FWM A G A Z I N E

R E P R I N T | F I N A N C I E R W O R L D W I D E M A G A Z I N E

������������������������ ��������������������������

����������������������������������������������

�������������������������������

�����������������������������������������������������������������������������������������������

��������������������������������������������������������������

Magazine-FW-October11A.indd 1 27/9/11 11:12:28

S P E C I A L R E P O R T

M A N A G I N G R I S K

© 2011 Financier Worldwide Limited.Permission to use this reprint has been granted by the publisher.

REPRINTED FROM:

OCTOBER 2011 ISSUE

www.financierworldwide.com

FINANCIERWORLDWIDEcorporatefinanceintelligence

SPECIAL REPORT

Managing risk

sponsored by

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

FORUM

Are you ready? – five steps to manage organisational risksRISK AND INSURANCE MANAGEMENT SOCIETY, INC.

Risk oversight: of ‘rogues’, reporting systems, and reasonable doubt NATIONAL ASSOCIATION OF CORPORATE DIRECTORS

Managing anti-corruption risk in mergers and acquisitionsBAKER & MCKENZIE LLP

Fish cannot see water: why companies failSOLON GROUP, INC.

CONTENTSTop 10 risks to global business

From reactive to proactive

The current state of enterprise risk oversight

Managing risk in a changing business and technology environment

Addressing the systemic part of liquidity risk

ORGANISATION GLOSSARY

THE PANELLISTS

Scott B. Clark is a President and Director at RIMS. He can be contacted on +1 (212) 655 6059 or by email: sclark@rims.org.

Scott B. Clark is president and director of RIMS. He currently serves RIMS as secretary. He has served on RIMS’ board since 2000 in various capacities. He has been a member of the Society since 1987, and has served on RIMS Member & Chapter Services

and RIMS Safety and Health Committee. He is a founder of RIMS Greater Miami Chapter where he has twice served as president.

Craig Wright is a Partner and National Head of Risk & Advisory Services at BDO. He can be contacted on +44 (0)7800 682016 or by email: craig.wright@bdo.co.uk.

Craig Wright is a partner at accounting firm BDO LLP and is the firm’s National Head of Risk and Advisory Services. He is a Chartered Public Finance Accountant and member of the

Chartered Institute of Internal Auditors. Mr Wright has extensive experience in internal audit, risk management and corporate governance at a strategic level. He

has led on reviews for major regulators, funding bodies and major corporations.

Peter Beardshaw is a Partner at Accenture. He can be contacted on +44 (0)207 844 7550 or by email: peter.beardshaw@accenture.com.

Peter Beardshaw is executive director – Accenture Risk Management. Based in London, Mr Beardshaw brings over 15 years of deep experience in delivering target operating

models and business process redesign initiatives within the credit risk and capital management areas. His broad experience in investment banking program management and change management, in addition to his technical experience in multiple asset classes across front, middle and back office helps organisations become high-performance businesses.

Holly J. Gregory is a Partner at Weil Gotshal & Manges LLP. She can be contacted on +1 (212) 310 8038 or by email: holly.gregory@weil.com.

Holly J. Gregory is a partner in the international law firm of Weil Gotshal & Manges LLP where she counsels companies and boards of directors on the full range of governance issues,

including fiduciary duties, risk oversight, conflicts of interest, board and committee structure, board leadership structure, audit committee investigations, board audits and self-evaluation processes, shareholder initiatives, proxy contests, relationships with shareholders and proxy advisory firms.

FORUM

Scott B. Clark of RIMS moderates a discussion on enterprise risk management in today’s challenging market between Peter Beardshaw at Accenture, Craig Wright at BDO and Holly J. Gregory at Weil Gotshal & Manges LLP.

Enterprise risk management (ERM) in today’s challenging market

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

Clark: In your opinion, are corporate boards and management teams paying enough at-tention to the risks facing their business? How have attitudes and outlooks changed in recent years?

Gregory: Board and management under-standing of the role that risk management plays in effective governance and, most importantly, in positioning the company for strategic suc-cess, continues to improve. This is leading to a more concerted focus on the material risks facing the business. In addition, boards and managers are more keenly aware of the role that the compliance culture plays in creating a risk mitigation environment. We are also see-ing both growing sophistication in the systems that management teams are relying on to iden-tify and monitor business risks and increased clarity regarding the differentiation between the management and board roles with respect to risk.

Wright: Risk management has certainly moved up the agenda in recent years, most notably since the onset of the financial crisis. The question as to whether boards are paying enough attention to risk management is a good one. The answer is that we are seeing mixed responses. Some companies appear to be ris-ing well to the challenge of enhancing risk management arrangements. This is evident through their proper risk management strate-gies and policies, clearly articulated risk man-agement objectives, and a clearly defined risk appetite. Risk is high on board agendas and a considered approach to the strategic risk reg-ister is taken. Conversely we are seeing some companies still struggling to get to grips with risk management.

Beardshaw: Based on our 2011 Global Risk Management Study, it’s clear that risk manage-ment is increasingly important to corporations. In fact, executives are much more likely today than they were two years ago to have invested

in and advanced their risk management capa-bilities. Of the nearly 400 executives surveyed for our study, across 10 industries, worldwide, 98 percent indicated that risk management is a higher priority now than it was in 2009. Ad-ditionally, executives increasingly recognise that risk management is a capability they can leverage to achieve a competitive advantage in today’s complex, continuously changing busi-ness environment. More than 80 percent of our research respondents believe their risk area is a key management function that helps them deal with marketplace volatility and organisational complexity. As a sign of the increasing impor-tance of risk both in managing market events and in driving better business performance, we find that companies are investing – they are taking risk management seriously from a structural and technological perspective and spending in smart ways to make it more du-rable.

Clark: To what extent do today’s economic and regulatory pressures emphasise the need for a more formal, strategic and proactive means of managing risk?

Wright: Today’s economic and regulatory pressures mean that the introduction of a for-mal, strategic and proactive approach to man-aging risk is crucial. Companies cannot afford to operate in a vacuum and need to pay particu-lar attention to the current risks and opportuni-ties from within and outside the organisation. This means establishing a proper framework that looks to capture known risks which can be influenced internally, but which also looks to understand those external risks which may sometimes be outside of the immediate control of the board. An element of horizon scanning is required and boards should be prepared to equip themselves with the relevant skills in order to do this. Invariably this requires addi-tional training for some boards.

Beardshaw: Economic and regulatory pres-

sures contribute to the complexity of busi-ness today but, more importantly, companies recognise that risk management contributes to competitive advantage. More than 53 percent of the executives who participated in our study said compliance with regulations is a ‘criti-cal’ driver of the need for risk management. Similarly, 91 percent said the enablement of long-term profitable growth is an ‘important’ or ‘critical’ driver of the need for risk manage-ment, and 93 percent said it was either an ‘im-portant’ or ‘critical’ factor in the sustainability of their company’s future profitability.

Gregory: Systematic, as contrasted with ad hoc, risk management efforts are critical in an environment of ever increasing regulation, business complexity, technological change and globalisation. ERM systems help management teams and boards categorise and track risks in a cohesive framework, and help assure appro-priate linkages and communications between relevant business lines with respect to inter-related business risks and risk management strategies.

Clark: Can you highlight some of the key business risks that ERM seeks to target?

Beardshaw: Risk has always been a part of business – an enduring reality that every com-pany must address. To compete, grow, and capture benefit, organisations must accept risk. It’s what businesses do. However, the nature of risk is different in the 21st century. Nowa-days, risk is magnified by supply chain com-plexities, shorter product life cycles, tumultu-ous financial markets, sudden demand shifts, emerging competitors, global collaborations, expanding regulations and technology advanc-es. Risk also has many more faces: cash flow crises, supply disruptions, quality failures, cy-ber intrusions, financial fraud, and technology breakdowns. Clearly, companies are exposed to more risk – and more kinds of risk – than ever before.

Gregory: ERM refers to processes used to identify potential risks, assess the likelihood of the risk being actualised and manage risks that arise related to the activities of the corpo-ration in managing the business. Key types of risks faced by most businesses include opera-tional risks, such as the risk of product failure or better execution by competitors; strategic risks, such as the risk of product development failure or the failure to identify and prepare for a key trend; financial risks, such as risks as-sociated with pricing, currency, asset valuation and liquidity; and hazard risks, such as the risk of a natural catastrophe. Many types of risk intersect these broad categories, such as risks associated with compliance, reputation and 8

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

8

integrity and risks associated with the broader environment such as capital availability and competition.

Wright: ERM seeks to target those risks which can impact on a company’s ability to meet its own objectives. These can be strate-gic, financial, and operational risks, but always those risks and/or opportunities that, were they to crystallise, would have a direct impact on the achievement of the organisation’s goals and stakeholder value. The proper starting point for ERM therefore should always be the corporate planning process.

Clark: When assessing risk, how important is it for companies to quantify and prioritise the risks they identify? What methods can be used to achieve this?

Gregory: Cataloguing potential risks is only a starting point. The likelihood of the risk actu-ally materialising and the potential impact of that event should drive risk avoidance, mitiga-tion and insurance strategies. Consultants in the area of ERM sell a variety of tools to help companies map and prioritise risk. However, management and boards need to resist com-placency and not equate ERM tools with the actual discussion and effort of risk manage-ment required at the senior-most levels of the company.

