The age of compliance Preparing for a riskier and more regulated world. A report from the Economist Intelligence Unit
|
|
- Archibald Patrick
- 8 years ago
- Views:
Transcription
1 Preparing for a riskier and more regulated world A report from the Economist Intelligence Unit
2 Preface The age of compliance: is an Economist Intelligence Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Rob Mitchell was the author of the report and Dan Armstrong was the editor. August
3 The age of compliance: Preparing for a riskier and more regulated world Things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view. Bruce Munro, Group Chief Risk Officer, National Australia Bank 1 com/2008/11/23/ business/23citi.html?_ r=1&hp=&pagewanted=all 2 Based on testimony by Richard Bowen, a former chief underwriter at Citibank, at the Financial Crisis Inquiry Commission, April 7th, 2010: gov/hearings/ pdfs/ transcript.pdf 3 s/0/095cc462-79f5-11df feabdc0.html 2 In September 2007, senior executives at Citibank gathered at the company s New York headquarters to discuss a sudden spike in the number of mortgage defaults among sub-prime borrowers in the US. It was at this meeting that Chuck Prince, then CEO of the bank, was told for the first time that Citibank owned mortgage-related assets worth about US$43bn. 1 Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that everything was fine, but within weeks Citi nursed losses on the assets that ran into billions of dollars. The bank s risk management was shown to have severe deficiencies: accepting ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, according to subsequent congressional testimony, violating internal credit policies. 2 Within two months, Mr Prince was out of a job. Other industries, such as the energy sector, can face equally disastrous risks. At a US Congressional hearing in June 2010, Tony Hayward, CEO of BP, told members that he had no prior knowledge of the drilling of Deepwater Horizon, the Gulf of Mexico oil well that exploded in April with the loss of 11 lives and devastating environmental consequences. 3 Members criticised Mr Hayward for the evasiveness of his answers and accused him of putting profit ahead of safety. Mr Hayward stepped down as CEO in July. These two examples, while different in their origins and consequences, illustrate the challenge of managing risk and compliance across large and complex organisations. Even medium-sized companies rely on a network of suppliers and partners, and have employees, functions and divisions scattered around the world. It is therefore unsurprising that despite years of investment in risk management tools and processes, a clear view of the risks accompanying key decisions remains elusive for many senior executives. Events such as the financial crisis and the Gulf oil spill have provided fresh impetus for efforts to gain better oversight and co-ordination across risk and compliance functions. The terms enterprise risk management (ERM) and governance, risk and compliance (GRC), both in circulation for over a decade, have taken on fresh significance, and a growing number of companies are redoubling their efforts to coordinate and ideally integrate their various sources of assurance. You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view, says Bruce Munro, group chief risk officer of National Australia Bank. It s difficult to ask people in their particular areas of risk expertise to do that, so you ve got to invest in people that can do it on a full-time basis. In many companies, compliance and risk activities remain highly fragmented and scattered around the
4 The exponential growth of US financial services regulation Number of pages of legislation 2, Dodd Frank Wall Street Reform Act 2,319 pages 2,000 1,500 1, Federal Reserve Act 31 pages 1933 Glass Steagall 37 pages 1966 Interstate Banking Efficiency Act 51 pages 1999 Graham Leach Bliley 145 pages 2002 Sarbanes Oxley 66 pages 0 Source: Economist Intelligence Unit, enterprise. The professionals charged with ensuring compliance with Sarbanes-Oxley, for example, are likely to use a different framework and standards than those managing health and safety compliance. And in risk management, teams looking after the credit of customers to whom the business provides financing will be in a separate department from those that look at operational risk. Each risk and compliance activity is often built up separately, frequently in response to a major event or new compliance obligation. This fragmentation is costly because there is duplication of effort. It leads to complexity because there is no common approach. And when compliance activities are splintered, business risks inevitably grow. For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements. Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, since an ad hoc approach to compliance leads to higher levels of risk. Efforts to boost visibility into risk exposures across the enterprise, or to achieve a more holistic and consistent approach to compliance, are nothing new. Over the past decade, many executives have experienced initiatives designed to aggregate risk management across the company s divisions, functions and risk silos. Few can say with confidence that these initiatives were successful. GRC holds the promise of taking this process of integration a step further by integrating ERM and compliance activities within a broader governance framework. Dating from the Sarbanes-Oxley Act of 2002, when listed US companies faced complex and costly obligations under Section 404 of the Act, GRC emerged as a set of tools to help companies manage risk, track compliance and monitor internal controls. Since then the scope of this discipline has broadened. Although definitions vary, it now refers to 3
5 an enterprise-wide framework that companies use to manage risk and compliance within established corporate governance parameters. The point of governance and compliance is to ensure transparency, says Mr Munro. Compliance plays an important role in providing assurance for people like me and the Principal Board that we re actually doing what we say we re doing. Beginning with the high-level risk appetite, and cascading through the layers of the business, there needs to be a mechanism to ensure that when there are issues, they are discovered, escalated, dealt with and the lessons learned. 4 This paper examines how the integrated management of risk and compliance has developed among corporates in multiple countries and industries. It is based on a series of interviews with chief risk officers and other high-level risk professionals from large multinationals around the world. These interviews, conducted in June and July 2010, reveal a number of common themes. 4 The Principal Board refers to the Principal Board Audit Committee (PBAC), formed by NAB in 2003 to discuss and investigate any high risk issues raised by internal or external auditors. 4
6 Pressure builds for a consistent approach The three themes of governance, risk and compliance have been central to the management agenda for a decade. But whereas five years ago it would have been the C in GRC that was most likely to keep executives awake at night (and indeed was the impetus behind the development of GRC in the first place), in the post-crisis world it is the R that has risen to the top of the agenda. The whole environment over the past 18 months has been the facilitator of much broader thinking about risk management, says Mark Krakowiak, chief risk officer of GE, the industrials and financial services group. The reasons for this laser-like focus on risk are well understood. The financial crisis has highlighted the interdependencies between different divisions of the organisation and between the enterprise as a whole and the external environment. Under pressure from legislators and investors, boards are becoming more demanding. In one sector, financial services, regulators are stipulating that institutions form risk committees. And the role of chief risk officer, once confined to banking and insurance, has spread across the corporate world. But the management of risk however broadly it is framed is just one piece of the puzzle. Companies also face an increasingly complex and rigorous regulatory compliance burden that has become both costly and risky, should the company fail to meet its obligations. In June 2010, for example, the UK Financial Services Authority fined JP Morgan, an investment bank, 33m (US$50m) for failing to comply with a regulation requiring it to segregate client assets from its own funds, 6 while the US transport regulators fined Toyota US$16.4m in April for failing to notify them sooner about defects in its cars. 7 The whole environment over the past 18 months has been the facilitator of much broader thinking about risk management Mark Krakowiak, Chief Risk Officer, GE 5 com/s/documents/amr-grc-in pdf 6 s/0/9e66733e-6ef4-11df-a2f feabdc0.html 7 s/0/6053df1c df-94c feabdc0.html 5
