardization—and the International Organization for Standardization announced their gap-bridging efforts in June. The Open Group introduced its Risk Management and Analysis Taxonomy; ISO rolled out its ISO 38500 standard for corporate governance and IT.

Both aim to reduce IT-related risks by helping top management and board members comprehend—and ultimately, react intelligently to—the risks inherent in the computer systems companies now depend on.

The Information Systems Audit and Control Association is the third player, and it wants to tackle the language gap and more. Its proposed enterprise risk management framework will “close the gap in the whole IT governance area,” says Urs Fischer, Swiss Life’s vice president of IT governance and risk management, who is spearheading the ISACA-IT Governance Institute work.

The growing ubiquity of computer power in business and the arrival of Sarbanes-Oxley have made painfully clear just how important a solid understanding of IT risk is.

“Risk management is a hot topic right now,” says Robert Stroud, a “governance evangelist” at CA who also happens to be international vice president of ISACA. “One of the challenges that IT manag-
where mutual risks intercede,” he says.

IT risk management has been around for years under various names. It was about running a tight IT ship, with good data security, access controls, and change management processes in application development, among many examples. A slew of standards and frameworks emerged to help IT departments do the right thing: the ISO 27000 series, ISO 17799, COBIT, ITIL, PCI, NIST’s 800 series, the Center for Internet Security’s configuration standards, and others.

Some, such as COBIT, start with a strategy and have a holistic tone; ISACA, COBIT’s creator, has even mapped COBIT to ITIL, ISO 17799, and other models for good, nuts-and-bolts IT implementation and maintenance. But none really addresses the vocabulary disconnect between IT departments on the front lines of IT risk and the senior managers responsible for risk overall, IT and otherwise, says Jim Hietala, the Open Group’s vice president of security.

“We looked at the landscape and realized we needed to develop a taxonomy that enabled IT folks to communicate with senior management about what risk is, to define a common set of terms that everybody agrees on,” Hietala says.

The Open Group’s final taxonomy became freely available in October, according to its Website.

The ISO 38500 standard is available on the ISO Website for 84 Swiss francs (about $82). It stems from an ISO study group led by IT risk-management and governance expert Alison Holt of New Zealand. Holt says that with the new standard, her group wants to create “what would be the absolutely core principles of IT governance we want senior management to understand.”

mation Risk” (FAIR) framework developed by Risk Management Insight. Alex Hutton, Risk Management Insight’s CEO, says FAIR evolved from work done by the CIO of a major financial services firm to draft common expressions for risk across business lines. The premise is that risk is about how often bad things can happen, and the probable loss should they happen, Hutton says.

Fred Lee, head of information risk management at National City Corp., used FAIR to traverse what he sees as two major gaps.

First, he says, is the psychological gap separating true risk management from traditional IT security, such as firewalls, encryption, anti-virus software, and the like. “The traditional security model has allowed IT implementers to get away with prescribing and opining more than you had in traditional security roles,” Lee says. “If they say, ‘Hackers will come in!’ people eat it up.”

The second gap is how senior managers and IT executives fail to discuss IT risk in a common language. If corporate leaders truly understand what their IT risks entail, they can steer resources to prevent those risks. And the “right” amount of resources can mean less, too.

“You have to ensure that you remain compliant, but you also have to make sure your IT performance actually matches the organizational need,” Holt says. “Because if you’re over-supplying, you’re paying; if you’re under-supplying, you’re paying in a different way.”

The language gap has thrown a wrench in attempts to match IT risk-management supply and demand, Lee says. He points to software-jockey terms such as “threat landscape.” Top
ers are trying to get a handle on is how         The forthcoming IT enterprise risk       managers might think of “threat” and
IT risk may affect business risk and how     management framework from ISACA              fear some Central Asian thugs trying to
the two are tied together.”                  should be public by the end of the year.     blackmail the company; IT profession-
    If management can get a strong grasp     Fischer says the framework will develop      als might only mean an Internet worm.
of the broader business, legal, and repu-    COBIT’s relatively thin treatment of             When the language gap is finally
tational problems an untended IT risk        comprehensive risk management, ad-           bridged, the real work can begin, Lee
poses, Stroud says, then the company         dressing language but also delving into      says. “Once we know how to speak
can beat that risk down to some toler-       the “why to do it and how to do it.”         ‘risk,’ we can start writing them down
able level before it ends up on the finan-                                                and working with them.”
cial reports as a material weakness.         Speaking Up on IT Risk                           For related coverage, please go to
    “Sound risk management is depen-
dent on the business understanding           T  he Open Group taxonomy is based
                                                on the “Factor Analysis and Infor-
                                                                                          www.complianceweek.com and enter
                                                                                          Print Reference Code: 080826. ■
16	                                             www.complianceweek.com » 888.519.9200 	                                 NOVEMBER 2008
Enterprise Risk Management

Building ERM Bridges for Boards, C-Suite
Continued from Page 7

helpful, depending too heavily on software can be counterproductive, says Tom Wardell, of McKenna Long & Aldridge.

