As we complete another volume of The Bulletin, one thing is certain: Much has changed in the risk landscape over the past two years. Volume 3 of The Bulletin, a newsletter series that focuses on key corporate governance and risk management issues for organizations, began just when the magnitude of the global financial crisis was becoming known. This volume ends at a time when more and more economic indicators suggest the crisis may be ebbing, and Issue 12 highlights challenges and opportunities in the year ahead as companies define how they can succeed in an ever-changing global business landscape.
We hope that you find this summary of Volume 3 useful, and we look forward to sharing further insights with you in the future. All issues of The Bulletin are available at www.protiviti.com.
Protiviti Inc. January 2010
Issue 1 – “Setting the 2008 Audit Committee Agenda” (1/2008)
This issue of The Bulletin outlines key issues for boards of directors and their audit committees to address in the coming year (2008). The agenda includes, among other items, reviewing preparations for emphasis on enterprise risk management (ERM) quality in the credit ratings process; focusing on management’s plan for dealing with changes in the financial reporting model; creating transparency around large risk exposures; understanding the issues around electronic discovery and how management is addressing them; monitoring and understanding key changes in regulations and how they impact the business; and managing IT security. This issue sets the stage for drilling down further on certain topics in Issues 2, 3, 4 and 5.
Issue 2 – “Credit Rating Analysis of Enterprise Risk Management at Nonfinancial Companies: Are You Ready?” (Updated 6/2008)
With ERM initiatives appearing to be gaining strong support from credit rating analysts, there has never been a better time or reason for most companies – financial and nonfinancial – to take a hard look at where their ERM practices stand. In nonfinancial companies, analysts have been looking for involvement from all levels of management in the ERM process. This issue of The Bulletin explores how consideration of ERM quality can impact the ratings process and what nonfinancial companies can do to prepare for this added dimension to the process. To illustrate the potential risks to consider when implementing ERM, an example risk model is included in an accompanying supplement, “The Protiviti Risk Model℠ – An Illustrative Risk Language.”
Issue 3 – “IFRS or Country-Specific GAAP: Who’s on First?” (3/2008)
Countries worldwide face the prospect of changing the accounting standards on which their public financial statements are based. Much of the world has declared that IFRS is the standard of choice and has either adopted it or committed to transition to it. Issue 3 considers these matters and the ramifications of transitioning from country-specific GAAP to IFRS. Amid the uncertainty as to timing, one thing is clear: Companies, both large and small, are going to need sufficient time to prepare for the transition.
Issue 4 – “Creating Transparency into Your Largest Risk Exposures” (4/2008)
There are severe penalties if the largest risk exposures for an organization are not identified in a timely manner, properly monitored and managed effectively. For example, reputational damage and brand erosion probably will occur when large, unusual and unexpected losses are reported. The resulting loss of confidence can drive a decline in market capitalization, downgrades in credit ratings and damage to key stakeholder relations. This issue of The Bulletin suggests approaches for improving transparency into an entity’s most significant risk exposures, with the objective of minimizing the risk of unwanted surprises.
Issue 5 – “Electronic Discovery: An Academic Exercise or Your Next Crisis?” (7/2008)
Electronic discovery (or e-discovery) refers to the process by which relevant electronically stored information (ESI) is produced as evidence when an organization faces legal or regulatory action. Since the Federal Rules of Civil Procedure (FRCP) in the United States were amended in December 2006 to govern the discovery of ESI, attention has been drawn to the need for identifying and producing evidence in “good faith” and through “reasonable efforts.” General counsel and top-level executives must pay attention to the amended rules. The stakes are far too high for companies to scramble and sort through electronic information in the charged atmosphere of a pending lawsuit or regulatory investigation. Issue 5 provides ideas for companies to implement practical approaches in proportion to their litigation risk exposure and ongoing operations that will significantly reduce the cost, burden and time associated with records retention and e-discovery.
Issue 6 – “Ten Common Risk Management Failures and How to Avoid Them” (12/2008)
The global financial crisis has drawn increased attention to the role of risk management. Issue 6 explores 10 common risk management mistakes and how they can be avoided. It is based on our firm’s collective experiences in working with many companies, as well as seeking to understand significant failures observed over the years. The 10 common areas where risk management fails are poor governance and “tone at the top”; reckless risk-taking; inability to implement ERM; nonexistent, ineffective or inefficient risk assessment; falling prey to a “herd mentality”; misunderstanding the “If you can’t measure it, you can’t manage it!” mindset; accepting a lack of transparency in high-risk areas; not integrating risk management with strategy-setting and enterprise performance management; ignoring the dysfunctional behaviors and “blind spots” of the organization’s culture; and not involving the board in a timely manner.