7 Setting effective guidelines Interviews with risk and compliance professionals within corporations yield a consistent set of guidelines to manage this set of disciplines effectively. They are guidelines, not rules, because they require judgment and nuance in organisations already laden with policies and procedures. Buy-in requires ownership; ownership seldom results when senior management simply issues a dictum. All managers are familiar with processes which, however well intentioned originally, have become checklists devoid of meaning. As has been demonstrated over the past few years, risk and compliance are too important to suffer this fate. Commitment must come from the top Those who best understand the risks embedded in a business process are people who are closest to it: the business owners and process owners. At the same time, senior management and the board play a crucial role in raising the profile of risk management and ensuring that the organisation has a consistent methodology for dealing with it. The more involvement the board has in risk matters, the better the organisation is, says Mr Munro. If you don t have your board onside and you don t have agreement between the board and management about the appropriate level of risk-taking, then you re setting yourself up for trouble. I d much rather have an active and engaged board than not. Any investment in enterprise-wide risk and compliance framework must have absolute commitment from the top of the organisation. You need buy-in from both the senior management team and the board, says Mark Newlands, head of risk at Anglo American. They need to be convinced that what you are suggesting will add value. From the board s perspective, GRC can provide assurance that risks are being identified and that information about them is being passed to the right people at the right time. A more consistent approach to reporting also makes it easier to evaluate and compare risk exposures. What we re trying to do is present a picture to management and the audit committee of what the risk profiles for each of our businesses looks like, and what the risk profile of the group as a whole looks like, says Mr Newlands. Standardised processes are an important first step Building an enterprise-wide layer for risk and compliance on top of existing processes can seem like a daunting task. With individual sources of assurance and compliance activities run separately and rarely interfacing either personally or by means of risk systems and IT infrastructure the time and resources 6
8 necessary to achieve successful integration can be considerable. According to Mr Krakowiak, much depends on the extent to which existing risk processes have already been standardised. Nine months ago, GE took the step of creating a single framework for risk management across its entire enterprise, spanning both the financial and industrial businesses. Mr Krakowiak believes that the company s longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been. We already had a very process-oriented approach to the operational side of our business, he explains. For example, we have a standard review process for our compliance and we use standard processes for budget planning and strategy planning. So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk. For companies that do not know where to begin, a first step may be mapping to existing standards like ISO ISO (2009) provides principles and guidelines on risk management covering a wide range of business activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. Adopting a standard such as ISO helps to move companies beyond ad hoc collections of controls towards a unified framework. Balancing autonomy and control A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation. On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business. Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of new potential business opportunities. Yet at the same time, risk needs to be owned by the business, within an established framework. It s really important to have risk people close to the business so that they can help managers with a specific set of risks that need to be managed, notes Mr Munro. But you ve also got to have an enterprise-wide view. You need to walk that fine line between collaboration and independence. An important part of this balance is deciding which risks need to be defined within a centralised framework and which can be determined by the business. You need to understand the roles and responsibilities of different functions and units, says Harri Spolander, chief risk officer of Fortum, an energy company headquartered in Finland. While it is conceptually a good idea to centralise risk management and have a co-ordinated approach, you need to decide and define explicitly which risks should be managed centrally and which should be devolved to the business. If you are not clear about that, you are in a situation where no one really knows who is responsible for what. In the energy industry, for example, one might choose to centralise the management of risks associated with currencies, interest rates and commodity positions and hedge them appropriately. But while overall policies for risks such as environmental risk can be determined centrally, the management of those risks must always happen locally. Naturally compliance is an important housekeeping thing and also a best practice to certain extent but not the main driver for our risk management, says Mr Spolander. It really must be the responsibility of every operational unit because leakages, for example, do not happen in the central corporate unit, they take place in the power plant, says Mr Spolander. You need to decide and define explicitly which risks should be managed centrally and which should be devolved to the business. Harri Spolander, Chief Risk Officer, Fortum 7
