controls - Blog - Global Risk Community2024-03-29T01:37:15Zhttps://globalriskcommunity.com/profiles/blogs/feed/tag/controlsLeveraging Leadership: The Fourfold Path to Business Controlhttps://globalriskcommunity.com/profiles/blogs/leveraging-leadership-the-fourfold-path-to-business-control2023-12-29T13:49:30.000Z2023-12-29T13:49:30.000ZMark Bridgeshttps://globalriskcommunity.com/members/MarkBridges<div><p><a href="{{#staticFileLink}}12342211298,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12342211298,RESIZE_710x{{/staticFileLink}}" width="710" alt="12342211298?profile=RESIZE_710x" /></a></p><p>Ensuring that organizations are protected from breaches in control that may result from an empowered and innovative workforce has always been a top priority for executives.</p><p>In these dynamic times, effective employee management necessitates the application of resourcefulness and adaptability. Organizations that function within highly competitive industries and cater to a diverse clientele heavily depend on the resourcefulness and originality of their personnel to seize competitive advantage and exceed customer needs.</p><p>Due to the challenges inherent in maintaining control, organizations are exposed to an inordinate amount of risk or reputation-damaging behavior. Organizations suffer substantial financial losses as a result of control failures, which include reputational damage, financial penalties, operational setbacks, and lost business opportunities. 
An infringement of control may result in adverse consequences for an organization, including damage to its data assets, operations, audit outcomes, <a href="https://flevy.com/browse/flevypro/post-merger-integration-pmi-revenue-synergies-3953">revenue</a>, and <a href="https://flevy.com/browse/flevypro/profitability-and-cost-structure-analysis-internal-data-analysis-frameworks-1704">profitability</a>.</p><p>In competitive markets, control cannot be achieved through the mere employment of competent individuals, alignment of incentives, and chance. A limited number of organizations elect to implement inflexible bureaucratic systems as a means of preserving control through the regulation of task execution and continuous monitoring to avert unfavorable occurrences. While this approach may seem outdated to contemporary businesses, it remains effective in situations such as assembly lines.</p><p>The Levers of Control framework was introduced by Harvard professor Robert Simons in 1995 as a method to attain an organizational equilibrium between <a href="https://flevy.com/browse/flevypro/10-principles-of-managing-strategy-through-execution-2975">control and management</a>. The Levers of Control paradigm recognizes that setting ambitious targets is insufficient to achieve the objectives of an organization. It involves directing the behavior of both individuals and groups within the organization to ensure that they work in unison to achieve the specified goals.</p><p>Equilibrium within an organization is determined by elements such as codes of conduct, structures, procedures, and well-defined boundaries—often enforced via penalties and restrictions—according to the Levers of Control model. 
Achieving an optimal equilibrium among these variables and navigating the inherent divergences between control and autonomy, trial and error, and top-down versus bottom-up management are the pillars upon which the Levers of Control model is built.</p><p>The framework is composed of 4 interdependent levers that can be employed in tandem:</p><ol><li><strong>Belief Systems</strong></li><li><strong>Boundary Systems</strong></li><li><strong>Diagnostic Control Systems</strong></li><li><strong>Interactive Control Systems</strong></li></ol><p> <a href="{{#staticFileLink}}12342212467,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12342212467,RESIZE_710x{{/staticFileLink}}" width="710" alt="12342212467?profile=RESIZE_710x" /></a></p><p>Let us now proceed with a more in-depth analysis of the first two levers of the model.</p><p><strong>Belief Systems</strong></p><p>Belief systems function as a mechanism for communicating the <a href="https://flevy.com/browse/marketplace/vision-mission-and-values-5926">core values, objectives, and mission of the organization</a>, thus providing guidance and motivation to staff members. By encouraging people to improve their customer service through the inculcation of positive values, conduct, performance, and a feeling of inclusion, this lever ensures the fulfillment of the organization's objectives.</p><p>In the absence of a clearly defined Belief System, employees are forced to depend on conjecture regarding the organization's intended behaviors and objectives. The obligations of the organization with respect to its clients, staff, community, and other stakeholders are outlined in the Belief Systems. 
