Over the past year, the economic environment has shown signs of stabilizing, but recent events suggest the seas are likely to remain choppy for some time to come. There are many factors contributing to the uncertainty businesses face as they look to the future. This issue of The Bulletin provides observations and ideas for boards of non-financial services companies and their audit committees to consider in this challenging climate. We begin by describing 10 major challenges non-financial services businesses face as a context for setting the 2012 audit committee agenda.1
Ten Major Challenges
Following is a summary of 10 major challenges many companies likely will encounter in the next 12 months. The purpose of this list is to summarize many top-of-mind issues companies are facing in these dynamic times. The first five pertain to specific strategic imperatives or risk issues while the last five relate to more pervasive matters. Different industries face different issues and priorities, so the applicability and prioritization of the challenges will vary by industry.
Ten Major Challenges Facing Businesses
- Achieving true customer loyalty
- Managing supply chain risks and rising commodity costs
- Managing increasingly complex privacy and information security issues
- Managing regulatory change
- Attracting, retaining and developing top talent
- Improving business performance to enhance and sustain competitiveness
- Adjusting to changing geopolitical dynamics
- Capitalizing on the pickup in mergers and acquisitions (M&A) and realizing value
- Improving information for decision-making by focusing on data management and analytics
- Increasing the focus on enterprise risk management (ERM) as risk profiles change
- Achieving true customer loyalty – It is intuitive to assert that the longer a customer does business with a company, the more that customer is worth to the company. While research on customer loyalty, defections and their effects on corporate profits provides a source of validation for this assertion, every business recognizes the value of long-term customers. This type of customer buys more, requires less time to service, is less price-sensitive, has no startup cost and may even bring in new customers. Long-term customers are worth so much in some industries that reducing customer defections by a small percentage can have a huge impact on profitability. In many industries today, however, even satisfied customers can defect at a high rate. Because satisfaction alone does not translate linearly into loyalty, businesses must strive for total customer satisfaction, gratification and even delight to achieve the kind of loyalty they desire. As customers have the advantage of choice through technological advances and increased competition, product or service failures or inattention to customer issues can be fatal to a customer/company relationship. In managing customer relationships, businesses must show concern for customer needs in all of their actions. This includes the activities of back-office personnel who interact directly with customers.
- Managing supply chain risks and rising commodity costs – In an increasingly global business environment, organizations need to understand and respond to operational risks end-to-end across the value chain.
For example, business interruption, such as damage to the supply chain, is often sudden and unexpected. As organizations expand overseas or components are acquired abroad, the risk exposure becomes more complicated and volatile. Expecting disruptive events across the chain may make more sense than ignoring the risk of their occurrence and may enhance preparedness. Similarly, fluctuating commodity prices pose a number of risks to commodity-based businesses, as they impact pricing strategy and operating margins. There are many drivers of volatility in commodity prices, including government policies, fluctuating business cycles, scarcity of resources, currency fluctuations, retrenchment from globalization, climate change and extreme weather events. With demand for vital resources increasing by 30 to 50 percent over the next two decades, shortages could drive extreme commodity price volatility and create social and political instability and, at worst, geopolitical conflict. Structural changes in supply chain strategies, hedging and improved purchasing operations are some areas where organizations can mitigate the impact of supply chain and commodity price risks.
- Managing increasingly complex privacy and information security issues – In the United States, the cost of data breaches has been rising steadily over the past five years; it increased 5 percent from 2009 to 2010 and 6 percent from 2008 to 2009.2 The total annual economic burden created by data breaches in the U.S. healthcare industry alone is nearly US$6 billion.3 And recent high-profile breaches have helped to underscore that no one is immune to a determined hacker. The potential impacts of data breaches – from short-term economic loss to long-term reputational damage – are driving organizations to invest more in information security and privacy. New regulations, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act for healthcare institutions, impose tougher penalties on organizations for data breaches. Key technological advances and business environment changes are growing the need for greater information security as well. For instance:
• Portable media implies portable personal information
• Adoption of cloud computing presents fresh inherent data security and privacy risks that organizations must address
• Cybercriminals have used social media to identify and compile personal identification data of potential targets
Because these technologies may be exploited by third parties to extract more data than users knowingly provide, organizations need to focus on creating thoughtful privacy policies, as well as deploying appropriate checks and controls. Bottom line: The increased exposure of sensitive data and networks to new threats requires organizations to ensure adequate and necessary controls to reduce the risk of security incidents.