Wright: Quantifying and prioritising risk is very important. Albeit somewhat judgemental, failure to quantify and prioritise risks could lead to an inappropriate focus or direction of resources. There are various methods that companies can adopt, from the simplistic to the complicated. All tend to follow a similar theme of evaluating identified risks at an in-herent level – what is the likelihood and im-pact of risks crystallising in the absence of any internal controls, followed by evaluating risks at a residual level, that is, what is the likelihood and impact of risks crystallising after taking

account of existing controls? Adopting this ap-proach not only allows companies to prioritise risks but also to begin to form a view on the dependency on specific controls. For example, the larger the movement between inherent and residual risk scores would suggest an increased dependency on one or more specific controls which the company should then seek to review the efficacy of on a regular basis.

Beardshaw: Despite best efforts and invest-ments to date, critical exposures remain for many organisations. According to our sur-vey, more than a quarter of respondents are not measuring major risk items: 50 percent of companies are not measuring emerging risks; 57 percent do not measure political risks; 44 percent do not measure reputational risks; and 27 to 28 percent of companies are not measur-ing major financial risks, including business, market and credit risks. Although the conclu-sion here may be obvious, companies cannot manage effectively what they do not measure. These measurement gaps expose them to po-tentially harmful business and marketplace risks, and also create a situation where assess-ing improvement and progress becomes im-possible or, perhaps worse, merely anecdotal.

Clark: Can you provide a broad outline of the key issues for companies attempting to integrate risk management into their organi-sation?

Wright: Typically, reporting channels, struc-ture and consistency. In many companies there are challenges in the board’s message being heard in relation to risk management. A risk champion has the challenge of ensuring that a framework is consistently applied across boundaries and that reporting arrangements are regular and robust. Local champions can assist with this and regular communication should never be underestimated.

Beardshaw: What matters is knowing how

to effectively identify, mitigate and leverage risk – embedding those capabilities into a company’s operating model and using them to excel financially and competitively. Forward-thinking respondents to our survey seem to un-derstand this and are working harder to make risk management a top priority and to position risk management as a critical business driver and potential source of sustained growth and long-term competitive advantage. More than most, amongst other things, these executives think and act proactively instead of reactively; seek new ways to use advanced risk manage-ment principles to increase shareholder value; think more holistically about risk; infuse risk awareness across the organisation; and invest in continuous improvement.

Gregory: The challenges vary by company but often there are cultural issues and issues related to ensuring integration between lines of business. There is also the very pragmatic challenge of finding an appropriate balance – determining the company’s appropriate ap-petite for risk and associated investment in risk management processes and strategies, in the context of business realities. If you man-age all the risk out of the business, there will be no business.

Clark: What challenges arise when compa-nies try to create a culture of risk manage-ment? What steps can be taken to surmount these obstacles?

Beardshaw: Creating a culture of risk man-agement requires a top-down approach, with executives leading by example. Identifying an executive in the C-suite who is accountable for risk management is paramount, as it connects risk management to the rest of the business while clearly showing the rest of the organisa-tion the importance of risk management. Risk management must be integrated across the business. The good news is that nearly half of executives told us their company has a chief risk officer – that was up from only 33 percent in 2009. And, nearly one quarter of the execu-tives said their company’s chief executive of-ficer now owns the responsibility for risk man-agement, up from 13 percent two years ago. Furthermore, 79 percent of executives said the person responsible for risk management in their organisation reports directly to the CEO.

Gregory: Like a culture of compliance, a culture of risk management cannot simply be imposed one day. Culture develops over time and the key is to continually strive to improve. Efforts to drive significant change need to be socialised within the organisation; success will often depend on the commitment of senior management to careful and consistent messag-

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

ing about the importance of the issue and how the changes will ultimately benefit everyone involved. Senior management needs to invest in culture change and recognise that there may be some resistance, especially if business lines are being asked to communicate, coordinate and report in ways that they haven’t in the past.

Wright: Risk management works well when it is part and parcel of the normal business ac-tivities of an organisation. Forcing risk man-agement on the culture of a company may lead to the process stalling or being seen as a bureaucratic exercise. Steps to introduce the process properly should always start with the tone from the top. The board needs to be fully engaged in the process otherwise all levels will not necessarily take the process as seri-ously as they should. This means setting the organisation’s objectives and appetite for risk management and articulating them via a prop-erly constructed, approved and articulated risk management policy and strategy. When all levels can see that the process is live and

meaningful to the board, there is every chance that it will succeed and that a culture of risk management will ensue.

Clark: Do you expect companies to contin-ue improving their ERM frameworks in the years ahead? To what extent do they need to regularly review and update their ERM strat-egies as part of this process?

Gregory: Boards and managements need to stay abreast of developments in the ERM area and should assess, from time to time, how the company’s processes for ERM compare to what similar companies are doing. The board should dedicate time in its agenda each year for a specific ERM broad discussion of risk oversight and ERM. The board should use this time to discuss how it approaches its risk over-sight role, review the risk management pro-cesses used by management, review the ERM analysis of material risks and their likelihood, and also hear from the CEO about what keeps her up at night from a risk perspective. This annual discussion however does not substitute

for the regular discussion of risk as a compo-nent of strategic discussions or the board com-mittee level oversight of the ERM processes used by the company. Clearly, the board needs to pay special attention throughout the year to the risks that only the board can manage – largely related to having a high-performing and appropriately compensated CEO in place along with effective governance processes and a culture of objectivity and accountability.

Wright: I think risk management is here to stay. Companies therefore need to gear up but shouldn’t necessarily treat risk management as an independent process. Where we see it work-ing really well is where companies have ad-opted risk management as part of their strate-gic planning process and review arrangements. This means it has become integrated into the planning of the future direction of a business and forms part of the regular performance re-porting and consideration.

Beardshaw: In our study we asked execu-tives about their risk management plans and they told us that their companies still face critical exposure to risk and they believe the benefits of enhanced risk capabilities have yet to be realised. More than half said their com-pany had invested $25m or more since 2009 to improve risk management capabilities, and one in 10 said their company’s investment had exceeded $250m. Even so, 83 percent of ex-ecutives said additional investments would be made in risk management in the next two years as companies navigate market volatility, man-age increased complexity, and address a prolif-eration of risks ranging from supply chain and other operational issues to new regulations, reputational concerns, and increased threat from financial fraud and other cyber-based crime.

Are you ready? – five steps to manage organisational risksBY SCOTT B. CLARK

As the business world becomes more com-plex and interconnected, so do the risks

that each company faces. Every natural catas-trophe, product recall or market fluctuation reminds us that even something that happens halfway around the world can have a profound effect on your company’s bottom line. No risk occurs in isolation. So in order to address these wide-ranging risks, organisations need

to adopt a broader approach. For many, this means developing an enterprise risk manage-ment (ERM) program that can strategically address the full spectrum of a company’s risks and managing the combined impact of those risks as an interrelated risk portfolio.

But for any ERM program to succeed, it must be aligned with your organisation’s overall business strategy. Failure to do so puts your

risk management program in a passive or re-active position that will not contribute to the growth of the organisation. If risk manage-ment is not on anyone’s mind except when an accident, injury or other loss occurs, then it will not be as effective as it can be.

Consequently, all business units in the or-ganisation, including risk management, must tie their performance to the strategic goals of

OPINIONS ARTICLES

8

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

8

the organisation. For example, if a company’s goal is to manufacture the best television set, then the risk management objective should be to help the company business units identify and mitigate the impediments to achieving that goal, whether the problem lies in production, marketing, finance or the supply chain.

Five basic ERM principles Although the steps involved in an ERM pro-cess are generally the same, each organisation goes about implementation in different ways, depending on its strategic objectives, culture and operational structure. A solid ERM frame-work should include the principles that we have come to think of as typical of the ERM and fundamental risk management process.

Identification. In a typical risk management process, the risk manager interviews individu-als where a loss may occur in order to identify exposures. This is a silo approach. In the ERM approach, the interview is expanded to include stakeholders from across the organisation.

ERM not only highlights material risks, but it also shows what is driving them and thus pro-vides incredibly valuable information. Manag-ers have a natural tendency to only manage their silo since that is what they control. The key, however, is to break down those arbitrary boundaries when identifying risks. ERM helps leadership to view their organisations not just horizontally, but also vertically.

During the identification process, it is im-portant to consider events ‘outside the bell curve’. These so-called ‘Black Swan’ events, such as natural catastrophes, terrorist attacks and supply chain interruptions, often do not hit the radar screen – they are not as obvious as a plant burning down or a severe increase in en-ergy costs – yet they pose a significant impact on capital and may put the continuity of your business at risk.

Questions to help identify risks can include: What could go wrong? What must go right for us to succeed? Where are we vulnerable? Which assets do we need to protect? Do we have liquid assets or assets with alternative uses? How could our operations be disrupt-ed? How do we know whether or not we are

achieving our objectives? What do we spend the most money on? How do we bill and col-lect our revenue? Which activities are regulat-ed? What are our greatest legal exposures?

The responses to these questions will provide a much clearer picture of the risks your organi-sation faces and the steps needed to continue the ERM process of assessing, evaluating, mitigating and, finally, monitoring risks.