This lever is particularly efficacious for enterprises that are undergoing <a href="https://flevy.com/browse/flevypro/transformation-journey-3186">Transformation</a> and for organizations seeking to cultivate resilient cultures while harmonizing varied behaviors with fundamental values.</p><p><strong>Boundary Systems </strong></p><p>Without stifling individuals' capacity for innovation or entrepreneurship, this control mechanism permits the development of policies and standards that tell individuals which behavior is unacceptable. Boundary systems implement regulations, <a href="https://flevy.com/browse/marketplace/code-of-conduct-policy-and-procedure-1394">codes of conduct</a>, and premeditated strategic boundaries to delineate acceptable and unacceptable employee conduct, thereby establishing governing parameters.</p><p>These boundaries clearly define the irreversible consequences of violating ethical principles and the potential outcomes that should be avoided. Boundary systems are preferred by risk-averse organizations, industries subject to stringent regulations, or <a href="https://flevy.com/browse/flevypro/strategic-restructuring-critical-success-factors-5389">those aiming to restructure</a> or modify processes where operational efficiency and the minimization of error and waste are of the utmost importance.</p><p>Interested in learning more about the other levers of the Levers of Control framework? You can download <a href="https://flevy.com/browse/flevypro/5-stages-of-management-evolution-6689">an editable PowerPoint presentation on the <strong>Levers of Control Framework</strong> here </a>on the <a href="https://flevy.com/browse">Flevy documents marketplace</a>.</p><p><strong>Do You Find Value in This Framework?</strong></p><p>You can download in-depth presentations on this and hundreds of similar business frameworks from the <a href="https://flevy.com/pro/library">FlevyPro Library</a>. 
<a href="https://flevy.com/pro">FlevyPro</a> is trusted and utilized by 1000s of management consultants and corporate executives.</p><p>For even more best practices available on Flevy, have a look at our top 100 lists:</p><ul><li><a href="https://flevy.com/top-100/strategy">Top 100 in Strategy & Transformation</a></li><li><a href="https://flevy.com/top-100/organization">Top 100 in Organization & Change</a></li><li><a href="https://flevy.com/top-100/consulting">Top 100 Consulting Frameworks</a></li><li><a href="https://flevy.com/top-100/digital">Top 100 in Digital Transformation</a></li><li><a href="https://flevy.com/top-100/opex">Top 100 in Operational Excellence</a></li></ul></div>GRC 6.0 - Discover the Future of GRC – Sign up for our webinar!https://globalriskcommunity.com/profiles/blogs/evolution-of-controls-into-business-management-and-processes-sign2023-08-09T06:20:00.000Z2023-08-09T06:20:00.000ZGlobalRiskCommunityhttps://globalriskcommunity.com/members/GlobalRiskCommunity<div><p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;">Hi Global Risk Community member, </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;">What does Governance, Risk Management and Compliance management look like across your business? Organizations will often approach GRC as a compliance band-aid rather than truly integrating it into their business. The lack of internal control management opens the door to heightened risk exposure. </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;">Join Fastpath host, Frank Vukovits, Principal Evangelist, and guest Michael Rasmussen, GRC Analyst and Pundit at GRC 20/20 Research for an upcoming Fastpath webinar: </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;"><strong>GRC 6.0 - Discover the Future of GRC</strong> </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;"><strong>Tuesday, August 29, 2023 – 1:00 PM EST </strong> </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;"><a href="https://www.gofastpath.com/webinar-grc-6-0?utm_campaign=CA-FP-Webinar-GRC%206.0%20%E2%80%93%20Evolution%20of%20Controls%20into%20Business%20Management%20and%20Processes-19-August-2023&utm_source=email&utm_medium=email&utm_term=GRC-Email8&utm_content=GRC-Email8-Webinar-GRC%206.0%20%E2%80%93%20EvolutionofControlsintoBusinessManagementandProcesses-August-2023" target="_blank">Register Now</a> </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;">Learn more about GRC 6.0 and how best to integrate business management, processes, and internal control into your GRC initiatives. </span></span></p>
