RIMS ERM Conference Awards Excellence in the Field

The final day of the RIMS ERM Conference in San Diego was highlighted by the first-ever ERM Award of Distinction Luncheon, at which two people within the industry were honored for innovative ERM programs that have demonstrated enterprise risk management success with measurable value to their organization. Essentially, the award was created to honor organizations that have shown tremendous commitment to the ERM discipline. The criteria that the judging panel took into consideration included:

  • The scope of the ERM program and how it engages different levels throughout the organization
  • Its link or connection to the company’s overall mission
  • Its ability to create additional value for the organization

Honorable mention for the ERM Award of Distinction went to Goodwill Industries International. With the assistance of Deloitte’s Governance, Risk & Regulatory Services team, and as part of its national pro bono program, Goodwill developed an ERM program template to help member agencies improve their risk management practices. With a template in place, Goodwill was able to provide valuable guidelines to its members, which in turn has helped protect one of the organization’s most vital assets — its name.

“This is a remarkable story and great example of how an ERM program can protect against reputational risks in a decentralized management structure,” Seaman said.

Jacqueline Fifield of Deloitte accepted the award on behalf of Goodwill.

The big winner of the 2011 ERM Award of Distinction was Paychex, Inc., a company that implemented an ERM program to add value throughout the entire organization, making sure its scope went beyond traditional risk oversight. As Seaman noted, “value creation was the focus of Paychex’s ERM program, and it certainly hit the mark. This is an exceptional example of an ERM program that set out to uncover opportunities for the company to reinvent itself, and it was directly responsible for generating significant revenue.”

Accepting the award was Allan Smith of Paychex, Inc.

Nowell Seaman, Jacqueline Fifield, Allan Smith and Mary Roth at the ERM Award of Distinction Luncheon.

RIMS ERM Conference: ERM Best Practices

It’s everything enterprise risk management here at the first annual RIMS ERM conference in San Diego. One of the first sessions of the day focused on new research by APQC (a business research firm) and IBM on the evolution of ERM into a critical discipline that helps to clarify and fortify strategic decision-making.

Speaking on the topic of ERM were Grace Crickette, chief risk officer of the University of California, and Rob Torok, executive consultant at IBM Global Business Services. Both risk management professionals stressed the importance of ERM within any organization and any industry, stating that the CRO’s main responsibility is to identify potential events that could affect the company. “You, as a CRO, can’t say ‘that can’t happen to us,’” said Torok. “You must keep a broad view of all possible scenarios.”

And, as both speakers agreed, you must “make friends” with the sometimes-dreaded internal audit.

“Risk management is how management stays out of trouble,” said Crickette. “You are married to internal audit and yes, you will need lots of marriage counseling.”

APQC’s research found two examples of internal audit interplay and integration:

  • Marathon — audit plan is crafted with full view of enterprise risk and mitigation goals.
  • Intuit — risk committee membership consists of the chief financial officer, general counsel, vice president of internal audit and the chief risk officer.

While successfully implementing an internal audit process is important, it is also important that a company not only have a single definition of risk when it comes to ERM, but also a single definition of “impact” in terms of how a possible risk will affect the company. “With the definition of impact, there’s high, medium and low,” said Torok. “Well, what do you consider high, medium and low?”

And in terms of companies successfully using online ERM platforms, there are a few standouts:

  • Intuit’s ERM software (internal use only)
  • The University of California’s Excel-based risk assessment tool (publicly available here)
  • Caterpillar’s voting tools and simplified reporting requirements (internal only)

(In our November issue, we ran an ERM case study involving Caterpillar, which you can view here.)

Stay tuned for more to come from the first annual RIMS ERM Conference.

Grace Crickette, Rob Torok and moderator Mary Driscoll discuss ERM best practices.


The Financial Industry: Cyber Security Laggards

We have seen it all around us lately — the financial industry’s inability to guard against major data breaches.

Just last month, Citibank, the third largest bank holding company in the U.S., experienced a data breach when hackers obtained information on more than 360,000 credit card accounts of North American customers. And just last week, Morgan Stanley announced that data of 34,000 clients was lost or stolen.

According to two letters sent to clients, and obtained by Credit.com, the information [of Morgan Stanley customers] includes clients’ names, addresses, account and tax identification numbers, the income earned on the investments in 2010, and—for some clients—Social Security numbers. The data was saved on two CD-ROMs that were protected by passwords, according to the letters, but the CDs were not encrypted. The company mailed the CDs containing information about investors in tax-exempt funds and bonds to the New York State Department of Taxation and Finance. It appears the package was intact when it reached the department, but by the time it arrived on the desk of its intended recipient the CDs were missing, Wiggins said.

The Citibank breach has been referred to as the largest direct attack on a major U.S. financial institution. Since the attack, the Federal Deposit Insurance Corporation has been preparing new measures on data security, which appear to be much needed.

The financial industry has become somewhat of a laggard when it comes to data security initiatives, and the risks of data theft are rising.

According to a June report by IDC Financial Insights, “As financial institutions expose more capabilities to their clients through their digital channels, they must introduce more sophisticated mitigation and control techniques at a similar pace.” The report points to mobile applications as the next new target of cyberattacks.

(Check out the next issue of Risk Management for more on this topic — online August 1st).

To approach these inevitable risks, there needs to be a change in the role and focus of enterprise risk functions, according to the IDC Financial Insights report. “Cyber risk is an enterprise risk issue, not an IT issue, and as such needs to be addressed from a strategic, cross line-of-business, and economic perspective. The CFO, not the CIO or CTO, is the most logical person to set strategies and lead the efforts required to address the cyber risk challenge.”

The following is a chart that shows that cyber risk is an operational risk component, according to IDC Financial Insights.


Do you agree with these findings? If not, how do you think the management of cyber risks fits within the realm of business’s risk management plan?

Excellence in Risk Management

The Great Recession is not known for inspiring great things, but it did spur the creation of the Dodd-Frank bill, which, among many things, created the Financial Stability Oversight Council and the Federal Insurance Office. And the near-collapse of the U.S. economy did wonders for the discipline of risk management.

As a result, according to a new survey from Marsh and the Risk and Insurance Management Society (RIMS), executives in the C-suite are expecting much more from the risk managers at their company.

Below are a few of the key findings from the report:

  • An overwhelming majority of respondents said that senior management’s expectations of their organizations’ risk management departments have grown over the past three years. Senior management’s list of desired changes from risk managers includes integrating risk management deeper with operations, executing daily risk management activities more efficiently, providing improved analysis and quantification, and leading enterprise risk management (ERM) activities.
  • The most common focus area for 2011 is strengthening strategic risk management, which was cited by more than half of survey respondents. For the second year, this area came out on top, although barriers to doing so remain.
  • The top barrier cited to senior leadership understanding of the risk landscape was silos within the organization. This is the same answer given in prior years, and is something that organizations should begin to confront if they have not already done so. One way to tear down the silos is to create or strengthen cross-functional risk committees.
  • As the role of chief risk officer (CRO) continues to develop, we are beginning to see some differences in how they view and prioritize the issues. For example, CROs were much more likely than other risk managers to categorize senior management’s change in expectations as “very significant.” CROs said strengthening ERM capabilities and integrating ERM into strategic planning were focus areas for 2011.
  • Economic conditions ranked as the number one risk among respondents, and was also the risk they were least comfortable with their organizations’ ability to manage. In other areas, such as business disruption, risk managers and the C-suite are not as aligned in their views of how prepared their companies are to manage the risk.
  • Nearly 60% of companies said their use of data and analytics has changed over the past three years. This is likely a reflection of leadership’s desire for there to be more transparency and quantification around risk decisions, particularly the economic implications. Despite the stated changes, however, there appears to be a need for companies to better use the available tools and analytics.

And let’s take a look at the areas in which senior management’s expectations of the risk management department have grown:

It seems the financial crisis continues to shine a light on the importance of risk management as a whole and, more specifically, enterprise risk management and strategic risk management.