Assessing the risks. There is a methodical ap-proach to distilling the list to those that your organisation considers high priority items. If a risk is already well-managed and controlled, it will have a low residual risk. If your organi-sation can do nothing about a particular risk because it is so far beyond your control or in-fluence, the risk may merit only limited atten-tion. This is a quick way to narrow down your list to a more manageable size. It is important to remember, however, that even though a risk is beyond your control, it may still be a signifi-cant risk to the organisation and should remain on the list.

Once completed, risks should be ranked with regard to their importance to your organisa-tion. Be sure that all significant risks are cap-tured on this list and that the priorities appro-priately reflect each business unit’s operations and activities and the current environment. This requires both the consideration of the potential impact/consequence and probability/likelihood of the event occurring. A ranking system may be as simple as using a scale to help determine the severity of each risk: 1-2 (insignificant); 3-4 (minor); 5-6 (moderate); 7-8 (serious); and 9-10 (major).

Evaluation. At this point, you should have a much better understanding of the risks that need more attention. You can now decide what opportunities and benefits exist to mitigate the risks. On the other hand, if you decide not to mitigate the risks, you will also need to con-sider the impacts of that decision as well.

This is where ERM implementation seems to cause the most trouble. Facing a list of big risks, it might be very difficult to see how these risks are to be evaluated in terms of mitiga-tion. Very often, this difficulty is caused by the complexity of the risk. Something like brand

reputation might be affected by thousands of activities within the company, from research and development to marketing and sales. So how do you address all of these areas?

The answer is that you don’t. Rather, it is much more effective to investigate the risk and determine which specific activities are driving the risk and who is responsible for them.

For example, there are many ways a fac-tory could be physically damaged. It is nearly impossible to focus on all of them. Instead, a risk manager should perform an investigation by walking through the factory, speaking with key personnel and considering various loss scenarios in order to concentrate on a few key risk drivers. Similarly, during the ERM evalu-ation process, the risk manager should speak to the business owners and study the various components of the business. These interviews can clear up what needs attention and what does not.

For instance, when considering the risk of failing to meet production goals, the process may seem daunting. But through subsequent investigation, the risk manager may discover that most employees agree that a plant shut-down is their chief concern. When further investigation reveals that the threat of power outage is a possibility, the risk manager can concentrate mitigation efforts in this more manageable area. At this point, the risk man-ager has tied a single cause of risk (power outage) back to an ERM-level risk (failure to meet production goals).

Mitigating risk and exploiting opportunities. Next, a risk manager must develop and follow specific steps to not only reduce the risks and uncertainties that are at the top of the list, but to increase their potential benefits.

Taking the example from the previous step about the factory, the company has several op-tions to mitigate the power outage risk. It could build a second factory in a different location, install a generator, keep a surplus product sup-ply large enough to see the organisation through any power outage or transfer the risk via insur-ance. All of these options will have associated costs, so these need to be weighed against their effectiveness in mitigating the risk.

ERM-level risks, because they involve many parts of the business, might call for a treatment that is outside the scope of the risk manager’s duties. However, an effective ERM strategy dictates that it is up to the owner of the activ-ity that drives the risk to determine the most cost-effective mitigation plan. If the activity driving the risk is owned by sales, for instance, then sales should be responsible for the miti-gation.

Monitoring risks. Monitoring allows you to assess the effectiveness of your risk manage-ment process. What may have worked initially could lose its effectiveness over time as com

Although the steps involved in an ERM process are generally the same, each organisation goes about implementation in different ways, depending on its strategic objectives, culture and operational structure.

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

Risk oversight: of ‘rogues’, reporting systems, and reasonable doubt BY ALEXANDRA R. LAJOUX

As board and committee leaders set their calendars for 2012, risk oversight is rank-

ing high as a concern. The 2011 NACD Public Company Governance Survey results place it just behind strategy and performance as a key issue for boards. But can directors make a dif-ference in mitigating risk? The recent arrest of a UBS rogue trader last month makes this question red hot.

The problem is serious. Respondents to a re-cent survey from the Association of Certified Fraud Examiners estimates that the typical organisation victimised by fraudsters loses 5 percent of its annual revenue to fraud. That’s an average; some percentages are higher – and can cause insolvency for a low-margin com-pany, a grave matter indeed.

If we compare the ‘rogue’ stories to the cur-rent reporting systems, we see a disconnect. Fortunately, however, directors and other pro-fessionals are strengthening standards to less-en the incidence of malefactors – or the need to scapegoat them.

‘Rogues’On 15 September 2011 Kweku Adoboli, a 31-year old UBS trader, was arrested by City of London police in connection with unauthor-ised high-stakes trading that has cost the Swiss bank some £1.3bn (US$2bn), adding insult to the injury of the $50bn the bank had lost dur-ing the financial crisis. The development was particularly poignant in light of the recent riots by many largely unemployed immigrant youth in London and other cities. In contrast to them, the Ghana-born Kweku, a full citizen, had been lauded for his work ethic and good manners.

Nearly one year earlier, in October 2011, a similar high-stakes trader, 33-year-old Jerome Kerviel, was sentenced to five years in prison (two suspended) and ordered to pay a fine of €4.9bn for similar actions. Kerviel made some €50bn in bets (US$62bn) on the German stock market. The judge ruled that he had concealed

his trades with hedging transactions. During his trial, Kerviel said he used only methods that he learned as an employee of Société Gé-nérale.

The pioneer here was Nick Leeson, whose huge trades cost the venerable Barings Bank L827 ($1.2bn) and caused the 200-year-old in-stitution to close its doors. Leeson blames both the rogue traders and the banks that employ them. “The criminality is always with the in-dividual trader, but the bank, with its incompe-tence and negligence in controlling what is go-ing on, is complicit,” he told the Independent in a recent interview following his years doing hard time in a Singapore prison.

This sequence of rogue traders in our gen-eration calls to mind the many illegal insider trading rings of the 1980s run by investment bankers Ivan Boesky, Stuart Levine, and the Yuppie Five (all five under 30 at the time). But banks are not the only companies affected by misbehaving individuals. In the healthcare field for companies ranging from Caremark to HealthSouth there have been issues such as accounting irregularities and allegations of kickbacks and bribes. And let’s not forget Pyramid schemes, which run the gamut from investment (Bernie Madoff) to online poker (FullTiltPoker.com) – the latest to be busted.

Reporting systemsRogues are a shareholder’s worst nightmare. Owners naturally want assurance that corpora-tions are sustainable, so they can receive re-turns from their investments. That’s been true since the dawn of corporations. This indeed was one of the first uses for the double entry bookkeeping, developed in the late 15th centu-ry. But it wasn’t until the 20th century, follow-ing the widespread separation of ownership and management chronicled by Adolph Berle and Gardiner Means in The Modern Corpora-tion and Private Property (1932) that the role of the board became prominent in that assur-

ance. Here are some landmark developments over the past four decades.

Foreign Corrupt Practices Act. This 1977 US law is not just about the prevention of foreign bribes. It also has accounting provisions that require corporations covered by the provisions to: (i) “make and keep books and records that accurately and fairly reflect the transactions of the corporation”; and (ii) “devise and maintain an adequate system of internal accounting con-trols”.

Sentencing Reform Act. This 1984 US law, setting forth Federal Sentencing Guidelines, includes an incentive for compliance systems. A corporation convicted of a federal offence (including in some cases a non-US corpo-ration) may get a reduced sentence if it has maintained an effective program to prevent and detect violations of the criminal laws. The company must prove that it has seven checks, which can be paraphrased as high-level over-sight, procedures to reduce crime, employee screening, communications/training, whistle-blowing, punishment of misconduct, and re-sponse to misconduct (change in procedures). The 2004 amendments clarified that the board of directors must be involved in oversight.

In re Caremark Inc. International Derivative Litigation (1996), a Delaware Chancery Court decision, interpreted director oversight duties of directors under general principles of equity law. Chancellor William T. Allen wrote that “A director’s obligation includes a duty to attempt in good faith to assure that a corporate infor-mation and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in the-ory at least, render a director liable for losses”. Such liability might apply if all of three condi-tions exist, he explained: the directors knew or should have known that violations of the law were occurring, directors took no steps to pre-vent or remedy the situation, and this failure to act became the proximate cause of the losses 8

placency sets in or as the nature of the risk changes. Only by monitoring can you recog-nise when adjustments or a complete reevalu-tion of the risk is needed.

Ahead of the curveThe five ERM principles described might not cover all aspects of implementation but at the very least most programs strive for some level of risk quantification, a systemisation of

the ERM process and a change in behaviour such that all functional groups within the or-ganisation think in terms of risk, risk owner-ship and mitigation. These concepts are at the very heart of an effective ERM program. At the same time, each of the principles can be further expanded to encompass risks specific to your organisation.

Risks will continue to evolve because the business world is constantly changing. Nar-

row-minded, reactive risk management is no longer an effective business strategy. Too much is at stake. It is only through the use of a proac-tive ERM program that you can stay ahead of the curve and make sure that your organisation is not taken by surprise.

Scott B. Clark is president and director of the Risk and Insurance Management Society, Inc. He can be contacted by email: sclark@rims.org.

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

being litigated. The Sarbanes-Oxley Act of 2002 and the

Dodd-Frank Act of 2010 in the US took whis-tleblowing to a new level. Sarbanes-Oxley de-fined the elements of a strong whistleblowing system and mandated them for all US public companies. Dodd-Frank instituted government bounties for whistleblowers. The UK Bribery Act of 2010, like the FCPA before it, mandates vigilance. It includes penalties for “the failure of commercial organisations to prevent bribery by an associated person (corporate offence)”. Like the FCPA in the US, it can apply to com-panies outside its domestic sphere.