<p><span style="font-family:verdana, geneva, sans-serif;"><span style="font-size:14px;">Stay up to date on the latest identity, security, and access controls by signing up to the Fastpath knowledge center <a href="https://www.gofastpath.com/fastpath-learning-center-resources?utm_campaign=CA-Website-Sign-up-Learning-Center-Resources-2023&utm_source=email&utm_medium=email&utm_content=GRCemailknowledgecenter2023" target="_blank">here</a>.</span></span></p></div>Security Reference Model (SRM) of the Federal Enterprise Architecture Framework (FEAF)https://globalriskcommunity.com/profiles/blogs/security-reference-model-srm-of-the-federal-enterprise-architectu2021-09-07T11:39:11.000Z2021-09-07T11:39:11.000ZMark Bridgeshttps://globalriskcommunity.com/members/MarkBridges<div><p><span style="font-size:12pt;"><a href="{{#staticFileLink}}9542439669,original{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}9542439669,RESIZE_400x{{/staticFileLink}}" alt="9542439669?profile=RESIZE_400x" width="250" /></a><a href="https://flevy.com/business-toolkit/enterprise-architecture">Enterprise Architecture (EA)</a> denotes the management best practice of aligning business and technology resources to realize strategic results, improve Organizational Performance, and steer departments to achieve their core missions more successfully and attain Operational Excellence.</span></p><p><span style="font-size:12pt;">The Federal Enterprise Architecture Framework (FEAF) helps any agency of the Federal government achieve this through documentation and information that conveys a summarized view of an enterprise at various tiers of scope and detail.</span></p><p><span style="font-size:12pt;">The FEAF comprises 6 interconnected Reference Models, including the Security Reference Model (SRM), linked through the Consolidated Reference Model (CRM), each relating to a sub-architectural domain of the FEA framework.</span></p><p><span style="font-size:12pt;">Security is a pervasive concern 
that cuts across all layers of the organization. A security effect at any level has an impact on each successive level, both above and below. The appropriate place for developing and charting security standards, policies, and norms is Enterprise Architecture Governance, since it is the enforcement point for IT investments.</span></p><p><span style="font-size:12pt;">The Security Reference Model (SRM) is a framework for maturing a security architecture built on Information Security and privacy standards. The SRM is omnipresent, entwining itself through all of the sub-architectures of the all-encompassing EA and across all the other reference models.</span></p><p><span style="font-size:12pt;">Enterprise and solution architects have to remain aware of all technology, business, performance, and security drivers so as to suitably steer IT Strategy, design Information Technology systems, and choose appropriate technology that fits their needs. The SRM gives architects at all levels direction in understanding when and where those needs can be consolidated.</span></p><p><span style="font-size:12pt;">The SRM facilitates forming a consistent security architecture in 3 key areas:</span></p><ol><li><span style="font-size:12pt;"><strong>Purpose</strong></span></li><li><span style="font-size:12pt;"><strong>Risk</strong></span></li><li><span style="font-size:12pt;"><strong>Controls</strong></span></li></ol><p><span style="font-size:12pt;"><a href="https://flevy.com/browse/flevypro/feaf-security-reference-model-srm-5837"><img class="aligncenter size-full wp-image-9613" src="https://flevy.com/blog/wp-content/uploads/2021/09/Slide-Deck-image-FEAF-SRM.png" alt="" width="693" height="520" /></a></span></p><p><span style="font-size:12pt;">All the layers of the SRM are vital for the security posture and wellbeing of an entire agency and/or system. 