"In my experience, those companies who have set out to highly systematize this process have found themselves frustrated by their own process," he says. "You ultimately have all the emphasis upon what these systems tell you is in there, as opposed to what you then do with all of that information to manage risk."

Wagner agrees. "You can risk manage yourself to death if you're not careful," he warns. "You can suck all of the innovation and all of the creativity out of an organization if you overdo it."

An effective ERM process—not a laundry list of risks to manage—will really secure board support, Tebben says.

"Management can help demonstrate the effectiveness by explaining to the board how ERM is embedded into the business," she says, suggesting that management show examples like addressing risk in quarterly business review agendas, staff meetings, capital project proposals, due diligence activities, and the like.

With such examples, she says, "I think they start to really give the board and audit committee a great deal of confidence that this isn't just some process that's been laid over the top to satisfy the board's question about what are your key risks."

But a "cultural change" towards better ERM can take a while, says Dan Schroeder, director of technology risk services at Amper, Politziner & Mattia, a New Jersey accounting firm. "It takes a well-thought-out approach to make this happen. It's going to take patience, it's going to take discipline."

"I think the biggest single potential mistake is believing that it's so well in hand that the process does not need review," Wardell says. "This is not one of those things that you fix and turn your back on. You never really are done."

For more information, including related coverage, please go to www.complianceweek.com and enter Print Reference Code: 110721. ■

S&P Includes ERM in Credit Rating Reports
Continued from Page 6

financial reporting—will count as "doing" ERM, Schanfield says. Then they'll discover that ERM encompasses many more risks than those to financial reporting.

"There is a perception by companies that because they got SOX done, that they have a good handle on all business risks. That's not the case," Schanfield says. "Only 40 percent of business risks are assessed by SOX. They don't understand that they're missing 60 percent of business risks, and they don't have a robust process in place."

"Companies have economic incentive to do ERM. If their credit rating is lowered, their cost of capital will increase."
—Daniel Helming, Partner, Weiser Accounting

Schanfield also warns that leveraging existing SOX controls and testing to achieve broader risk management can be difficult, since Section 404 is driven by process, controls, and documentation. ERM, in contrast, is driven by a top-down, holistic approach to much broader business risks.

Dreyer says S&P's experience with financial companies found that the inclusion of ERM could help a company's credit rating just as often as it could hurt a rating.

"Our existing process is fairly conservative," he says. "We tend to penalize companies for risk exposure. We may learn more new things and new information on the upside."

For more information, including related coverage, please go to www.complianceweek.com and enter Print Reference Code: 080823. ■

Building a Strong Corp. ERM Team
Continued from Page 4

ments going on in their organization, each with a very different and distinct purpose. In addition, most departments have their own definitions of the phrase "risk management," Anderson said. "And they're comfortable with them. They believe everybody understands what they mean by that word."

Oftentimes, however, that's not the case. "It's the things that we think are there, that we think we have documented that we take for granted," said Dale Timmons, managing director of UHY Advisors. "If they're not on paper, and they're not communicating in a standard way, then you're probably not as in sync as you think you are."

Valerie Radford, managing director of risk management at TIAA-CREF, understands this well. Not until TIAA-CREF first developed a centralized, independent risk-management function in 2003, she said, did the company realize that its internal auditors had a much different idea of risk assessment than the finance and compliance teams.

That detachment, in turn, drove many other inconsistencies, including who talked to whom within the organization. Auditors, for example, only talked to senior management, while compliance only talked to managers and process owners. "So we had this disconnect," Radford said. "We were both saying we were doing risk assessment, but we really weren't doing the same thing."

The overall goal of good risk management, Andy Anderson said, is to devise a single process that's looked at from many different perspectives, and to come up with solutions in a much more efficient and direct manner.

"It's a little bit like herding cats," Timmons said. "We're all independent. We all have our own way of thinking. We've all been successful at what we do, and how you pull that all together to be accountable as an organization is very important."

For more best practices in risk management oversight, please go to www.complianceweek.com and enter Print Reference Code: 090824. ■