Laws aside, there are anti-fraud controls that can become part of a reporting system. In a 2010 study, the Association of Certified Fraud Examiners (ACFE) identified 15 types of fraud prevention. In order of prevalence, they were as follows: external audit of finan-cial statements (76 percent); code of conduct (70 percent); internal audit (66 percent); ex-ternal audit of internal controls (59 percent); management certification of financial state-ments (59 percent); management review (53 percent); independent audit committee (53 percent); hotline (49 percent); employee sup-port programs (45 percent); fraud training for managers (42 percent); fraud training for employees (40 percent); antifraud policy (39 percent); surprise audits (29 percent); job ro-tation/mandatory vacation (15 percent); and rewards for whistleblowers (7 percent).

How effective are these? Detection usu-ally comes from hotline tips, internal audit, or management review, says the study. (Note, however, that bounties had little impact – an interesting finding in light of the whistleblow-er bounty program set up this year under Dodd-Frank .) Other venues for discovery have nothing to do with any ‘system’. They include accidental discovery and confession by perpetrators. Overall, though, when ACFE surveyors looked at the effect that the 15 for-mal controls had on the size and duration of

the frauds, the trend was clear. Defrauded or-ganisations that had these controls in place had significantly lower losses and shorter time-to-detection than defrauded organisations without the controls.

Reasonable doubtThe question remains, how can fraud be stopped altogether? The key seems to be en-couraging everyone in the financial reporting chain to develop a sense of reasonable doubt. Financial executives, internal auditors, exter-nal auditors, and audit committee members need to exercise scepticism. This does not mean mistrusting everything and everyone, but it does mean being aware of anomalies. Corpo-rate boards and the professionals serving them are continually refining their risk oversight tools in this regard. In closing, here are a few recent and upcoming initiatives meant to em-power reasonable doubt.

In April 2011, a Study Group on Corporate Boards co-chaired by Charles Elson of the University of Delaware and Glenn Hubbard of Columbia Business School issued Bridg-ing Board Gaps. This report, sponsored by the Rockefeller Foundation at the recommenda-tion of veteran corporate director Frank Zarb, who served as vice chair of the Group, urged board chairs to “foster an environment of dis-cussion and debate…” Some takeaways: “As a Chair, encourage constructive skepticism, debate, disagreement, and, when necessary, dissent”…“As a director, speak your mind and ask questions”.

In June 2011, the Bank for International Settlements (BIS, based in Basel Switzerland) released Principles for the Sound Management of Operational Risk. The principles are meant to complement the regulatory framework pro-posed in the document known as Basel III – a comprehensive set of reform measures, devel-oped by the Basel Committee on Banking Supervision, to strengthen the regulation, su-pervision and risk management of the banking

sector. The BIS paper details eleven principles of sound operational risk management cover-ing governance, risk management, and disclo-sure. They include two principles for boards. These principles, if followed, can prevent an-other UBS.

In late 2011, the Committee of Sponsoring Organizations of the Treadway Commission will release an update Internal Control – Inte-grated Framework, its 1992 guide on internal controls. The report, says COSO, will address key challenges presented by an increasingly complex business environment and help or-ganisations worldwide better assess, design and manage internal control.

Finally, throughout 2012, a four-way col-laboration of the Center for Audit Quality, Financial Executives International, The In-stitute of Internal Auditors, and the National Association of Corporate Directors will be-gin releasing a series of products intended to combat fraud and teach the skills of scepticism without destroying trust. These efforts, fol-lowing the October 2010 report from CAQ on Deterring and Detecting Financial Reporting Fraud, will include case studies, real-time dis-cussions, webcasts, white papers, and a new self-quiz for fraud detection.

In summary‘Rogues’ – ranging from scapegoats to true vil-lains – will always appear on the scene where money is concerned. Good reporting systems can detect their activities before they become dangerous. Through positive and negative ex-amples, as well as guidance from regulators, courts, and professional groups, we are all learning more about how to keep fraud at bay. Our rallying cry after UBS must be: Never again.

Alexandra R. Lajoux is a chief knowledge officer at the National Association of Corporate Directors. She can be contacted on +1 (202) 280 2185 or by email: alajoux@nacdonline.org.

Enforcement of anti-corruption laws throughout the world is at an all-time high

and potential liabilities for companies, togeth-er with investigation and defence costs, can amount to millions of dollars.

While corporate officers and directors ap-preciate that involvement in schemes to pay bribes to get business can result in serious con-

sequences, few appreciate that merely acquir-ing a business in which improper payments have been made can result in equally serious problems. Not only can the target company face potential liability, which can materially diminish the value of the acquisition, but also the acquirers can face successor liability for the improper conduct of the target.

Examples from recent enforcement actions by US authorities illustrate the risks. In 2007 eLandia bought Latin Node, a telecom compa-ny whose business focused on emerging mar-kets. eLandia did no compliance due diligence, and it was not until after the acquisition that it learned about Latin Node’s improper pay-ments at which point eLandia disclosed them

Managing anti-corruption risk in mergers and acquisitionsBY RICHARD N. DEAN

8

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

to the US government. In 2008, eLandia decid-ed to write off approximately 75 percent of the value of Latin Node. As it turned out, a very substantial portion of Latin Node’s business was premised on making illegal payments, and it ultimately pleaded guilty to making over US$2m in illegal payments in Honduras and Yemen. Clearly proper anti-corruption due dil-igence pre-acquisition can result in identifying problems that go right to the basic value of a target company.

Such pre-acquisition due diligence is impor-tant not only to verify the value of the invest-ment, but also to avoid successor liability for illegal payments made by the target company. The acquiring company can face liability under the Foreign Corrupt Practices Act (FCPA) if it acquires a company and can be seen to have benefited from illegal payments at the target level or to have permitted the continuance of such payments by the target. If the acquirer is aware of such illegal payments and does noth-ing to stop them, criminal penalties are pos-sible under the FCPA. If the acquirer does not know about the target’s illegal payments and does nothing post-acquisition to investigate or remediate, the acquirer can face civil charges brought by the Securities and Exchange Com-mission (SEC) for false books and records and internal controls violations. This is true even if the books and records and internal controls violations occur only at the subsidiary level, because the SEC has successfully resolved a number of cases in which the parent company has been held strictly liable for such violations by its controlled subsidiaries (or in this case, its acquired company) simply because the in-correct records form part of the parent’s con-solidated financial statements.

There is a third less well known problem for companies which are based in the United Kingdom or acquire companies with substan-tial operations in high risk emerging markets and are connected to the United Kingdom. Much attention has been given to the recent-ly enacted UK Bribery Act, but companies should not overlook the application of UK money laundering laws in M&A transactions. Consider two examples. First, a UK company buys a company which has paid bribes to ac-

quire key assets, such as a large government contract. Those bribes could give rise to ‘crim-inal property’ under UK money laundering laws and the purchase price paid for a com-pany could be recharacterised as a ‘reward’ to the company’s owners for unlawful conduct. Second, if the acquired company pays a bribe to obtain a government contract and then pays a dividend, based in part on the revenue from the contract, to the acquirer/parent in the UK, that dividend could be considered the means by which criminal property was transferred to the UK providing the basis for a money laun-dering prosecution in the UK.

These scenarios of potentially serious loss of value or direct liability should dictate that companies carefully approach the acquisition of businesses operating in emerging markets with high risks of corruption. Standard legal and financial due diligence should be expand-ed to evaluate the possibility that the target has engaged in corrupt practices. Such due dili-gence should begin with an evaluation of the target management’s understanding and ap-preciation of the corruption risk. What policies are in place to guide employees? What con-trols exist to minimise the possibility of im-proper payments? Moving from the general to the specific, such due diligence should include a forensic review of the target’s books and records and its use of intermediaries, such as agents and distributors, in its business. Particu-lar attention should be paid to government ‘in-terface’, i.e., what are the occasions when the business interacts with government officials in a way that creates corruption risk? This would include an identification of the specific inter-faces, such as tax officials for audits, as well as what, if any, payments are made or benefits extended, directly or indirectly, to government officials who have some oversight responsibil-ity for the business. Does the target have sig-nificant government customers?

Unlike standard legal and financial due dili-gence, proper anti-corruption due diligence is more likely to identify serious potential crimi-nal and civil liability, especially where the tar-get company demonstrates no understanding or appreciation of corruption risk. This is a very common problem, especially when ac-

quiring local companies in high risk emerging markets. Such companies often make accom-modations to the local culture in the belief that ‘it’s just how things are done here’ or ‘we can-not conduct business without payoffs’. These issues become delicate in an M&A transaction because the target is understandably sensitive about the disclosure of such issues to local law enforcement authorities and the acquirer is concerned about its own liability if it com-pletes the acquisition.

Addressing these issues may require the in-vestigation and remediation of certain suspi-cious business practices, the termination of certain contracts and even the disclosure of potential liabilities to law enforcement bodies. This latter step is particularly sensitive and is more common in the US and the UK where acquirers are seeking to eliminate the possi-bility of successor liability, but it may lead to government investigations exposing the target company and its principals to criminal or civil liability.