The highest levels of Federal architecture transform federal laws, regulations, and publications into specific policies.</span></p><p><span style="font-size:12pt;">The main principle of the SRM, at the enterprise layer, is to utilize the standards in place throughout the Federal or national IT security landscape to define policy for a particular enterprise or agency.</span></p><p><span style="font-size:12pt;">The segment level transforms department-specific policies into security controls and measurements. Policies set in place at the enterprise layer are used by the SRM to categorize controls for a certain agency or segment.</span></p><p><span style="font-size:12pt;">The SRM utilizes controls set at the segment layer to enable system-specific designs and/or requirements of the individual system. The SRM employs controls chosen by the agency or segment to truly embed security into a system or application.</span></p><p><span style="font-size:12pt;">Proper security procedures ensure both risk reduction and regulatory compliance. Regulatory compliance is not an aim in itself but a constituent of the process by which the risks and controls applicable to the circumstance at hand are chosen. Risk mitigation is the ultimate motive for the application of security controls.</span></p><p><span style="font-size:12pt;">In the same vein, the chief goal of security is not to apply controls but to diminish risk by means of layered security measures, of which the implementation of controls is a part. Attaining a decreased risk profile means that controls ought to be integrated throughout the organization, vertically and horizontally, across system and solution deployments, layered progressively.</span></p><p><span style="font-size:12pt;">The consequences of security are far more challenging to measure, and differ based on the organization’s business. Metrics are signs of an organization’s advancement in security maturity and part of the overall IT Capability Maturity. 
Less mature organizations have a diminished capability of defining or collecting metrics.</span></p><p><span style="font-size:12pt;">Interested in learning more about FEAF: Security Reference Model? You can download <a href="https://flevy.com/browse/flevypro/feaf-security-reference-model-srm-5837">an editable PowerPoint on <strong>FEAF: Security Reference Model (SRM)</strong> here </a>on the <a href="https://flevy.com/browse">Flevy documents marketplace</a>.</span></p><h3><span style="font-size:12pt;"><strong>Do You Find Value in This Framework?</strong></span></h3><p><span style="font-size:12pt;">You can download in-depth presentations on this and hundreds of similar business frameworks from the <a href="https://flevy.com/pro/library">FlevyPro Library</a>. <a href="https://flevy.com/pro">FlevyPro</a> is trusted and utilized by 1000s of management consultants and corporate executives. Here’s what some have to say:</span></p><blockquote><p><span style="font-size:12pt;">“My FlevyPro subscription provides me with the most popular frameworks and decks in demand in today’s market. They not only augment my existing consulting and coaching offerings and delivery, but also keep me abreast of the latest trends, inspire new products and service offerings for my practice, and educate me in a fraction of the time and money of other solutions. I strongly recommend FlevyPro to any consultant serious about success.”</span></p><p><span style="font-size:12pt;">– Bill Branson, Founder at Strategic Business Architects</span></p></blockquote><blockquote><p><span style="font-size:12pt;">“As a niche strategic consulting firm, Flevy and FlevyPro frameworks and documents are an on-going reference to help us structure our findings and recommendations to our clients as well as improve their clarity, strength, and visual power. 
