Managing Your Organization’s Culture During Rapid Growth

Charles Soranno - MD New Jersey

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit



Early in December 2016, I had the pleasure of leading an in-depth webinar exploring how fast-growing companies can prepare for challenges related to changes in their culture and talent requirements, particularly when ramping up for an IPO or following one.

I was joined by Carmela Krantz, Vice President of Human Resource at WideOrbit; Danielle Soucek, Director of Insight Product at Equilar; and Michael Waxman-Lenz, CFO at Undertone. Together, we provided analysis and guidance on how to create the right team, scale for growth, benchmark against peers and competitors, and develop a public company mindset.

As companies implement their growth plans in the new year, it’s worth revisiting a few of the big ideas that emerged from the event.

Building the Right Team – Recognize the Influences
An organization’s ownership structure, its industry dynamics, and whether it has a domestic or global presence shape its culture and need for certain skillsets. Challenges typically emerge when companies bring in new investors, prepare to launch an IPO, add locations, or significantly expand their employee base.

Ownership has a tremendous impact on what the right team looks like, for example. A closely held startup may not have formal financial reporting requirements, but as it attracts institutional capital or registers for a public offering, more specialization and structure is required as expectations and demands change. Institutional investors likely will be less forgiving of reporting errors than founders working in a close-knit setting, and companies that execute their IPOs have to meet strict Securities and Exchange Commission (SEC) regulatory, compliance and reporting requirements. Will free-thinking, entrepreneurial-oriented individuals who were involved in virtually all aspects of a startup’s early development be able to not just perform, but thrive, in this more regimented operating environment?

Scale for Growth
Maintaining robust and consistent communications and formal communication protocols (especially for public companies) between an organization’s leaders and its workforce – even to the point of “over communicating” – is perhaps the most important strategy human resources (HR) can promote when employment rosters are expanding by the dozens each month. Letting employees know how they fulfill a company’s mission during times of rapid change keeps them plugged-in, motivated and contributing to desired business outcomes.

Staying ahead of the recruiting battle is another critical step HR can take. Human resource managers and recruiters must work closely with the C-suite to better understand the dynamics of the growing company and the mindset – not just skillset – required to make new hires successful. Also, by keeping employees informed of open positions and using referral incentives, HR can make all employees recruiters. This strategy can help fill jobs more quickly and often nets candidates of a certain caliber that have a higher chance for success.

Benchmark Growth
Compensation practices change dramatically after a company prepares for and ultimately completes an IPO, typically moving from less structured to more formal, documented programs designed to secure and retain talent. The scrutiny, by the SEC and others, of publicly available post-IPO executive compensation data requires organizations to balance shareholder interests with rewarding executives fairly.

One of the best ways to strike that balance begins with defining the talent market by selecting a peer group survey or collecting proxy data, or by combining both methods. Many companies utilize compensation consultants that can provide the data. Often, the advisors also understand how less tangible factors, such as management philosophy and individual performance, may influence pay packages.

Get a Head Start
While an IPO may be the last thought on the minds of executives running rapidly growing companies, especially early-stage companies, operating as if an transaction is imminent can make organizations more attractive and valuable when investors begin to take interest. Steps companies can take in that direction include developing a solid IT and finance infrastructure, assembling superb finance and operations teams, establishing excellent corporate governance, and developing a public company mindset among employees.

Of these initiatives, developing sustainable and scalable IT infrastructure and strong finance and accounting teams are among the most critical. However, infrastructure also encompasses making sure a company’s organizational chart is balanced and determining whether special technical or general needs should be outsourced. Organizations also need to be aware of pitfalls that could derail the development of a transaction-ready public company mentality. Underestimating the effort required not just before, but also after the IPO, is chief among them.

Learn More
Rapidly growing companies face a number of challenges as they transition from freewheeling entrepreneurial startups to more structured, efficient and mature operations. By preparing for headwinds associated with changing cultures, they can put themselves in a better position for success. Listen to the recorded webinar for a deeper dive into the ideas discussed here.

IT Innovation: Does Your IT Budget Have Room for It?

