Using Five Lines of Defense for Your Risk Management Super Bowl

With the Super Bowl just around the corner, don’t ask me who is going to win. That I don’t have a clue just makes it even more exciting as either team is capable of winning.

Unlike the anticipation many of us are feeling with the Super Bowl match-up between Seattle and Denver, risk management and compliance management issues do not generate the same level of excitement unless something goes wrong and the board of directors, CEO and executive team are pushed into crisis management mode. Instead of the outcome being decided in one football season or a single game, effective enterprise risk management is an ongoing process of “blocking and tackling” to make sure it works — and, in today’s fast-paced world, a company’s viability often depends on it being done right.

In a recent issue of Board Perspectives: Risk Oversight, we discuss how an effectively designed and implemented lines-of-defense framework (as shown below) can provide strong safeguards against breakdowns in risk management and compliance management.

[Figure: 5 lines of defense]

As you can see, this lines-of-defense model emphasizes a fundamental concept of risk management: From the boardroom to the customer-facing processes, managing risk, including compliance risk, is everyone’s responsibility. It differs from the traditional view of three lines of defense.

I encourage you to subscribe to this newsletter and invite you to provide any comments or responses here. How does your organization safeguard against breakdowns in risk management and compliance management? How does executive management evaluate the organization’s risk culture? Do the board of directors and executive management play separate and distinct roles in overseeing the execution of risk management and compliance management?

Note that this article is also available on my blog for the National Association of Corporate Directors. You also can find more about the five lines of defense here.


Setting the 2014 Audit Committee Agenda to Address Tough Issues

As those of you who serve on audit committees know, setting an effective and strategically sound audit committee agenda is no easy task. For one thing, a lot is already on the agenda and there are certain things audit committees are required to do according to the company’s exchange listing standards and other legal requirements. So aside from the things the committee is obligated to do, is there anything else it should consider?

In addition, understanding significant risks can be difficult because of the complex and evolving nature of the global business environment in which the company operates. With this in mind, we share our guidance for setting your 2014 audit committee agenda, as detailed in our latest issue of The Bulletin. This agenda is based on our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums.

Enterprise, Process and Technology Risk Issues:
1. Update the company’s risk profile to reflect changing conditions – Given the constantly changing environment, the audit committee should take a close look at the company’s risk profile at least annually. Expect management to provide the committee an updated assessment.
2. Oversee the capabilities of the finance organization and internal audit – These capabilities must be aligned with the company’s changing needs, both internal and external. Make sure finance and internal audit are sufficiently resourced to meet these needs so they can carry out their responsibilities.
3. Contribute to board oversight of the five lines of defense – Watch for the warning signs that the tone of the organization, risk management function, internal control and escalation processes are not functioning effectively.
4. Understand how new technological developments and trends are impacting the company – Understand the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company’s business model.

Financial Reporting Issues:
5. Continue to enhance the external auditor’s communications with the audit committee – Manage the external auditor relationship so that the company receives value for its audit fees through enhanced communications from the audit process and inquire whether PCAOB inspections are having an impact on the audit approach.
6. Pay attention to the PCAOB initiative to expand the auditor’s report – Watch developments on the new auditing standard and related amendments that are intended to enhance the auditor’s reporting model.
7. Understand the impact of COSO’s 2013 update of the Internal Control – Integrated Framework – Understand the effect of the update on the company’s internal control reporting, internal audit activities and other affected areas.
8. Provide oversight on efforts to comply with new reporting requirements – Inquire about the impact of new accounting standards (e.g., revenue recognition and accounting for leases in the United States) and the status of the company’s due diligence with respect to the conflict minerals disclosure, if applicable.

I will continue to discuss these topics in future blogs and other pieces. As always, I welcome your questions and comments on these views. What are shaping up to be the priorities and issues for your company this year?

Five Things for CEOs and Boards to Watch in 2014

Here are five things that companies should have on their radar for 2014. I see these as hot-button issues that will affect all U.S. companies to varying degrees. I am not suggesting that they are the only things to watch nor are they necessarily the most important things to watch (although some may be). My point is these five issues are “going down” in 2014 whether we’re watching them or not! Here we go:

1. Data Security/Privacy: Although not yet a formal mandate, data security and privacy is a burning issue and one that affects many, if not most, industries. We expect to see a lot of future regulation in this area. By being proactive and recognizing security/privacy as a business issue rather than an IT issue, you may be able to mitigate future risk by getting ahead of the curve. A new year is an excellent time to ensure that processes are in place to safeguard customer privacy and provide cyber security (as further reason why, look no further than Target’s recent and mass

The Year Ahead in the Financial Services Industry

For our readers in the financial services industry, we just published – in the latest installment of FS Insights – some excellent insights and perspectives on key challenges financial institutions will face in 2014. These include:
– Facing economic uncertainty
– Persisting regulatory change
– Regaining customer and market trust
– Enhancing risk management, governance and internal audit functions
– Addressing system and data issues to protect against security and cyber threats
– Attracting, retaining and developing the talent needed for the future
– Finding new revenue sources

We believe that understanding these challenges and addressing them proactively will help you achieve a successful year ahead.

Your thoughts? What other challenges is your organization facing?


Harnessing Your Business Intelligence the Right Way

Happy New Year! I hope everyone got some much needed R&R! With the holidays now (sadly) in our rear-view mirror, it’s time to move forward again with our commentary and insights on today’s key business challenges. This time, I want to discuss business intelligence.

Business has fundamentally changed in the past 20 years. Users are closer to their customers and need to be able to retrieve and analyze their own data dynamically and independently, instead of being forced to submit queries to IT and then receive technical, and often unhelpful, green-bar reports on a weekly or monthly basis.