For us, it is an invaluable resource to increase our impact and value.”</span></p><p><span style="font-size:12pt;">– David Coloma, Consulting Area Manager at Cynertia Consulting</span></p></blockquote><blockquote><p><span style="font-size:12pt;">“FlevyPro has been a brilliant resource for me, as an independent growth consultant, to access a vast knowledge bank of presentations to support my work with clients. In terms of RoI, the value I received from the very first presentation I downloaded paid for my subscription many times over! The quality of the decks available allows me to punch way above my weight – it’s like having the resources of a Big 4 consultancy at your fingertips at a microscopic fraction of the overhead.”</span></p><p><span style="font-size:12pt;">– Roderick Cameron, Founding Partner at SGFE Ltd</span></p></blockquote></div>Security Controls as a Strategic Enabler- all the Things Auditors Been Asking About. - Interview with Frank Vukovits, Director of Strategic Partnerships at Fastpathhttps://globalriskcommunity.com/profiles/blogs/security-controls-as-a-strategic-enabler-auditors2020-09-12T10:48:22.000Z2020-09-12T10:48:22.000ZBoris Agranovichhttps://globalriskcommunity.com/members/BorisAgranovich<div><p><span style="font-size:12pt;"><strong>This is a transcript of our recent interview with Frank Vukovits, Director of Strategic Partnerships at Fastpath about </strong></span></p>
<p><span style="font-size:12pt;"><strong>You can watch the original video interview <a href="https://globalriskcommunity.com/video/interview-with-frank-vukovich-director-of-strategic-partnerships" target="_blank">here</a></strong></span></p>
<p><span style="font-size:12pt;"><strong><a href="https://globalriskcommunity.com/video/interview-with-frank-vukovich-director-of-strategic-partnerships" target="_blank"><img src="{{#staticFileLink}}8028338083,original{{/staticFileLink}}" width="350" class="align-left" alt="8028338083?profile=original" /></a>Boris:</strong> Welcome to our <a href="https://globalriskcommunity.libsyn.com/" target="_blank">Risk management Show interview</a> with Frank Vukovits. Frank is a director of Strategic Partnerships at Fastpath, which is the leader in audit, compliance and security solutions for mid-market companies. Frank, thank you for taking your time and coming to our interview today.</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> Great to be here. Thank you.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> This is our second interview with you guys from Fastpath. We had the first one a few weeks back with Aidan Parisian, and we saw very high engagement and decided to invite you guys for the second interview.</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> Yes, he's a good colleague of mine; I've known him for a while.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> Today we will do a deep dive into security controls as a strategic enabler and talk about many important things that auditors have been asking about.</span><br /> <span style="font-size:12pt;">Frank, for those viewers who didn't watch the first interview, can you perhaps tell us about what you and your team at Fastpath are up to these days?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> Absolutely. Fastpath is a software company in the GRC space. 
We spend a lot of time working with customers around governance, risk and compliance, specifically developing great solutions that work to provide the right controls you need from security, audit and compliance perspective and controls around business software. So the traditional accounting systems, ERP systems, as they continue to evolve mountainous business software systems.</span><br /> <br /> <span style="font-size:12pt;">So SAP, Oracle, Microsoft Dynamics, NetSuite, those are the types of systems you work with. However, the last couple of years as the ERP space has evolved similar to security in the cloud, we've also moved our solutions into other business software solutions, such as Workday on HR side, Salesforce, Coupa. At the end of the day, controls are important for companies big or small, and many business software solutions either are lacking the controls auditors like to see, or the controls that are in place natively with the software require you to do auto manual processes.</span></p>
<p><span style="font-size:12pt;">So Fastpath really fills that gap that exists there. And we've developed a set of solutions starting 17 years ago here in the States around Sarbanes-Oxley or SOX and some compliance needs there for Microsoft, then it was called Great Plains solution. And the company has really evolved from there.</span><br /> <br /> <span style="font-size:12pt;">We don't offer professional services, but we have a lot of really smart people who understand security inside these different systems, how it works and where the data is at specific way. We mapped that with the knowledge we also have with our accountants and auditors and staff that understand how controls need to be designed in software to ultimately provide confidence. Not only if you get audited, but confidence to the CFO and the CIO and CISO so that their internal control system is designed and operating correctly.</span><br /> <br /> <span style="font-size:12pt;">Part of that design are strong controls in the area of security and we fill that gap that's there. We have probably now, 1200 plus customers in 30 different countries. And again, we've been doing this for 17 years, and we worked quite closely as well with the accounting and audit community.</span></p>