Issue 7 – “Setting the 2009 Audit Committee Agenda” (2/2009)
Since Protiviti published Issue 1 of Volume 3 of The Bulletin, “Setting the 2008 Audit Committee Agenda,” the world has changed – dramatically. This issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider to help their organizations get through the trying times in the year ahead (2009). Enterprise-level mandates and process and technology risk issues are discussed, as well as the 2008 agenda items listed in Issue 1. These mandates and issues are based on Protiviti’s interactions with client audit committees, roundtables, and discussions with directors at conferences and other forums.
Issue 8 – “Managing Outsourcing and Offshoring Risk” (3/2009)
Issue 7 states that audit committees should make it a point on their 2009 agendas to understand how outsourced/offshored operations are being managed. Issue 8 of The Bulletin explores the advantages, disadvantages and risks associated with outsourcing and offshoring, and how those risks can be managed when decisions are made to outsource and/or offshore business activities. If these challenges are met, outsourcing and/or offshoring initiatives can be highly effective. If they are not met, it is likely these initiatives will fall short of management’s expectations. Companies need to think of their outsourced and/or offshored operations as extensions of their business.
Issue 9 – “Managing Corruption Risk Involving Foreign Officials and Avoiding Its Impact on Reputation” (6/2009)
Organizations that are domiciled in, or have securities registered in, the United States, or that are required to file periodic reports with the U.S. Securities and Exchange Commission under the Securities and Exchange Act of 1934, must comply with requirements of the Foreign Corrupt Practices Act (FCPA). The FCPA prohibits bribery of foreign officials for purposes of obtaining or retaining business. Anti-corruption has become a major global initiative, as evidenced by efforts of organizations such as the World Trade Organization (WTO), European Union, Organization of American States, Association of Southeast Asian Nations, Caribbean Community and African Union, among others, to require their members to address it. Issue 9 focuses on the management of corruption risk, using the FCPA as a framework for this discussion.
Issue 10 – “Public Company Readiness: Getting Ready for Prime Time – Before the Market Does” (6/2009)
While the market has presented unprecedented challenges and difficulties, it also provides opportunities for companies with IPO aspirations to take a step back and revisit their long-term strategic goals against the current environment. A thoughtful readiness assessment and IPO road map will position companies to make sound decisions in order to weather the current tough times, as well as take advantage of opportunities to prepare for the future by focusing on certain aspects of the IPO preparation process. Issue 10 focuses on aspects of the IPO preparation process, including the need for a readiness assessment, along with specific areas management should address – common financial reporting challenges, the close process, Sarbanes-Oxley compliance and the IT infrastructure.
Issue 11 – “Making Internal Audit a Value-Adding Contributor to Economic Recovery” (12/2009)
The severity of the global economic downturn has left organizations around the world searching for ways to contain costs, improve efficiencies, maintain customer satisfaction levels and protect their balance sheets. This unprecedented economic crisis has been nothing short of an urgent call to action for more robust risk management practices in global organizations of every size and industry. In retrospect, the role of the internal audit function may have been somewhat overlooked in the economic storm. This issue explores how internal audit can contribute to organizations as they recover from the crisis and what management and boards should expect of internal audit going forward.
Issue 12 – “Setting the 2010 Audit Committee Agenda” (1/2010)
The coming year (2010) promises to be one of significant opportunities for most companies. The environment remains dynamic and challenging. This issue provides observations and ideas for boards and their audit committees regarding matters they should consider. Ten mandates are listed that warrant audit committees’ attention. Among them are keeping the company’s risk assessment evergreen, assessing the capability and succession planning for the finance organization, assessing the impact of compensation on risk-taking, evaluating internal control failure risk, evaluating the company’s ability to manage in the current economy, evaluating the competence and capability of the internal audit function, and paying attention to the anti-fraud program. Prefacing the 10 mandates, Issue 12 also highlights 10 major challenges many companies are facing to provide a context for setting the 2010 audit committee agenda.
The Bulletin (Volume 3 closing summary)