Security, Data Analytics, Smart Leadership – the Trifecta in Consumer Products and Services

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the consumer products industry.


By Richard Childs, Managing Director
Consumer Products and Services Industry Leader

The list of top risks in the consumer products industry – regulation, customer loyalty, cybersecurity, growth, and employee recruitment and retention – has remained remarkably consistent year to year. In 2016, the perceived significance of those risks decreased across the board, but it’s hard to say whether this is a statistical anomaly or indicative of the anesthetizing effect of managing significant risks over an extended period.

From Protiviti’s perspective, we have not seen anything to suggest any ebb in the disruptive forces at work in the industry. If anything, consumer demands are increasing as technology and competition foster expectations of a consistent and fluid shopping experience across multiple channels – allowing customers to shop online, accept delivery on their doorstep and return goods in the store, for example.

If anything, this so-called “omni-channel” business model is increasing risks, by demanding that retailers simultaneously collect more data and invest in better security to keep it safe and analytics to make it actionable. This increased reliance on data, delivery and telecommunications increases the risk of regulation and regulatory scrutiny.

Finally, it ups the ante on consumer products and services companies to recruit and retain employees and executives capable of embracing change without losing sight of unique brand values and brand-specific customer expectations.

In my experience, the executives I work with are well aware of these challenges. This leads me to lean toward the idea that executives who responded to our survey are already so engaged in the process of dealing with the risks they identified that perhaps those risks don’t loom as large as before.

The most interesting risk I see in the industry today is also an opportunity – and that’s deep data analytics. Big retailers have been capitalizing on this opportunity for some time, digging deep, mining customer data, trying to drive repeat purchases. They’re getting very good at providing customers with what they want, when they want it, on the customer’s terms, and still managing to control inventory without running out of stock. That’s not so much the case with mid-size and small companies, but it’s what they should be doing to remain in the game.

Bringing all of that home, I think there are really three areas where consumer products and services companies should be investing now to mitigate risks and get the best return on their strategic risk management investment. The first area is data security – nothing will do more damage, faster, than the public disclosure that a retailer failed to protect customer credit card data. Second, data analytics – the ability to analyze and predict customer spending – is going to be critical to retail success in an omni-channel world. And finally, talent acquisition – the right team can make a critical difference. These days a new CEO usually comes with a new team and a whole new brand philosophy. Experience has shown that what connects a brand with its customers at one company can turn customers off at another. A CEO with innovative ideas can propel a company upward – or plunge it towards the bottom. So this is a critical risk.

All of these are good challenges to have, and it’s a fascinating time to be in the consumer products and services industry. I would definitely encourage you to download and read the overall survey and the industry findings. And I’d love to read your thoughts in the comment section below.

Technology Leaders Worry That Their Companies May Be Too Resistant to Change

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on technology, media and communications.


By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

“Only the paranoid survive.” – Andy Grove, former Intel CEO

Companies in all industries face a number of risks these days, ranging from volatility in equity markets, falling oil prices, global terrorism and expanding regulation and oversight to technological disruption. The technology, media and communications (TMC) industry is no exception to these trends. But while TMC leaders remain concerned, they appear to be less so than they were last year – with one exception.

While it appears surprising, at first, that TMC respondents were somewhat less concerned than they were last year about four of the top five risks identified in the survey, on further thought, it makes sense: The intrinsic technological nature of these companies requires them to stay ahead of the curve, and many have made serious efforts, after recognizing the risks back in 2014, to address them, including cyber threats, disruptive innovations and privacy concerns. They are also less worried about economic conditions restricting their growth.

I found it really interesting that the one risk that keeps technology leaders awake at night this year more than last is their concern that resistance to change in their companies may be standing in the way of necessary adjustments to their business models.

What to make of this? The survey did not delve into precisely why leaders were feeling differently, but it does stand to reason that with the speed of technological disruption, they are becoming more aware of the need to keep up by being agile and open-minded. I’ve heard it said that disruption is great – if you happen to be the one disrupting. It’s obviously less advantageous when you are the one being disrupted – and the finding underscores this awareness.

Case in point is the industry’s grand exodus from the old world of packaged software and hardware to the new world of software/platform/infrastructure as a service (S/P/IaaS). If you are an established player, the migration from the box to the cloud means fundamentally changing your entire business model.

These days, the threat to established technology companies – and there are many – comes from newer companies that were “born” in the cloud, so to speak – companies for which migration was never an issue. And while some, like Amazon and Microsoft, have demonstrated their ability to not just adapt but reaffirm their market dominance, others are still in the process of getting there – and they worry they may not get there fast enough if their organizational mindset lags behind.