<p><span style="font-size:12pt;">In my role at Fastpath, I do a lot of that actually working with the big four and Grant Thornton, and Protiviti. There's a long list of audit partners we have that are using our solutions out in the marketplace to audit their clients, to provide services when there's external audit, internal audit security re-architecture projects.</span><br /> <br /> <span style="font-size:12pt;">And also we have lots and lots of system integrators, implementers out there that are helping our clients with deployment and Fastpath to meet their security needs as well.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> Interesting. So let's start with a question that you probably have to answer many times, what should audit look at the IT security and the cyber world?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> That's a great question. It continues to evolve. I was doing a webinar, actually a virtual session for an Institute in Toronto recently and that exact question came up. With cybersecurity now in the evolution of all the tools out there, it is a different approach to what auditors are asking for and what they're looking for.</span></p>
<p><span style="font-size:12pt;">In the past they used to be very, very focused on the ITGC or IT General Controls. As an example, testing the process for granting someone new access and following that paper trail, if you will, the user access request form, ask them basic questions about you, test your code before you move it to production from a development perspective.</span></p>
<p><span style="font-size:12pt;">Now with cyber, the threat landscape is much broader and they have to worry about security and the controls on the outside or the external threats, but still worried about security on the inside, the internal threats, that fraud that could exist in areas where traditionally they asked the ITGC questions. But now they're having to ask even deeper questions because of the technologies evolve.</span></p>
<p><span style="font-size:12pt;">And when you move applications to the cloud, they're not only asking questions and the auditors are only looking at areas they have in the past but now they're asking questions about the key vendors you work with, that you integrate with.</span></p>
<p><span style="font-size:12pt;">Everyone now has software solutions. Fastpath is no different that they've added onto their core business software systems be an API or web services. Auditors are having to ask questions about how you do vendor management and what questions are you asking those key vendors you're now doing business with electronically, do you know the controls are in place to develop their product? If your solution is hosted in the cloud, like Microsoft hosted on Microsoft Azure, do you ask questions about the host during the controls? They have to keep your data safe.</span></p>
<p><span style="font-size:12pt;">Those are all questions that auditors never had asked in the past. And then you have the cybersecurity questions as well, that in the past, maybe touched upon a little bit from a network perspective, but it's more important than ever to ask questions. For example, how you're protecting the perimeter of your environment of your company, your data center which is now probably a data center room, still important to keep the software and the hardware in that room secure, but also as your employees now work remotely, especially in this COVID world, we've been talking a lot about the Cybersecurity and a work from home world.</span><br /> <br /> <span style="font-size:12pt;">What are you doing and what questions should they be asking to make sure your employees are still working securely from home? Are they sharing their home device with others in their family? Does everyone at their home use that computer? Are there good basic principles around strong IT security and awareness and not opening up phishing emails? Last, more questions auditors ask, especially from external side, but there's one key stat I'd like to quote is that the Association of Certified Fraud Examiners that came out with their annual report to the nation study recently.</span><br /> <br /> <span style="font-size:12pt;">It looks at fraud, specifically, occupational fraud, whether intentional or not in the space. It only sampled 2,500 companies and they identified $3.6 billion of fraud in those 2,500 companies, extrapolated the data out and estimated that 5% of revenue for all companies around the globe will be lost to fraud. It'll happen. Majority of that fraud is internal. 
