IT Risk Tops List of Concerns for Board Members

A recent survey of Public Company Audit Committee Board Members about risk highlights the desire to focus more heavily on Information Technology (“IT”) related risks. This is not surprising given that technological innovation continues at a rapid pace while it is also increasingly impacting every key facet of business today. The survey, conducted by the National Association of Corporate Directors and sponsored by KPMG, uncovered the following common board-level views about IT and other risk areas.

  • They are not satisfied that their oversight of various IT risks is effective, or that the company’s strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company’s risks and control environment, or rate their company’s crisis response plan as “robust and ready to go.”
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC’s whistleblower “bounty” program of particular concern.

An integrated, enterprise-wide risk program is the key to addressing these items in a holistic and practical way.  If your company has not implemented such a program, meeting the demands of the board will be challenging.

A Call to Action for Risk Managers

Risk managers are waking up to the fact that as the world continues to change, they must also change. Upgrades to skill sets as well as the overall approach to risk management is essential for these professionals to provide the value that companies are demanding in the tumultuous global economic environment. Just this week, at the Federation of European Risk Management Associations annual conference in Sweden, a call to action is being made to risk managers around the world.  Here’s a sample of the views expressed during the conference as reported by Business Insurance magazine.

During a news conference at FERMA’s forum in Stockholm, FERMA executives said risk managers cannot isolate themselves from the financial turmoil in many parts of the world or the rapid changes in many industries because of technology. “You cannot put your head in the sand; you have to understand and live with it,” said Julia Graham, chief risk officer for London-based law firm DLA Piper U.K. L.L.P. and VP of FERMA.

Ms. Graham said the skills that risk managers need have changed in the past five years. Now, she said, risk managers need to look forward more than backward, have greater financial literacy to understand and talk the language that company boards use, and improve their management skills, among other things.

The purely quantitative, historical view of risk is no longer adequate in today’s complex global marketplace.  Strong business acumen is required for risk managers to provide a better view of potential risks and opportunities facing companies today.

Rebuilding Trust Through Better Risk Monitoring

A recent op-ed article in the Financial Times by noted author and professor, Frank Portnoy, raises the question about the need to hold corporate managers personally accountable for gross negligence when they do not monitor risks. Mr. Portnoy proposes having senior executives at major banks certify that they are actively monitoring the risks taken in areas such as trading desks that have resulted in recent losses due to rogue trading activities. He summarizes his view in the following way.

Current rules permit directors and officers to avoid personal liability for gross negligence. That is a wise rule for most business decisions: courts are generally not skilled at assessing business judgment. But risk is different. Why should a bank manager who is grossly negligent in supervising risk avoid liability?

Shareholders might never be able to understand the risks of modern banks, and current regulatory approaches will not give them much confidence. But if they knew that senior managers had agreed to be personally liable for gross negligence in monitoring risk, they might trust the banks more. Without trust, it is hard to see how banks can recover.

Mr. Portnoy is correct to promote the notion of greater accountability for monitoring risk. However, attaching personal liability to executives may not necessarily be the best method. It would be very difficult to define what is an adequate level of risk monitoring since it really differs for every institution. That is why the industry is so heavily regulated. However, Mr. Portnoy is certainly on point in the fact that stronger risk monitoring is needed to rebuild trust in banks.

Another Example of the Value of Risk Management

It seems that some financial institutions have not fully learned the lessons from past rogue trading incidents such as the ones that occurred at Societe Generale and Barings. Officials at UBS announced today that they are facing massive losses at the hands of a lone trader. Here’s what BBC reported this morning.

Police in London have arrested a 31-year-old man in connection with allegations of unauthorised trading which has cost Swiss banking group UBS an estimated $2bn (£1.3bn). Kweku Adoboli, believed to work in the European equities division, was detained in the early hours of Thursday and remains in custody. UBS shares fell 8% after it announced it was investigating rogue trades. ZKB trading analyst Claude Zehnder said the news would damage confidence in UBS. “They obviously have a problem with risk management.”

This is yet another example of the value of having a strong risk and control program. While it is difficult to control external events, companies can certainly implement proper internal controls to protect from massive losses such as this one.