9 A constant dialogue between risk functions and the businesses Frequent dialogue between risk functions and the business is essential. The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk. Getting everyone on the same page at all organisational levels about what it is we re trying to achieve, and making the accountability stick is key to both the effectiveness and efficiency of the regime, says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe. In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as a preventer of business whose role is to impose limits and controls, it needs to be perceived as an enabler that can offer valuable advice. To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives. We have consciously evolved our response from waving a red flag and walking out to waving a red flag and working with the business teams on mitigation plans, says Alexis Samuel, chief risk officer at Wipro, an Indian business process outsourcing and technology company. A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans. People are now willing to accept us as an enabling function and reach out to us, but we have to constantly reassure our teams that we are not just red flag wavers and will go beyond, roll up our sleeves and work with them to mitigate their risks, says Mr Samuel. Dialogue between the risk function and the business can also help to create a more consistent view of the risks of a particular project that is in line with the enterprise s overall risk tolerance. The intention is to make the management team collectively aware of the risks that are going to prevent them from being successful in whatever it is they are trying to achieve, says Mr Newlands. The owner of a particular project may have a view on the risks, but his or her colleagues may have a completely different view. Unless you get around a table and discuss them through a structured process, you can end up with completely divergent views. In 2006, Anglo American brought in what it calls an integrated risk management approach that was designed to improve on the previous system by being more relevant to business divisions. The key to its success, according to Mr Newlands, has been the introduction of facilitated discussions with managers in the business. Rather than having a one-size-fits-all, paper-based approach where managers filled in forms against a standard matrix, we have moved to a system that is much more aligned with their business processes, he explains. We now look at risks that are relevant to each business and prioritise them according to a matrix that is also customised to their circumstances. A more systematic understanding of the risks When risk is managed in silos, it provides a good measure of each specific area of exposure, but there is no bird s-eye view of the company s overall risk position. A silo-based approach also means that certain risks can fall between the cracks. During the financial crisis, for example, many banks lacked understanding of the risk associated with certain assets because credit risk departments thought they were market risk 8
10 Steps towards integration at Siemens The industrials group Siemens is one large multinational that has adopted an enterprise-wide approach to risk and compliance. Following a series of well-publicised compliance failures in the late 1990s and early 2000s, senior management overhauled the company s compliance processes by combining its entire assurance activities-including ethics, codes of conduct and relationships with business partners worldwide-within one function. At a global level Siemens identified that the existing risk management process was a little narrow and financially oriented, and needed to be much more forward-looking and focused on strategic and operational risk over the medium term, says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe. The new framework sees risk management, and compliance with internal controls and guidelines, as two sides of the same coin. We need to respond to the risks in our business by ensuring that we ve got sound internal controls in place, notes Mr Popplewell. Equally, things that my internal control practitioners find through our assurance programmes tell us a lot about whether our risk management processes are robust. So the two activities feed off each other. issues, and market risk departments believed they were the responsibility of credit risk managers. As a result, companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy. Companies are finally realising that there is a need to determine how an organisation can look at its risks from a holistic perspective and figure out how those can be managed and monitored, says Richard Apostolik, chief executive officer of the Global Association of Risk Managers. By aggregating risks at an enterprise level, a company has a much better understanding of potential threats that could cause serious financial or reputational damage. GE s new enterprise-wide risk approach is a good illustration. We wanted to make sure that when we looked across the entire portfolio, we understood clearly the key things that could potentially put the franchise at risk, reports Mr Krakowiak. To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives. For any large company, the list of potential threats that could have an adverse impact on the business is huge. Careful prioritisation is therefore needed to prevent management paralysis. We are trying to focus on the four or five big things that could have a systemic risk problem for the company, while continuing to ensure that businesses manage their own risks within each function, says Mr Krakowiak. A consistent approach to risk and compliance across the enterprise depends on creating a standard language around risk that can be understood by business owners across functions and locations. At GE, for example, one key challenge in creating an enterprise-wide approach was forming a bridge in understanding between the financial services and industrial businesses which inherently have very different requirements in terms of risk and compliance. What we try to do is come up with a common set of definitions and terminologies, or what we call a taxonomy, adds Mr Krakowiak. This can be used by both sides of the house. We have also tried to interconnect the risk appetite statement for the financial 9
11 services business with that over the overall company. Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly. You might find that you want to put in different limits or constraints, or adjust your capital allocation because what looks okay in one silo doesn t necessarily look the same once you aggregate it at the enterprise level, argues Mr Munro. Boards need to define what their risk culture is and... define what their organisation s risk appetite is. Richard Apostolik, Chief Executive Officer, Global Association of Risk Managers A single risk appetite may not fit the entire enterprise Although much is said about the need to build an enterprise-wide risk culture, it is down to boards and executive management to define what it is. Boards need to define what their risk culture is and from there they need to define what the organisation s risk appetite is, says Mr Apostolik. Then they have to ensure that the rest of the organisation works within the definitions that they have come up with. In general, a risk appetite should be a clear articulation, approved by the board, of the institution s risk tolerance and limits across its full range of businesses. Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners. We set a risk appetite at enterprise level, then each of the business units takes that and applies it and forms their own risk appetite based on those overall settings for their line of business, explains Mr Munro. So you start to get commonality, a common approach and a common language. Properly done, the risk appetite statement becomes a cornerstone and becomes part of the language of enterprise risk. In other industries, it may be difficult to set an overall risk appetite because individual operations or change projects vary so widely in terms of their perceived risk. Mining is a case in point: with operations in locations that are subject to widely differing levels of political and business risk, no two investments are alike. I don t think there s ever a situation where you can say that our risk appetite is X and will remain X for the rest of the year, says Mr Newlands. It s not a number. It s about taking each individual proposition for change, or each operation, and determining whether that is something that the organisation is willing to accept or not. Overcoming resistance One barrier to implementing an enterprise view is resistance from people in long-established silos. One example would be a division that has invested heavily, and successfully, in China. However, upon assuming an enterprise-wide view of its risks, the company may decide that it is over-exposed to business in China and that each division needs to cut back its investment. For divisions used to running their own P&L and managing risks within a silo, this can be a difficult decision to swallow. It can take time and effort to educate managers in the need to make sacrifices in order to gain a more balanced enterprise-wide risk exposure. Some managers may think that an enterprise approach will penalise business units viewed as deficient in terms of risk management. But as Mr Newlands explains, the goal is not to create competition. It s not a question of one business unit s performance against another, he says. What we re interested in is each unit s risk profile, what they re doing to mitigate those risks and how it all fits together at the enterprise level. 10