Ed Page - Protiviti ChicagoBy Ed Page, Managing Director
Technology Consulting




infographic-annual-technology-trends-and-benchmark-study-2016-protivitiOne of the budget struggles chief information officers are continually faced with is reducing operating costs to make room for innovation. And while several studies, including our own, show that they have succeeded in bringing down “lights on” expenditures over the past decade or so, in many cases those savings have been absorbed by urgent non-strategic needs, such as compliance and security, too often leaving innovation to languish.

The consequences of failing to innovate are hardly trivial. The emergence of technology-enabled competitors who, unfettered by legacy technology, are able to develop and deploy new products and services faster and more efficiently threatens to leave behind older, more established companies, and especially those that perennially struggle to build innovation into their IT budgets.

I’ve seen this struggle firsthand in talking to our clients, and our recent benchmarking report, based on the responses of almost 400 C-level technology leaders to Protiviti’s 2016 IT Trends Survey, confirms it.

This dichotomy between the strategic and the urgent is evident in the numbers. While more than half of respondents overall (54 percent) said their organizations were undergoing digital transformation driven by the need for new functionality and innovation, virtually all of their top-10 priorities were security or operations oriented. Only 13 percent of the IT budget, on average, was earmarked for innovation or transformation.

In my experience, companies, and IT departments, fund their most urgent needs. Which means that, even though digital transformation is talked about, most companies are still stuck, budget-wise, in a reactive mode, putting out fires — regulatory, operational, and cybersecurity. These are very real pain points, so that’s where budgets are allocated. While there is an aspiration to transform, other priorities often prevent IT departments from getting where they want or need to be.

There is one consistent differentiator between companies that actually innovate in IT versus those that merely talk about it. The difference is that serious innovators make IT transformation part of their strategic plan and rely on it for the success of other strategic goals and objectives. Very often, these firms view themselves as technology companies, even if others might see them as part of another industry. As the CEO of Capital One, Richard Fairbank, once told investors, “We’re going to need to think more like technology companies and maybe a little less like banks.”

In the absence of a clear plan and executive and board buy-in, IT transformation is just another project competing with a lot of other projects for money. Aligned with company goals and objectives, it becomes an enabling force.

Where such strategic alignment can often benefit an established company the most is in modernizing core IT infrastructure. Management of outdated systems, on which everything else depends, is increasingly becoming the dead weight preventing companies from meeting new challenges and customer demands with agility and speed. CIOs and technology leaders are faced with having to invest more time and resources into keeping these systems up, while at the same time trying to squeeze cost reductions out of them without impacting service levels. In fact, responders to our survey pointed to legacy systems and processes as the number one obstacle impeding IT transformation.

The good news is that a small but growing number of organizations are taking the strategic decision to modernize their aging cores to achieve both increased agility and sustained long-term savings in costs and resources. Among respondents from financial services companies, 70 percent said their companies are undergoing digital transformation (16 percent more than the general population) — perhaps because the field, eagerly entered by emerging fintech companies, is even less forgiving, and because innovative IT structures, once implemented, can create significant opportunities where none existed before.

To be sure, transformation is disruptive, and replacing or modernizing core technology can be very expensive. Both of these barriers can be mitigated, however, through careful planning and a phased approach incorporating newer technologies, more modern architecture approaches and more nimble delivery methods, such as cloud technology, microservices, application program interfaces (APIs), and agile product development and software delivery methodologies.

Once again, real priorities are reflected in the budget, and innovation is unlikely to receive a bigger slice of the pie unless it is seen as a strategic, business project first. While cybersecurity, a key expenditure, will continue to command its share of IT resources, there is a case to be made that these resources can also be used more strategically, efficiently and effectively. We will focus on cybersecurity spend and priorities in a follow-up post. Subscribe to our blog to follow the discussion.

2017 Perceived as Riskier by Top Executives, Survey Results Say

Executive Perspectives on Top Risks 2017 InfographicPolitical and economic instability, cyberattacks and disruptive change have global executives and board members on high alert for the year ahead, according to research from Protiviti and North Carolina State University’s ERM Initiative. The report, Executive Perspectives on Top Risks for 2017, and an executive summary are available for download on the Protiviti website.