Sarbanes-Oxley Executive Compensation Clawbacks Continue

Yesterday, the U.S. Securities & Exchange Commission (“SEC”) announced another successful “clawback” of executive compensation under the Sarbanes-Oxley Act of 2002. James O’Leary, former Chief Financial Officer of Atlanta-based Beazer Homes USA, was forced to return over $1.4 million in bonus payments and stock sale profits that he made as a result of fraudulent financial reporting in 2006. What is somewhat unique about the case is the fact that the CFO was not implicated in any wrongdoing other than certifying that the financial statements were accurate. The individual who is being criminally prosecuted for the fraud is the Chief Accounting Officer who reported to the CFO during the time period in question.

“Section 304 of the Sarbanes-Oxley Act encourages senior management to take affirmative steps to prevent fraudulent accounting schemes from occurring on their watch,” said Rhea Kemble Dignam, Director of the SEC’s Atlanta Regional Office. “O’Leary received substantial incentive compensation and stock sale profits while Beazer was misleading investors and fraudulently overstating its income.”

This announcement comes on the heels of a related clawback from the CEO of Beazer Homes that totaled more than $6.4 million. Again, in this case, the CEO was not implicated in any criminal wrongdoing. The SEC’s enforcement approach regarding both the CEO and the CFO in this case serve as a reminder to senior executives to ensure their annual certifications are accurate. The only way to know is to have a strong risk and control program in place. Wheelhouse Advisors can help. Visit to learn more.

Increasing Your Risk Awareness

Companies of all sizes are searching for direction as they seek growth during these tumultuous economic times. Some companies are looking for better ways to deploy capital while others are simply fighting for survival. It is during times such as these that many do not take the time to seek perspective on the risks that they face. However, the strongest companies realize that having a solid understanding of their unique risks is vital to their continued success. These companies also realize that the risks they face are ever-changing – both internally and externally.

The first step to developing a better understanding of risk is to conduct an Enterprise Risk Assessment based on the company’s strategic objectives. This risk assessment will serve as the baseline for measuring risk responses going forward and also as the foundation for a broader Enterprise Risk Management (“ERM”) program. As a company implements their ERM program, it is critical that a culture of risk awareness rather than risk aversion is promoted. A “risk aware” culture embraces risk as the flip side to the reward they seek.

However, simply identifying, measuring and mitigating risks is only part of achieving “risk awareness”. An effective way to gain this perspective is to examine how the business is evolving in relation to its overall strategic direction through the Risk Awareness Cycle (see figure below). At any given time, a product, service or an entire company is in one of four stages of evolution – Order, Complexity, Chaos or Simplicity. Within each of these stages, risks take different forms. In addition, to continue as a viable enterprise, movement from one stage to the other is essential. Without movement, an enterprise will lose forward momentum and ultimately fail.

To learn more about how you can increase your company’s risk awareness, visit

Risk Awareness Cycle

SEC Launches Office of the Whistleblower

Just more than a year after the Dodd Frank Wall Street Reform and Consumer Protection Act was signed into law, the Securities & Exchange Commission (“SEC”) has established a new office to handle one of the major provisions of the act.  The Office of the Whistleblower was publicly launched last week.

To aid in the submission of whistleblower tips, the new office has created a website that provides details on how whistleblowers should provide information and what whistleblowers should expect. According to the website the SEC, “… is authorized by Congress to provide monetary awards to eligible individuals who come forward with high-quality original information that leads to a Commission enforcement action in which over $1,000,000 in sanctions is ordered. The range for awards is between 10% and 30% of the money collected.”

Potential whistleblowers are encouraged to report their issue through a company’s internal compliance program before contacting the SEC.  In fact, according to the final rules, the SEC will consider increasing the overall award amount if the whistleblower utilizes the internal compliance channels.  The following is an excerpt from the SEC’s whistleblower rule book.

Participation in internal compliance systems. The Commission will assess whether, and the extent to which, the whistleblower and any legal representative of the whistleblower participated in internal compliance systems. In considering this factor, the Commission may take into account, among other things:
(i) Whether, and the extent to which, a whistleblower reported the possible securities violations through internal whistleblower, legal or compliance procedures before, or at the same time as, reporting them to the Commission; and
(ii) Whether, and the extent to which, a whistleblower assisted any internal investigation or inquiry concerning the reported securities violations.

Companies should use this opportunity to communicate the importance of reporting issues through internal channels before reporting to the SEC.  For those companies that do not have a well constructed compliance program, now is the time to build one.

