ORSA: Getting Ready for the 2015 Summary Report

Last week, we published a new white paper on the upcoming Own Risk and Solvency Assessment (ORSA) requirement for insurers in 2015. ORSA is a key part of the Solvency Modernization Initiative of NAIC. For the insurance industry specifically, the ORSA challenges organizations to think about their solvency and risk management processes as part of their overall risk strategy, instead of just once a year when filing the report.

In this white paper, we provide an overview of the ORSA requirement and guide you through the ORSA process and report. We examine the risk management frameworks of leading insurance companies for common traits and issues, such as the lack of integration among various risk frameworks inside organizations. Readers can benefit from several specific suggestions aimed at helping insurers replace the traditional risk management process with a forward-looking one that embraces a more comprehensive enterprise risk management framework and also considers the organization’s solvency and capital adequacy. The hope is that by assessing risk in a continuous, future-oriented manner, companies can avoid repeating some of the mistakes and excesses that led to the turmoil of the financial crisis.


Looking at Trends in the U.S. Insurance Industry

We’ve published another white paper, 2014 Trends in the Insurance Industry, that those with insurance organizations will find relevant. Aimed at helping insurers understand the main forces and trends shaping the direction of the industry, the paper discusses five key trends:

  • The Own Risk and Solvency Assessment (ORSA)
  • Anti-money laundering (AML) compliance
  • Big data
  • Social media
  • The U.S. Department of the Treasury FIO report, issued at the end of last year

These trends have important implications for insurance organizations, including the need for a reliable governance system for handling and safeguarding the vast amounts of customer data available to insurers; a framework for evaluating an organization’s risk management and solvency and the related ongoing regulatory reporting; resource development and training in enhanced AML requirements; and effective and flexible policies and procedures for social media engagement with customers. In addition, the recent shift of the Federal Insurance Office toward a hybrid model of insurance regulation means insurers should keep a close eye on regulatory reforms at both the state and federal levels. In short, these trends and developments are a big deal and, without a doubt, will impact the industry.

Protiviti’s Financial Services and Risk & Compliance leaders contributed to this trends analysis.


Keeping Pace with SOX Compliance – COSO, Costs and the PCAOB

Every year, one of Protiviti’s most highly anticipated studies is our Sarbanes-Oxley Compliance Survey, in which we assess the current state and maturity of SOX compliance in public companies, along with factors influencing their efforts and costs. In our 2014 survey, the results of which we released today, there are a number of notable takeaways suggesting that, as a result of the new COSO framework and PCAOB inspection reports, among other factors, new hurdles are emerging in the SOX compliance process.


Our key findings:

  • Companies are getting started, albeit slowly, with implementing the new COSO framework.
  • There is measurable fallout from the PCAOB’s inspection reports.
  • Compliance costs are going up but are still manageable for many.
  • Organizations continue to automate more processes and controls.

For more information and detailed survey results, I invite you to visit www.protiviti.com/SOXsurvey. Also, you can check out our infographic and video here.



A Look at the Maturity of Vendor Risk Management – A Benchmarking Study from the Shared Assessments Program and Protiviti

I want to share with you a just-released report on the results of a study on vendor risk management practices in which Protiviti partnered with the Shared Assessments Program – a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. Our report reveals some particularly interesting findings regarding how well organizations are managing their vendor risk. Bottom line: There is significant room for improvement in many organizations.

As the volume of outsourced and offshored products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. Data breaches at vendors handling a company’s data and information are costly; they can even carry a higher cost than in-house breaches.

Importantly, the number of incidents is rising – in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization in any industry that is relying on third-party vendors to manage operations and processes. These at-risk vendors include not just data management, IT and security providers, but also facilities management along with any vendor that may have access to your network, data or facilities.

Thus, vendor risk management is a big deal, raising the bar on the importance of a company knowing who its third parties are, how each of them interacts with the company’s customers, what activities each performs on behalf of the company, and what company data they access and process. Unfortunately, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model by the Shared Assessments Program.

The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study based on this maturity model. Our study reveals some interesting trends:

  • Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies and industries.
  • Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the overall financial services set.
  • Notable areas for improvement include program governance as well as policies, standards and procedures.

To learn more, please visit www.protiviti.com/vendor-risk. And as always, I invite you to share your comments and feedback here.



The CIO’s New World – Transformation, Innovation and the Impediments to Achieving Them

by Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

Innovation and IT transformation are hot topics these days. Our Emerging Risks and IT Priorities surveys highlight these points clearly, and there is good reason for these trends.

Technology is evolving at an incredible pace, putting new capabilities in the hands of end users and IT professionals alike. This creates a growing need for IT organizations to become more nimble as they seek to adapt to changes in both the technology landscape and consumer behaviors. A lot of attention is being paid to the impact of social, mobile, analytics, and cloud (SMAC) technologies, with many organizations moving toward Agile development methodologies and supporting tools (DevOps) as a means of becoming more responsive. These areas of focus fuel many of the innovation and IT transformation opportunities that we so often hear about.

