From Pandemics to Drones to Planning for Resource Scarcity: Protiviti Scans the Emerging Risks Landscape in the Latest Edition of PreView

As the world turns its eyes to the Olympics in Rio de Janeiro, athletes and visitors alike are being warned to take precautions against the Zika virus – a flu-like strain that comes with the added risk of crippling birth defects. The situation is so serious that health authorities are urging women in South America to avoid becoming pregnant for a year or more – a demographic anomaly with far-reaching economic implications down the road. Previous pandemics – swine flu, Ebola, SARS, cholera and MERS – have wreaked economic havoc. And the National Science Foundation predicts five new emerging pandemic diseases annually.

Viral outbreaks and their global consequences represent only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate these emerging risks according to the five global risk categories established by the World Economic Forum.

In our most recent issue, in addition to Zika, we examine several other emerging trends – the opportunities and risks of commercial drones, the growing volatility of natural resources, the future of autonomous vehicles, blockchain (the breakthrough technology pioneered by Bitcoin), and global internet accessibility. Here are the highlights:

  • Aerial drones have expanded far beyond surveillance to include crop monitoring, oil and gas exploration, retail delivery, and real estate and insurance appraisals. Key considerations: regulation, privacy and safety.
  • Blockchain, the super-secure cryptocurrency technology, has emerged from the shadows of its Bitcoin origins and is being tested in applications ranging from the automated processing of property titles to password-free interbank transactions. Recently, a blockchain platform called Waves raised $2 million in the first 24 hours of a crowdfunding campaign. Yet, cryptocurrency is still not widely accepted, or well understood. A judge in Miami recently threw out felony charges against a web designer accused of laundering $1,500 in bitcoin. The judge threw out the case because he asserted that bitcoin is not real money. Our advice: Stay tuned.
  • Autonomous vehicles are still in the development phase, with Google and Tesla projects dominating the headlines, and Apple said to be close to announcing its own self-driving vehicle. While the bugs are being worked out, researchers predict self-driving cars will be the norm by 2050 – a prospect with far-reaching effects on everything from law enforcement staffing to road construction, public transportation and commercial trucking. As more vehicles become automated, accidents are expected to decrease. Insurers, pay attention.
  • Natural resources – oil, gold, coal, rare earth elements, and water – are experiencing increasing price volatility as scarcity competes with demand, speculation and new technologies to increase uncertainty. This uncertainty poses risks to a wide range of industries, from financial services to transportation, energy, agriculture, technology and the military.
  • Internet access is the ticket to ride in a connected economy, and expanding internet access is a global priority for just about everyone who wants to reach customers beyond the digital “old world” (Europe, North America, and parts of Asia-Pacific). Increasing the online audience in the developing world presents exciting new opportunities for companies that may not currently have a way to reach these markets. Facebook and Google are the leaders in internet outreach programs – but they are not the only ones. Key hurdles: availability, affordability, readiness, and relevance of the expanding internet to the new market.

The topics summarized above offer much food for thought and discussion with your boards and strategic teams as you and they look forward. Here’s a sampling of our topics looking ahead:

  • Brexit – A developing story, with multiple risk implications. In a future publication, we will look more deeply at the economic, financial and political risks resulting from this decision.
  • Artificial intelligence, also known as machine learning, is progressing at a pace that is exciting to some and concerning to others. Pairing machine learning with quantum computing could have effects we can’t even fathom yet, which is why billions of dollars are being invested to mitigate the risk of a “cyberpocalypse.”
  • Talent retention is critical to organizations’ ability to execute growth and innovation strategies, but finding and keeping people with the requisite knowledge, skills and core values is becoming increasingly difficult. Building executive “bench strength” by grooming – and holding onto – strong-performing managers is easier said than done. Millennials continue to be a mystery for hiring managers, but their attitudes will be shaping the job market in the decades to come.

We invite you to continue the discussion, in the comment section below, and in your boardrooms and executive meetings. We welcome and value your input.