At the contract stage, properly addressing the corruption risk usually involves a com-plex interplay of representations and warran-ties; carefully crafted disclosures; conditions to closing that set out a process to resolve a potential corruption problem that may permit an acquirer to terminate the transaction if the issue cannot be resolved; and indemnification provisions to allocate the risk that the target may face liability under anti-corruption laws. Heightened concerns among all stakeholders about corruption and related problems means that these issues will be addressed in highly-charged circumstances.

Avoiding the loss of the value of the acquisi-tion, such as eLandia experienced with Latin Node, requires thorough and well-focused due diligence to evaluate not only corruption risk but the basic ways the target does business.

Avoiding successor liability, which is the un-expected consequence of acquiring a business that has engaged in corrupt practices, requires not only effective due diligence, but also the following critical steps. First, ensure that all improper payments at the target company have been stopped prior to acquiring the tar-get. Second, avoid acquiring assets that have been ‘tainted’ by improper payments, such as a government contract obtained by paying an excessive commission to an agent close to the government customer in circumstances that make it clear that the agent paid a kickback to an official at the customer. Third, correct false accounting and other records at the target level. Finally, ensure that the target enacts ef-fective compliance controls.

Richard N. Dean is a partner at Baker & McKenzie LLP. He can be contacted on +1 (202) 452 7009 or by email: richard.n.dean@bakermckenzie.com.

Clearly proper anti-corruption due diligence pre-acquisition can result in identifying problems that go right to the basic value of a target company.

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

8

Why do companies fail? More important-ly, what can vigilant executives do to

prevent that failure? There are many homilies that attempt to address this issue, and many borrow a biological model to suggest that companies follow a life cycle just as plants and animals do. Economist Hyman Minsky posits that stability itself breeds instability, and therefore inside success, the seeds of fail-ure are taking root. This article explores one aspect of the causes of failure, worth thinking about when we realise that of the original S&P 500 list created in 1957, only 74, or 15 percent are, according to CFO.com, still on the list.

How can one explain why seemingly suc-cessful companies go bankrupt or fall from a successful leadership position? How do they go from appearing invulnerable to drifting aimlessly in short periods of time? Following Minsky’s theory, we confront the problem of success itself. When an organisation is suc-cessful following a particular path, it becomes increasingly difficult to deviate and take new risk of any kind. While a company striving to become successful knows that each new day requires making strategic adjustments to an-ticipate continuously changing circumstances, these habits are very difficult to maintain in the successful market leader. Vision tends in-evitably to narrow.

Are executives in such companies blind? Failure can occur due to a sudden shock to the system, but most failures are not due to unforeseeable events. The executives of com-panies that have failed often knew what was happening but chose not to do much about it. To be more specific, these executives are of-ten relying on data that is not providing them with the information they need to understand what is happening inside and outside of their companies. Because it is familiar, though, and can be compared to last month or last year, they are lulled into a false sense of security, believing they are measuring what matters. It is a profound part of the human condition to want to feel part of a functioning system, protected from the forces of chaos, whether the system is validly measuring a company’s reality or not.

In many cases executives believe that if there is a control system in place, it will do the job for which it was intended. However in many organisations their systems and policies are constructed for day to day transactions, or to meet accounting criteria, but are not built for analysing the abundance of raw data to make sense of what it all means. Sustainability is

based on transforming data into meaningful information to provide insight and support de-cision making.

Assumptions are not factsOne once highflying technology company was supposed to be able to see into the future, by matching supply and demand trends precisely, in real time, thus providing the ability to gen-erate tightly focused forecasts. The technol-ogy worked very well, it seems, but the fore-casts did not. The company analysts had not included the ability to adjust the forecasts to reflect changes in one key variable: the rate of growth. Company executives believed they had a superior grasp of reality and acted on the information they had, to the company’s disadvantage.

Data is not informationIn another company, a private one in the middle market, cash flow was falling and its lenders were insisting on asset sales and deleveraging, along with the appointment of outside advisers. The company, in the waste management sector, had 52 profit centres, and no method of easily aggregating the data into useful information. To make matters even harder to understand, the company thought about its business activity by product line: residential and commercial hauling, and land-fills. This method ignored the functional con-nection between the hauling activity and the company owned landfills. The use of landfills not owned by the company required tipping fees, which significantly reduced profitabil-ity. Once the advisers rearranged the data by geographic market segment and reduced the number of profit centres, the resulting infor-mation made it easy for management to see which assets were not profitable, and sell them forthwith. Instead of forcing a liquida-tion, their banks were suddenly competing to offer the company new financing on much better terms.

Accounting does not equal realityThe subprime meltdown, analysed ad nau-seam elsewhere, provides another example of participants blinded by bad information. In one company, the oldest subprime residential mortgage originator and servicer with a large retail branch network, the loans they originat-ed were sold into a securitisation each quarter, for approximately 10 years. Each quarter they recognised as income the discounted value of the difference between the expected interest

income from the loans, adjusted for expected losses and prepayments, and interest rate the securitised vehicle would pay to investors. Using the accounting procedure required, the expected cash flows resulting from each se-curitisation were capitalised as assets on the balance sheet.

In such circumstance, it is easy to see how the company and its board can have lost sight of the fact that the asset on its books did not represent anything more than assumptions as to likely future receipts. The ‘earnings’ the company was declaring showed attractive growth, not because the company was actu-ally earning more, but because it was valuing the expected future cash flows on ever more aggressive assumptions, which had the effect of supporting the stock price. Even its lenders had been caught up in the momentum, lending the company large amounts on an unsecured basis. It required looking at the company with fresh eyes not accustomed to the habits of years and not driven by a desire to drive the stock price forward to point out that the com-pany was not earning the cash it needed to pay for its day to day operations. When the oppor-tunity to securitise dried up and the company had to sell its loans directly to buyers, it could not support itself. Had the company not been blinded by what it believed to be the value of its main asset, the capitalised value of ex-pected future cash flows, its board would have been able to take advantage of an offer to buy the company. Instead they faced liquidation.

It is very difficult to challenge the status quo and get appropriate attention paid to consider-ing whether the information available match-es the nature of the decisions that need to be made, and further to then persevere in devel-oping various new ways of testing the qual-ity of the data and the conclusions reached. Delusion, fear of the unknown, and fear of being criticised for pushing an unpopular is-sue are powerful. Organisations that do not create space and support for such questions, however, and perpetuate the making of deci-sions on flawed information are often destined to disappear.

Given the global economic uncertainty at present, coupled with an accelerating rate of change, stakes have never been higher. Com-panies need to learn to make better decisions based on sound information. Companies that successfully use their information to out-think and out-execute their competitors thrive. Con-sistently high-performing enterprises build their strategies around information-driven

Fish cannot see water: why companies failBY DEBORAH HICKS MIDANEK

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

8

insights.These processes are difficult to learn, but

must be adopted. Those at the top of the com-pany, most deeply invested in seeing them-selves as successful, cannot easily see the enterprise from a detached position. Thus, the

status quo continues to be the paradigm that informs how we see and create the world, and is not questioned.

Remember that fish cannot see water, and build the habit of always taking the time to ensure that the information provided, and the

assumptions it is based upon, reflect the na-ture of the decisions to be made.

Deborah Hicks Midanek is president of Solon Group, Inc. She can be contacted on +1 (917) 853 3598 or by email: DHMidanek@SolonGroup.com.

In order to help companies stay abreast of emerging issues and learn what their peers

are doing to manage risks and capture oppor-tunities, Aon conducted its 2011 Global Risk Management Survey. This, the third survey of its kind, gathered information from 960 com-panies, across 27 industries, in 58 countries in all regions of the world to help identify the 10 biggest risks facing organisations today.

No.1: Economic slowdown. While the eco-nomic crisis has abated in most parts of the world, continued high unemployment rates and unease over the debt sustainability of many of the largest economies has caused organisations to remain concerned about a double-dip recession.

Indeed, for two consecutive surveys, respon-dents have highlighted the economic slow-down as the top risk facing their organisation. The economic slowdown was noted as the number one risk across all geographies and was cited as the risk that led to the greatest reported income loss last year.

No.2: Regulatory/legislative changes. Risks related to regulatory and legislative changes involve the inability of an organisation to comply with current, changing or new regu-lations. Failures in compliance can result in severe consequences, including direct penal-ties in the short-term and the loss of markets, reputation and customers in the long-term.

Banks reported the greatest losses related to this risk last year. Meanwhile the CEOs, presidents, chief finance officers and treasur-ers surveyed cited legislative changes as their number three risk, suggesting that these posi-tions may view it more as a cost than risk.

No.3: Increased competition. Economic trends, regulatory changes, entry of new com-petitors, changes in consumer trends, advance-ments in technology and aggressive strategies by competitors are some of the many variables that can impact the competitive position of an organisation in any one industry. However, in this rapidly changing marketplace, failure to adequately address these market changes could lead to irreversible loss of market share.

Increased competition was reported as the

number one risk for the wholesale trade indus-try. Meanwhile over 70 percent of respondents in the construction and telecommunications and broadcasting industries said they reported losses last year due to increased competition.

No.4: Damage to reputation and brand. Cor-porate reputation is one of the most important assets and also one of the most difficult to pro-tect. Several high profile industrial accidents and product recalls have made organisations realise the urgency of protecting their reputa-tion, which can take years to build but can be destroyed overnight.

