Feb2008 Monthly Slides 1
Transcript

  • 1. Risk Advisory Services 02/26/2008 From Compliance to Competitive Edge: The Paradigm Shift, Leveraging Risk Investments to Improve Business
  • 2. Agenda The Current State Navigating Through The Confusion What We Are Hearing About Risk The Current State Market Challenges Costs and Budgeting Risk Convergence A Fresh Look At The “Internal Controls” Maximizing The Role of IT In Compliance Leading IT Practices In Successful Organizations 1
  • 3. The Current State Navigating through The Confusion 2
  • 4. Standards? What Standards? “The nice thing about standards is that there are so many of them to choose from.” – Andrew S. Tanenbaum 3
  • 5. Navigating Through the Confusion [Diagram] Regulators: SEC, EEOC, OSHA, FRC, NASD/NYSE, PCAOB, EPA, FTC, DOJ, PTO, IRS, DHS, EBSA. Frameworks: COSO, COSO ERM, OCEG, COBIT, ISO, American Productivity and Quality Center (APQC), Supply Chain Council (SCOR), Software Engineering Institute (Capability Maturity Model). Business Drivers and Initiatives: Asset and Capital Management; Earnings and Operating Margins; Revenue and Market Share; Reputation and Brand; Logical and Coordinated Process. Laws, Regulations, and Standards: Section 404, IFRS, USSG, CFO Act, E-Gov Act, OMB A-123, FMFIA, HIPAA, Tax Regulations, 1933 and 1934 Securities Act, Anti-Money Laundering Laws, Anti-Trust Act, Environmental and Social Laws, IP—Protection Laws, Product Liability Laws, CSR. **Frequently-used examples. Ever-increasing Laws, Regulations, and Standards, and Multiple Frameworks 4
  • 6. Now Consider This Example: Nicole is an equity division manager in a global bank The work day has barely begun Discovered that a recent spike in trading volume has jolted the firm’s trading platform resulting in a multitude of trade breaks and delayed executions She checks her e-mail and sees a barrage of requests to provide risk information to various departments Compliance department wants an urgent meeting to discuss its plan to conduct several business reviews during the year IT risk unit has sent a questionnaire on business continuity planning and data security Internal audit is asking to review its risk assessment of her business and agree to four audits of her group in the next 12 months How can Nicole effectively increase the top line if she is hampered by inefficient business processes? 5
  • 7. What We Are Hearing About Risk [Diagram with two groups of themes: “Keep Us Out of Trouble” and “Make Our Business Better”] Themes shown include: Growing Number of Restatements; Bigger Fines and Settlements; Inter-Agency Coordination; Focus On Core Mission; Defense of Intellectual Property; Option Backdating; Research & Development Spend; Decrease Cost of Compliance; Accessing Emerging Markets; Just-In-Time Inventory Management; Catastrophic Reputational Consequences; OMB Watch List & GAO High Risk List; Reporting and Disclosure. Captions: “All too confusing and overdone… Except when we get in trouble” and “Must do it… But how do we do it better?” 6
  • 8. The Current State Market Challenges 7
  • 9. Top Challenges: Six challenges dominate senior management agendas (Category: Includes)
      - Improving efficiency/Program Performance: Achieving greater efficiencies in risk and control processes; inter-agency coordination; improving coordination; unifying and streamlining approaches
      - Challenging regulatory environment: Shifting regulatory demands, high degree of regulatory scrutiny, variation of regulations across jurisdictions.
      - Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, raised customer expectations
      - Attracting and retaining talent/Human capital crisis: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies
      - Managing change: Dealing with people and organizational issues as new processes demand new methods of work
      - Fear of compliance failures and identifying emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; and preparing for future risks 8
  • 10. Top Challenges: Improving efficiency is the leading concern for all respondents followed by regulatory issues PERCENT RESPONDING – ALL RESPONDENTS: Improving efficiency 50%; Challenging regulatory environment / Implementing Basel II 30% / 13% *; Keeping pace with business growth & complexity 30%; Attracting & retaining talent 20%; Managing change 20%; Fear of compliance failure 17%; Identifying emerging risks 13%. * The dark bar represents those respondents who mentioned general regulatory challenges; the light bar represents those respondents who specifically cited Basel II implementation 9
  • 11. Challenge #1: Inefficiency is acting as a “drag on the system” There is unanimous recognition that rapid growth of business – mergers, global expansion – together with SOX and the complex regulatory environment, have resulted in inefficient structures, and redundant systems and processes There is an extremely high desire to fix this problem 10
  • 12. Challenge #2: There is a growing frustration with regulators Respondents see no letup in the regulatory environment – Sarbanes Oxley, Basel, privacy, HIPAA, IFRS, Anti-money Laundering etc., etc… Organizations are pushing back 11
  • 13. Challenge #3: Keeping pace with business growth and complexity The requirement for speed to market creates pressure on all types of fronts, from credit and market risk related approvals to compliance or regulatory or legal approvals How do we do our part to support revenue growth and the growth of our company and have the proper risk/reward balance? There is a proliferation of new products which are becoming increasingly sophisticated 12
  • 14. Challenge #4: The complex environment is driving the need to attract and retain talent Definitely a major concern for the leadership Good talent is hard to find Competition for talent is intense, and the supply of risk professionals is not keeping up with demand 13
  • 15. Challenge #5: Dealing with people and organizational change issues is daunting Inefficiencies, the complex regulatory and business environment, and the shortage of talent, are stressing current systems and driving demand for more robust solutions “Moving the supertanker” requires a common understanding of risk and control procedures across the enterprise, senior management buy-in, and clear definitions of roles People’s natural resistance to change is a constant struggle 14
  • 16. Challenge #6: Identifying emerging risks and fear of compliance failures keep many respondents up at night Despite significant investments, many acknowledge they continue to worry about breaches in compliance due to human error, regulatory surprises, or unknown emerging risks – “We operate in so many different jurisdictions, in 50 countries, and with various different products. We have about 130,000 employees. And if you think that everybody is doing everything they should, the way they should be doing it, you know that's not happening.” - Head of Internal Audit, Commercial Bank 15
  • 17. The Current State Costs and Budgeting 16
  • 18. Costs and Budgeting: Half of all respondents believe costs will continue to rise; the other half see costs stabilizing ALL RESPONDENTS: Increasing 48%; Decreasing 21%; Staying the same 25%; Don't know 7%. Reasons cited include: Continued business growth and global expansion; Rigorous regulatory environment; Need for more expensive senior talent 17
  • 19. Costs and Budgeting: Very few can estimate time business spends on risk and control management Most feel that time spent in the business units is too embedded to track Time spent depends on the job and the type of business – “Our industry is plagued with this: we don’t have a good understanding of what our key processes are and we don’t have the ability to measure our unit costs. If you went to Toyota or Coca Cola, they have a whole science, but when you ask about processes here people look at you as if you were speaking Swahili.” - Head of Operational Risk, Commercial Bank 18
  • 20. Top Challenges: Six challenges dominate senior management agendas (Category: Includes)
      - Improving efficiency: Achieving greater efficiencies in risk and control processes; improving coordination; unifying and streamlining approaches
      - Challenging regulatory environment: Shifting regulatory demands, high degree of regulatory scrutiny, variation of regulations across jurisdictions.
      - Keeping pace with business growth and complexity: Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, raised customer expectations
      - Attracting and retaining talent: Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies
      - Managing change: Dealing with people and organizational issues as new processes demand new methods of work
      - Fear of compliance failures and identifying emerging risks: Fear of compliance failures despite best efforts, due to human error or unanticipated events; and preparing for future risks 19
  • 21. Now Consider This Example: Nicole is an equity division manager in a global bank The work day has barely begun Discovered that a recent spike in trading volume has jolted the firm’s trading platform resulting in a multitude of trade breaks and delayed executions She checks her e-mail and sees a barrage of requests to provide risk information to various departments Compliance department wants an urgent meeting to discuss its plan to conduct several business reviews during the year IT risk unit has sent a questionnaire on business continuity planning and data security Internal audit is asking to review its risk assessment of her business and agree to four audits of her group in the next 12 months How can Nicole effectively increase the top line if she is hampered by inefficient business processes? 20
  • 22. Risk Convergence – Streamlining Governance, Risk and Compliance (GRC) 21
  • 23. What Is Risk Convergence? Common framework to assess and monitor the organization’s risks: Reduce redundant risk management and control activities Eliminate duplication among business units Drive down costs 22