Real-World Risk Rigors Require Effective Challenge

By Matt Perconte, Director
Risk and Compliance Practice



Man plans, God laughs, according to the Yiddish proverb. Bank regulators, not so much – at least not when it comes to risk management, which continues to be an ever-moving target for financial institutions. Providing stakeholders with assurance that the risk control frameworks financial institutions have adopted will hold fast in an actual emergency is an ongoing challenge, and banks test their plans annually. The tests are meant to be aggressive and realistic – in a regulatory vernacular, they need to represent an “effective challenge.” Getting effective challenge right, however, is easier said than done.

The Federal Reserve and the OCC have published guidance outlining the characteristics of an effective challenge. I, and several of my colleagues, recently shared thoughts and advice on this as part of the Risk Management Association’s audio conference series.

As is often the case, there is a gap between present conditions and the desired future state. Risk management at many institutions is applied inconsistently across the three lines of defense and different risk types. The rules governing the control challenge process and the process for escalating risk management concerns to executive and board attention are often poorly defined, documentation is limited, and risk management often lacks the authority to effectively challenge operational managers, inhibiting mitigation efforts.

The best way for financial services providers to combat these challenges is by following leading practices – for example:

  • Building effective challenge into risk management processes
  • Clearly documenting policies and procedures
  • Documenting challenges – for example, through detailed meeting minutes at management- and board-level meetings, and
  • Requiring the appropriate escalation and resolution

Effective enterprisewide risk management requires the cooperation and alignment of all three lines of defense, plus effective oversight by top executives and the board of directors. The board of directors oversees all three lines of defense and, working closely with executive management, sets the risk appetite and the “tone at the top” of the organization to strengthen the company’s overall risk management process.

Each line of defense plays a specific role. The first line focuses on business, financial and operational risks. The second independently establishes protocols for risk and compliance decisions. The third line, which includes internal audit, assesses risk management and risk governance processes, and conducts its own tests to ensure that risk management policies are adequate and effective.

To have an impact, an effective challenge must do several things:

  • Drive two-way communication on strategic business and risk decisions
  • Provide transparency and direction to business and risk leadership before issues arise, and
  • Enable the business to grow and pursue new opportunities according to its established risk appetite

These are common-sense steps, but common sense isn’t always common. The upshot is that robust risk management is a cultural process that depends on a strong tone at the top and an engaged middle and bottom. More than just planning, best practices call for extensive monitoring and effective challenges that pull no punches and seek to make the system stronger and more secure than before. Communication is key. So is continuous improvement.

How is your organization implementing effective challenge? Join the conversation by leaving your comments below.

So You’ve Gone Public – What’s Next?

By Steve Hobbs, Managing Director
Public Company Transformation



Once a company is public, the event is often celebrated and the organization emits a collective sigh of relief. But then the next daunting question looms: “What’s next?” Recently, I had the opportunity to discuss this very topic on a podcast with my colleague Andrea Spinelli, a director in our Business Performance Improvement practice. The key aspects of a post-IPO environment, which we discuss in more detail during the podcast, include:

  • Transition from “project” to “process.” Now that the pre-IPO scramble is in the past, companies need to focus on designing, operating or enhancing processes within the organization to meet the financial reporting and other requirements for public companies.
  • Forecast the business. Forecasting can be a fairly complicated and difficult process that is often overlooked when a company is considering its IPO readiness – but it is something public companies are expected to do competently.
  • Invest in technology. There is a higher expectation for increased capability maturity from a public company. This expectation runs throughout the organization and includes the technology automation required to manage the business. Manual processes, for example, are more prone to error and create data and other integrity risks, and technology is key to minimizing those risks.

The podcast discussion provides insight on these points and more, and is of interest to both pre- and post-IPO companies. I urge you to listen at the link below when you have time, and send us a comment if you like.

Podcast: So You’ve Gone Public – What’s Next?