Perilous Times Require Strong ERM Programs

Each day as we read the news across the globe, it is apparent that the business environment continues to be laden with a myriad of risks. Without advance preparation, companies looking to advance their strategies will find themselves at the mercy of some unforeseen event that will threaten their success or perhaps their very survival. In times like these, it is critical to have a strong enterprise risk management (“ERM”) program that is woven into the fabric of a company’s strategy as well as its day-to-day business operations.

However, implementing an effective ERM program today is no easy task. Faced with an uncertain regulatory and economic outlook, many companies struggle to create a cost-effective, focused program that will provide the necessary insight to anticipate the most critical risks.  While each company and industry may be unique, there are a few common steps that can be taken that will lead to a more effective ERM program.

1. Start with the strategic plan – focus ERM efforts on where the company is going, not where it has already been

2. Create a simple framework and process that is easily understood – too many companies try to make ERM more complicated than it needs to be

3. Demonstrate importance of the program with a C-level champion – whether it is a new Chief Risk Officer, the CFO or even the CEO, a key leader must lead the charge

4. Tie risk management objectives and metrics to existing performance metrics – business goals require incentives and risk management objectives are no different

5. Invest in cost-effective enabling technologies – a wide range of risk management technology solutions exist today and choosing the wrong solution can result in cost overruns and poor results

By taking these steps, you will certainly be headed in the right direction on your ERM journey. However, the ultimate success factor is maintaining a long-term commitment to ERM as a valued business discipline. To learn more about creating a successful ERM program, visit

ERM Adds Strategic Value

As enterprise risk management (“ERM”) becomes a more widely accepted practice, many companies are realizing the value of including a risk viewpoint in their strategic planning exercises. In the past, many executives viewed risk management purely as a loss avoidance exercise.  However, now that ERM is providing a broader view of risks and allowing companies to become more resilient, companies are more willing to incorporate the employment of calculated risks into their strategy formation.  A recent study by the Economist Intelligence Unit provides the following insight into this changing view of ERM.

One important indication that a shift might be occurring, however, is that 75% of executives think that risk considerations are playing an increasingly important role in strategy at their organisations. This suggests that rather than playing a preventative role—avoiding financial losses, for example—risk management could be moving towards an enabling role that contributes more fully to corporate strategy.

To navigate risks for both the shorter and the longer term, many firms are beefing up their risk management systems. ABB, for one, is increasingly moving away from a decentralized risk management model and putting in place a more group-wide strategy. “We’ve put in place a centralized enterprise risk management program over the last 12 months, and viewing holistically all the risks we face in the organisation,” confirms Mr Hall. “What we realized in the financial crisis, particularly from a financial point of view, is that the best way to manage risk is centrally.”

Martin ten Brink, a director at Shell, a British oil giant, says his company intends to refine some aspects of its enterprise risk management system in the coming year, particularly the pricing of risk. Furthermore, he says, Shell is improving the way it gauges risk velocity. The firm is targeting “a better understanding of the speed with which a risk can materialize and impact business performance.”

Wheelhouse Advisors is uniquely qualified to help companies build ERM programs that can be a source of strategic value. To learn more, visit

Demand for ERM Continues to Grow

More companies are beginning to realize the value of Enterprise Risk Management (“ERM”) as a discipline that can propel a business forward rather than hold it back. In the recent past, many ERM programs focused primarily on revisiting problems from the past or examining all risks regardless of size. While these types of exercises can keep people busy, they rarely benefit a company that is trying to navigate forward to achieve successful outcomes. However, according to recent comments by a risk expert at the Risk and Insurance Management Society, ERM is evolving into a highly valued business practice. Here is what she had to say in an interview conducted by

Today, a growing perception that ERM “is a business discipline that can advance an organization’s [big-picture] objectives” is driving higher adoption rates across all types of organizations, says Carol Fox, director of strategic and enterprise-risk practice with the Risk and Insurance Management Society.

While there is also a perception that risk managers are having difficulty getting invited to a seat at the C-suite table, Fox believes that most corporate leaders, with only rare pockets of resistance, are eager for expert input about the strategic risks the organization faces.

“With all the external pressures—whether it’s Dodd-Frank, shareholders or the disclosures required now by the SEC for public companies—there is plenty of demand, visibility and support at the board level and at senior-management level” for ERM, she says.

As more board members and senior executives become acquainted with the usefulness of a well-designed ERM program, the discipline will become a “must have” for companies looking to compete in the new economy.