Managing the risk that comes with a change in business model is a concern too. A cloud provider, for example, assumes the cybersecurity risk on behalf of its customers. If you are a born-in-the-cloud company, you likely have the effective organizational mindset and the resources to address this risk. Others will need considerably more preparation in that regard – and may worry that resistance from the inside may hinder the imperative to innovate.

What’s the takeaway point? Companies in the technology sector must stay on top of their enterprise risk management (ERM) planning. They want to have access to the right information about emerging risk from their risk committees and management teams, so they can adjust quickly. These are things that should not be left to chance.

It’s important to remember that risk is a moving target. Executives are going to react differently at different times, depending on what’s going on in their markets and with their customers. But self-examination and honesty are hallmarks of this industry – and rest assured, industry leaders are continually examining their businesses and striving to ensure they have the best practices with which to face change. Let’s just call it healthy paranoia.

SOX Costs Are Rising But So Are the Benefits

SOX costs are rising but so are the benefits for companies. Improved control structures, ability to address emerging risks and enhanced business and IT processes are some of the upsides. Listen to Brian Christensen, Protiviti’s global leader of Internal Audit, address these benefits, as well as cost reducing opportunities around SOX.

COSO Unveils New ERM Framework

By Bob Hirth
Chairman, Committee of Sponsoring Organizations of the Treadway Commission

Editor’s Note: This week, COSO released for comment the much-anticipated update to its ERM Framework. I asked Bob Hirth, Chairman of COSO, if he would share his thoughts with us on the new framework. Bob graciously agreed. — Jim

After 18 months of hard and focused work with our advisory council and official observers, COSO is releasing the public exposure draft of its revised enterprise risk management (ERM) framework. This is truly a leading-edge piece of thought leadership on ERM and will help all organizations improve the way they develop and set strategy, make decisions, manage risk, and enhance their performance overall. It also will aid them in creating a risk-aware culture throughout their organization and developing a discipline around effective ERM.

The exposure draft introduces five components and 23 principles of effective ERM against which any organization can compare itself and develop a plan to improve its ERM practices. In turn, this should help it meet more of its key objectives over time.

Please visit our COSO ERM website for information on how to obtain a copy of the draft and participate in the comment process. The comment period will end September 30.


AML Lookbacks: Top 10 Lessons Learned

By Carol Beaumier, Executive Vice-President and Managing Director
Regulatory Compliance Practice

Regulators may require a financial institution to perform a transaction review of historical activity, often referred to as a “lookback,” when they determine that the financial institution does not have an adequate transaction monitoring program and/or has not evidenced sound decision making in determining whether transactions are suspicious or not. The scope of the lookback may span from six months to multiple years. Often, the regulators will mandate that the financial institution engage an independent third party to perform the lookback.

Lookbacks are time-consuming and costly and often perceived by the industry as punitive exercises that provide little real value to an institution. If your institution is facing a lookback, consider the following lessons learned for maximizing efficiency and value.

  1. Select the right party: If you are required to engage an independent third party, make sure you select a firm that will be credible with the regulators (who often will need to provide a non-objection), that has lookback experience comparable to the scale of your lookback, and that understands the customers you serve, the geographic markets in which you engage, and the products and services you offer. If the third party you are considering does not meet these criteria, choose another firm.
  2. Understand the approach: Ask the third party how it will approach the lookback to achieve maximum efficiency – for example, what transaction data will and will not be in scope, how it will produce alerts, how it will triage and assign alerts for review, what documentation will be developed and where this documentation will be stored, and what will the final deliverables be. If the third party cannot readily respond to these questions, consider another firm.
  3. Be candid and open about the challenges: If you know from your own experience that the third party is underestimating the number of potential alerts, that certain information (check details, for example) will be challenging to retrieve, or that certain customers/counterparties are likely not to be cooperative in responding to questions because of, for example, privacy laws in their home country or because you terminated your relationship with them subsequent to the lookback period, tell the third party. This will help ensure that they build a realistic project plan and timetable.
  4. Get regulator buy-in: Whether it is explicitly required or not, ask for the regulators’ feedback on the planned approach and deliverables. This will help ensure that the lookback methodology and final deliverables will align with regulatory expectations.
  5. Ensure availability, access and understanding of data: Invest time at the beginning of the project to ensure that the third party performing the lookback has access to all required systems (core systems, transaction monitoring systems, know your customer [KYC] systems, etc.) and take the time to explain these systems and their configurations (for example, are there products that are not included in your transaction monitoring system, are certain transaction codes suppressed in the system, do you use “white lists,” how are accounts linked?). Doing this upfront will minimize the potential that the party performing the lookback will form opinions based on flawed or incomplete data or lack of understanding of the data, or that work will need to be re-performed because the wrong or inadequate data was used.
  6. Establish and communicate operating protocols: Effective and timely communications will be critical to meeting the lookback project timeline. Make sure you and the third party are on the same page with respect to how and to whom questions will be escalated and how long you have to respond to those questions. Also, remember that the final report is expected to include information on the disposition of any activity referred to you by the third party for SAR filing consideration. The expectation is that disagreements between you and the third party on when a SAR should be filed will be minimal, but when they do occur, you should document your rationale clearly and completely.
  7. Stay engaged: Just because the third party is required to operate independently, it does not mean you should not be informed about how the lookback is progressing and what the third party firm is finding. The third party should provide you with regular status reports and hold periodic status meetings. If this is not the case, you should require this. Regulators will expect this of you, and you certainly don’t want to be blindsided at the end of a lookback project by finding out that you need to file an unexpectedly large number of SARs.
  8. Consider how the results of the lookback will be integrated into your monitoring program: Often, lookbacks are performed in a system environment you provide, but that is segregated from your existing production environment. Make sure you understand how the information developed during the lookback (investigation files, SAR/No SAR decisions, etc.) will be integrated into your case management system at the completion of the lookback so that you have complete records.
  9. Ask for recommendations: Although the primary objective of the third party is to identify any potentially suspicious activity that you may have missed, the third party will learn a lot about your customers and their activity, and your existing transaction monitoring capabilities and processes. Ask the firm to provide you with recommendations on changes you can make to enhance your transaction monitoring.
  10. Respect the independence of the third party: You should always expect the independent third party to ask for your factual review of deliverables and, while you are always free to suggest other changes, you should understand that the third party may not always agree with you and is obligated to report its findings objectively, based on its own work and convictions. It is important to the credibility of the lookback that both you and the third party respect the boundaries of independence.