12 Overcoming this resistance means that outmoded perceptions of risk functions as business prevention units need to be challenged. You have to demonstrate that this is something of value, adds Mr Newlands. We have to make it clear that we are not here to stop people taking risks or to eliminate risk. We are here to make sure that managers understand what it is that they are taking on. Once managers in the business units decide on their own to make a public commitment, they will behave consistently with that commitment for as long as necessary. Coercion will not work. The key is to demonstrate how risk and compliance activities can help them to achieve their business goals. Creating a wide awareness of risk Although controls and monitoring play an important role in the risk management toolkit, this should only be seen as one small part of the role of the risk function. Rather than mandating a set of top-down rules without adequate explanation, risk professionals must work with the business in order to demonstrate both that they understand the business and that there is a rationale for the position they are taking. Thus GRC is about communication and education, not the setting of rules. It s really all about behaviour, says Mr Popplewell. We have a culture of treating risk management and internal controls as an important source of value for our business, rather than just a kind of mindless rule set. Formal reporting structures are important, particularly when a company is seeking to aggregate risk at an enterprise level, but the informal discussions about risk are the real bedrock of effective management. There s a clear and detailed structure as to how we organise things, but it s really about the conversations that happen as much as it is about what ends up in different boxes on spreadsheets, he stresses. Training and education have become an important part of the role of the risk function. Wipro, for example, runs training in general risk concepts such as business ethics for all its key managers, while specific course modules have been developed for every employee in the organisation. A communication plan around risk is set in advance and rolled out throughout the year. We publish news bulletins and risk circulars on a regular basis, says Mr Samuel. We also convert some of our risky incidents or near-misses into pamphlets that we use in training and discussion in our leadership forums. GRC is about people as well as technology Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of key risk indicators. When implemented properly, it can help companies assess the impact of a risk against a particular objective, and increase visibility into the effectiveness of compliance efforts. That said, people are just as important in the process. We don t want the risk function to become a team of data entry and monitoring personnel, says Mr Samuel. It s important to think through any technology solution and ensure that it is carefully tailored to our needs and does not just add a layer of bureaucracy. Mr Newlands agrees and sees the risk management process as primarily a process of face-toface engagement between the risk function and business units. It is a qualitative discussion with management involving people, and technology plays only a small part, he explains. We have some technology that helps us capture, store and analyse the output of our work, but what we don t do is get into a great deal of quantification. It has its place, but by far and away the most important thing 11
13 is the judgment of the people who are managing risks on a day-to-day basis. The danger I see with quantification is that the one thing you can guarantee is that you will be precisely wrong. Problems with gaining access to accurate, high-quality data also hamper the quantification and analysis process. The question of appropriate data and the analysis of that data is probably the biggest issue that companies face, says Mr Apostolik. Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking. Eli Lilly: Linking risk with strategy An enterprise-wide approach to risk and compliance brings significant benefits in terms of visibility into risk exposure and adherence, but it can be difficult to elevate the programme beyond a focus on operational processes. To date, few companies have taken the next step, which involves integrating this enterprise-wide approach with the broader strategy of the business. All too often, strategy and risk assessment are only tangentially connected chief risk officers rarely sit on executive boards and their role in terms of the broader strategic direction of the business is one of support and analysis, rather than active participation. Eli Lilly, a pharmaceuticals company has run an ERM programme since However, there was a growing sense among senior management that it was not well integrated with the overall business planning and longer-term strategy. Major strategic risks or the potential impact of major external events, such as the financial crisis were not sufficiently factored into the existing programme. When we went to the board, we found that we were talking about risk from a different perspective, says Peter Johnson, vice-president of corporate strategic planning at Eli Lilly. That s what drove us to say, Are we asking the right questions about the risks we really face and that will make us vulnerable? The treatment of strategic risk is inherently different from that of operational risk, and requires a different framework for identification, assessment and mitigation. With operational risk, you can usually quantify it, says Mr Johnson. You may run it 7,000 times and get five errors. Strategic risk doesn t work like that. There are some things you can prevent and want to prevent, there are others you can only react to, and there are some that you can prepare for and hope they don t happen. We re trying to look at all these different situations as part of our management of these risks. This more thorough risk identification process particularly in a company as large and complex as Eli Lilly requires careful prioritisation to ensure that the right issues are being examined. It s very clear that you can easily get bogged down in identifying so many different risks and developing action plans that you don t actually accomplish anything, says Anne Nobles, chief ethics and compliance officer and senior vice-president for enterprise risk management at Eli Lilly. I think the biggest challenge is going to be to really refine the list and focus attention on areas where we need thinking and planning in order to prepare the company. The integration of ERM and the strategy process at Eli Lilly leads to a different mode of thinking about the overall role of risk management at the company. Strategy processes tend to be opportunity-oriented and risk management ones tend to be fearbased, says Mr Johnson. But what we re trying to say is that they re two sides of the same coin. Once you ve made your decisions from an opportunity perspective, you can begin to ask What could go wrong with those decisions and how do we manage that? As with any major change project, there is a risk associated with this transition that it fails to achieve its overall objective to change people s behaviour. There s a danger that it can become all about the process rather than the outcome, says Ms Nobles. If corporate staff ends up owning this rather than the business managers themselves, then we will not have been successful. Equally, the identification and assessment of strategic risk should not lead to a kind of paralysis. You can t remove all risk, says Mr Johnson. If that s the objective, we shouldn t be in business because we take on a massive amount of risk every day here. The question is, are we competent to do it and are we doing it in an effective way. 12