- Managing regulatory change – The pace of regulatory and legislative change is increasing significantly across industries. According to the 2011 Global Risk Management Survey by Aon,4 regulatory risk is the second most important risk after economic slowdown. Failure to comply with legislative and regulatory change can result in severe consequences, including direct penalties in the short term and the loss of market share, reputation and customers over the long term. Regulatory change, even in small doses, can add tremendous cost to a corporation. Even the threat of change can create significant uncertainty; therefore, regulatory change has been a significant focus area across many industries. For example, the Dodd-Frank whistleblower rules in the United States and the increased emphasis by governments around the world on dealing with corruption have been game changers. The U.K. Bribery Act 2010, effective in 2011, extends beyond the requirements of the Foreign Corrupt Practices Act in the United States. Protecting reputation and brand is everything: Senior management must pay attention to the regulatory environment because the process of staying in compliance and managing the increasing associated costs of both compliance and noncompliance becomes more challenging as the complexity of the environment increases.
- Attracting, retaining and developing top talent – As we’ve said in the past, acquiring, retaining and developing the best talent is a big deal for many companies. No list of challenges is complete without acknowledging this imperative. The workforce is changing, not just demographically (e.g., increasing diversity and an aging workforce), but through the ways in which we interact with each other (e.g., through technology and because of globalization). As the baby boomer generation ages, companies that discover how to harness the experience and wisdom from the semi-retired workforce may enjoy a competitive advantage over those that don’t. This will include thinking “outside the box” and incorporating full-time workers, seasoned contractors, part-timers, and flexible scheduling options into the human resources mix. As many delayed infrastructure and investment projects find a path to renewal, organizations will require skilled workers and project management expertise to execute these projects – some of whom were laid off during the recent recession. As these projects begin, the requisite skills and capabilities will be essential to ensuring that such investments are productive. Finally, the “mobile workforce” phenomenon – that is, workers are generally less loyal and more transient – continues to have significant long-term implications and is both a threat and an opportunity.
- Improving business performance to enhance and sustain competitiveness – Improving quality, time, innovation and cost performance has always been important. However, as companies continue their relentless pace to provide products and services faster, better and at lower price points, the focus turns to improving the effectiveness and efficiency of business processes and the upstream and downstream components of the value chain. This continued focus is essential to survive and thrive in the marketplace. For example, many companies have made significant investments in enterprise resource planning (ERP) software applications to facilitate the flow of internally and externally sourced information between business functions and across the organization. After realizing performance gains during initial implementation, companies often question whether full value is being derived from their ERP investments. Is the software being applied to measure the real cost of goods and services? Is it helping to drive workforce productivity and improve margins through less rework and overtime? Is it being used to find opportunities to expand the business and add customers through data integration with partners and strategic suppliers? And is it helping to improve the quality and speed of decision-making through a “single version of the truth”?
- Adjusting to changing geopolitical dynamics – Economic uncertainty is still a major risk as unemployment remains high in the United States. Similar uncertainty exists in Europe, Asia and other regions, as well. Instability in the Middle East and North Africa also is intensifying. Oil prices have increased about 150 percent since their prior lows in December 2008,5 and the cost of food likewise is rising. Higher prices will tax a global economy struggling to sustain a weak recovery. In addition, rising prices can drive unrest across the Middle East, further impacting the price and availability of oil as several vital delivery routes (such as the Strait of Hormuz) are affected. The dynamics of rising food and energy prices can spread tensions from Pakistan to Vietnam to Venezuela and to other countries with very low disposable income per household and an autocratic dictatorship in power.
