Cybersecurity Framework: Where Do We Go From Here?

Protiviti just published a Flash Report on the National Institute of Standards and Technology’s (NIST) final version of its Framework for Improving Critical Infrastructure Cybersecurity. I highly recommend that anyone involved in cybersecurity in their organization become familiar with the NIST Framework by reading our report. This framework could end up being the new game in town.

Just over a year ago, President Obama signed an Executive Order calling for increased cybersecurity for the critical infrastructure of the United States. On the anniversary of this Executive Order, NIST issued the final Framework, along with a companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The Framework and Roadmap are the result of a 12-month development process that included the release of multiple versions for public comment and multiple working sessions with the private sector and security stakeholders.

Our Flash Report provides an overview of and observations on the new Framework. You can read it here.


Ethics in Corporate Governance: “Walking the Talk”

If it’s true you can’t legislate morality – and all evidence, including but certainly not limited to corporate malfeasance such as the Enron and Worldcom scandals or the questionable corporate behavior of reckless risk-taking to maximize short-term profits and compensation (under “heads I win, tails you lose” compensation structures that left shareholders with the short stick) that contributed to the financial crisis, supports this hypothesis – why do companies bother with ethics policies?

I know Section 406 of Sarbanes-Oxley requires publicly traded companies to disclose whether they have ethics policies and whether their executives are bound by them. But Enron had a beautiful 64-page ethics policy, suitable for framing – for all the good it did them. So what’s the big deal?

Continue reading

PreView-ing Today’s Emerging Risks

Cory Gunderson and Jim DeLoach

We want to share a heads up with you regarding a new Protiviti newsletter that we’re very excited about. We’ve just published the first edition of PreView, which will be a quarterly review of emerging risks likely to have a strategic impact on organizations over the long term. Our focus in issuing PreView is on helping organizations ask the right questions rather than provide answers. Therefore, we hope that PreView will prompt thought and dialogue within organizations.

We are big fans of the annual World Economic Forum (WEF) Global Risks Study in offering far-reaching perspectives for the long term for company executives and policymakers to consider. In PreView, we root our evaluation framework for emerging risks in the annual WEF reporting, which we like because each WEF periodic refresh provides rich, thought-provoking input into the likely mega trends expected over the next 10+ years. It is a great tool for stimulating truly long-term thinking for directors and executives in virtually any industry. Over time, we’re confident that Protiviti’s PreView will offer a useful perspective for board members and C-suite executives, providing yet another source of input for them to consider risks that are evolving in the marketplace.

Effective risk management requires companies to understand more about what they don’t know than what they do know. Emerging risks are those risks that are beginning to surface and could smolder over time before affecting an organization. They are often the result of macro-level changes in the business environment. Left unaddressed over the long-term, they can alter the assumptions underlying corporate strategies and could have a long-term impact that directors and executives might regard as “unthinkable” today. Therefore, we see these risks as distinctly different from risks that have been previously identified and present a focal point for current risk management capabilities.

We realize that the implications of emerging risks may not be fully understood at the present time even though we know they’re on the radar, and hence, comprehensive risk management options to assess, quantify, monitor and develop response plans are difficult for organizations to design and implement today. In fact, many emerging risks may warrant a strategic response, meaning the monitoring of vital signs in the environment and possibly making adjustments to the corporate strategy over time.

We hope this PreView newsletter serves as a thought-provoking piece in organizations’ consideration of emerging risks, particularly those risks that may have a direct impact on them, as businesses undertake steps to evolve and adapt progressive risk management practices.

To read the newsletter and to continue the conversation about emerging risks, we invite you to visit our Emerging Risks site ( As you will note, we’re trying to make PreView easy to read, and that means we selected a few risk issues to discuss and kept the discussion crisp rather than list everything we could think of. If you’re familiar with some of these issues, please comment on them here. If you have other issues you think we should explore, please raise them or any questions you have here.

The world is a complex place and our crystal ball is just as foggy as everyone else’s. But we hope to initiate and sustain a dialogue regarding emerging risks through quarterly issues of PreView and periodic entries in this blog over time.

More on the Five Lines of Defense

In January, I commented on this page regarding how an effectively designed and implemented lines-of-defense framework can provide strong safeguards against breakdowns in risk management and compliance management. The traditional lines-of-defense model has emphasized three lines of defense – (1) business unit management and process owners, (2) independent risk management and compliance functions, and (3) internal audit, in that order. We proposed a five lines of defense model which features the tone of the organization as the first line and executive management operating under the oversight of the board of directors as the final line of defense, both wrapped around the traditional three lines of defense.

Since then, Sean Lyons has informed me of his ongoing work on the five lines of defense framework. His take and our take on the five lines concept are different and were independently developed. Check out Sean’s work using Google and his name.

The three lines of defense model has been around a long time. As we point out in Issue 4 of Volume V of The Bulletin:

    This point of view is found in “Risk Management…Easy as 1, 2, 3,” published by The Institute of Internal Auditors (IIA), Tone at the Top, Issue 60, February 2013. Also, ISACA has published a point of view of the strategic implementation of three lines of defense as the first principle of its risk management framework. ISACA’s view of three lines of defense differs slightly from The IIA as it adds the board of directors along with internal audit as the third line of defense. Solvency II incorporates three lines of defense into its publications with similar thinking along the lines of ISACA.

Continue reading

Executive Perspectives on Top Risks for 2014

One of the first questions an organization seeks to answer in risk management is, “What are our most critical risks?” To provide perspectives about the nature of potential risks in 2014, I am pleased to report that Protiviti and North Carolina State University’s ERM Initiative have partnered for the second consecutive year to poll more than 370 board members and C-suite executives regarding their views on the top risks their organizations are facing.

Our report, available at, is packed with information on notable trends, along with analysis and commentary based on different data groupings – company size, role, industry, etc.

Among the key findings from our study:
– The overall survey responses suggest a business environment in 2014 that is slightly less risky for organizations than it was a year ago, although board members, when viewed discretely from the rest of our respondents, tend to perceive this year as more risky.
– Overall, strategic risk concerns show the largest year-over-year increase in risk scoring.
– Regulatory change and heightened regulatory scrutiny represents the top overall risk for the second consecutive year.
– Economic conditions in domestic and international markets are again a highly ranked risk, but there is a notable year-over-year decrease in the risk score.
– Cyber threats and privacy/identity management not only rank among the top 10 risks for 2014, but are ranked even higher, compared to the overall results, among many respondent groups, including large organizations.
– Uncertainty surrounding political leadership affecting U.S. and international markets represents another key risk that may affect or restrict growth opportunities for organizations.

I’ll be commenting in more detail in this blog about many of the trends and critical risk issues identified in our study.

Our report, Executive Perspectives on Top Risks for 2014, as well as a podcast and video, are available at We also have published an informative infographic (see below). In addition, on Tuesday, February 11 (at 1:00 p.m. ET/10:00 a.m. PT), Protiviti and North Carolina State University will host a webinar to discuss the survey results and provide analysis as to how organizations can address these risk areas.


I want to acknowledge our outstanding partners at North Carolina State University’s ERM Initiative: Dr. Mark Beasley, Dr. Bruce Branson and Professor Donald Pagach. It continues to be a pleasure to work with them to make this project a success. I also want to thank the many individuals in Protiviti, including our Industry Leadership team, for their valuable contributions to this project.