PreView: Checking the Rearview Mirror and Looking Ahead

In risk management, like driving, the safest way forward is to keep your eyes on the road ahead. Every now and again, however, it’s a good idea to check your mirrors. That’s the premise behind the latest issue of PreView, Protiviti’s ongoing series on emerging risks. In our first ever “look-back” edition, we revisit some of the risks we’ve highlighted since we initiated the series in early 2014. We often advise our clients to do a look back on their risk assessments, so it is appropriate for us to take our own medicine. Risks evolve, and checking to see whether we were on track with our predictions is worth the time and effort.

A little background: PreView is a “big picture” publication that focuses on macro-level emerging risks, classified according to the World Economic Forum’s five global risk categories – economic, technological, environmental, societal and geopolitical. Protiviti’s Risk and Compliance Solutions team scans the risk landscape and selects risks they believe have the potential to fundamentally change the profile portrayed in those risk categories.

The risks we revisited in the latest issue include municipal financial instability, Big Data, mobile banking and social media lending. Here, in short, is how these risks have evolved:

Municipal Financial Instability – In December 2014, we warned of municipal instability stemming from a decline in investor appetite for municipal bonds following a wave of defaults. We also warned of a pending debt crisis in Puerto Rico.

Update: Puerto Rico has defaulted on its debt in a case that is currently before the U.S. Supreme Court. At issue: The unprecedented possibility of a state-level debt restructuring – previous restructurings in the United States have all been at the municipal level. What to watch for: If the Supreme Court allows Puerto Rico to restructure its state debt, the bond market will turn a wary eye on the State of Illinois, which is experiencing its own financial crisis.

Big Data – In 2014, “big data” and machine-to-machine communication via the Internet of Things were all the buzz, and we cautioned against over-investing in data analytics without a clear quantification of benefits. We also called for strong data governance, security and management.

Update: Big Data and data analytics have moved from the fringe and into the mainstream due in part to the rapid expansion and dropping costs of data storage, cloud infrastructure and high-speed Internet bandwidth. Using this readily available data strategically promises to fundamentally change everything, from pizza delivery to health care. Big Data also has become the backbone of modern cybersecurity. And 79 percent of business leaders agree that companies that do not adopt Big Data will lose their competitive position and may face the possibility of extinction.

Mobile banking – In our first two issues of PreView, we noted the increasing popularity of mobile banking and suggested that successful financial institutions in the future would be those that found a way to integrate mobile banking and other banking options with traditional brick-and-mortar branch operations to allow customers to choose from multiple ways to conduct their banking.

Update: Trends have continued to show that consumers are interested in an “omni-channel” experience, where they can choose among different banking options, depending on their needs. In addition, nontraditional competitors such as PayPal, Amazon Payments and others continue to disrupt the market and threaten the relationship between the consumer and his or her bank. Cybersecurity and regulatory compliance remain key risks.

Social media lending – In January 2014, we predicted that an individual’s reputation on social media platforms, rather than their traditional credit score, could become a growing basis for lending. In addition, we anticipated that social media lending would create unique and complex fair-lending compliance issues and increase reputation risk with consumers. Lastly, we stated that social media disclosures and behavior might provide lenders with a source for validating information and a predictive profile of creditworthiness in the underwriting process.

Update: We hit two out of three right, as social media lenders in the United States entered and left the market, failing to pass the fair-lending standard. Target customers for this service today seem to be young entrepreneurs outside the United States who are shut out of traditional lending by a lack of a comprehensive credit history.

I know that this short overview doesn’t come close to doing these topics justice. For a more in-depth analysis and bibliographic links, download our Volume 3, Issue 1. In our next edition, we’ll continue to look forward: Technology enabled disruption in financial services, natural resources sustainability and competition, political shifts and climate change effects on the economy are among the topics on our radar. We hope you stay engaged with us to navigate these risks.


Executive Perspectives on Top Risks for 2016

Protiviti, in partnership with North Carolina State University’s ERM Initiative, has just published the results of its fourth annual global survey of board members and C-suite executives about the top risks organizations will face over the next 12 months. We’ll be covering many of these issues in greater detail in future blog posts. For now, you can check out our video and infographic here. And you’ll find our full report and other information at


Devices are mobile, is your security policy on board?

Scott Laliberte 2By Scott Laliberte
Managing Director, Information Systems Security




With 3.4 billion smartphones worldwide as of 2015 (and 78 percent of U.S. college grads owning smartphones), chances are your employees not only own one, but they’re also bringing them to work and using them to do work when not at their desks.

It’s the BYOD – Bring Your Own Device – movement. And while many employees may find this trend convenient – and the applications and cloud services that come with those devices certainly enable this convenience – the security risks do make employers worried.