Pressures also continue to arise due to macroeconomic imbalances resulting from tension between the increasing wealth and influence of emerging economies and the high debt levels of advanced economies. With political gridlock, particularly in the United States, spawning an unpredictable economic and business climate, many fear rising levels of government debt will have a strong impact on the cost of credit in the future. Growing population and prosperity are driving unsustainable pressure on global water, food and energy resources. One very disturbing scenario is these forces leading to a retrenchment from globalization, creating a sea change in the flow of global trade. With emerging economies expected to dominate global growth, succeeding in these markets has become a strategic imperative. However, doing business in these markets creates new risks.
- Capitalizing on the pickup in mergers and acquisitions (M&A) and realizing value – M&A activity is accelerating as organizations recover from the economic crisis and seek new sources of growth. Attractive valuations and availability of financing will further drive M&A globally. With respect to these transactions, research indicates that a staggering 70 to 90 percent of them fail to deliver the value expected by management and the board.6 Therefore, it is critical to understand the key success factors that drive an effective merger or acquisition, including the integration process. Shortfalls in acquisition execution and integration are almost always attributable to inadequate due diligence and planning.
- Improving information for decision-making by focusing on data management and analytics – Organizations are handling increasingly high volumes of data. Enterprises globally stored seven exabytes of new data in disk drives in 2010 – one exabyte is equivalent to more than 4,000 times the data stored in the U.S. Library of Congress. International Data Corporation estimates that the amount of digital data created worldwide will grow at a rate of 40 percent annually until 2020, reaching a volume 44 times the amount of data created in 2009. Companies also are investing heavily in business intelligence tools, indicating a need for effective data governance to ensure data quality and integrity. There is opportunity to use the data and information available in the organization more effectively to make timely and informed decisions; that reality provides the impetus to improve information for decision-making through analytics and mobility.
- Increasing the focus on enterprise risk management (ERM) as risk profiles change – Many of the above challenges, as well as increased interest in board risk oversight, intense competition (including exposure to new entrants and disruptive displacement) and exposure to an uncertain economic cycle, have raised the need for a truly enterprisewide approach to managing risk. Not an end in and of itself, ERM is a means to an end – that is, to position companies to recognize quickly a unique opportunity or risk and use that knowledge to evaluate options either before anyone else or along with other firms that likewise recognize the vital signs and seize the initiative. We refer to such firms as “early movers.”7
Companies able to position themselves consistently as early movers have competitive advantage, as they are more likely to survive a major market shift than their less aware and less nimble peers. They are more likely to monitor the vital signs of the competitive environment using the critical assumptions underlying the corporate strategy as a guidepost and revisit the strategy over time should one or more of those assumptions become invalid. Early movers understand the velocity of risk and focus on managing risk at the speed of business.8
These are the significant challenges companies face as they approach 2012. In light of an ever-changing business environment, audit committees must formulate an appropriate agenda.
The 2012 Mandate for Audit Committees
- Update the company’s risk profile to reflect changing conditions – Broaden the assessment with an end-to-end enterprise view of the value chain
- Ensure the company’s risk management capabilities are being enhanced as the business environment changes – Assist the board in evolving risk oversight in a changing business environment; ensure management’s risk assessments provide insight on crisis preparedness
- Oversee the capabilities of the finance organization and internal audit – Make sure the CFO organization and internal audit function are keeping pace with changing expectations
- Continue to watch the overall control environment – Be alert for warning signs regarding the enterprise’s “tone at the top” and culture
PROCESS AND TECHNOLOGY RISK ISSUES
- Focus on financial communications quality as the IFRS/GAAP convergence process proceeds – Stay focused on financial reporting risk and the quality of financial and public report presentation and disclosures, earnings guidance and earnings releases
- Ensure that the implications of changing laws and regulations are effectively understood and managed – Assess the company’s policies and procedures in dealing with new and pending laws and regulatory changes, regulator reviews and other developments
- Understand how new technological developments and trends are impacting the business – Understand the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company’s business model
- Assess committee effectiveness – Evaluate whether committee composition and expertise are sufficient in light of the changing environment and risk profile
The 2012 Agenda
Below we have summarized an audit committee agenda that is broken down into two categories – enterprise-level mandates and process and technology risk issues. The 2012 agenda refines the areas of emphasis included in the 2011 agenda that we recommended at the beginning of the year.9 It is based on our interactions with client audit committees, roundtables we have conducted and discussions with directors at conferences and other forums. We believe the message for the next 12 months is the need for a sharper focus on these areas as changes occur in the business environment.
