BUSINESS PRESCRIPTION — COSO ENTERPRISE RISK MANAGEMENT:
Organizations are looking for a structured methodology that lets them quantify risk, establish risk appetite/tolerance, identify and prioritize controls, and establish a system of record to meet a multitude of legal and compliance obligations.
This is where COSO comes in. The COSO Internal Control Framework was originally authored in 1994 with the aim of establishing internal controls to manage operational efficiency and effectiveness, financial reporting reliability, and compliance with laws and regulations. The Internal Control Framework has received a lot of attention recently, as it is the approach most organizations are taking for Sarbanes-Oxley compliance and is recommended by the SEC and Public Company Accounting Oversight Board.
What has been lacking is a structured framework to build an ERM process upon that integrates and extends the Internal Control guidance. PricewaterhouseCoopers, working alongside a project advisory council, worked with COSO in developing this needed guidance. The result: the recent release of the COSO ERM framework.
COSO defines enterprise risk management as:
“Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.”
The COSO framework provides an answer to the challenges organizations are facing in governance, risk, and compliance. This framework’s goal is to build a risk management process as a foundational element of business operations.
The Evolution Of Technologies And Tools In Support Of COSO ERM
Sarbanes-Oxley (SOX) was the primary driver in providing a wake-up call within organizations for a consistent and defined structure to ERM.
Facing Section 404 compliance, organizations turned to documenting accounting controls in spreadsheets or SOX-specific solutions. Organizations have now become aware that a broader approach to risk and compliance management is needed. This results in a shift in the approach and tools needed to document risk, compliance, and internal controls. Neither the spreadsheet approach nor specific SOX tools are enough: organizations now need tools that can document and manage risk and compliance against the broader risk and compliance demands the organization faces.
Vendors in the SOX segment will face increasing demand for broader enterprise risk and compliance management capabilities; those that remain too narrowly focused are likely to falter.
(COSO is the Committee of Sponsoring Organizations of the Treadway Commission. It is a cooperative effort between the American Institute of Certified Public Accountants, American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants. Further information on COSO and the Enterprise Risk Management framework can be found at http://www.coso.org.)
Monday, May 26, 2008
Friday, May 23, 2008
Understanding Enterprise Risk Management In-Depth
In today’s blog, we will discuss “Understanding ERM In-Depth; Using the Right ERM Strategy as A Catalyst for Addressing Risk, While Improving Audit Outcome”.
Companies are under significant pressure to stay abreast of a wide array of business risks that may impact their organization’s success and sustainability. The risk oversight role of boards of directors (BODs) and senior management is becoming critical to the sound running of an organization, especially for companies with significant market risk exposures. This has caused BODs and corporate officers to become more involved in strategic ERM planning at early stages, rather than just reviewing and signing off on an ERM strategy after it has been fully developed by management. Furthermore, the increasing demands and high expectations from the BOD level have caused a major shift in how audit committees and chief audit executives approach their internal audit programs. Internal auditors are encouraged to incorporate a risk-based approach to internal controls auditing.
ERM Framework and Strategy:
I’ve seen many clients undergo major efforts in developing an ERM framework that works for their business. Most of these frameworks, in my opinion, appear to be nothing more than an over-engineered process that could have been completed with a COSO-based or NIST-based ERM framework. The bottom line here is to take advantage of frameworks that have already been established so that you are not “re-inventing” the wheel. Your ERM framework should capture ALL key and critical business areas within your organization. Your framework should also account for both business and information risks. Key word here….ENTERPRISE!
ERM and Internal Audit:
The role of the internal auditor and the internal audit process is quickly changing. Today, internal auditors are encouraged to take a risk-based approach to their audit programs. I am working with a particular client that is using risk composites to drive or “trigger” their audits. The way it works is that when both the likelihood and the MOI (magnitude of impact) of the threat are equally high, the audit department is notified to audit the control(s) that are supposed to mitigate the risks or threats. As an auditor, I strongly encourage that your audit team employ a risk-based approach to your audit strategy. Additionally, getting integrated with your ERM division offers great rewards in this process. This strategy will also improve your audit outcome. Know the risk….employ the effective control(s)….mitigate the risk….you get the idea!
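The trigger described above can be made concrete in a small risk register. The following is an added example, not the client’s system or anything from the original post: it assumes a constructed 1-to-5 rating scale for likelihood and MOI, a constructed “high” threshold of 4, and hypothetical risk and control identifiers. It also goes one step beyond the text by separating the both-high audit trigger from a risk-appetite (tolerance) check on the composite score, so that a risk can breach tolerance without tripping the audit trigger.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed scale: likelihood and magnitude of impact (MOI) are both rated
# 1 (low) to 5 (high). A rating of HIGH or above counts as "high" for the
# audit trigger. Both the scale and the threshold are assumptions.
HIGH = 4


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int                # 1..5
    impact: int                    # MOI, 1..5
    controls: Tuple[str, ...]      # controls expected to mitigate this risk

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def composite(self) -> int:
        """Risk composite: likelihood x magnitude of impact (1..25)."""
        return self.likelihood * self.impact


def triggers_audit(risk: Risk, high: int = HIGH) -> bool:
    """Audit trigger from the post: fire only when BOTH factors are high."""
    return risk.likelihood >= high and risk.impact >= high


def exceeds_tolerance(risk: Risk, tolerance: int) -> bool:
    """Risk-appetite check: composite above the tolerance the board set."""
    return risk.composite > tolerance


def audit_queue(register: List[Risk], high: int = HIGH) -> List[Tuple[str, str, int]]:
    """Return (control_id, risk_id, composite) for every control whose risk
    tripped the trigger, highest composite first so audit works the worst first."""
    items = [
        (control, risk.risk_id, risk.composite)
        for risk in register
        if triggers_audit(risk, high)
        for control in risk.controls
    ]
    return sorted(items, key=lambda item: (-item[2], item[0]))


def tolerance_breaches(register: List[Risk], tolerance: int) -> List[str]:
    """Risk ids whose composite exceeds tolerance. These go to the board for
    oversight; a breach driven by impact alone does not trip the audit trigger."""
    return [r.risk_id for r in register if exceeds_tolerance(r, tolerance)]


# Constructed sample register (hypothetical risks and control ids).
REGISTER = [
    Risk("R-01", "Unpatched internet-facing servers", 5, 5, ("CTL-PATCH",)),
    Risk("R-02", "Loss of a sole-source supplier", 2, 5, ("CTL-BCP",)),
    Risk("R-03", "Misuse of privileged accounts", 4, 4, ("CTL-PAM", "CTL-LOGREVIEW")),
    Risk("R-04", "Minor data-entry errors", 5, 1, ("CTL-RECON",)),
]

if __name__ == "__main__":
    for control, risk_id, score in audit_queue(REGISTER):
        print(f"audit {control} (risk {risk_id}, composite {score})")
    print("tolerance breaches:", tolerance_breaches(REGISTER, tolerance=9))
```

Running it queues CTL-PATCH, CTL-LOGREVIEW and CTL-PAM for audit (R-01 and R-03 are high on both factors), while R-02 appears only in the tolerance breaches: its composite of 10 exceeds the constructed tolerance of 9, but a likelihood of 2 keeps it off the audit trigger. That gap between the two lists is exactly what the board and the audit committee should be looking at together.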
ERM and GRC (Governance, Risk, and Compliance):
I had a customer ask me, “What is the most critical component of the GRC process?” Although this is a tough question and every component of the GRC process is important, it is my opinion that the cornerstone of GRC is risk (R). Without knowing and understanding the risks that businesses face today, it would be difficult to provide BODs with risk oversight, identify controls that need continuous monitoring, and achieve a risk-based approach to compliance management. Once your risk appetite has been determined and your business risks have been identified, you can perform risk analytics and modeling to further enhance your ERM program and provide BODs and corporate officers with oversight of their enterprise risks. All in all, you can see the importance and significance of ERM within a GRC or corporate governance strategy. I’m curious to hear other approaches to this thought.
I would like to hear your views on the following:
- What is your approach to Enterprise Risk Management?
- How do you incorporate risk into your GRC or Corporate Governance Strategy?
- What ERM framework works best for your organization?
Thank you
James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions
Subprime Mortgage Meltdown
In today’s blog, we will discuss the issue concerning the subprime mortgage meltdown and whether or not Sarbanes-Oxley should be extended to the mortgage industry.
Currently there is much debate and finger-pointing regarding the subprime mortgage meltdown. According to Bankrate.com, the meltdown was something that many saw coming, but no one (not the industry, not the secondary market, not the regulators, not the media) did anything to prevent it.
The Issue:
Subprime mortgage lenders make it possible for many borrowers with flawed credit to obtain mortgage loans, many of whom could not afford those loans. While this concept aligned with the American Dream of home ownership, many mortgage companies failed to realize one important facet of this concept – RISK!!! It appears that many of the mortgage lenders capitalized on the millions of dollars earned from inflating interest rates in a low-interest market but failed to implement the controls that would mitigate the risk of surging federal interest rates, foreclosures, loan defaults, and over-extended credit.
Should Sarbanes-Oxley Be Extended to the Mortgage Industry?
In my opinion, this is an unconditional yes, and if you research Section 13a or Section 15d of the Securities Exchange Act of 1934, some mortgage lenders may be obligated to comply with SOX but are not. Here’s the deal according to the law: companies that issue asset-backed securities must report under Section 13a or 15d. All subprime loans are issued as asset-backed or mortgage-backed securities. If a mortgage company issues asset-backed securities on the open market and remains the master servicer of the loan pool, the company's reporting obligation under Sections 13a or 15d of the Securities Exchange Act of 1934 is not suspended; it continues. So you see that many subprime lenders should already be accountable to Sarbanes-Oxley.
My Conclusive Analysis:
In order to minimize the risk of a mortgage meltdown in the primary markets, Sarbanes-Oxley should be extended to the mortgage industry. Furthermore:
- Congress should ultimately enforce the SEC laws as well as force mortgage executives to retrain their loan officers to pitch programs that are better suited to their customers’ unique financial situations.
- Mortgage companies must implement controls and key systems that automatically detect an over-extension of credit as well as implement thresholds that minimize business risks.
- The industry should quickly come to the conclusion that Sarbanes-Oxley applies, which would make mortgage lenders document, test, assert, and attest to the effectiveness of their internal controls according to Section 404.
- Similar to the insurance industry, mortgage lenders should do a better job of assessing risks when extending credit to subprime borrowers.
Thank you
James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions
Thursday, May 22, 2008
IT Governance, Risk, and Compliance (ITGRC)
Businesses rely on their IT departments and resources for competitive advantage and business-to-business transactions, and cannot afford to apply to IT anything less than the level of commitment they devote to other company assets. IT offers extraordinary opportunities to transform the business; however, IT must deliver value and enable the business, and IT-related risks must be mitigated. Governance of IT, information security, and risk management encompasses several initiatives for executive management. At a glance, they must be aware of the role and impact of IT on the enterprise, define the constraints within which IT professionals should operate, measure performance, understand risk, and obtain assurance.
Corporate Governance:
Before discussing Information Technology and Security Governance, one must look at the broader issue of Corporate Governance in the enterprise. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals – Enron, WorldCom and Tyco – and is becoming increasingly prominent today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impacts of the many scandals undermined the confidence of the investment community and corporate stakeholders.
Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank the company’s corporate governance on par with its financial indicators. Indeed, some investment firms are prepared to pay large premiums for investments in companies with high governance standards.
Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.
IT Governance Role:
IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the leadership and organizational structures and processes that ensure that the organization’s Information Technology sustains and extends the organization’s strategies and objectives. Also, IT governance is the term used to describe how those persons responsible for governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the business will have an immense impact on whether the business will attain its vision, mission or strategic goals. In today’s economy, and with most businesses’ reliance on IT for competitive advantage, businesses simply cannot afford to apply to their Information Technology anything less than the level of commitment they apply to overall governance.
Who is Responsible for IT Governance and Risk Management:
Boards of Directors (BODs) and executive management have a joint responsibility to protect shareholder value. This responsibility applies just as stringently to valued information assets as it does to any other asset. BODs and management must recognize that securing information and information assets is not just an investment; it is essential for survival in all cases and for many it guarantees competitive advantage. Additionally, BODs and management must accept the responsibility of ensuring that:
- IT Governance is aligned with the overall Corporate Governance structure within the enterprise.
- IT Governance includes an alignment with the Enterprise Risk Management Program, which is a responsibility of the BODs and Management.
- The operational and economic costs of protective measures are balanced against the gains in mission capability achieved by protecting the IT systems and data that support their enterprise’s business strategy and objectives.
- Risks and threats are identified, categorized and mitigated to acceptable levels.
- IT Governance obtains coordinated and integrated action from the top down.
- IT investments are not mismanaged or misdirected.
- IT Governance rules and priorities are established and enforced.
- Trust is demonstrated toward trading partners while exchanging electronic transactions.
In Closing:
IT governance covers a number of activities for the board and for executive management, such as becoming informed of the role and impact of IT on the enterprise, assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance.
IT Governance focuses on two categories: (1) IT’s delivery of value to the business and (2) mitigation of IT risks. In order to have an effective IT and Security Governance strategy, businesses must address the following questions:
- What decisions must be made to ensure effective management and use of IT?
- Who should make these decisions?
- How will these decisions be made and monitored?
Always remember that managing information security risks as part of operational risk involves establishing an effective IT governance and control architecture.
Thank you
James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions
Thursday, May 15, 2008
Concept of Governance, Risk, and Compliance (GRC) and its impact on your business
In today’s blog, we will discuss the concept of Governance, Risk, and Compliance (GRC) and its impact on your business.
Corporate Governance:
Before discussing Governance, Risk and Compliance, one must look at the broader term behind GRC: Corporate Governance. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals – Enron, WorldCom and Tyco – and is becoming increasingly prominent today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impacts of the many scandals undermined the confidence of the investment community and corporate stakeholders.
Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank the company’s corporate governance on par with its financial indicators. Indeed, some investment firms are prepared to pay large premiums for investments in companies with high governance standards.
Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.
My definition of GRC:
As it relates to GRC, industry professionals and organizations have defined GRC in many ways. That is not to say that they are wrong in defining the GRC concept, but GRC itself means different things in different contexts. As such, to minimize the ambiguity of the process, I have defined it as follows:
A common business management framework that requires strategic collaboration and architecture to bring an enterprise view across governance, risk, and compliance initiatives within a company.
Let’s break out each letter of the process and I will share some insight to each. You really need all three to achieve good corporate governance.
Governance:
Corporate governance requires processes for providing Boards of Directors, Audit Committees, and Corporate Management with oversight of business culture, enterprise risks, policies, processes, laws, and regulations.
Risk:
Businesses should identify, analyze, assess, mitigate, and manage business and information risks and incorporate them in their business processes.
Compliance:
Compliance is about adhering to external laws, corporate policies and procedures, and regulations while providing a comprehensive framework that handles virtually all compliance regimes and control frameworks.
GRC Collaboration:
It has been a common myth that BODs and senior-level managers alone are responsible for implementing GRC. I won’t get into the roles and responsibilities of GRC participants, but rather articulate the effectiveness of an integrated GRC strategy. For GRC to be effective in today’s complex business environments, organizations must involve all business process areas in order to achieve an effective integrated GRC strategy. In my experience, an effective GRC strategy includes business unit representation from BODs, Audit Committees, Internal Audit, Legal, Risk Management, Compliance, Human Capital, Information Technology, Sales, Marketing and Strategy…you get the picture. In short, you need to include all key and critical business units in your GRC strategy. GRC is about the whole organization and not just a few parts of it.
James Sayles, MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions