My Dinner with Dr. Mervyn King

His Royal Highness Prince Charles, in a videotaped welcome message kicking off The Institute of Internal Auditors International Conference in London this summer, spoke of the importance of long-term value creation, noting that nonfinancial reporting is changing the face of internal audit.

He deferred on the subject to a general session speaker, Professor Mervyn E. King – not the former head of the Bank of England, but the former South African judge widely considered a staunch champion of corporate governance and viewed by some as the father of integrated sustainability reporting.

King, the eponymous architect of South Africa’s pioneering integrated reporting framework, has served and, I believe, continues to serve as chair of the International Integrated Reporting Council (IIRC). The IIRC was created by Prince Charles to examine long-term solutions to value creation and break the cycle of corporate governance driven by short-term financial pressures. Quite a daunting task, and one which required a special person to lead the effort.

Some 14 years ago, I undertook a 32-day trip around the globe to promote a book I wrote on the topic of enterprise risk management. This was, in fact, the first book published on the subject. One of the countries I visited was South Africa. My partners at Andersen in Johannesburg arranged a dinner with several individuals, including Dr. King. It was a long table in a private room and Dr. King and I were seated directly across from each other. While I am sure Dr. King has long forgotten that evening in Johannesburg, it was a memorable experience for me personally. I learned firsthand that he and I had a common core set of views on a wide variety of topics around corporate governance, risk management and internal control, and their importance to creating and protecting enterprise value. Most importantly, he was quite the gentleman.

At the time, Dr. King was chairing a committee that prepared what became known as the King II Report, which updated a prior version of a governance framework. Issued in March 2002, the report covered such topics as directors and their responsibility, risk management, internal audit and integrated sustainability reporting. Acclaimed internationally, King II was a rich source of input to the U.S. Congress in formulating the Sarbanes-Oxley Act. Since then, Dr. King has consulted with and advised bodies all over the world on King II and governance generally.

In 2009, King II was updated because Dr. King was of the view that sustainability issues did not warrant a mere separate chapter but should be integrated into the mainstream. The resulting King III report asserted that strategy, risk, performance and sustainability are inseparable; hence, the phrase “integrated reporting” was used throughout the report.

I recently saw an article referencing King III and its impact on integrated reporting. The principles of the King III framework, which now form the nucleus of the IIRC’s integrated reporting framework, raise the bar for governing and managing an organization. They can be summarized as follows:

  • Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction, and establish the ethics and values that will influence and guide practices and behavior with regard to sustainability performance.
  • Sustainability is now the primary moral and economic imperative, and it is one of the most important sources of both opportunities and risks for businesses. Nature, society and business are interconnected in complex ways that need to be understood by decision makers. Incremental changes towards sustainability are not sufficient – we need a fundamental shift in the way companies and directors act and organize themselves.
  • Innovation, fairness and collaboration are key aspects of any transition to sustainability – innovation provides new ways of doing things, including profitable responses to sustainability. Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.
  • Social transformation and redress are important and need to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies and benefits, for both the company and society.
  • Sustainability reporting is in need of renewal in order to respond to a) the lingering distrust among civil society of the intentions and practices of big business, and b) concerns among business decision makers that sustainability reporting is not fulfilling their expectations in a cost-effective manner.

These are sound principles. Slavish devotion to short-term financial goals is an unwise policy from the standpoint of the long-term interests of our global society. While the almighty bottom line will always be important, income inequality, resource preservation, chronic unemployment, carbon footprint size and other issues suggest that business strategies should drive long-term corporate growth and profitability by considering environmental and social issues in the business model. Some take this mantra seriously. Many don’t. King III is a call to action on this front.

Looking back fondly on that dinner, so many years ago, I raise a glass once again in Dr. King’s honor and wish him continued success at bringing his much-needed ideas into the corporate and public company mainstream.

For more on the work of the IIRC, visit For more on Mervyn E. King and King III, visit


Tuning the Tone at the Top: Is Your Board “on Board” with Data Security and Privacy?

With cyber attacks and data breaches routinely making media headlines, conventional wisdom suggests companies would be making IT security and data privacy a top priority.

But the results of Protiviti’s 2014 IT Security and Privacy Survey indicate many organizations still have done little to safeguard against such potential crises. And worse, they are ill-prepared to mitigate them if they should strike.

Perhaps most glaring – and most difficult to explain – is the lack of corporate initiative with regard to written information security policies (WISPs) and data encryption policies. More than one-third of survey respondents said they do not have a WISP in place, and 41 percent lacked a data encryption policy.

Such findings are startling, considering that 46 of 50 states have data privacy laws that impose significant penalties on organizations that expose confidential data. Every privacy-related law holds accountable the company in possession of private data if that information is breached. Just as important, nearly all of these laws allow for leniency if the targeted organization has a WISP and data encryption policy. There is no way to sugarcoat it. With the opportunity to minimize legal liability, it is imperative for companies to adopt these policies.

Beyond highlighting such deficiencies, our survey provides insights into key factors that help organizations establish and maintain a robust IT security and privacy profile. Conducted in the second quarter of this year, the survey incorporates responses from more than 340 CIOs, chief information security officers, and other IT executives and management-level professionals.

The common denominator among entities with strong cybersecurity profiles is an engaged board of directors that is cognizant of security and privacy issues. According to our survey, 78 percent of organizations with boards demonstrating a high or medium level of engagement and understanding of security risks had all “core” information security policies in place. It is important to note that involvement doesn’t mean boards must be aware of every security practice detail. However, boards that set a strong “tone at the top” will drive their organizations to plan and implement more robust cybersecurity measures.

Our survey’s findings repeatedly show striking differences in security performance between companies with strong board engagement in information security and those without it.

For example, with data volume growing almost exponentially, it is paramount for companies to stratify their data based on importance and apply appropriate retention and destruction dates to each type, according to regulatory and legal requirements or industry standards. Here again, there is a clear divide between companies with regard to this pressing challenge: 87 percent of companies with boards that are highly engaged in information security have a clear data classification policy, compared with 64 percent for those lacking board engagement.

Likewise, although all companies can fall victim to hackers, it is interesting that those with a board that is more engaged in information security likely will recover more quickly after an attack: 77 percent of these companies have a formal and documented crisis response plan that would be executed in such an event. By comparison, only 47 percent of companies without high board engagement in information security are similarly prepared.

The obvious question is, why is high board engagement in information security such a differentiator? In our experience, operational teams in these organizations are compelled to tackle IT security issues earnestly as a result of oversight and direct questions from board members. Furthermore, they likely are producing meaningful metrics and communicating effectively with the board, which in turn may authorize management to make greater investments in security measures.

The clear takeaway here is that a board that is highly engaged in information security often leads to a security-conscious environment that fosters a true understanding of an organization’s capabilities – and, just as importantly, its limitations.


Thinking M&A or Divestiture? We’ve Got Answers in Our M&A FAQ

by Jim Ryan
Managing Director – Leader, Protiviti’s Mergers & Acquisitions practice


We recently published our M&A FAQ Guide and the timing could not be better. M&A activity, including carve-outs and divestitures, is on the rise around the globe as organizations sharpen their strategic focus. Yet, as noted repeatedly in articles in Forbes and the New York Times, among other media, the majority of companies fail to realize the desired value of their transactions. Why? Simply put, organizational responses are not comprehensively designed to match the complexity of an integration or separation.

Our M&A Guide offers considerations that may better prepare your organization. Mergers and acquisitions tend to be corporate-wide initiatives that, by their very nature, are sprung on employees with little analysis of people, process and technology interdependencies. Additionally, planning is rushed, runways for execution are shortened and key personnel become overcommitted. Our guide can accelerate your M&A activities by providing insights for many of the key challenges that organizations must solve to meet expectations.

For a glimpse at the guidance we offer, consider five questions to ask about your M&A activity:

  1. What is a typical deliverable of the due diligence team?
  2. Have we sufficiently defined the scope and change control process?
  3. How do we structure the team without detracting from daily business demands?
  4. What are the unique issues facing Finance, IT, Marketing and Sales?
  5. What are the key risks?

To make a merger or divestiture succeed, you must align the growth strategy with your corporate strategy; identify the right markets and targets; define and execute thorough, fast due diligence; prepare a detailed plan by phases; and follow up with well-resourced execution.

While nothing replaces focused thought and aggressive action, the information in our guide can help sharpen your focus while reducing risk, improving your chances of realizing desired value – and maybe get a little sleep.

Just-Released Insights on IT Security and Privacy – Board Engagement, Cyber Threats and More

I am pleased to announce that Protiviti released the results of its 2014 IT Security and Privacy Survey today. Our report contains some highly noteworthy findings that we’ll be discussing in greater detail in future entries. For now, let me share the key highlights with you:

  1. Board engagement is a key differentiator in the strength of IT security profiles.
  2. There remains a surprising lack of key “core” information security policies.
  3. Organizations lack high confidence in their ability to prevent a cyberattack or data breach (which isn’t a surprise given previous entries we’ve posted on this blog!).
  4. Not all data is equal: Companies can’t protect everything – designating a subset of their data deemed most critical will help with their data security measures, yet many aren’t doing this.
  5. Many are still unprepared for a crisis.

Visit for more information and to obtain a complimentary copy of our report. And view our video below.

Mobile Health Apps

Pretty much everyone I know – and I’ll bet everyone you know – uses a mobile device of some kind. In fact, more than 130 million people in the United States own smartphones, and almost half have slept with a phone next to the bed (hopefully they don’t put it under their pillow!). It’s also estimated that half have used them to obtain health-related information, and that about 20 percent have installed a health-related app (so-called mHealth, a term used for the practice of medicine and public health with the help of mobile devices). In fact, I’ve read reports that five years from now, 100 million people will be using mHealth and various mobile fitness apps. And we’re not just talking about applications for industrialized nations; the mHealth field has emerged in recent years largely as an application for developing countries, where mobile phone penetration is increasing rapidly. In developed and developing countries alike, mHealth is rapidly becoming a means of providing greater access to larger segments of the population, as well as improving the capacity of their health systems to provide quality care. Thus, mHealth is a big deal.

Protiviti’s recent white paper, “mHealth: How Mobile Apps Can Help Health Plans Improve Consumer Engagement and Facilitate Behavior Change,” recently took a close look at the mHealth space and identified multiple opportunities for health plans to use mobile app technology. Our research confirms that member engagement via mobile telephony can improve member satisfaction, loyalty and retention. It also can be a key strategic weapon against rising medical and administrative costs and reform uncertainty, and facilitate interaction with health exchanges and accountable care organizations.

I’d like to make a couple additional points about mHealth apps:

  • The federal government is already deeply invested in mHealth and patient engagement. The Department of Health and Human Services set up a Text4Health task force to provide mHealth recommendations directly to the secretary. It also established a SmokefreeTXT program for smoking cessation, and TXT4Tots, a text messaging library with evidence-based information on nutrition and exercise.
  • In the private sector, Aetna, Humana, Florida Blue and Kaiser Permanente are among several high-profile examples of health plans maximizing mHealth apps.
  • mHealth vendors are already servicing payers that need engaging mobile content for users – but too often use communications written by clinical staff using clinical terminology. Sensei Health stands out in this regard; it uses writers with diverse backgrounds – including comedians, in some cases – to compose several versions of a standard message, then tracks users’ response rates to each and sends future communications in the most popular style.

I note all this to give you an idea of the potential of mHealth apps for better member engagement. But organizations have to put some effort into it. To be successful, mHealth programs must get personalized information into members’ hands when their members want it – and not use mobile apps only to reduce administrative costs. They’ll need a comprehensive mHealth strategy in order to do this right. Companies don’t want to do it poorly and alienate the members they’re trying to engage.

Ask the senior management in your organization:

  • How can our plan maximize mHealth to optimize member engagement and facilitate behavior change?
  • How can we provide a secure environment for the exchange of sensitive personal information?
  • How can we integrate mHealth information into existing workflows?

The Protiviti white paper on mHealth apps provides details on key issues like patient privacy and data security. I encourage you to check it out.


Cloud Data Security – The Risks Are Real But Don’t Fear

by Cal Slemp
Managing Director and Leader of Protiviti’s Security Program, Strategy & Policy Practice

I’m concerned that recent articles might be giving the wrong impression about the risks that accompany data storage in the cloud. When I see headlines like “Cloud Security Concerns are Overblown, Experts Say,” I worry that companies may see “overblown” and perceive “non-existent.” Such stories are part of the news cycle. For example, the same question was posed in this Forbes article back in 2012, and was followed shortly thereafter by a number of very high-profile retail and financial data security breaches.

Wherever there is risk, there are bound to be stories questioning whether the perception of risk is exaggerated. And while it is true that a few data security breaches do not an untrustworthy cloud make, it is also true that there’s no such thing as secure data storage. Offsite, and thus “out of sight,” should not equal “out of mind.”

Risk is risk. It doesn’t matter if you keep your data in-house or in the cloud; your responsibilities for data security remain the same. You can’t afford to leave anything to chance because you remain responsible for customer data loss – even if the data was lost by a third-party vendor. All the customer cares about is you and the trust he or she placed in your brand. And while you may have a financial recourse in the event of third-party data loss, the reputational damage will all be on you. That is the business reality.

In a Flash Report Protiviti published earlier this year, we summarized the federal government’s cybersecurity framework and how it will help organizations get a handle on securing their information. I feel it’s a helpful document for companies that haven’t spent much time and effort on information security; for those that have, it’s consistent with the efforts we’ve seen in our work in the security and privacy space.

Remember that whichever framework or approach you select, mitigating cybersecurity risk introduces new investment costs that need to be considered by management, and that insufficient data security mitigation plans can cause revenue and customer loss and severe reputation damage that can be detrimental to your bottom line.

The cloud’s vulnerabilities affect your vendor risk management efforts as well. My colleague, Rocco Grillo, noted recently that a company “can have all the security in the world inside its four walls, but all it takes is a compromise at one third-party vendor that’s connected to it. That creates a bridge directly into the organization.” And as our colleague Brad Keller from the Shared Assessments Program states, if you’re relying on a third party, “you can’t just shut the door and say it’s someone else’s problem. You can outsource the function, but not the risk. In effect, you ultimately own the risk.” That’s why Protiviti and the Shared Assessments Program developed the first comprehensive Vendor Risk Management Maturity Model. This model sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program’s maturity against development goals. It’s worth taking a look to see how well your company stacks up.

Are cloud data security fears overblown? Maybe. Ripples on a pond do tend to grow as they travel outward from the source. But overblown does not mean minimal or nonexistent. The risks are real, and organizations need a solid vendor risk management policy and procedure in place to ensure that those risks are adequately considered and addressed.

IT Transformation: Five Strategies to Manage Change

Boardrooms are abuzz over big data; mobile applications are the order of the day; the first wave of enterprise resource planning systems is due for an upgrade. Without a doubt, information technology (IT) is in the crosshairs of change. Seems like it’s always been that way!

The pressure is on for IT departments to design, source and implement new systems incorporating all the latest bells and whistles. I offer the results of Protiviti’s 2014 IT Priorities Survey, which I have mentioned here previously, as proof of the scope of the drivers for change.

In leaping forward, however, organizations tend to embrace the future at the expense of the status quo. This can be a costly and crippling mistake when dealing with mission-critical systems. Service and performance continuity is as important to change management as change itself. In making change happen, it is essential to ensure that everything already in place runs smoothly while you build and implement the new technology. Also, it is important to achieve acceptable returns on prior IT investments. There has to be appropriate balance when embracing change.

For many companies, IT transformation can mean deploying heavily customized software; “re-architecting” existing networks; establishing interconnectivity with new business partners; adopting specialized technology; and investing further in web and mobile capabilities. So what are the best ways to manage an IT transformation? Here are five strategies and approaches that we have found work best:

  1. Understand – and communicate! – your priorities. This means introducing them with the assistance of relevant functional leaders across the enterprise. Paint a picture of what you have now, what you hope to have after the transformation, and what needs to be done to maintain the technological status quo during the change.
  2. Prepare a prioritized task list, in consultation with the organization’s executive management and business owners.
  3. Make sure you understand which core activities cannot fail during the transformation and develop appropriate timelines to address them.
  4. Organize your IT transformation projects according to your priority list.
  5. Make sure you have the right skills and people in place to get the job done.

Companies know too well how difficult it is to maintain current systems as new systems are being developed and put in place. Indeed, “IT infrastructure change management” and “operating system change management” both ranked very high as critical priorities in our survey. Planning and managing the technical infrastructure are key elements to the success and resilience of the business.

Here are some questions to ask prior to initiating an IT change:

  • Which systems are in immediate need of upgrading and which ones can wait?
  • Which are the mission-critical systems that need to be maintained during the change?
  • How will you maintain IT security during the change?
  • How and when will your IT policies be updated?
  • Do you have the resources to accomplish the transformation efficiently, effectively and with minimal disruption?

The breathtaking pace of technological change greatly complicates IT management processes, and the need for new technologies will continue to command the attention of CIOs and IT leaders. While you can’t stop progress, maintaining current systems and operations to ensure a smooth transition can spell the difference between IT that supports and moves the enterprise forward, or periodically disrupts it.