Compliance Issue Resolution: Responsible Business Conduct in Financial Services

By Steven Stachowicz, Managing Director
Risk and Compliance Practice



In April, I joined several of my Protiviti colleagues on a webinar hosted by The IIA’s Financial Services Audit Center. The two-hour session, titled Hot Topics in Compliance: Consumer Protection and Compliance Governance, focused on recent regulatory developments in consumer protection reforms related to the Dodd-Frank Act, including mortgage lending disclosures and debt collection practices.

It was a great session, packed with valuable information, especially Tom Giltrow’s take on the evolution of the Fair Debt Collection Practices Act, or FDCPA, and Todd Eaton’s explanation of the new consolidated mortgage loan disclosures (known as TILA-RESPA Integrated Disclosures, or TRID) that have replaced the familiar Truth in Lending and Good Faith Estimates and HUD Settlement Statement forms for consumer real estate loans.

My bit, the subject of this post, covered compliance issue resolution, and the heightened expectations financial regulators have regarding compliance management systems and consumer remediation.

I’ll say up front, as I said in the webinar, that regulatory compliance is an all-in responsibility that requires the engagement of all three lines of defense. Without standards and direction at the enterprise level, compliance management and consumer remediation tend to occur ad hoc, within individual business units or departments, which can result in inconsistent and potentially inadequate corrective and remedial actions.

In 2013, the Consumer Financial Protection Bureau (CFPB) published a bulletin outlining four expectations for what it calls “responsible business conduct”:

  • Self-policing – Robust self-monitoring mechanisms are needed to detect violations. From quality control, compliance monitoring and testing, to compliance reviews, complaint response and internal audit, as issues are identified, steps should be taken to evaluate root causes and what corrective actions and remediation might be necessary.
  • Self-reporting – Once an issue has been identified and internally evaluated or vetted by the organization, the CFPB expects that institutions self-report the issues, particularly for significant issues involving potential violations and consumer harm. Self-reporting is a difficult task for many institutions, but it is an important part of being transparent with the institution’s regulators when issues do arise.
  • Remediation – Institutions should take timely steps to detect and correct compliance issues, with an eye toward the implementation of robust, longer-term corrective actions. Consumers impacted negatively by an issue, whether financially or non-financially, should be remediated, and the redress should reasonably “make the customer whole.” This is also a difficult task, because the exact form of redress is often dictated by the circumstances rather than a clear legal or regulatory requirement. The appropriate course of action is often benchmarked against precedent, such as through public enforcement actions.
  • Cooperation – When it comes time to determine what actions, if any, to take against an institution, regulators have made it clear that affirmative credit will be reserved for those institutions that are forthcoming and transparent in working with them and law enforcement. The CFPB has stated that self-reporting and cooperation do not guarantee that the agency will not take action against an institution, but that the cooperative behavior will be viewed positively when a regulatory action does arise. Public CFPB enforcement actions have indeed borne this out.

Ultimately, the message here is that an institution’s response to a compliance issue or an adverse consumer issue can be more important than the issue itself. By focusing on root causes and timely corrective actions to address operational and technological deficiencies, and not getting bogged down in the specifics of an individual mistake or violation, organizations, with the help of their internal audit functions, can vastly improve issue resolution and governance, and possibly qualify for affirmative credit.

Our webinar was focused on internal audit and the implications of regulatory expectations and changes to compliance requirements on the internal audit function and on financial institutions broadly. Internal audit’s role in compliance issue resolution is varied – from, at minimum, ensuring that internal audit issues are tracked and resolved appropriately by the institution, to providing credible challenge to management’s overall compliance issue identification and resolution processes. Credible challenge might include review and validation of the effectiveness of the implemented corrective actions as well as the remediation provided to impacted consumers.

That’s plenty to think about for now. I hope you’ll join the conversation by sharing your thoughts in the comment section below.

Top Risks in Financial Services: Ever the Same, Always Changing

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the financial services industry.