You can download the AML infographic here.

Internal Audit at Financial Institutions Is Evolving

By Mike Thor, Managing Director
Internal Audit Practice Leader for Financial Services in North America

Financial firms’ risk profiles are continually challenged by new regulatory requirements and heightened expectations from supervisors requiring firms to advance their risk management processes. At the same time, advances in technology are driving consumer demand for more mobile services, even as new entrants, the so-called fintech companies, are transforming the competitive landscape. All this means that demands on chief audit executives (CAEs) and internal audit departments at financial institutions are increasing in proportion to these new challenges.

Under the heightened standards for large financial institutions, a set of guidelines issued by the U.S. Office of the Comptroller of the Currency (OCC), the role of internal audit is defined as opining on the readiness and design of the risk management systems and corporate governance structures of the institution, including its risk culture and risk appetite. To fulfill this role, auditors at financial services firms need to improve their technical knowledge in several areas, according to Protiviti’s latest Internal Audit Capabilities and Needs Survey, a comprehensive survey of internal audit professionals conducted in the fourth quarter of 2015.

A special industry-focused publication derived from the larger survey’s results, Top Priorities for Internal Audit in Financial Services Organizations, zooms in on the concerns and outlook of internal audit leaders within the financial services industry. In summary: The list of internal audit priorities for financial services firms is only getting longer, and internal auditors are noting the need to improve their knowledge in key areas, specifically cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

In addition, as the last line of defense, internal auditors need to streamline their processes to foster a more agile and efficient internal audit approach. The survey makes clear that during the past year, internal audit executives have advanced in their efforts to connect with the lines of business and management as part of collaborative efforts to improve oversight and to help the organization understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defense while also helping organizations become more efficient and optimize existing resources – an important goal, since difficulties in hiring and retaining talent have become more acute in recent years.

In light of this talent shortage, internal audit functions are increasingly considering investment in technology-enabled auditing approaches and tools, which can help them meet two important objectives: 1) address their growing list of priorities more efficiently, and 2) stay current and effective in their approach to risk, as banks continue to adopt emerging technologies in an effort to remain competitive in a rapidly evolving marketplace.

By improving their efficiency, knowledge and effectiveness, internal audit functions will be able to better assist their organizations in their continued growth. The improved skill set also will help position internal audit for its growing role of a key strategic partner in the broader enterprise – a role very much in demand, according to the recently published North American results of the 2016 Common Body of Knowledge (CBOK) Stakeholder Survey (with global results coming soon).

Finally, the reports on internal audit priorities, both the overall findings and the financial services edition, provide more than just a snapshot of the areas internal audit executives are most concerned about. The publications also offer real, practical advice from Protiviti experts from a variety of subject areas on how internal audit functions can achieve their goals and objectives. They discuss hot topics and changes that have occurred over the past 12 months in the financial services industry, and their impact on the work of internal audit. Download the two reports here and here.

Understanding the Costs and Benefits of SOX Compliance

Protiviti has released the results of its latest Sarbanes-Oxley Compliance Survey, which offers a wealth of data and insights about the SOX costs and hours tied to compliance, and benchmarks the control environments of a broad spectrum of organizations. Learn more at our SOX Survey site, and view our video and infographic here.