14 Conclusion The concept of an integrated approach to risk and compliance is not new, but the financial crisis and major risk events have placed fresh impetus behind it. More than ever, boards and senior management want to understand overall risk exposures, and be provided with clear, consistent information in a timely manner. With corporate governance legislation increasingly stressing the importance of personal liability and accountability for executives and non-executives, companies cannot afford to be in the dark about their risk position. As with any three-letter business acronym, GRC can elicit scepticism from the business community. Many companies have attempted to implement an enterprise-wide view of risk and compliance, but have been frustrated by political resistance, a lack of board-level support or inadequate technology and infrastructure. Although these problems have not gone away, companies would be wrong to give up hope of achieving a more holistic picture of their risk. No major change management programme is ever easy, but with the right board-level commitment, tools and processes, integrating the management of risk and compliance across the organisation is achievable, and the potential benefits difficult to dispute. Visibility into decisions taken across the enterprise will help to preserve a company s reputation, while a more efficient approach to managing risk and compliance will help to reduce duplication of effort and streamline business processes. And for senior executives who carry responsibility for corporate activities, there will be the potential for more thorough knowledge about their business and, hopefully, a less stressful work environment. 13
15 Design: Cover: Getty Images Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein.
16 LONDON 26 Red Lion Square London WC1R 4HQ United Kingdom Tel: (44.20) Fax: (44.20) NEW YORK 750 Third Avenue 5th Floor New York, NY United States Tel: (1.212) Fax: (1.212) HONG KONG 6001, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel: (852) Fax: (852) GENEVA Boulevard des Tranchées Geneva Switzerland Tel: (41) Fax: (41)
A report from the Economist Intelligence Unit. Retail banks and big data: Risk and compliance executives weigh in
A report from the Economist Intelligence Unit Retail banks and big data: Risk and compliance executives weigh in A recent Economist Intelligence Unit survey of bank risk management executives yielded a
More informationOWN RISK AND SOLVENCY ASSESSMENT AND ENTERPRISE RISK MANAGEMENT
OWN RISK AND SOLVENCY ASSESSMENT AND ENTERPRISE RISK MANAGEMENT ERM as the foundation for regulatory compliance and strategic business decision making CONTENTS Introduction... 3 Steps to developing an
More informationUniversity of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No. 2008-19 June 2007
University of St. Gallen Law School Law and Economics Research Paper Series Working Paper No. 2008-19 June 2007 Enterprise Risk Management A View from the Insurance Industry Wolfgang Errath and Andreas
More informationIn search of insight and foresight
A report from the Economist Intelligence Unit In search of insight and foresight Making the most of big data C-suite perspectives: Mind the data-strategy gap Sponsored by Intel, the Intel logo, Xeon, and
More informationIntegrated Risk Management:
Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)
More informationHow To Manage An Itil Service Manager
Newcastle University IT Service Sharon Mossman AXELOS.com Case Study February 2015 Contents Introduction 3 Adopting ITIL 4 ITIL s Continuing Use 7 What are your recommended Best Practices? 8 About AXELOS
More informationA report from the Economist Intelligence Unit. Views from the C-suite Who s big on BIG DATA? Sponsored by
A report from the Economist Intelligence Unit Views from the C-suite Who s big on BIG DATA? Sponsored by Executive summary The way that big data pervades most organisations today creates a dynamic environment
More informationA report from the Economist Intelligence Unit. Driving a data-centric culture: A BOTTOM-UP OPPORTUNITY. Sponsored by
A report from the Economist Intelligence Unit Driving a data-centric culture: A BOTTOM-UP OPPORTUNITY Sponsored by Driving a data-centric culture: a bottom-up opportunity Big data has captured the attention
More informationTHE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK
THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationAfter the big bang. How retailers can harness the big data explosion. A report from the Economist Intelligence Unit. Sponsored by
After the big bang How retailers can harness the big data explosion A report from the Economist Intelligence Unit Sponsored by After the big bang: How retailers can harness the big data explosion Savvy
More informationKeeping risk in check
Keeping risk in check How BlackRock helps institutional investors to manage risk by Doug Bartholomew Ed Fishwick is co head of the Risk and Quantitative Analysis (RQA) Group. BlackRock is well known for
More informationCapital Adequacy: Advanced Measurement Approaches to Operational Risk
Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk Objective and key requirements of this Prudential Standard This Prudential Standard sets out the requirements
More informationGUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
More informationStrengthening governance, risk and compliance in the insurance industry. An Economist Intelligence Unit report Sponsored by SAP
Strengthening governance, risk and An Economist Intelligence Unit report Sponsored by SAP Economist Intelligence Unit Limited 009 Strengthening governance, risk and Preface Strengthening governance, risk
More informationPrinciples for An. Effective Risk Appetite Framework
Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective
More informationRemarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the
Remarks by Carolyn G. DuChene Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar Washington, D.C. October 22, 2012 Good afternoon,
More informationEffective risk management
Effective risk management Our holistic and disciplined risk management program is designed to mitigate risks at all levels of our business in order to protect our clients interests. 2 Vanguard > Effective
More informationLessons learned from creating a change management framework
Lessons learned from creating a change management framework Author Melanie Franklin Director Agile Change Management Limited Contents Introduction 3 What is a Change Management Framework? 3 Why is it called
More informationTake the right steps 9 principles for building the Risk Intelligent Enterprise
Take the right steps 9 principles for building the Risk Intelligent Enterprise Contents 9 principles for building a Risk Intelligent Enterprise 2 The Risk Intelligent Framework 4 1. Is risk a threat or
More informationOperational Risk Management in a Debt Management Office
Operational Risk Management in a Debt Management Office Based on Client Presentation January 2008 Outline The importance of operational risk management (ORM) International best practice A high-level perspective,
More informationEffective Internal Audit in the Financial Services Sector
Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors
More informationENTERPRISE RISK MANAGEMENT FRAMEWORK
ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...