- Update the company’s risk profile to reflect changing conditions – As we noted earlier in our discussion of challenges, much has happened over the last year – supply chain disruption, threat of rising commodity costs, security breaches, regulatory changes, and game-changing developments in the Middle East, just to name a few events and trends. As risk profiles change, companies need to take a fresh look at their risks and evaluate the implications to the business and how well they are managing them. Audit committees should be satisfied that action plans are in place to manage the most important existing risks, as well as those that could emerge in the near future.
- Ensure the company’s risk management capabilities are being enhanced as the business environment changes – Audit committees can play an important role in helping the overall board evolve its risk oversight in a changing environment. For example, as we’ve pointed out in the past, if several high-impact, low-likelihood risks are identified, management often experiences difficulty in deciding what to do differently relative to these risks. Some high-impact, low-likelihood risk scenarios can be “showstoppers,” particularly if they have a high velocity (i.e., the speed between the occurrence of the event and its impact on the organization) and high persistence (i.e., the duration of time the effect of the risk event lingers and extent of effort required to deal with the impact of the event once it occurs).
Prioritizing risks based upon impact, velocity and persistence adds discriminatory focus to the assessment. For high-impact, high-velocity and high-persistence risk scenarios, the dialogue logically moves to the topic of response readiness. It is at this point where the risk management process begins to intersect with the crisis management process. The disruptive events over the past year suggest this exercise would be very useful in pinpointing areas where a company’s preparedness may require improvement.
- Oversee the capabilities of the finance organization and internal audit – We listed this important area as a mandate for both 2010 and 2011. Because both the CFO organization and internal audit continue to face a rapidly changing environment, the audit committee should continue to ensure the skill sets available in both functions match the myriad expectations driven by the organization’s industry, structure, culture, business performance issues, and internal and public reporting requirements. With respect to internal audit, the audit committee’s oversight should ensure that the function (including any co-source partners) has the resources, skill sets and tools it needs to address the company’s key risks.
- Continue to watch the overall control environment – The organization’s “tone at the top” and culture continue to be vitally important to the audit committee’s watch. The committee should be alert for red flags indicating the internal control structure is under stress as the company continues to streamline its processes to fulfill customers’ needs at lower cost in a highly competitive environment. The committee also should ensure the company emphasizes responsible business behavior and maintains a strong focus on preventing and deterring fraud and corruption. Essential compliance and risk management functions should remain intact, requiring careful delineation of key control responsibilities as process cost-effectiveness is improved. Key control activities essential to financial reporting must not be compromised. New developments – new acquisitions, business activities and information technology (IT) systems – warrant close attention as they can place the control structure under stress.
For M&A activity, ensure management’s integration plan is effective in maximizing expected value. Realizing value for M&A transactions, for instance, is often subject to the susceptibility of estimated future cash flows to product life cycles, technological change and volatile economic activity and may require subjective assumptions. Accordingly, the committee should inquire regarding the acquired entity’s future earnings and the fair values assigned to its assets. In some circumstances, companies may elect to pay less up front and rely more on earn-out provisions.
Process and Technology Risk Issues
- Focus on financial communications quality as the IFRS/GAAP convergence process proceeds – The audit committee should remain focused on its core mission to oversee financial reporting risk and the quality of financial and public report presentation and disclosures, earnings guidance and earnings releases. With the increasing complexity of business and the convergence of generally accepted accounting principles (GAAP) with International Financial Reporting Standards (IFRS) in many countries, a proactive approach to oversight of financial reporting is warranted. For example, the committee should:
• Focus on the convergence process, which affects both private and public companies, particularly in key areas on standard-setters’ agendas (such as revenue recognition and leases, both of which are on the Financial Accounting Standards Board’s agenda for 2012 in the United States).