Possibly driven by the proximity of its prod-ucts to end users, stringent regulatory over-sight and heightened public scrutiny, this risk was cited No.1 in the food processing and dis-tribution industry.

No.5: Business interruption. Business inter-ruptions can arise from many sources, some man-made, some natural, however the factors that contribute to business interruption are often sudden and rapidly changing, making it a challenging risk to manage. Even so, the report suggests that the recent events in Ja-pan reinforce the importance of having risk mitigation strategies for business interruption exposure.

The pharmaceutical and biotechnology in-dustries cited business disruption as their number two risk as they are more vulnerable to disruptive events at their manufacturing or suppliers’ facilities, where highly specialised equipment cannot be easily replaced in the event of a loss and restarting operations may be subject to strict regulatory approval. How-ever, 70 percent of respondents said their or-ganisation has a plan in place or has under-taken a formal review of this risk.

No.6: Failure to innovate/meet customer needs. Innovation plays a vital role in the development of new business concepts, pro-cesses and products, driving growth and op-portunity in new markets and breathing life into mature industries. In the battle to win the hearts and minds of customers, companies can rapidly lose market share if they fail to invest in innovation.

This was ranked the number one and number two risk by respondents in the machinery and equipment, non-aviation transportation, print-ing and publishing, and technology industries. However 68 percent of respondents said their organisation has a plan for or have undertaken formal review of this risk.

No.7: Failure to attract or retain top talent. Corresponding with the changing business environment, from number 10 in 2009 when companies were forced to conduct massive layoffs to stave off the impact of the financial crisis, this risk has moved up three places in the current survey. Indeed, today the process of recruiting top industry talent is a massive challenge requiring a thoughtfully designed talent strategy which includes rigorous and appropriate recruitment, assessment and de-velopment.

This was ranked the number one risk in the government sector, which is losing talent to the well-paying private sector. It was also ranked the number two risk in the Asia Pacific region, where rapid economic growth may have used up the limited pool of available talent while education and training have been unable to keep pace.

No.8: Commodity price risk. Just after this survey was conducted, a global surge in com-modity prices occurred. The Economist com-modity index was up by an annualised 33 per-cent by the end of 2011. Unlike many other risks on the top 10 list, commodity price risk has a direct and measurable cost to most or-ganisations. The stability of commodity prices looms as a bigger concern for many organisa-tions than this ranking might suggest, accord-ing to the report.

Although viewed as an opportunity risk that is manageable and integrated into their over-all business strategy, this risk was ranked the number one risk by the natural resources and food processing and distribution industries.

No.9: Technology failure/system failure. This is the first time technology failure/system fail-ure has appeared in the top 10 risks since the start of the survey in 2007. However, this is no doubt due to its impact on other risks.

Top 10 risks to global businessBY SELINA HARRISON

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

With their heavy reliance on technological infrastructure, organisations are becoming more vulnerable to system failures, which can lead to business interruptions, damage to reputation and loss of customers. Accord-ing to Gartner, Inc., expenditure on servers by businesses worldwide increased by 13 percent

in 2010. The need for increasingly advanced technology to support business processes will continue to keep this risk high on the list of concerns for organisations.

This risk was rated a higher concern for avia-tion, non-aviation transportation and telecom-munications and broadcasting industries and

was cited as a top 10 risk in all regions except North America, where companies may be rel-atively better prepared through heavy invest-ment in technology upgrades.

No.10: Cash flow/liquidity risk. Possibly aided by the current economic recovery, this risk has dropped from number seven in 2009 to number 10 in this survey. Indeed, the pro-longed period of low-interest rates globally, restructuring efforts, and the revival of inves-tor confidence have enabled corporations to access relatively cheap short-to-medium term funding sources. Despite this, the survey re-veals that organisations still consider cash flow/liquidity a substantial risk in the after-math of the financial crisis.

More than three quarters of respondents said their company has a plan for or has undertaken formal review of this risk. However, this is a greater concern for companies with revenues under $1bn as they have fewer assets to bor-row against.

With their heavy reliance on technological infrastructure, organisations are becoming more vulnerable to system failures, which can lead to business interruptions, damage to reputation and loss of customers.

When global management consultancy firm Accenture conducted its Global

Risk Management Study in 2009, the business community was shaken by the financial crisis, in premature stages of recovery, and frantical-ly attempting to establish an enterprise-wide approach to risk management. Two years lat-er, the corporate attitude toward risk manage-ment has gone from reactive to proactive.

Today, executives are much more likely than they were two years ago to have invested in and enhanced their risk management capa-bilities. Almost all executives surveyed in the 2011 Global Risk Management Study indicat-ed that risk management is a higher priority now than it was in 2009.

The increasing importance of effective risk management When surveyed, 98 percent of executives in-dicated that increasing volatility and grow-ing complexity has made risk management central and strategic to all industries. A high proportion of executives who expressed this sentiment ‘to a great extent’ were from finan-cial services firms and insurance companies, faced with changing legislation and increased regulatory scrutiny. Across all industries, over 80 percent of executives surveyed said they consider this risk area to be a key manage-ment function that helps them deal with mar-ketplace volatility and organisational com-

plexity. Executives see their risk management capa-

bilities as important to future profitability and long-term growth. Almost half the companies surveyed (49 percent) indicated that they see their risk organisation as a critical driver for enabling long-term profitable growth and 42 percent of executives saw their risk man-agement capabilities as ‘important’ to their company’s growth. Meanwhile, 48 percent of executives view risk management as critical to sustained future profitability, while another 45 percent believe it to be ‘important’.

Companies are implementing comprehen-sive enterprise risk management programs. More than 80 percent of executives surveyed indicated they have an enterprise risk manage-ment (ERM) program in place or plan to have one in the next two years. Latin American companies are especially likely to have ERM programs – an almost unanimous 99 percent of those surveyed. European companies were the least likely to have an ERM program, with just 52 percent.

Companies are establishing C-level over-sight of the risk management function. Over two-thirds of all the companies surveyed in-dicated they have a Chief Risk Officer (CRO) operating with this title, while 20 percent of respondents said their company has an execu-tive fulfilling the responsibilities of this role, though without the title. Financial services

companies are more likely to have an execu-tive in place with the CRO title (84 percent) while insurance companies (71 percent) are also above the survey average of 64 percent.

Executives expect their investments in risk management to increase over the next two years. Eighty-three percent of executives sur-veyed believe their companies’ risk manage-ment investments (which includes salary and benefits for risk employees, professional ser-vices, technology costs, facilities and travel) will increase in the next two years. Of those, 21 percent foresee a significant increase (more than 20 percent of current spending) while 62 percent foresee an increase of less than 20 percent.

Meeting the coming challengesAlthough the risk management insights above point to a positive view of the importance of risk management and of its potential impact on business performance, the survey results also underscored a series of deeper concerns.

First, the types and magnitude of risks are increasing. The executives interviewed feel that companies are faced with a broader spec-trum of risks, including those related to regu-lation, reputation and crime. For example, 89 percent of respondents indicated that their company’s regulatory risk will increase in the next two years. Another area causing consid-erable concern is financial fraud and crime:

From reactive to proactiveBY SELINA HARRISON

8

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

93 percent of survey executives indicated that financial crime and fraud is more challenging to address than it was two years ago.

Second, despite major investments to im-prove risk capabilities, critical exposures persist. While companies are not shying from their risk management responsibilities – in recent years, 52 percent of respondents have invested at least $25m in such capabilities – critical exposures remain. Fifty-seven percent of executives do not measure political risks, 44 percent do not measure reputational risks and around 28 percent are not measuring ma-jor financial risks, including business, market and credit risks.

Third, organisational silos are preventing ef-fective integration of risk management struc-tures and responsibilities. Across most types of risk (including, regulatory, operational, legal, market and political) from 15 percent to 24 percent of survey respondents note that their risk management approach is not inte-grated, and that silos remain. Moreover, be-tween 40 and 50 percent of the executives sur-veyed said that management of these major risks are only ‘somewhat’ integrated.

Fourth, companies experience performance gaps between expectations for risk manage-

ment and what is achieved. Although many executives have high expectations for what their risk function should be able to accom-plish, the actual performance of the function generally does not live up to the expectation. For example, 93 percent of respondents indi-cate that the risk organisation is important as a driver for sustained future profitability, but only 76 percent say their risk organisation has achieved this goal.

Finally, cost reduction and alignment of risk management with overall business strategy are ongoing executive concerns. According to the survey findings, during the next two years, the main challenges for the risk organi-sation will be reducing costs and aligning risk with the overall business strategy. Up from 38 percent in 2009, almost half (47 percent) of executives named ‘reducing costs’ as a signif-icant challenge. Meanwhile up from 37 per-cent two years ago, 43 percent of respondents cited ‘aligning risk with the overall business strategy’ as another significant challenge.

Learning from the Risk MastersThe report identified a set of Risk Masters – about 10 percent of the companies surveyed – whose risk management capabilities are su-

perior to their peer set. By studying the ac-tions that enable Risk Masters to effectively advance their risk management capabilities, organisations can gain practical insights as they look to enhance their own risk manage-ment processes, technologies and talent, as follows.

First, involve the risk organisation in key decision-making processes. The risk man-agement organisation needs to be included in activities such as strategic planning, objective setting and incentives, financing decisions and performance management processes.

Second, integrate risk management capabili-ties across business units and organisational structures. Much higher percentages of Risk Masters excel at the integration required for effective risk management, something that requires a commitment to evolving organisa-tional capabilities over a multi-year program of change.