More informationMANAGING DIGITAL CONTINUITY
MANAGING DIGITAL CONTINUITY Project Name Digital Continuity Project DRAFT FOR CONSULTATION Date: November 2009 Page 1 of 56 Contents Introduction... 4 What is this Guidance about?... 4 Who is this guidance
More informationMaking the business case for C4RISK databasebased Operational Risk Management software
Making the business case for C4RISK databasebased Operational Risk Management A robust Risk Management and Control process is an integral part of the business infrastructure to enable the Board to create
More informationOPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.
OPTIMUS SBR CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE. Optimizing Results with Business Intelligence Governance This paper investigates the importance of establishing a robust Business Intelligence (BI)
More informationENTERPRISE RISK MANAGEMENT POLICY
ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving
More informationbuilding a business case for governance, risk and compliance
building a business case for governance, risk and compliance contents introduction...3 assurance: THe last major business function To be integrated...3 current state of grc: THe challenges... 4 building
More informationIFAD Policy on Enterprise Risk Management
Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008
More informationEnterprise Risk Management
Enterprise Risk Management Topic Gateway Series No. 49 1 Prepared by Jasmin Harvey and Technical Information Service July 2008 About Topic Gateways Topic Gateways are intended as a refresher or introduction
More informationZurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate
Zurich s approach to Enterprise Risk Management John Scott Chief Risk Officer Zurich Global Corporate Agenda 1. The risks we face 2. Strategy risk and risk tolerance 3. Zurich s ERM framework 4. Capital
More informationStrategic Executive Coaching: An Integrated Approach to Executive Development
Strategic Executive Coaching: An Integrated Approach to Executive Development A new concept in executive coaching is leading companies to fully utilize the talent they have to drive organizational strategy
More informationDRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS
DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position
More informationManagement magnified Sustainability and corporate growth. A report from the Economist Intelligence Unit Sponsored by SAS
A report from the Economist Intelligence Unit Sponsored by SAS Preface Management magnified: is the third in a series of three reports written by the Economist Intelligence Unit and sponsored by SAS. The
More informationAvondale College Limited Enterprise Risk Management Framework 2014 2017
Avondale College Limited Enterprise Risk Management Framework 2014 2017 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it.
More informationBoard of Directors Meeting 12/04/2010. Operational Risk Management Charter
Board of Directors Meeting 12/04/2010 Document approved Operational Risk Management Charter Table of contents A. INTRODUCTION...3 I. Background...3 II. Purpose and Scope...3 III. Definitions...3 B. GOVERNANCE...4
More informationProject Governance a board responsibility. Corporate Governance Network
Project Governance a board responsibility Corporate Governance Network November 2015 1 Contents Page Introduction 3 Board responsibilities 3 What is project governance? 4 The boards duties in respect of
More informationBlending Corporate Governance with. Information Security
Blending Corporate Governance with Information Security WHAT IS CORPORATE GOVERNANCE? Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure the power
More informationNOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE
STAATSKOERANT, 19 DESEMBER 2014 No. 38357 3 BOARD NOTICE NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE LONG-TERM INSURANCE ACT, 1998 (ACT NO. 52
More informationConfident in our Future, Risk Management Policy Statement and Strategy
Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents
More informationThird Party Supplier Security
Third Party Supplier Security Managing risk and compliance through external due diligence audits. Presented by: Stephen Higgins 6 th December 2012 To cover When third party supplier security goes wrong...
More informationDeriving Value from ORSA. Board Perspective
Deriving Value from ORSA Board Perspective April 2015 1 This paper has been produced by the Joint Own Risk Solvency Assessment (ORSA) Subcommittee of the Insurance Regulation Committee and the Enterprise
More informationDocument management concerns the whole board. Implementing document management - recommended practices and lessons learned
Document management concerns the whole board Implementing document management - recommended practices and lessons learned Contents Introduction 03 Introducing a document management solution 04 where one
More informationUnderstanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher
Understanding Enterprise Risk Management Presented by Dorothy Gjerdrum Arthur J Gallagher Learning Objectives Understand the components of a wellrun ERM program Review scope and process Explore the role
More informationThe Board Agenda - What boards should be discussing. Corporate Governance Network
The Board Agenda - What boards should be discussing Corporate Governance Network Position Paper 3 - February 2011 CONTENTS Introduction Linking the role of the board to the board agenda The board charter
More informationAn report by the Economist Intelligence Unit. Competing smarter with advanced data analytics. Sponsored by
An report by the Economist Intelligence Unit Competing smarter with advanced data analytics Sponsored by Contents Introduction 2 1 2 3 4 5 6 Companies take to the offense with data analytics 4 Focusing
More informationBusiness Process Outsourcing: Understanding the Critical Role of IT
: Understanding the Critical Role of IT An Economist Intelligence Unit report sponsored by SAP Preface Business process outsourcing: Understanding the critical role of IT is an Economist Intelligence
More informationTHE GOVERNANCE OF RISK MANAGEMENT. Session 5
THE GOVERNANCE OF RISK MANAGEMENT Session 5 Polling Question: Who is primarily responsible for risk governance in any organization? 0% A. The board or board risk committee (if applicable) B. The CRO 0%
More informationGuidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.
Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance
More informationUniversity of New England Compliance Management Framework and Procedures
University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system
More informationCapital Requirements Directive Pillar 3 Disclosure. December 2015
Capital Requirements Directive Pillar 3 Disclosure December 2015 1. Background The purpose of this document is to outline the Pillar 3 disclosures for BlueBay Asset Management LLP ( BlueBay ). BlueBay
More informationBeyond risk identification Evolving provider ERM programs
Beyond risk identification Evolving provider ERM programs March 2016 At a glance PwC conducted research to assess the state of enterprise risk management (ERM) within healthcare providers and found many
More informationManaging risk in a new world. Navigating the five major hurdles for hedge funds
Managing risk in a new world Navigating the five major hurdles for hedge funds 2 Managing Risk in a New World Risks Hedge funds are responding to new regulatory reporting requirements and investor demand
More informationRisk Management. Group Standard
Group Standard Risk Management Effective risk management allows Serco to improve customer service, maximize opportunities and reduce business loss from overruns and cost from risks that materialise SMS
More informationMODULE 10 CHANGE MANAGEMENT AND COMMUNICATION
MODULE 10 CHANGE MANAGEMENT AND COMMUNICATION PART OF A MODULAR TRAINING RESOURCE Commonwealth of Australia 2015. With the exception of the Commonwealth Coat of Arms and where otherwise noted all material
More informationMANAGING LEGAL RISK IN AN INTEGRATED GRC FRAMEWORK A BRIEFING PAPER. www.claytonutz.com
MANAGING LEGAL RISK IN AN INTEGRATED GRC FRAMEWORK A BRIEFING PAPER www.claytonutz.com BACKGROUND Organisations are finding that their stakeholders (particularly Boards) are seeking greater assurance of
More informationEnterprise Risk Management
Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's
More informationEnterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management
Enterprise Risk Management Framework 2012 2016 Strengthening our commitment to risk management Contents Director-General s message... 3 Introduction... 4 Purpose... 4 What is risk management?... 4 Benefits
More informationRelationship Manager (Banking) Assessment Plan
1. Introduction and Overview Relationship Manager (Banking) Assessment Plan The Relationship Manager (Banking) is an apprenticeship that takes 3-4 years to complete and is at a Level 6. It forms a key
More informationInsurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive
Insurance Guidance Note No. 14 Transition to Governance Requirements established under the Solvency II Directive Date of Paper : 31 December 2013 Version Number : V1.00 Table of Contents General governance
More informationUnderstanding and articulating risk appetite
Understanding and articulating risk appetite advisory Understanding and articulating risk appetite Understanding and articulating risk appetite When risk appetite is properly understood and clearly defined,
More informationChapter 1 Developing a healthy appetite for risk [DTI] 3. Chapter 2 Getting the best bang per buck [DEFRA] 5
CONTENTS Page Chapter 1 Developing a healthy appetite for risk [DTI] 3 Chapter 2 Getting the best bang per buck [DEFRA] 5 Chapter 3 Getting your house in order [Companies House] 9 Thinking About Risk -
More informationTapping the benefits of business analytics and optimization
IBM Sales and Distribution Chemicals and Petroleum White Paper Tapping the benefits of business analytics and optimization A rich source of intelligence for the chemicals and petroleum industries 2 Tapping
More informationDiscretionary Wealth Management
Discretionary Wealth Management Specialist, Focused, Committed Using experience and expertise to invest for your future Contents 1 The practical importance of wisdom 2 Introduction to Discretionary Wealth
More informationFive steps to Enterprise Risk Management
risk decisions 2011 Five steps to Enterprise Risk Management by Val Jonas CEO Risk Decisions Group www.riskdecisions.com management solutions Val Jonas: Five steps to Enterprise Risk Management Five steps
More informationSarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:
Beyond Sarbanes-Oxley: Using compliance requirements to boost business performance The business regulatory environment in the United States has changed. Public companies have new obligations to report
More informationwww.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
More informationtreasury risk management
Governance, Concise guide Risk to and Compliance treasury risk management KPMG is a leading provider of professional services including audit, tax and advisory. KPMG in Australia has over 5000 partners
More informationThe Asset Management Landscape
The Asset Management Landscape ISBN 978-0-9871799-1-3 Issued November 2011 www.gfmam.org The Asset Management Landscape www.gfmam.org ISBN 978-0-9871799-1-3 Published November 2011 This version replaces
More informationCompliance. Group Standard
Group Standard Compliance Serco is committed to good governance practices and the management of risks supported by a robust business compliance process SMS-GS-G2 Compliance July 2014 v1.0 Serco Public
More informationBreaking Down the Insurance Silos
Breaking Down the Insurance Silos Improving Performance through Increased Collaboration Insurers that cannot model business scenarios quickly and accurately to allow them to plan effectively for the future
More informationBuilding a framework for operational risk management: the FSA s observations
Policy Statement Financial Services Authority Building a framework for operational risk management: the FSA s observations Feedback on industry practice as we prepare to implement CP142 July 2003 Contents
More informationChange Management Office Benefits and Structure
Change Management Office Benefits and Structure Author Melanie Franklin Director Agile Change Management Limited Contents Introduction 3 The Purpose of a Change Management Office 3 The Authority of a Change
More informationScenario Analysis Principles and Practices in the Insurance Industry
North American CRO Council Scenario Analysis Principles and Practices in the Insurance Industry 2013 North American CRO Council Incorporated chairperson@crocouncil.org December 2013 Acknowledgement The