So while it's important to talk about cybersecurity and all the controls and keeping the bad guys and gals out, there's a huge component still inside your company that you need to worry about your own systems and what you're doing with control lives, including your accounting systems, your HR systems, your CRM systems, that occupational fraud happens, whether it's intentional or not.</span><br /> <br /> <span style="font-size:12pt;">And you need to have a good eye on that. And auditors are asking more and more about that as well.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> So what have you learned in this couple of months on the importance of security changed in the new COVID and the work from home world?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> Great question. I think what we've learned is that the larger companies or enterprise companies that have large IT staffs have large help desks, have large security groups, they were better positioned to transition the workforce immediately to a work from home world. Not just because they have the resources, but also they could spend the time and had programs already to educate those users and quickly get them directions for setting up computers at home. Here's the security guidelines for working from home.</span><br /> <br /> <span style="font-size:12pt;">And those guidelines are not just for you, the employee at anyone that uses that computer. I'm making sure they have the right antivirus and the right malware protection, the right patches for their operating systems on their home computers. Those larger companies had groups already that had developed that type of guidance. They just had to push that out to their distributed employees now working from home.</span></p>
<p><span style="font-size:12pt;">Unfortunately with the smaller companies fraud happens just as much. In fact, I could argue that let's say a quarter million dollar fraud in a smaller company is able to bring it to its knees and probably put it out of business. And that only has to happen once.</span></p>
<p><span style="font-size:12pt;">Larger company, Fortune 10, Fortune 100, they can stomach that; a small company can't, but that smaller company has just as much exposure in the work from home world, all these threats as the larger company. And those are the ones with maybe they have two people in their IT department, they don't have a help desk. They've really not done much with security awareness training historically inside their company to begin with. They did not have programs to fall back on to quickly push out to the distributed folks, to educate them about the need for security at home.</span><br /> <br /> <span style="font-size:12pt;">I speak a lot about security. And one of the quotes I like is the <strong>chain is only as strong as its weakest link</strong>. It takes one weak link to break down the chain from a security perspective. Ironically, that's very similar to COVID right now that you could have social distance, do all the right things and if one person is not doing the right thing that chain can break.</span></p>
<p><span style="font-size:12pt;">From a security perspective it’s extremely important in these smaller companies that initially weren't prepared to work from home, <strong>as far as resources go with hardware</strong> and making sure that employees had the right equipment, and <strong>they did not have the right solutions</strong> that immediate they can pull in distributively to work from home, <strong>they didn't have a lot of staff already in place to educate their users</strong> about the need for strong security and to give that to their users. So they share with their family.</span></p>
<p><span style="font-size:12pt;">There's, many, many, companies that are working from home, where there might be only one computer and one internet access to the home. And that computer shared by the students working from home, shared by their spouse. And do they all understand the right and wrong way to use your computer and things to look out for?</span></p>
<p><span style="font-size:12pt;">We don't make this assumption. Everyone knows that. <strong>And I think that's been the biggest challenge that the smaller sized companies working from home</strong>, it's easy to say, okay, just log in remotely, but really the security around that device, that link is indeed secure and how do you educate your users to keep it secure?</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> All right. So how do organizations get more than only one IT department to engage in the need for strong security?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> So, and that goes back to that last part. I like to draw an analogy when it comes to security to do it correctly, it's a company wide project with executive support. Where does that sound familiar? Hopefully that's the same way you're cutting me, ran the project when it implemented SAP or Oracle or NetSuite or Microsoft Dynamics or Salesforce or any of these large business software solutions that your company probably uses when you first implemented it, or when you upgrade, it's a company wide project, you need to have an executive steering committee with buy-in, the CIO, CFO, the CEO of the other executives, understanding why implementing that software was important.</span></p>
<p><span style="font-size:12pt;">The exact same thing is true with security. It's not just an IT project, and as auditors, a lot of times we see companies that think security is just an IT thing and, in some cases, an IT headache: we have to do it, but it's something we'd prefer not to do. It's something that does allow us to sell more software, does allow us to build more cars, does allow us to acquire more customers. Well, I can make a strong case that security is a strategic enabler. And we'll talk more about that later.</span></p>