Finally, establish a dedicated, C-level risk executive with oversight and visibility across the business. Top performers separate them-selves from the pack by having in place a ded-icated risk executive with sufficient visibility and leverage to influence risk management capabilities across the entire organisation.

With domestic and global economic mar-kets becoming more complex, and in

light of recent events such as the Japanese Earthquake, the Middle East’s ‘Arab Spring’, and continuing concerns over cyber-crime, senior executives and boards of directors face new and unprecedented challenges. As a re-sult, says a report by the American Institute of Certified Public Accountants (AICPA), an in-creasing number of business leaders are realis-ing that traditional approaches to risk manage-ment do not suffice, and require enhancement to place them in a more-informed position to proactively manage emerging risks.

Modest maturationThe 2011 ‘Report on the Current State of Enterprise Risk Oversight’ found that while there has been a move toward more holistic approaches of enterprise risk management (ERM), and a modest maturation of processes in general, organisations continue to highlight a number of areas where risk management and strategic planning are less developed. Despite the growing trend towards adopting a broader, top-down approach to risk oversight, not all

organisations have taken steps to modify their procedures for identifying, assessing, and managing risks, and in communicating risk information to key stakeholders, both internal and external to the organisation.

The study was carried out by the Enterprise Risk Management Initiative (ERM Initiative) at North Carolina State University, in conjunc-tion with the AICPA’S Business, Industry, and Government Team. The results are based on the data collected by 455 respondents to an online survey sent to members of the AICPA’s Business and Industry group serving in ex-ecutive positions. The authors admit that the report may suffer some bias, due to the volun-tary nature of the survey. The results of those choosing to respond to the survey, it says, may differ significantly from those who chose not to. To this extent, the report’s findings may be somewhat skewed.

Key findingsOverall, the risk environment is changing, found the report. More than 55 percent of re-spondents indicated that the volume and com-plexity of risks have changed ‘extensively’ or

‘mostly’ in the last five years. The figure is down slightly from previous reports published in 2009 and 2010. However, the authors con-tend that the data show executives still face substantial risk management challenges.

Fifty-one percent of respondents said they had no enterprise-wide approach to risk over-sight, though this is a slight improvement on the 2010 study which noted 57 percent of or-ganisations had no such approach. Just over half of respondents – 52 percent – reported that they either had no structured process for identifying and reporting risk exposures to the board, and an additional 30 percent described their risk management process as informal and unstructured. In light of this data, it is unsur-prising to find that operational surprises are still a major source of risk to organisations, with one-third of respondents admitting they were caught off guard ‘extensively’ or ‘most-ly’ in the last five years. A further 32 percent stated they had been ‘moderately’ affected by operational surprises. The findings suggest weaknesses in risk identification are a cause for concern.

While a near-majority of respondents de

The current state of enterprise risk oversightBY MATT ATKINS

8

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

scribed their organisation’s risk culture as ‘strongly risk averse’ or ‘risk averse’, 48 percent described the sophistication of their risk oversight processes as ‘very immature’ or ‘developing’ and over 60 percent reported that management does not report top risk ex-posures to the board of directors on at least an annual basis. This trend was quite different for the largest organisations and public companies where 61.3 and 72.5 percent respectively pro-vide such reports. Indeed, the report found that ERM maturity is linked to the size and type of organisation. Larger organisations – those with revenues of $1bn or more – public companies, and financial services entities, were far more likely to report that they had a complete or at least partial ERM process in place.

Just under half of organisations surveyed reported that they do no formal assessments

of strategic market or industry risks, with 44 percent noting that they do not maintain risk inventories on a formal basis. This means that almost half have no processes for assessing strategic risk. In spite of this, 51 percent of the respondents indicated they believed that exist-ing risk exposures are well considered when evaluating possible strategic initiatives. With this in mind, the report asks whether some or-ganisations have too much confidence in their informal processes.

This seems fair to suggest, given the fact that the report found most organisations have not provided, or have provided only minimal, training and guidance on risk management in the past two years. Thus, assert the authors, the overall relative immaturity of ERM processes in many organisations may be due to a lack of understanding of the key components of effec-

tive enterprise-wide risk oversight.

Cause for concernWhile the report does show a modest trend towards greater enterprise-wide risk oversight between 2009 and 2011, many of the key ele-ments of effective ERM are, at best, moder-ately mature. Despite the obvious demand for more effective risk oversight that has emerged from the recent financial crisis, the level of enterprise-wide risk oversight across a great number of organisations has not increased at the rate one would expect.

The results of the survey suggest there is a strong need for a number organisations to evaluate their risk management processes. Sev-eral areas offer opportunities for improvement. Many organisations need to begin with basic risk management fundamentals and should ensure that senior management is explicitly charged with identifying and assessing key risk exposures. Only then can a disciplined, structured process that leads to consistent risk identifications and measurements be estab-lished and maintained.

Though the largest organisations, public com-panies, and financial services entities are more advanced in their risk oversight processes than the full sample of organisations, the apparent overconfidence of many certainly gives cause for concern.

Recent cyber attacks launched against large organisations such as Sony, Fox News

and eBay have demonstrated that protecting and securing data is more important now than ever before. Identifying how a data compro-mise could occur and ensuring adequate inci-dent response procedures are in place are key to reducing the risk of suffering from a data breach, as a cyber attack can have a negative impact on a company’s value, reputation and ability to generate revenue.

As sponsors of the e-Crime Report 2011, KPMG in association with the e-Crime Con-gress, surveyed over 200 senior security de-cision makers globally across all industry sectors to explore their views of the threat landscape today, how emerging technologies and business models impact the level of e-crime risk and how organisations can struc-ture a response to this threat.

Overall threat of e-crime on riseAn organisation’s cyber risk profile is no

longer determined by the potential monetary value of information to attackers. The threat landscape is made up of many malicious players with different motivations and aims. However, tactics and technical tools devel-oped by financially motivated, well organised and well financed crime syndicates are now sold or freely shared and distributed on the internet. As a result, the average level of at-tack sophistication is increasing.

When asked, in relation to the threats their department focuses on mitigating, whether the overall level of e-crime risk their organi-sation faces increased, decreased or remained the same over the last 12 months, 53 percent of respondents said this risk had increased. Just 6 percent of respondents felt risk levels had declined.

In order to reassess their potential for at-tack from hackers not motivated by personal financial gain, companies must look at factors such as the public or strategic sensitivity of information they have access to and who their

clients or partners are, to identity their vulner-ability. However, in any case of technical in-trusion, companies must improve their ability to defend against attacks that aim to disrupt operations or reduce the ability to generate revenue. Companies should ensure they can respond to a broad range of malicious activi-ties that include altering database records to compromise data integrity, making changes to the configuration of IT systems or source code, and extracting specific data such as emails, contracts, or design blueprints.

Mobile workforce/social technology threatTo reduce costs, improve collaboration and raise productivity, most organisation now have a mobile workforce who access data us-ing the internet on an “any user, any content, any location, any time” basis which, although helps the sharing of information between in-dividuals and organisations, has expanded the attack surface. When asked if they believe that mobile employees and home-workers

Managing risk in a changing business and technology environmentBY SELINA HARRISON

Many organisations need to begin with basic risk management fundamentals and should ensure that senior management is explicitly charged with identifying and assessing key risk exposures.

8

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

using the same IT hardware for business and personal use will contribute to an increase or decrease in e-crime risk for their organisation, 83 percent of respondents believed this would increase the risk.

Social media networks and applications are also a threat to business. Executives are publishing details of current activities and interests while project managers are ‘linking in’ with clients to reveal who they are work-ing with. However, as profiles amalgamate information from third party applications, cyber criminals are able to access sources that supply intelligence that can be used in spear-phishing attacks. Indeed, when asked if they believe the availability in the workplace of multi-functional internet-hosted software, such as social networking, will contribute to an increase or decrease in e-crime risk for their organisation, 83 percent of respondents felt there will be an increase in risk in this area.

When asked if they believe the use of con-sumer oriented IT hardware with internet connectivity, such as smart phones and tab-let computers for business related purposes,

will contribute to an increase or decrease in e-crime risk for their organisation, almost all respondents (92 percent) expected the threat in this area to rise.

The sensitive information flowing through wirelessly enabled portable devices makes them an obvious target for cyber criminals. Further, the technical defences of PCs, such as anti-virus software, which consume high volumes of processing power or memory, are unsuited to devices such as smartphones and tablet computers. As such, risk judgments must be made regarding the pragmatic de-ployment of personal consumer devices and a key focus for securing the mobile workforce must be whether applications are trusted, and how security is certified.

Be preparedWith mounting threats from hacktivists and organised crime syndicates, companies need to do all they can in the battle against e-crime. Although the outlook is challenging, the re-port suggests there are many things, often basic and inexpensive, that organisations can do to protect themselves and make sure they

react effectively in the event of an attack.First, creating an incident management plan

during a time of crisis is a sure-fire recipe for disaster. Companies must implement a well-documented, well-understood and embedded plan in advance, highlighting the paths of escalation and detailing the circumstances in which they need to be activated.

Second, undertake a revised risk assessment at planned intervals. This should help com-panies to identify and keep track of the infor-mation, systems, infrastructure and processes that are critical to business.