More informationThe Upside of Risk: Enterprise Risk Management and Public Real Estate Companies
The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp. Introduction: As lawyers, particularly real estate
More informationRegulation and Risk as Data Management Drivers
Regulation and Risk as Data Management Drivers September 2014 Sponsored by: Legal Entity Identifiers Editor Andrew P. Delaney andrew@a-teamgroup.com Managing Editor Sarah Underwood sarah.underwood@a-teamgroup.com
More informationGUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES
20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal
More informationA Risk Management Standard
A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management
More informationGFMAM Competency Specification for an ISO 55001 Asset Management System Auditor/Assessor First Edition, Version 2
GFMAM Competency Specification for an ISO 55001 Asset Management System Auditor/Assessor First Edition, Version 2 English Version PDF format only ISBN 978-0-9871799-5-1 Published April 2014 www.gfmam.org
More informationERM and GRC Fundamentals. Risk Management Definitions & Guiding Principles. Module 1
ERM and GRC Fundamentals Risk Management Definitions & Guiding Principles Module 1 Agenda Introduction: Purpose and Goal of the Training (5 min.) Section 1: ERM / GRC Terms & Concepts (15 min.) Section
More informationProject Risk Analysis toolkit
Risk Analysis toolkit MMU has a corporate Risk Management framework that describes the standard for risk management within the university. However projects are different from business as usual activities,
More informationAn Effective Approach to Transition from Risk Assessment to Enterprise Risk Management
Bridgework: An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management @Copyright Cura Software. All rights reserved. No part of this document may be transmitted or copied without
More informationMiddlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager
Middlesbrough Manager Competency Framework + = Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework Background Middlesbrough Council is going through significant
More informationManaging the challenge of product proliferation. A survey by the Economist Intelligence Unit sponsored by the George Group
Managing the challenge of product proliferation A survey by the Economist Intelligence Unit sponsored by the George Group Preface Managing the challenge of product proliferation is a survey and executive
More informationRisk & Assurance. Tailored to your needs. Internal audit solutions
Risk & Assurance Tailored to your needs Internal audit solutions Internal audit solutions The need for internal audit has never been as urgent as it is today. Unmanaged risks can literally cause the demise
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationTHE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT
THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT Let me begin by thanking Baruch College for giving me the opportunity to present this year s prestigious Emanuel Saxe Lecture in Accounting.
More informationInternal Auditing: Assurance, Insight, and Objectivity
Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationRISK MANAGEMENt AND INtERNAL CONtROL
RISK MANAGEMENt AND INtERNAL CONtROL Overview 02-09 Internal control the Board meets regularly throughout the year and has adopted a schedule of matters which are required to be brought to it for decision.
More informationEnterprise Risk Management: From Theory to Practice
INSURANCE Enterprise Risk Management: From Theory to Practice KPMG LLP Executive Summary Enterprise Risk Management (ERM) is a structured and disciplined business tool aligning strategy, processes, people,
More informationSector Development Ageing, Disability and Home Care Department of Family and Community Services (02) 8270 2218
Copyright in the material is owned by the State of New South Wales. Apart from any use as permitted under the Copyright Act 1968 and/or as explicitly permitted below, all other rights are reserved. You
More informationACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES
THOMSON REUTERS ACCELUS ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES PROACTIVE. CONNECTED. INFORMED. THOMSON REUTERS ACCELUS Compliance management Solutions Introduction The advent of new and pending
More informationSmart Security. Smart Compliance.
Smart Security. Smart Compliance. SRM are dedicated to helping our clients stay safe in the information environment. With a wide range of knowledge and practical experience, our consultants are ready to
More informationThe promise and pitfalls of cyber insurance January 2016
www.pwc.com/us/insurance The promise and pitfalls of cyber insurance January 2016 2 top issues The promise and pitfalls of cyber insurance Cyber insurance is a potentially huge but still largely untapped
More informationHow to gather and evaluate information
09 May 2016 How to gather and evaluate information Chartered Institute of Internal Auditors Information is central to the role of an internal auditor. Gathering and evaluating information is the basic
More informationMuch attention has been focused recently on enterprise risk management (ERM),
By S. Michael McLaughlin and Karen DeToro Much attention has been focused recently on enterprise risk management (ERM), not just in the insurance industry but in other industries as well. Across all industries,
More informationData Quality and the Importance of Trust
Informatiemanagement: A HOT POTATO IN THE HANDS OF FINANCIAL INSTITUTIONS: DATA QUALITY Poor quality of data is still causing headaches to fi nancial institutions. In an environment of ever-growing regulations,
More informationTransforming risk management into a competitive advantage kpmg.com
INSURANCE RISK MANAGEMENT ADVISORY SOLUTIONS Transforming risk management into a competitive advantage kpmg.com 2 Transforming risk management into a competitive advantage Assessing risk. Building value.
More informationStrengthening governance, risk and compliance in the banking industry. An Economist Intelligence Unit white paper Sponsored by SAP
Strengthening governance, risk and compliance An Economist Intelligence Unit white paper Sponsored by SAP Economist Intelligence Unit Limited 009 Strengthening governance, risk and compliance Preface Strengthening
More information