Top Risks in 2015: Webinar Takeaways with Mark S. Beasley

Given the critical importance of auditing the right risks, I’ve spent considerable time analyzing the results of the annual 2015 Executive Perspectives on Top Risks, conducted by Protiviti and the North Carolina State University’s ERM Initiative, and I continue to refer to it often to this day. Having already covered the release of the report itself and the key findings, today I’m going to touch on the significant shifts we’re seeing year over year.

Analyzing the trends behind shifting priorities isn’t easy, but one trend calling for attention is this: Creating an organizational culture capable of effectively responding to the escalating speed of change and risk is key.

That’s the conclusion I reached with my good friend, Dr. Mark S. Beasley, Director of the North Carolina State University ERM Initiative. In a recent webinar I hosted with Mark, we reviewed the risks, noting that the familiar ones maintained their positions at or near the top of the list. For example, the impact of regulatory changes and heightened regulatory scrutiny has been the top risk annually since the study’s inception in 2013, and was number 1 again this year. We believe that’s a direct reflection of management concern that even marginally incremental regulatory change can add tremendous cost to a corporation – and the mere threat of regulatory change can create uncertainty in hiring and investment decisions.

Similarly, economic conditions – worries about oil price volatility, the effect of economic sanctions against Russia and other geopolitical matters, and currency issues – rated highly again: number 2 this year, even if their scores were lower than last year.

Most striking, however, are the risks that moved dramatically up the list as well as those that showed the greatest increase in their significance. In nearly every case, these risks, directly or indirectly, are tied to technology and disruptive innovations.

Concern that organizations may not be sufficiently prepared to manage cyberthreats jumped from number 6 to number 3 – a growing indication that management now views such incidents as a matter of when, not if.

The following are the top 5 increasing risks (based on an increased risk rating in 2015 versus 2014, as determined through our analysis of the survey results):

  • Insufficient preparation to manage an unexpected crisis significantly impacting an organization’s reputation.
  • Inability to utilize data analytics and big data to achieve market intelligence and increase productivity and efficiency, significantly affecting an organization’s management of core operations and strategic plan.
  • Insufficient preparation to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage an organization’s brand.
  • Inability to meet performance expectations related to quality, time to market, cost and innovation as well as an organization’s competitors.
  • The rapid speed of disruptive innovations and/or new technologies within the industry may outpace an organization’s ability to compete and/or manage the risk appropriately, without making significant changes to its operating model.

It is interesting that three of the fastest increasing risks deal with operational issues – and technology is emerging as a core theme, which we will continue to watch closely.

Indeed, even concerns about sustaining customer loyalty and retention – a new risk introduced in the survey this year debuting at number 9 – can be linked to technology and its impact. My takeaway on this particular risk is that the rapid pace of change and disruptive innovations are leading to drastic changes in customer preferences as more choices and transparency emerge in the marketplace. These innovations are making it more challenging to retain customers in an environment of slower growth.

Which leads us back to the most critical issue that must be addressed – I suggest heeding Dr. Beasley’s warning:

“Ultimately, culture is king,” he said. “We need to be adjusting business models in this rapidly changing environment. … Our reluctance to embrace change could really put us at a disadvantage.”


Training Is Key to Maximizing SharePoint Investment

By Mike Steadman
Managing Director, Leader of Protiviti’s SharePoint practice




If you are one of the more than 100 million customers who have purchased or licensed Microsoft SharePoint, you’ve probably adopted the platform to improve a spectrum of operations, ranging from optimizing business processes to enhancing efficiency to having better access to analytics within your organization.

Are you maximizing your investment?

According to a recent Association for Information and Image Management (AIIM) survey, nearly 50 percent of responding organizations reported that “lack of expertise” was the No. 1 issue limiting the organization from maximizing SharePoint’s usefulness. Furthermore, only 28 percent were using SharePoint across their entire workforce.

The disconnect between software purchase and user adoption is not only wasting the millions of dollars spent on acquisition, it is also preventing the realization of benefits, such as the additional revenue and savings that companies signed up for when they made a decision to invest in SharePoint.

One of the most common problems undermining SharePoint maximization is that organizations often task their overworked IT department with the responsibility for training users. That’s a daunting proposition for IT, which juggles a variety of business-critical initiatives on a daily basis. With IT departments busy implementing new technology almost continuously, user training frequently gets short shrift.

The largest companies are beginning to see the problem. According to the results from Protiviti’s 2015 IT Priorities Survey, large company respondents have elevated “end user adoption of data tools” to a significant priority. In 2014, user adoption rated only moderate attention.

Typically, stakeholders involved in SharePoint implementation invest significant effort evaluating their options, selecting the software and partnering with the vendor to implement the solution. Often, however, once the “go-live” event is completed, they return to their previous duties. Meanwhile, end users are whisked onto a new platform, often with minimal training, even though they haven’t been engaged in the implementation and may not have even received an explanation for the change. Is it a surprise that they may not be hitting the ground running and fulfilling the efficiency promises of SharePoint?

That’s why it is imperative for individual business units to partner with IT and take the lead for adoption by clarifying and personalizing the benefits that can be achieved.