Concerns about the global economy topped the list for the first time in the five years we’ve been doing the study, surpassing regulatory concerns, which fell to number two. Tech risks followed, with cyber-risk, identity and privacy remaining in the top five.

I had the opportunity to discuss the results — along with Mark Beasley, the Deloitte Professor of Enterprise Risk Management at North Carolina State, and my colleague Pat Scott, executive vice president, global industry and client programs at Protiviti — in a December 15 webinar, and wanted to share some of the highlights.

We surveyed 735 executives and directors at companies around the world, representing a cross-section of industries, and asked them to prioritize 30 risks on a scale of 1 to 10, with 10 being the highest level of concern. Risks were grouped into three categories: macroeconomic, strategic and operational.

The overall risk scores were higher than last year in every category, a sign that executives perceive 2017 as more risky than 2016. Despite that, few organizations plan to invest additional time or resources to risk identification and management — which could reflect either resource constraints, or satisfaction with current resource commitments and prior year investments in risk management capabilities.

From a regional perspective, respondents from companies in the Asia-Pacific region were the most concerned, followed by European companies. Although U.S. executives registered no change from the prior year (i.e., their perception of 2016 risk levels), volatility in global markets and currencies may create significant challenges here as well as abroad.

The next twelve months will be interesting on the regulatory front as a populist wave sweeps across major world economies affecting everything from healthcare, immigration, and trade in many sectors, with implications for many companies, not just the highly regulated ones.

Concern for cyber-threats has been rising over the years, and continues to increase, particularly in the areas of privacy and identity management, as new technology offerings expand faster than the security protections companies have in place.

For other top risks, I refer you to the report.

One parting thought: Just as concerns varied by region, industry and company size, they also varied by the respondent’s role within an organization. This is significant in that I think there is a tendency for companies to assume, internally, that everyone is on the same page when it comes to risk priorities and perception. That’s simply not the case. Therefore, the risk assessment process needs to be inclusive to encourage participation of multiple stakeholders and perspectives.

I think the bottom line is that 2017 is going to be a fun ride that’s not for the timid. So fasten your seat belts!

Jim DeLoach

Compliance Insights Latest: Regulator Warns on Sales Incentives, New York Fed on Ethics, and More

Steve StachowiczBy Steven Stachowicz, Managing Director
Risk and Compliance




Culture and ethics are important in financial services; this much has always been clear to anyone working in the industry. Consumers and businesses alike place a great deal of trust in the system, and continue to hold it in high regard even in light of recent scandals and events that have highlighted certain questionable practices, testing this trust. But culture and ethics are much more than empty statements printed on a poster or in an employee bulletin and posted in the breakroom – a financial institution must take tangible steps to instill in its employees the values it declares publicly. Risks and rewards should be managed in a manner consistent with these values, as well as applicable legal and regulatory requirements and expectations and the best interests of the institution’s customers. In our most recent edition of Compliance Insights, we share the latest public statements from the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Bank of New York related to these topics.

In November 2016, the CFPB issued a bulletin regarding detecting and preventing consumer harm from sales and production incentives (we provide examples of such incentives in our current edition). The CFPB stresses the importance of proper oversight of employee incentives, particularly those that may pose potential harm to consumers if not designed and monitored appropriately. The CFPB expects financial institutions that employ incentive compensation programs to implement effective controls and risk management oversight of both employees and service providers participating in the programs. The CFPB reminds institutions of its expectations that they establish strong compliance management systems that detect violations of Federal consumer financial laws and, in particular, prevent unfair, deceptive or abusive acts or practices (UDAAP). The CFPB makes clear that compliance departments have an important role to play in managing the risks associated with these programs.

The CFPB bulletin was issued a month after William Dudley, president and CEO of the Federal Reserve Bank of New York, called for increased regulatory oversight to ensure accountability for misconduct and lapses of ethical judgment at financial institutions. Among his suggestions, Mr. Dudley articulated the need for tangible regulatory requirements rather than principled high-level statements. He proposed certain solutions, such as a database of banker misconduct and an annual, industry-wide culture survey. However – and clear to anyone involved in financial services – the responsibility for reforming culture ultimately lies with the banking and financial services industry itself, and financial institutions must make coherent, comprehensive efforts to correct any cultural and ethical weaknesses.