On the other hand, there is little talk about the impediments that exist in many large IT shops. The unfortunate reality is that many large enterprises are simply not engineered to take full advantage of these new methods and technical capabilities.

For example, the IT infrastructure for most enterprises in financial services has been developed over decades, often complicated by the impact of multiple mergers and acquisitions. The result is an architecture that I liken to an archeological dig. At the top layer, you’ll find some of the shiniest and newest technology known to man, but dig a little deeper, and you’ll find that it’s built on top of layers and layers of older technology, some dating back three decades or more. The interdependencies between these layers are complex, so it’s not a simple matter to “rip and replace” the older parts of the environment, yet those older parts are absolutely mission critical. Dealing with this reality is neither as easy nor as exciting as deploying new products and services, but it cannot be ignored.

This underscores the need for IT transformation, making the job of the CIO a lot like the manager of a large city that has to undergo urban renewal. The enterprise – the CIO’s city – has to keep operating flawlessly while the renewal occurs. Funding for infrastructure renewal has to be procured, risks have to be managed, and “detours” have to be planned and communicated – all while core infrastructure work is underway.

And it’s not just about the technology; working through organizational change is equally important, since existing processes are designed to support the current complexity. Successful IT executives will be those who recognize the need for change, then develop and execute a risk-managed plan to adapt their people, processes and technology, creating a solid foundation within the organization to support the adoption of new technical capabilities and enable innovation.

These transformation challenges, as well as opportunities presented, are described more fully in our recent FS Insights article on The IT Hierarchy of Concerns and the Ambiguous Cloud of Emerging Technology.


New COSO Framework and Financial Regulators Bring Internal Investigative Units into Focus as Never Before

by Scott Moritz
Managing Director – Leader, Protiviti’s Fraud Risk Management Practice

In acknowledgement of Corporate Compliance and Ethics Week, I’d like to share some thoughts about the state of internal investigative units today.

The ability of corporate security and internal investigative units within public and financial services companies to align with the new COSO internal control framework, and in particular with Principle 8, has recently attracted significant focus. As a result, ethics and compliance officers, executive management and internal audit now have to pay much closer attention not only to their organizations’ ability to deter, detect and report internal and external fraud, but also to the investigative units themselves.

Similarly, the release of the revised COSO framework last year, with its emphasis on fraud risk assessment, has caused a surge in activity in this area. Internal investigative units, an integral part of the fraud risk management framework, are once more being put under a microscope. Even companies without dedicated investigative or corporate security departments must have clearly defined roles and responsibilities in order to investigate allegations of fraud or misconduct successfully.

Given the importance of getting fraud investigations right and the increased attention being paid to internal investigative capabilities, organizations need to examine their in-house investigative capabilities objectively. A common problem for many lies in their use of one or more front-end detection systems. These are designed to generate alerts for subsequent review and, if necessary, escalation to higher levels of investigation.

Unfortunately, the vast majority of the alerts produced by these systems are false positives, and chasing these red herrings can quickly exhaust company resources. Fortunately, the problem can be resolved easily by adjusting the system rules and/or algorithms to better suit the end-user organization, providing a welcome lifeline to an overworked investigative team.

Case management systems, which track front-end alerts and provide an audit trail associated with false positives, are also critically important to any investigative unit since they document the progress of investigative cases from initial intake to disposition. For maximum efficiencies, case management systems need to be integrated fully with front-end systems.

Some organizations have multiple organizational constituencies that perform different categories of investigative activity. Legal, HR, anti-money laundering (in the case of financial services companies), corporate security, financial investigative units, internal audit, labor relations and IT security may each have their own case management tools and front-end tools. There may be very good internal reasons to keep their cases separate, but doing so often results in significant duplication of effort. The creation of a formal mechanism, such as a compliance investigations working group or subcommittee, can break down some of those silos and ensure better coordination across the units.

Also important – yet sometimes overlooked – are written procedures for the clearing of system alerts, the escalation of alerts to investigative cases, and the investigation and documentation of cases. A lack of these procedures inevitably leads to inconsistency in a company’s investigative processes, which in turn can lead to liability, particularly if an outside party is reviewing the investigative unit as part of a regulatory exam or through legal discovery in connection with an investigation that led to litigation.

In light of the inherent challenges associated with investigative processes and the potential for liability associated with ineffective investigative units, I recommend performing an assessment of your internal investigative unit to measure its effectiveness. Corporate Compliance and Ethics Week is the perfect catalyst to kick off your initiative. The improvements that will likely follow such an assessment will lead to a measurable reduction in fraud losses. Proactive measures today will save you significant heartache tomorrow.

Have you made improvements to your corporate investigative unit recently? Please share your success story here.