An overall strategy must be established up-front to address the big picture of the implementation: determining needs, setting objectives and understanding the audience for proper training. The latter includes taking into account factors such as demographics and preferred learning methods of different user groups. For example, classroom-based training may be best for baby boomers whereas online learning modules are better suited to engage Gen Y-ers.

The following are critical steps for establishing sustainable user adoption, taken from the white paper Keys to Sustainable User Adoption of SharePoint:

  • Generate awareness: The executive staff needs to engage end users early and actively by promoting specific benefits of adoption. The goal should be to proactively answer the question: “What’s in it for me?”
  • Assess capability: It is common for end users to exhibit a wide disparity in capability. Creating a simple survey that establishes a baseline of knowledge will help identify initial training priorities. The survey also can help the executive team identify and recruit potential leaders among the end users to serve as peer mentors.
  • Establish learning objectives: The assessment also should be used to develop specific learning objectives for the training process. The objectives should be practical and measurable. If the training focus is on using a key SharePoint functionality, end users need to demonstrate the ability – for example, upload and download documents, apply metadata to documents and create search queries.
  • Use curriculum-based training: In addition to demonstrating software functionality, end users need specific training in areas that will be most applicable to their roles and responsibilities. This is best done in a lab environment with active instruction and support to help end users obtain hands-on experience.
  • Use environment-based training: Similar to curriculum-based training, this approach introduces end users to best practices within the organization and can also familiarize them with governance strategy. Once this step is completed, the executive team can expect accountability from individuals and departments on the effective use of SharePoint.

Last but not least, it’s important to establish a budget for training – and to do so in the context of the projected financial benefits that will be achieved through high levels of adoption. A rule of thumb is to invest half of the expected benefits value (e.g., 20 percent process efficiency) over one year, aiming for a 6-month ROI. By making such a commitment to training, the organization stands to achieve greater adoption and a greater ROI both in the short and long term.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but concerns have been raised as well. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.


Effective Date of Revenue Recognition Standard to be Deferred

Yesterday, the Financial Accounting Standards Board (FASB) voted to defer, by one year, the effective date of the board’s new revenue recognition standard. Issued almost a year ago, this new guidance resulted from a collaborative effort by the FASB and International Accounting Standards Board (IASB) to agree on a global standard based on common principles that can be applied across industries and regions. The FASB voted for a one-year deferral of the effective date of the new standard and will issue an exposure draft proposing the deferral, with a 30-day comment period.

With respect to public companies: In the original release, the new standard is expected to be effective for fiscal years, including interim periods within those years, beginning after December 15, 2016. The proposal would now require application of the new standard no later than annual reporting periods beginning after December 15, 2017, including interim reporting periods therein. For example, a calendar year reporting company would now be required to apply the new standard during 2018, including the interim periods therein.

For nonpublic entities: The standard, as originally issued, is expected to be effective for fiscal years beginning after December 15, 2017, and interim periods thereafter. The proposal would now require application of the new standard no later than annual reporting periods beginning after December 15, 2018, including interim reporting periods therein. For example, a calendar year reporting company would be required to apply the new standard during 2019, including the interim periods therein.

Under the proposal, public entities would be permitted to elect to early adopt the new standard as of the original effective date, as described above – in effect, a year earlier than the proposed new effective date. In addition, a nonpublic entity may elect to apply the amendments as of the original effective date for public companies. The originally proposed new standard did not allow early adoption.

The FASB’s proposal is based on its outreach to various stakeholders. The board determined that a deferral is necessary to provide companies adequate time to effectively implement the new standard. Interestingly, the IASB (which also issued this standard) has not provided a specific timeline to make a decision regarding a potential delay in its original effective date, although at least one of its board members has referred to such a delay as “inevitable.”

What does the deferral mean?

This deferral is not a surprise. Not only was it expected, but it has been an assumption baked into the planning and implementation practices among many companies that have started the transition to the new standard in earnest. In effect, a one-year delay still means “full steam ahead” for public companies, especially for those who may not have begun working on the transition process.

A quarter of the current year is now spent, and by the time the exposure draft and comment period are done, it could be half the year. Thus, the only delay is in the effective date of the standard; there should be no delay in management’s efforts to position the organization in a prudent state of readiness.

The introduction of the “early adoption” option presents an opportunity for those who have started, were focused on the new standard and now are, or will be, ready to adopt early. Also, it presents yet another choice (whether to early adopt) to the list of decisions for companies, which already includes deciding whether to adopt prospectively or retrospectively. This added choice is one with which the audit committee and the external auditor will want to be involved. In addition, analysts, regulators, lenders and other stakeholders may have an interest in the organization’s decision. The possibility of early adoption by some, but not all, also allows those who might be more cautious to learn from the triumphs and mistakes of the early adopters.

Whatever management’s take on the available options, the pressure remains on the immediate need for companies to perform diagnostic work to demystify the impact on their financial reporting. Otherwise, absent a determination of the impact of the applicability of this new standard, they risk overestimating either the simplicity or the complexity, and run the risk of doing too little, too late, or too much, too soon.

One other point: Now that early adoption will be available for those who have already moved forward with the transition under the original timeline, it will be interesting to see how companies respond when their peers early adopt.