Worry, of course, is best handled with information. Employers need to know exactly what the risks of BYOD are and deal with them head-on, by creating policies that address them.

These policies should address the obvious questions, and go beyond. How, for example, do you enforce usage policy on an employee-owned device, or handle forensics on incidents involving one, be it a smartphone, simple cell phone, tablet or notebook? It is not a simple task. Personal privacy and other ethical issues abound, in addition to technological ones.

A good way to start creating BYOD policy and addressing the security risks of mobile devices is by asking some basic questions:

  • Does your organization have the authority to seize and investigate the device?
  • Does it have the employee’s passcode and permission to use it?
  • Several mobile device management (MDM) solutions can provide controls on the device, limiting risk. Does your company have such solutions and does it have permission from the employees to use them on the devices?
  • Mobile apps are conduits into an employee’s device. Do you know what kind of apps are on an employee’s device?
  • Are those apps secure? Do they support strong authentication and protection of sensitive data?
  • Do those apps introduce risk to the device or to the data?
  • Are the apps accessing information from the user, such as geolocation and personally identifiable information (PII) that can create privacy or data security concerns for the company?
  • Do the apps introduce insecure services that attackers can take advantage of? In other words, are the apps, themselves, a weak link that hackers can exploit? Keep in mind that the more widely an app is used, the greater a target it becomes since it can yield greater rewards for the attacker.

Apps, of course, are only part of the problem. Many employees rely on cloud-based storage solutions that allow them to easily access or share their own documents via their cellphones and personal computers.

Companies need to ask similar questions regarding those services, such as:

  • Are employees allowed to use cloud-based storage solutions? If so, for all data, or certain types of data? What ensures the protection of data that is sent to the cloud?
  • If storing data in the cloud is too risky, how can employees access work material from their own devices? Is desktop virtualization practical for our company? What other ways are there to remove the data control point away from the device, so if the device is lost or stolen, the data is not jeopardized as well?

There isn’t one type of BYOD security policy. Each company must create its own, asking the questions above and designing a policy that provides the right amount of flexibility to its workforce without jeopardizing data security.

Do you have an opinion on BYOD? Please share in the comments.

Procurement Power-up: Building an Internal “Brand”

Tony AbelBy Tony Abel, Managing Director
Protiviti’s Supply Chain Practice




Procurement functions proclaim their value in “millions of dollars saved,” but it’s no secret that such savings are often questioned by internal critics who counter that actual savings were less than advertised, or came at the expense of quality.

There’s no doubt that a good procurement team can generate genuine savings throughout the enterprise without sacrificing quality. The self-evident value of such efforts, however, should not be taken for granted.

A new Protiviti white paper, The Dollars and Sense of Procurement’s Real Value, explores best practices in procurement brand building. I want to highlight a couple of points from that paper.

First and foremost: Show your work. You can be the best negotiator in the world, but that’s not going to build your brand unless you and your internal customers can agree on what’s required in terms of procured goods and services and what constitutes a successful outcome.

Procurement should be knowledgeable about, and formally aligned with, the business stakeholders it supports. By working collaboratively with business partners, procurement can establish a consistent, enterprisewide view of spending and value among the stakeholders. Accurate measurements of cost reduction and the value that procurement delivers are crucial to providing your stakeholders transparency into your effectiveness.

Metrics should be agreed to upfront, in a project charter – a formal document delineating goals and desired outcomes. Value claims should be documented, auditable and aligned with a budget – a process that should include operational stakeholders, procurement and finance.

Additionally, treat suppliers as partners. Few leading procurement functions these days view their primary role as hammering suppliers on cost. While costs must be managed to generate the greatest value to the organization, top procurement functions work with suppliers to find solutions that create sustainable value on both sides of the transaction.

For example, suppliers will often offer a discount to buyers who promise to pay in ten days or less. Such trade terms can offer substantial savings over the outdated strategy of stretching out payments to earn more interest on the float, especially in today’s low interest-rate environment.

By now, you should be seeing a pattern. Relationship-building, accountability and collaboration are the hallmarks of a procurement powerhouse. By taking the time to cultivate relationships – both inside the company and with suppliers, getting straight on stakeholder expectations and success metrics, and documenting actual savings and savings, as well as cost avoidance, you’ll see your the value of your procurement brand soar.

Do you have a procurement success story? I’d love to hear about it. Feel free to reach out or share it in the comment section below.

Arriving at Internal Audit’s Tipping Point Amid Business Transformation

Protiviti just released its 2016 Internal Audit Capabilities and Needs Survey, the 10th year we have conducted this insightful study on internal audit priorities and trends. We’ll cover many aspects of this study and the results in future blog posts. For now, I invite you to view our video and infographic, and visit our website to learn more and read our report.