 In other compliance news, the Financial Crimes Enforcement Network (FinCEN), in coordination with the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS), issued an advisory in September to help financial institutions identify and prevent the growing number of e-mail compromise fraud schemes.

The advisory includes a list of relevant red flags and detailed scenarios related to e-mail fraud schemes, and highlights the growing trend of cyber-enabled criminal activity. According to FinCEN, there have been approximately 22,000 reported cases of e-mail compromise fraud involving $3.1 billion in losses since 2013.

Finally, a study by the Global Association of Risk Professionals found that only half of the banks that were required to comply with Basel 239 risk data aggregation and reporting requirements by January 1, 2016 are in compliance. Risk data aggregation refers to a bank’s ability to consolidate various sources of risk data, such as loan default or derivative exposure across various business units.

For a more in-depth analysis of December’s compliance topics, you can read the full insights report here. We look forward to following and sharing more financial services compliance news with you in 2017. Happy New Year!

2016 Was an Eventful Year – This Is How We Covered It

As 2016 comes to a close, I want to look back on the events that made this year unique in ways both rewarding and challenging – and summarize the topics Protiviti professionals discussed, and our readers engaged with, here on The Protiviti View.

Perhaps the most seminal events of 2016 with the biggest implications were Brexit and the election of Donald Trump as president. The Brexit was brought about by sovereignty and immigration issues as those who voted to leave the European Union believed the UK – and no one else – should address UK-related decisions and control over its own borders. The U.S. presidential election arose from many issues such as immigration, trade, healthcare reform and jobs, among others.

We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too – record-setting security breaches across industries, including massive unauthorized release of financial data from offshore accounts, and DDoS attacks enabled by the Internet of Things.

In technology, Google’s AI robot AlphaGo defeated GO champion Lee Sedol, and Uber launched its fleet of driverless cars despite some opposition. Both of these events speak to the future of artificial intelligence, an emerging risk we continue to track in our PreView newsletter). Also in technology, the financial services industry seems poised for change and excited by the possibilities of new financial technology in payments, compliance and more.

Finally, natural disasters and viral diseases like the Zika virus created real economic damage, raising questions about resource availability and business continuity planning. We summarized the potential implications of these unpredictable business disruptors here.

Given the flavor of events this year, it is not surprising our top two most read blog posts had to do with cybersecurity and cyber awareness. Our third most popular blog had to do with money laundering and increased regulatory scrutiny in that area.

The posts that saw the most love on social media were submitted by our fraud investigation experts and focused on fraud prevention and fraud risk management. 2016 was a big year in fraud, as the much-awaited Fraud Risk Management Guide was released by COSO and the FCPA launched its Pilot Program. (Also, SEC gave six out of its 10 highest whistleblower awards this year).

Also widely shared was anything related to cybersecurity and the protection of personal identity, an issue that continues to affect billions of people and to which no company or entity seems to be immune.

This is plenty to look back on and think about in planning for the new year. Once again, I want to thank both our readers and contributors for their participation and engagement. We look forward to continuing these conversations in 2017.

Jim DeLoach

Four U.S. Regulatory Agencies Issue CECL FAQs – Here Is the Summary

Charles Soranno - MD New Jersey

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit 



Four U.S. regulatory agencies – the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) – have issued a set of frequently asked questions (FAQs) in an effort to assist banks and other financial institutions with the implementation process for the Financial Accounting Standards Board’s (FASB) new accounting standard. The FASB standard introduces the current expected credit loss (CECL) methodology  for estimating allowances for credit losses under U.S. generally accepted accounting principles (U.S. GAAP), and many firms are grappling with how to implement it.

Aside from reiterating the reasons behind the need for the new standard, the FAQs highlight some key areas that firms need to take notice of.

By issuing the new CECL standard, the FASB:

  • Removed the current “probable” threshold and the “incurred” notion as triggers for credit loss recognition and instead adopted a standard that states that financial instruments carried at amortized cost should reflect the net amount expected to be collected over the life of the instrument.
  • Broadened the range of data that is incorporated into the measurement of credit losses to include forward-looking information, such as valid forecasts, in assessing the collectability of financial assets.
  • Introduced a single measurement objective for all financial assets carried at amortized cost.