Third, consider the implementation of soft-ware version control. This is relatively easy to do for important systems where executable code is static and may be important when try-ing to identify the presence of malware.

Fourth, anti-malware defences should be multi-layered and up-to-date.

Finally, think beyond technical platforms. Companies should consider the use of open source intelligence to identify whether the business is indeed a potential target as this could provide an early warning of possible at-tacks and their likely source of origin.

Systemic liquidity risk was at the core of the recent financial crisis, according to the

authors of ‘How to Address the Systemic Part of Liquidity Risk’, a paper in the Global Fi-nancial Stability Report published by the IMF earlier in 2011. The chapter stresses that more needs to done to develop macro-prudential techniques to measure and mitigate such risks, and suggests three methods that can help to achieve this goal.

Systemic liquidity risk is the risk that mul-tiple institutions may face simultaneous dif-ficulties in rolling over short-term debt, or ob-taining short term funding due to widespread dislocations of money and capital markets. There is a widespread tendency of financial institutions to collectively under-price liquid-ity risk in good times, says the paper, because they are convinced that the central bank will almost certainly intervene to maintain the markets, and prevent the failure of financial institutions.

While Basel III goes some way to mitigating this risk, ensuring that individual banks will need to maintain higher and better-quality liq-uid assets, and to better manage their liquid-ity risk, its measures only target individual banks, stresses the paper. Therefore Basel III

liquidity rules can only play a limited role in addressing systemic risk concerns. More needs to done to develop macro-prudential techniques to measure and mitigate systemic liquidity risks.

Tackling liquidity riskThe paper’s authors suggest that a priority should be made of designing a form of as-sessment that can judge the negative affect that one institution’s liquidity risk poses to the wider financial system. A form of assessment such as this would allow financial institutions to carry more of the burden currently placed on central banks and governments. Currently, however, there is no robust methodology for measuring systemic liquidity risk, or the con-tribution to this risk of individual institutions.

The paper proposes three methods of mea-suring such risk, each of which could be used to construct a macro-prudential tool, such as capital surcharge, tax, or insurance premium with which the risk can be mitigated. Each method examines the risks across time and institutions using publicly available informa-tion, though varying in degree of complexity. Although the focus is on banks, the methods are sufficiently flexible to use for any insti-

tution which contributes to systemic liquidity risk. The tools are also complementary to the Basel III liquidity standards and would ac-complish two goals: (i) measuring the extent to which an institution contributes to systemic liquidity risk; and (ii) using this to indirectly price the liquidity assistance that an institution would receive from a central bank – proper pricing of this assistance would help lower the scale of liquidity support warranted by a cen-tral bank in times of stress.

First, the paper recommends establish-ing a market-based systemic liquidity index (SLRI), that is, a market-based index of sys-temic liquidity based on violations of com-mon arbitrage relationships. Second, the pa-per suggests a systemic risk-adjusted liquidity (SRL) model to calculate the probability of simultaneous liquidity shortfalls, and the mar-ginal contribution of a particular institution to systemic liquidity risk. This model would be based on financial balance sheets and market data. Third, a macro stress-testing (ST) model is proposed, which gauges the effects of an adverse macroeconomic or financial environ-ment on the liquidity risk of a set of institu-tions by determining how close they are to insolvency and thus an inability to fund them

Addressing the systemic part of liquidity riskBY MATT ATKINS

8

SPECIALreport

www.financierworldwide.com | October 2011 FW | REPRINT

ORGANISATION GLOSSARY

Accenture Risk Management works with clients to create and implement integrated risk management capabilities, as its consultants provide strategic consulting, outsourcing, change management and technology and systems integration services – all geared to helping clients create a growth-focused, enterprise-wide risk management capability. Accenture is a global management consulting, technology services and outsourcing company with more than 223,000 people serving clients in more than 120 countries. Its home page is www.accenture.com.

Baker & McKenzie brings to matters the instinctively global perspective and deep market knowledge and insights of more than 3750 locally admitted lawyers in 69 offices worldwide. We have a distinctive global way of thinking, working and behaving – ‘fluency’ – across borders, issues and practices. We have cultivated the culture, commercial pragmatism and technical and interpersonal skills required to deliver world-class service tailored to the preferences of world-class clients worldwide.

Steve Culp steven.r.culp@accenture.com

London +44 (0)207 844 4855

Peter Beardshaw peter.beardshaw@accenture.com

London +44 (0)207 844 7550

BDO is the world’s fifth largest accounting network. We have an excellent partner to staff ratio, with 44,000 people working with our clients and offering challenging, ethical and practical advice from 1095 offices in 110 countries. Our common methodologies and IT platform ensure effective and efficient service delivery to all our clients. We remain focused on helping our clients navigate ever-changing economic and market conditions by providing high quality advice and service to all our clients on a consistent basis.

Craig Wright craig.wright@bdo.co.uk

London +44 (0)7800 682016

selves.These methods, along with the proposed

macro-prudential tools, aim to achieve two goals: (i) measuring the extent to which an in-stitution contributes to systemic liquidity risk; and (ii) using this information to indirectly price the liquidity assistance that an institu-tion would receive from a central bank. Proper pricing would help lower the scale of support warranted by the central bank in times of stress, ensuring that systemic liquidity short-falls do not morph into large-scale solvency problems, undermining the economy.

The regulatory approach taken to address-ing systemic liquidity risk should be multi-pronged, note the paper’s authors, who do not place a particular emphasis on any one of the methods they have suggested. Rather, they stress the broader point that the introduction of their methods and tools would allow a more effective sharing of public and private bur-

dens associated with systemic liquidity risk. However, whichever method is pursued, they stress, policymakers should remain mindful of the broader context of any regulatory reforms that have been proposed. Policymakers should also be aware of how improvements in mar-ket infrastructure can help mitigate systemic liquidity risks – for instance, taxes or add-on capital surcharges to control systemic solven-cy risk among systemically important finan-cial institutions may also help lower systemic liquidity risk.

Further recommendationsAdditional recommendations of the paper in-clude: (i) measures to make funding markets work better by strengthening their infrastruc-ture – for instance by having collateral behind repurchase agreements registered in central counterparties; (ii) greater oversight and regu-lation of non-bank financial institutions that

contribute to systemic liquidity risk through the ‘shadow banking’ system; (iii) closer in-ternational coordination and greater disclo-sure of financial information on relevant fund-ing markets and the maturity of assets and liabilities, which would allow for an adequate assessment of the build-up of liquidity risks; and (iv) better evaluation of the cost effective-ness of various macro-prudential tools, which would lessen the need to rely on systemic li-quidity mitigation techniques.

Finally, concludes the paper, more needs to be done to strengthen the disclosure of de-tailed information on various liquidity risk measures. Greater transparency, the authors stress, would help the market and authorities assess the robustness of an individual insti-tution’s liquidity management practices, and potentially allow official liquidity support to be minimised, better targeted and more effec-tively provided.

Richard N. Dean richard.n.dean@bakermckenzie.com

Washington, DC +1 (202) 452 7009

8

SPECIALreport

REPRINT | FW October 2011 | www.financierworldwide.com

The National Association of Corporate Directors (NACD) is the only membership organisation delivering the information and insights that corporate board members need to confidently confront complex business challenges and enhance shareowner value. With more than 11,000 members, NACD advances exemplary board leadership. NACD is focused on creating more effective and efficient boards through director-led education and peer forums to share ideas and leading practices based on more than 30 years of primary research. To learn more about NACD, visit www.NACDonline.org.

As the preeminent organisation dedicated to advancing the practice of risk management, the Risk and Insurance Management Society, Inc. (RIMS) is a global not-for-profit organisation representing more than 3500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 10,000 risk management professionals who operate in more than 120 countries. For more information on RIMS, visit www.RIMS.org.

Solon Group, Inc. is a small firm that solves big problems, and helps management teams, corporate board of directors, and institutional investors navigate in uncertain times. Whether providing advice, developing solutions, or serving as officer or director of the company, Solon professionals take a fresh look and challenge conventional thinking, often discovering unexpected sources of value. Recent assignments include advising the creditors committee in the bankruptcy of a large US financial institution; creating a distressed residential mortgage fund of funds, and helping early stage ventures attract capital.

Weil is committed to providing sound judgment to clients on their most difficult and important matters. Recognised by clients, the media, and professional commentators as best in class, the firm’s lawyers are known for the clarity, timeliness, and effectiveness of their counsel, and as a result have become clients’ call of first resort for solutions to their toughest legal challenges. Weil’s one-firm approach ensures that it works seamlessly to handle the most complex corporate, litigation, regulatory, and restructuring challenges.

Holly Gregory holly.gregory@weil.com

New York, NY +1 (212) 310 8038

For information on how your firm can participate in a Financier Worldwide Special Report,

contact Peter Livingstone on +44 (0)845 345 0456

or by email: peter.livingstone@financierworldwide.comFWM A G A Z I N E

Scott Clark sclark@rims.org

New York, NY +1 (212) 655 6059

Deborah Hicks Midanek DHMidanek@SolonGroup.com

New York, NY +1 (917) 853 3598

Henry Stoever hstoever@nacdonline.org

Washington, DC +1 (202) 775 0509

Peter Gleason prgleason@nacdonline.org

Washington, DC +1 (202) 775 0509

Alex Lajoux alajoux@nacdonline.org

Washington, DC +1 (202) 775 0509