By Cory Gunderson, Managing Director
Global Leader, Financial Services Industry




When we conducted our survey in the fourth quarter of last year, the top risks on the minds of financial services directors and executives, in order of priority, included: regulatory changes and increased scrutiny, cybersecurity, information security, economic volatility, and succession. However, risk is never static. If we were to conduct the survey today, with the significant changes over the past six months, including growing nationalist sentiment across the globe – Brexit being the most recent example – economic concerns would probably rise as high as second place, even with cybersecurity and information security remaining strong and “evergreen” concerns.

Executives perceive risk in much the same way the body perceives pain. New risks arise sharp and top-of-mind, but recede in perceived importance as the corporate body adapts to the stimulus. My colleague Richard Childs alluded to this “anesthetizing effect” in his recent post on top risks in the consumer products and services industry. In financial services, the reigning top risk – regulatory changes and scrutiny – continued a steady decline in perceived severity, and at least two other top risks from 2015 – social media and disruptive technology – dropped out of the top five.

That’s not to say these risks have receded. If anything, regulations continue to evolve and they change with greater frequency, reflecting the critical importance of a sound financial system to the world’s economy. And the level of investment in fintech – the technology driving the bleeding-edge of financial services – is growing in leaps and bounds. Rather, financial institutions are now dealing with these risk areas on a daily basis, so they are not perceived as sharply as when they first arose.

Similarly, other risks fundamental to a financial institution’s survival – such as market risk and credit risk – are so much a part of everyday life that they don’t even register on a survey like this. Things could change soon, however. We have lived in a low interest environment for well over 20 years, creating an entire generation of risk managers who have never had to manage volatile interest rate risk – at least not on the scale of the 1970s and 1980s. With the Federal Reserve strongly hinting at higher interest rates to come, regulators are keeping an increasingly close eye on this fundamental. Interest rate risk could very well become one to watch. And as in any cycle, the spectre of credit risk looms on the horizon, with many regulators looking at evidence of the risk-compounding scenario of loosened underwriting standards coupled with overheated pricing bubbles.

The bottom line is that the financial services industry, because it is central to the world’s liquidity, movement of capital, financing of business expansion and the safekeeping of wealth, is always going to be risk-heavy – and while the ranking of risks matters, it is not to be seen as an indication of one risk or another going away completely. Financial services firms are in the business of managing risk by their very nature, meaning the rankings are really more a reflection of what’s top of mind at a given point in time.

We are entering a period of increasing volatility. There are going to be stresses on financial institutions’ systems. It is important, going forward, that executives and directors work hard to remain agile and adaptive in their risk management roles, challenging all layers of defense – especially the first line – to remain engaged, and avail themselves of the latest in risk management capabilities. History has shown that when organizations become complacent, or assume that the situation of today won’t change tomorrow, risks have a way of becoming realities, and neither the regulators and policy makers nor the public at large appear to be in a forgiving mood.

Technology, Privacy and Cybersecurity Among Top Risks for Healthcare

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the healthcare industry.


By Susan Haseley, Managing Director
Healthcare and Life Sciences Industry Leader




A few years ago, several high-profile information security break-ins at banks and other consumer-facing outlets made the public all too aware of the cybersecurity dangers at financial institutions.

These days, it is healthcare organizations in the crosshairs.

When Protiviti and North Carolina State University’s ERM Initiative conducted a survey of directors and executives worldwide to identify the top risks that are on their minds, technology, privacy and cybersecurity figured as three of the top six concerns. When we zoomed in on the responses of our healthcare survey participants, disruptive technology, privacy concerns and cybersecurity figured as the third, fourth and fifth top risks, respectively. Perhaps more important, these risks saw the biggest upward change from last year.

There are several driving factors for these ratings:

With the continuing digitization of healthcare records and just about everything else, a lot of valuable information is online, ready to be hacked into. Not only do health records contain some of the same financial data as financial records, including Social Security and credit card numbers, but they also contain additional personal and highly sensitive information that can be used to forge IDs, obtain prescription medication, or even sign up for health benefits.