In terms of changing current GAAP, the new standard:

  • Introduces a new credit loss methodology – The new allowance for credit losses will be an estimate of the expected credit losses on financial assets measured at amortized cost, which is measured using relevant information about past events and other factors.
  • Recognizes credit losses earlier – By removing the “probable” threshold and the “incurred” notion, CECL eliminates the triggers used for recognizing credit losses under existing U.S. GAAP and will require entities to record expected losses earlier, where appropriate.
  • Will allow leverage of existing credit risk management practices – Management will continue to incorporate qualitative and quantitative factors, including information related to underwriting practices, when estimating allowances for credit losses under CECL, but better alignment and timing will be necessary.
  • Will need to incorporate forward looking information in the models – CECL is forward-looking and broadens the range of data that must be considered in the estimation of credit losses. It must consider not only past events and current conditions, but valid forecasts that affect expected collectability.
  • Will reduce the number of credit impairment models – The existing guidance is complex because it encompasses multiple impairment models for different asset types. In contrast, CECL introduces a single measurement objective to be applied to all financial assets.
  • Will introduce the concept of purchased credit-deteriorated (PCD) financial assets – This replaces purchased credit-impaired (PCI) assets under existing U.S. GAAP. The difference in the PCD criteria means that more purchased loans held for investment, more debt securities held to maturity, and more available-for-sale (AFS) debt securities will be accounted for as PCD financial assets.
  • Will modify today’s accounting for impairment on AFS debt securities – Under this new standard, institutions will recognize a credit loss on an AFS debt security through an allowance for credit losses, rather than a direct write-down as is required by current U.S. GAAP.
  • Will require vintage disclosures by public business entities (PBE) in U.S. GAAP financial statements – Under the new accounting standard, disclosures of credit quality indicators need to be disaggregated by vintage year to provide users of financial statements greater transparency regarding the credit quality trends within the portfolio from period to period.

The new guidance is effective for PBEs beginning on January 1, 2020, and for non-PBEs beginning a year later, on January 1, 2021.

We summarized the impact and challenges of the CECL earlier this year in a point-of-view paper and a blog post, which provide more details on the methodology, timeline and action points for firms. Although the expected timeline gives the industry several years to implement the updates, the main message to organizations is that they need to begin the planning process now in order to meet the expected deadline.

Fewer Oil Companies Are on the Edge of Bankruptcy — Is This Really Good News?

In this Industry Perspective series, we offer the views of Protiviti leaders on developments and news in specific industries. The perspective below focuses on Energy & Utilities.


Tyler Chase

robert-patrickBy Tyler Chase, Managing Director, Energy and Utilities Industry
and Robert L. Patrick, Director, Corporate Restructuring and Recovery



A recent update from Debtwire states that 135 oil companies headed for bankruptcy is good news compared to the 180 companies that were on the Debtwire list in January. According to the article, oil prices have recovered from their lows around $26 a barrel and are now hovering around $50, which has helped some companies stabilize. Most of the companies on Debtwire’s list have already eliminated jobs and closed plants, so the industry appears to have hit bottom, the article claims.

Our perspective:

It may be prudent for oil company management teams and investors to hold back on optimism-based strategies for the present time.

Oil market fundamentals and the U.S. economic outlook portend, at best, flat results for the foreseeable future. That said, and as crazy as it might sound, the energy industry was the highest performing industry in 2016, so those that have had positions in energy stocks have benefitted. However, investors who are willing to accept the oil market- and company-specific dangers inherent in placing capital into distressed oil and gas companies should not be looking for immediate returns in 2017.

Those who have been waiting for the industry to “hit bottom” before pulling the trigger on new investments, acquisitions or expansions might want to add this decreased trend of bankruptcies to other recent optimistic news (for example, an energy-friendly federal administration, oil stabilizing around $50/bbl, OPEC cutting production) as an indicator that the industry is headed in the right direction.

Bottom line: Even if a lower number of oil companies appear to be headed for bankruptcy, the industry’s stress is likely to continue and companies will need to continue to strengthen their profit-and-loss monitoring and forecasting, risk management analysis, and strategic planning processes.