SOX risk assessment

Top Risks 2016 Webinar Follow-Up: Jim DeLoach on Changes in Risk, Technology and Culture Challenges

Jim DeLoach, Managing Director Host, The Protiviti View

A few weeks ago, Protiviti and North Carolina State University’s Enterprise Risk Management (ERM) Initiative published Executive Perspectives on Top Risks for 2016, the results of an annual survey. Regulatory changes topped the list of executives’ and directors’ concerns for the fourth consecutive year, followed by economic concerns and worries about cyber threats. Operational risks dominated, overall, accounting for five of the top 10 risks. I had a chance to discuss some of the findings in a March 23 webinar, along with Mark Beasley, the Deloitte Professor of Enterprise Risk Management at North Carolina State University, and Pat Scott, Protiviti’s executive vice president of global industry and client programs.

The online Q&A dialogue was robust, and we were only able to get to a few questions. I wanted to continue the discussion here, responding to those we did not have time to address, or address in detail:

Q: Are you surprised that operational risks are trending higher than strategic risks? I would think strategic risks would have a much deeper impact in the long term.

A: Sustaining growth is a challenge in the current global economy for many companies, so no, it’s not surprising that operational issues and bottom-line concerns are top of mind for executives right now. We have been experiencing a slower growth rate, and there does not appear to be, at least over the near-to-intermediate term, a prospect for a significant upturn in economic activity. So organic growth is more challenging, which drives companies to focus intrinsically on sustaining customer loyalty by improving their customer fulfillment processes and customer service, while also improving quality, time, cost and innovation continuously to maintain margins. This commitment to operational excellence is not suggesting strategic risks aren’t important. It’s more a question of preserving bottom-line performance.

Q: Why do you think the concern over economic risk is so high? No major economies are in recession or expected to be, according to the International Monetary Fund.

A: I think it’s a matter of judgment as to what that really means. Economic risk is very fluid, and I think if we had conducted this survey in the first quarter of 2016 instead of the fourth quarter of 2015, the perspective might have been totally different. I do think CEOs have some concerns as to what the economic outlook is. China is a concern. You’ve got challenges in Brazil, and growing concerns about the stability of the European Union. In addition, the concern over economic risk may be less of an issue with regard to recessionary fears and more a concern over achieving more robust growth rates that facilitate aggressive hiring plans and investments to expand in new markets. We expect this risk to continue to fluctuate as time goes on.

Q: What do you think is the contributing factor to this uptick in the perceived global risk environment given that most of the highly ranked risk environments have been here for the last couple years? Are companies just waking up to this?

A: Another macroeconomic question, and one we discussed on the call. We stated that we didn’t think anyone was just waking up to recognize the global risk environment. We’ve done this study for four years, and each year it was clear that executives and directors perceive a risky environment in which to do business. But to the question about this year’s results specifically, you’ve got the geopolitical environment exemplified by the Syrian refugee crisis, a rise in terrorism, an acute decline in oil prices, global tensions, and uncertainties raised in the U.S. presidential race. C-level executives are looking at this environment and saying: “We see a higher level of risk this year.”

Q: Any advice on how to mitigate risk caused by use of technology that is more advanced than the controls available?

A: This question is also one we discussed during the webinar, but it bears repeating here. Disruptive change through advances in digital technologies has two primary impacts. The first is strategic, and involves constant vigilance to ensure that an organization’s business model is current and competitive. You have to compete at, or ahead of, the pace of change or you risk becoming obsolete or disintermediated. The second, which gets to the control issue, involves 1) knowing what your “crown jewels” are – that is, the information and proprietary assets you want to protect at all costs; 2) constantly monitoring and assessing the threat landscape; and 3) having an effective response program. Today’s rapidly changing technology environment – with its constantly moving targets of third parties, mobile computing, BYOD and the cloud – makes the management of security and privacy issues more complex. Therefore, the organization’s control framework has to be agile and flexible enough to adapt to the changing risk landscape.

Q: How can internal audit work with the C-suite to achieve consensus on the top risks on which they differ? What should be the main objective of the risk discussion? (e.g., alignment to business objectives, consensus on the top risks)?

A: A couple of things: One of the main takeaways of our study, in my opinion, is that C-level executives and board members have differing perspectives as to what the key risks are. This isn’t, in itself, a problem, because it represents a healthy diversity of opinion and perspectives. What is important is that organizations have a process by which they capture these differing opinions and perspectives, by making sure they are heard and understood by the organization’s leaders, and bring these perspectives to bear in assessing risks and developing a comprehensive risk mitigation strategy.

Q: Can you talk about the difficulty in changing a company’s culture to deal with risk?

A: This is a great question. It’s difficult to alter any organization’s culture. The challenge is to ensure there is a strong tone at the top (which requires effective board oversight), and that the tone in the middle is aligned with the tone at the top. The objective should be to make sure that your line managers and middle managers are talking the same message and practicing the same core values communicated and practiced by the CEO and senior executive team. The rank-and-file pay more attention to what their immediate supervisors say than what the CEO says. In that sense, the tone in the middle is at least as important as the tone at the top and is the key to ensuring that the tone at the bottom is consistent with the tone at the top. While this doesn’t make it easy, it does provide insight as to what needs to be done to shape the culture to fit the core values espoused by the organization’s leaders.


Add comment