This has made health records much more lucrative than financial data. Patients can’t simply change their personal information like they can a credit card number. Once stolen, the information can be sold and resold, or used to inflict personal damage. If the hack is into a medical device, such as a pacemaker or an insulin pump, the personal damage can be fatal. This last issue is so serious that the FDA has issued a draft guidance specifically for medical device manufacturers. As you can imagine, healthcare providers that use those devices are seriously concerned.

In the last six months, these topics have been on every agenda of every board in which I participate.

This is not a theoretical concern. Organizations need to consider all the possibilities and potential responses, including:

  • How would the company respond to a cyber incident? What is the incident response plan and policy?
  • What will the company do if a cyber attack brings down the computer network? How will staff handle patients without access to their electronic records?
  • How will the organization handle the adverse publicity?

Given all this, I am not surprised that the concerns about risks surrounding technology and cybersecurity shot up this year, while traditional healthcare worry staples like regulation and healthcare reform costs dropped.

One silver lining is that with risk awareness comes action. And healthcare organizations really don’t have a choice when it comes to technological innovation and digitization. Patients demand it. Other healthcare providers are doing it. Electronic healthcare records are nearly universal, and patients demand access to information and their doctors from anywhere – on their phones, at work, while travelling. If a provider fails to innovate to meet these demands, the patients will go to the provider who does.

Healthcare institutions have another big incentive to continue innovating. The successful healthcare organization of tomorrow is not the one that treats disease but the one that manages the health of its patients. To figure out how to do that, healthcare organizations need to harness data – continuous information about their patients’ health that will help prevent many of the expensive and urgent procedures that keep costs up today. With the increased amount of data comes an increased need to protect the privacy and security of the sensitive information. Advanced technological solutions, data security and data analytics are simply part of becoming a successful healthcare organization.

I am interested in your take on our findings. Access the healthcare-specific findings of our Top Risks survey here.

Global Instability, Cybersecurity on the Minds of Manufacturing and Distribution Industry Executives

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the manufacturing and distribution industry.


By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader




Not surprisingly, economic conditions and financial market volatility top the list of manufacturing and distribution concerns for 2016, and the degree of concern is higher than in prior years. Manufacturers, to a greater extent than many other industries, depend on global sourcing so it’s no wonder that manufacturing executives would be more concerned than usual, given the widespread and growing uncertainty about the financial stability of key U.S. trading partners around the world on whom U.S. manufacturers depend for everything, from polymers and resins to product assembly.

In addition to supply chain concerns, manufacturers worry about sales. Global instability makes it harder to predict where production and inventory will go. Top of mind at the moment: the concerns over Great Britain’s withdrawal from the European Union, as well as economic turmoil in China and Brazil.

Cyberthreats surged into the top five risks for manufacturers for the first time this year. We interpret that as a growing concern for critical systems and infrastructure that we haven’t seen previously in this sector. The concern is indicative of a growing awareness by directors and executives of the vulnerability of networked devices in an increasingly connected global economy with increasingly sophisticated data harvesting and analytic tools.

Unlike, say, retailers, who might be primarily concerned with protecting customer data, manufacturers are primarily concerned with protecting trade secrets and the integrity of networked production equipment. Within manufacturing IT, we’re seeing more focus on security architecture, specifically related to robotics and embedded technology communicating machine-to-machine via the Internet of Things.

Given these changes, it is perhaps not surprising that manufacturers cited recruiting and retaining top talent as one of their top 5 concerns. There is an increased demand for accurate and timely analytics with which to counter market uncertainty – and personnel capable of extracting actionable intelligence from the overwhelming and growing amount of available data. Automated manufacturers are also aware that they need a higher level of cybersecurity expertise to thwart potential disruption and maintain a competitive edge.

Finally, regulatory risk appears in the top five again, as it has for three years in a row. Manufacturers have a significant and fairly consistent compliance burden when it comes to occupational, environmental, health and safety requirements. More recent concerns have included ethically sourced materials and labor. Regulatory challenges change over time, of course, but history suggests that compliance with regulations will remain a fundamental performance concern for executives and directors.

You can read the key findings and additional commentary in our manufacturing-specific report, which you can access here. The entire survey is available here.