  • 24. Why Risk Convergence?? “It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.” — Charles Darwin 23
  • 25. Why Risk Convergence?? Standard & Poor’s, Moody’s and other credit-rating agencies measure an Enterprise Risk Management program as a lead risk indicator and a major scoring factor. Standard & Poor’s credit rating Challenging to determine management capability and capacity to manage risk Proposal to introduce enterprise risk management analysis into the corporate debt rating process 24
  • 26. Why Risk Convergence - Aligning to Your Business Drivers. Keep Us Out of Trouble/Make the Business Better [Diagram] Business drivers: Reputation and Brand (Do our stakeholders have a favorable view?); Revenue and Market Share (How does the organization grow?); Asset and Capital Management (How efficient is the organization?); Earnings and Operating Margins (How profitable is the organization?). Items shown: Maintaining strong ethical tone at the top; Protecting and defending intellectual property rights; Managing customer and employee information, e.g., privacy concerns; Organizing regulatory compliance/governance in an efficient manner; Entering new markets—particularly emerging markets; Prioritizing R&D spend to ultimately align with customer needs; Integrating large scale acquisitions; Using finance arrangements to access new markets; Channel management; Improving inventory and receivable management; Coordinating supply chain/lean manufacturing; Integrating global processes and IT systems; Simplification of multi-element sales, e.g., software, hardware and services; Maintaining gross margins through new product introductions; Improving operating margins; Managing warranty terms and product returns; Managing third-party contractor relationships 25
  • 27. Why Risk Convergence?? Mitigate risk Despite significant investments, compliance failures continue to represent a major threat – both monetary and reputational Streamlining risk and control operations reduces compliance gaps and enables more effective ongoing risk management Increase efficiency / reduce costs Streamlining risk and control programs and processes reduces the enormous time commitments and frustration levels throughout the organization, and ultimately will result in better cost management and control Support strategic decision-making Greater coordination and information sharing among corporate control units and business units provides senior management and board committees with more effective multi-dimensional risk information that supports decision-making 26
  • 28. State of Convergence: All organizations are underway with some form of convergence Terminology may vary, but all understand the concept of streamlining governance, risk and control processes Each organization is forging its own way, based on culture, business imperatives, appetite for change, and regulatory history Most are in the early stages and the majority of activities are driven by short-term objectives 27
  • 29. State of Convergence: There are no best practices There are some organizations that are fairly far down the path, however, no one considers themselves ‘converged’ Currently there are no best practices or established methodologies Most convergence activities are being led by the CFO, CRO, or the head of one or two functions 28
  • 30. State of Convergence: Efficiency is the primary driver of convergence Desire for greater efficiency is the main driver for risk convergence Reducing risk fatigue in the business units is considered but this has eased since the early SOX days Surprisingly, cost reduction is not a major driver 29
  • 31. State of Convergence: Convergence is evolutionary not revolutionary Most organizations are addressing convergence in incremental stages The appetite for a massive enterprise transformation is low 30
  • 32. State of Convergence: People issues are the primary barriers to convergence Overcoming people’s natural resistance to, and fear of, change is the biggest obstacle to convergence • “People don’t like converging. In their minds it tends to dilute their efforts. If it is a significant risk to them, they want and demand the resources to deal with it.” - CRO, Commercial Bank 31
  • 33. State of Convergence: Convergence is creating a need for more senior talent As convergence initiatives begin to reduce redundancies and inefficiencies, organizations are finding that they need more senior talent and less junior staff This represents a major shift in the skill base and exacerbates the shortage of talent in the industry 32
  • 34. Stages of Risk Convergence 33
  • 35. The Path to Convergence While there is not one clear approach to convergence, companies are following somewhat similar paths [Diagram, axis: Sophistication. Phases: Coordination Phase, Alignment Phase, Integration Phase, Implementation. Milestones: Vision defined; Owner identified and committee formed; Groups interacting; Redundancies being addressed; Reporting streamlined; Methodologies aligned; Roles and responsibilities redefined; Technology options implemented; Convergence institutionalized] 34
  • 36. The Path to Convergence Most respondents are in “Coordination Phase” [Diagram, axis: Sophistication. Phases: Coordination Phase, Alignment Phase, Integration Phase, Implementation. Milestones: Vision defined; Owner identified and committee formed; Groups interacting; Redundancies being addressed; Reporting streamlined; Methodologies aligned; Roles and responsibilities redefined; Technology options implemented; Convergence institutionalized] 35
  • 37. The Path to Convergence As organizations make progress in reducing redundancy, they begin to tackle more difficult aspects of efficiency improvement [Diagram, axis: Sophistication. Phases: Coordination Phase, Alignment Phase, Integration Phase, Implementation. Milestones: Vision defined; Owner identified and committee formed; Groups interacting; Redundancies being addressed; Reporting streamlined; Methodologies aligned; Roles and responsibilities redefined; Technology options implemented; Convergence institutionalized] 36
  • 38. The Path to Convergence Even for those furthest along the convergence path, redefining roles, implementing new technologies, and embedding new practices remains a goal [Diagram, axis: Sophistication. Phases: Coordination Phase, Alignment Phase, Integration Phase, Implementation. Milestones: Vision defined; Owner identified and committee formed; Groups interacting; Redundancies being addressed; Reporting streamlined; Methodologies aligned; Roles and responsibilities redefined; Technology options implemented; Convergence institutionalized] 37