• Watch for red flags warranting audit committee attention, such as acquisitions, divestitures, changes in markets and/or the economy, and unique or unusual transactions (especially those designed in response to the evolving fair value guidance and revenue recognition rules).
• Understand management’s choices regarding accounting principles, how they compare to competitors and the implications of any differences to the company’s reported financial results.
• Review management’s assumptions underlying all critical accounting estimates to ascertain whether they remain valid in terms of the current business environment and, for each significant area, the range of estimates within which management’s estimate falls.
• Get involved with the company’s approach to interacting with regulators when matters relating to financial and public reporting are called into question.
- Ensure that the implications of changing laws and regulations are effectively understood and managed – As noted earlier, much has happened on the legal and regulatory front over the past year. There are regulations that have been passed or are forthcoming in some countries that companies may not fully understand in terms of their implications. In this environment, audit committees should understand company readiness in dealing with new and pending laws and regulatory changes, regulator reviews and other developments. In highly regulated industries, audit committees should oversee the new and updated policies and processes resulting from management responses to new and emerging regulatory developments. Management of corruption risk and new whistleblower rules should be at the top of the list. U.S. registrants should pay attention to the activities of the Public Company Accounting Oversight Board as they relate to auditor independence and rotation.
- Understand how new technological developments and trends are impacting the business – Technology is setting the stage for many new developments affecting business, including engaging customers and suppliers in sourcing innovative ideas and co-producing products, enabling consumer-to-consumer content sharing, facilitating new forms of business-to-business commerce and driving cooperative consumption by homogeneous groups of end consumers. Many organizations are focusing on how to exploit these technological innovations to establish and sustain competitive advantage. The advent of cloud computing, social media, collaborative computing, the ability to conduct business using mobile devices and other technological innovations that transform the way companies do business, coupled with high-profile security breaches over the last year, underscores the need for organizations to understand how these innovations are impacting security and privacy risks and affecting the company’s business model and financial reporting. Because technology impacts the quality of financial reporting processes, the effectiveness of the overall IT entity-level control environment and IT process-level controls (general IT processes and application-specific processes) continues to warrant the audit committee’s attention.
- Assess committee effectiveness – Evaluate whether the committee’s composition, industry knowledge and financial reporting expertise are all sufficient in light of the growing complexity of the business environment and risk profile and the convergence of GAAP and IFRS. Understanding the business is a vital prerequisite for an audit committee to bring to bear the right questions at the right time on tough issues. In addition, depending on how the board organizes itself for risk oversight, the nature of the risk oversight process may suggest that it would be worthwhile to evaluate the effectiveness of the audit committee in collaborating with other board committees.
The 2012 agenda items we have suggested herein are significant matters warranting audit committee oversight. Committee members should exercise an attitude of healthy skepticism when working with management on new and emerging issues. Change and unexpected developments were the order of the day over the last 12 months, and audit committees should expect nothing less during 2012.
1 See Volume 3, Issue 8 of FS Insights, “Setting the 2012 Audit Committee Agenda for Financial Institutions,” for a discussion of the 10 major challenges facing the financial services industry and the related impact on the audit committee agenda (available at www.protiviti.com).
2 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, LLC, March 2011.
3 “Healthcare patient data breaches cost U.S. $6B annually,” Healthcare Finance News, November 2010.
4 The 2011 Aon Global Risk Management Survey.
5 As of September 29, 2011 (date this issue went to print), the price per barrel of crude was $82 (compared to $34 per barrel in December 2008).
6 “The Big Idea: The New M&A Playbook,” by Richard Alton, Clayton M. Christensen, Curtis Rising and Andrew Waldeck, Harvard Business Review, March 2011.
7 See Volume 4, Issue 7 of The Bulletin, “Is Your Organization an Early Mover?,” for an explanation of the early mover concept (available at www.protiviti.com).
9 See Volume 4, Issue 5 of The Bulletin, “Setting the 2011 Audit Committee Agenda,” (available at www.protiviti.com).
The Bulletin (Volume 4, Issue 9)