  • 39. Risk Convergence Evolution - A Fresh Look at the “Internal Controls” Effective internal control environment means: The company is working and performing well Communicates performance to capital markets and investors in a transparent manner Note: Transparency and certainty over risk and internal controls in strategic, operational and financial reporting areas Management understands major risks and has processes in place to address/mitigate these risks Changing perception of Internal Controls From being viewed as “burdensome” to “strategic information” for driving business decisions 38
  • 40. Do the current internal controls investments provide the following business benefits? 39
  • 41. Aligning Internal Control Investment with Risk Assessment How frequently does the company conduct an enterprise risk assessment? 40
  • 42. What is the focus of the risk assessment? 41
  • 43. Room for improvement? How effective are internal controls over the following financial reporting areas? 42
  • 44. How effective are internal controls over the following business and operational areas? 43
  • 45. How effective are internal controls over the following information technology areas? 44
  • 46. Where are Leading Companies Investing? What are the key business drivers justifying future investments to strengthen internal controls? 45
  • 47. Better Understanding of Major Risk Areas What is the impact and probability of your top strategic risks? [Impact/probability matrix] Key Strategic Risks: Inefficient management of contract manufacturer relationship (e.g. – lead times, variance accounting, etc.); Inefficient JIT inventory management (e.g. – balancing with customer demand); Delays in new product development; Uncertainty due to increased off-shoring and business process outsourcing; International expansion/emerging market penetration; Intense competition in mature product lines; Price/gross margin erosion; Cost/operating expense management; Intellectual property protection and defense; Large scale mergers and acquisitions; Multi-element sales contract simplification and revenue recognition. Impact: Major = Loss of ability to achieve any strategic objectives-worst case; Significant = Significantly reduced ability to achieve all strategic objectives; Moderate = Disruption to achievement of one strategic objective and reduced ability to conduct normal operations; Minor = Minimal disruption to one strategic objective and some impact on ability to conduct normal operations; Insignificant = No impact on strategic objectives and only limited disruption to normal operations. Probability: Remote = less than 10% chance of occurrence; Unlikely = Between 11 - 20% chance of occurrence; Likely = Between 21-50% chance of occurrence; Highly Likely = Between 51-75% chance of occurrence; Expected = Over 75% chance of occurrence 46
  • 48. Making the Business Better Investing in a Comprehensive Control Environment [Diagram. Axis labels: strategic value; operations efficiency; financial & compliance; cost; investment. Steps shown: Top-Down Risk Assessment & Scoping; Risk Based Testing & Evaluation; Risk Convergence- Consistent Risk & Control Framework; Optimization & Standardization of Controls; Coverage of Fraud Risk & Controls; Leveraging Monitoring Controls; Process & Controls Improvement; Controls Automation & Continuous Controls Monitoring] 47
  • 49. Maximizing The Role of IT in Compliance Enterprise Risk Management IT Integration Continuous Controls Monitoring/ Controls Automation Segregation of Duties Change Management Super User Access Rights – Identity and Access Management Application Controls Tools and Technologies – Seamless integration of disparate sources of information Sophisticated Data Analytics 48
  • 50. Continuous Controls Monitoring Another strategy for improving efficiency using IT Automates the monitoring of financial and operational controls at the entity and transaction levels Maximizing the full capabilities of the IT investment to control the flow of transactions and significantly leveraging these capabilities for the operating effectiveness of internal controls Focused on application controls, segregation of duties, transactional data analysis, and IT general controls 49
  • 51. How do Companies Assess? In the Past… (Audit): Point in Time Audits; Reactive; Random; Sampling; Generic. Moving Forward… (Continuous Monitoring): Continuous; Proactive; Comprehensive; Integrated; Business Specific. [Chart axes: Business Risk (High to Low) against Time] 50
  • 52. Leading IT Practices in Successful Organizations Three overarching principles seen in successful organizations Risk Management Manage the risk of IT Leverage IT investments to reduce other risks that organization may face Cost Rationalization Rationalize the cost of IT Leverage IT investments to rationalize costs elsewhere in the organization Value Creation Increase the strategic and operational value being created for the business by IT 51
  • 53. View ODS Function Best/Leading Practices 52
  • 54. Leading IT Practices in Successful Organizations Four distinct traits seen in successful organizations 1. Strategic Alignment: Viewing IT as strategic commitment vs. a utility activity Viewing IT functions as technological framework which coordinates information, decision making, management and strategy Achieved through executive sponsorship and linking IT to major processes and initiatives 53
  • 55. Leading IT Practices in Successful Organizations Four distinct traits seen in successful organizations 2. Effective Governance Achieve formal implementation of IT Governance Representation at Board of Directors meeting Achieved through risk and resource management, board attention, use of leading standards 54
  • 56. Leading IT Practices in Successful Organizations Four distinct traits seen in successful organizations 3. Efficient Operations Strategically utilize IT for revenue generating and cost saving objectives This may include consolidating/standardizing IT functions Achieved through revenue generating enhancements, reduction in service delivery costs, strategic and planned approach to IT function 4. Measured Performance Facilitating strong realization of company’s performance through reporting/assessments 55
  • 57. Questions 56