<p><span style="font-size:12pt;">Ultimately, to do security right, it has to have the executive commitment, and then it trickles down all the way to the lowest levels of the organization. And that's where security awareness is so critical. You might have someone working from home today who in the past worked in an office in the back of a plant and maybe never talked to someone in IT. So their world was to support the plant, working there with Office. Now they're working from home, and they need to understand why what IT is asking them to do is so critically important: the entire security of the company is that weakest link.</span><br /> <br /> <span style="font-size:12pt;">And if you don't set up a security project with the executive commitment from the top down, educating people all the way down and putting the right resources, the right dollars and the right executive commitment into it, it's going to be very difficult for your employees to buy into it, and certainly, from an investment perspective, to do the right things.</span></p>
<p><span style="font-size:12pt;">Once your company puts the right security controls in place and starts to require a periodic review of user access, <strong>requires running segregation of duties reviews, requires looking at sets of access more closely and starts to require tracking changes to critical data</strong>, those are all controls that Fastpath sells solutions for.</span></p>
<p><span style="font-size:12pt;">But more importantly, also as auditors we're asking questions about these, and they are strong controls, but the people actually using the tools to implement those controls need to understand why it’s important. If you don't educate people, if you don't explain to them that this is part of a broader security policy, you're ultimately going to have people that maybe don't do the tasks the way they're supposed to.</span></p>
<p><span style="font-size:12pt;">Maybe this quarter they don't look at all these items because they don't understand why it's important.</span></p>
<p><span style="font-size:12pt;">So ultimately strong security starts with executive commitment. It starts with putting the right resources there and the right education, explaining why it's a company-wide project and not just an IT project. And then the other thing I'll throw in there: sometimes companies make the mistake, similar to when implementing business software, of thinking that the software is the silver bullet, that just implementing the security software will make all your problems go away. It'll make the auditors happy. It'll provide the controls we need.</span></p>
<p><span style="font-size:12pt;">The only way to really do things correctly, whether there's any project around compliance, whether it's security, audit, government regulations, what have you, is that your executive commitment has to understand <strong>that security is achieved by people plus process plus technology</strong>.</span></p>
<p><span style="font-size:12pt;">So technology is a piece, and people and process are equal pieces. And if you don't educate people correctly, without one of those three things together, then you won't have the strong controls around security that you need.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> So you just explained that security is not really only about a strong technical solution, but how do you choose the best framework for security control?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> There are lots and lots of guidelines out there, lots of frameworks out there to follow, depending on what industry you're in. No matter what, they would tell you first you need to figure out if there are any specific regulations you need to be following. Here in the States, we have the FDA, and there are lots of guidelines they have that you have to follow around security for manufacturing, medical devices, prescription drugs, and what have you. If you work in government here in the States, FedRAMP is another regulation you have to look at. So the first thing you have to do, framework-wise, is to figure out if there is regulation or some standard you have to fall under.</span></p>
<p><span style="font-size:12pt;">Today's privacy world, I'm sure you're very familiar with that. I'm somewhat familiar with it; I've actually done some work with Fastpath internally on it and spoken at some conferences about GDPR and the privacy of personal data. Now, regarding the regulation that you have to worry about out here in the States, we're starting to see some of that here, with California having its own version of it, CCPA.</span></p>
<p><span style="font-size:12pt;">At the end of the day, there are going to be either international or state and local regulations and standards that you have to follow from a security perspective. So that's the first thing you need to identify.</span></p>
<p><span style="font-size:12pt;">Then second, you need to realize that in addition to meeting the standards, there are also different frameworks. Different groups have put them out there to make it easier to build security the right way, with the right controls that will meet those standards.</span></p>
<p><span style="font-size:12pt;">So ISO 27001 and the like frameworks. They're out there as a guideline, as a roadmap to help you with setting up a very broad security program, from how you manage the security program to the technical approach you should have, to the education of users. So I would encourage everyone to look at a lot of the free resources that are out there around these different frameworks and designs that have been developed.</span><br /> <br /> <span style="font-size:12pt;">They want to push that out so the different businesses have access to it. And again, for a small or medium-size company, your two-person IT shop can pull down some information that's free and use that as a good starting point. And again, I'd like to draw analogies between strong security, building it up correctly, and implementing business software. We used to always say, when we implement ERP software, <strong>it's just like eating an elephant: you eat an elephant one bite at a time</strong>. Even though the elephant might be huge, you can't eat it all at once.</span></p>
<p><span style="font-size:12pt;">Same with implementing business software: you can't do everything at once. You can't make everyone happy the first time. Same with security. <strong>You have to take a risk-based approach.</strong> You're not going to set up security the same way across your entire organization, big or small, because different sets of data, different business processes, different parts of your business operations are at a higher risk compared to other parts of the organization.</span></p>
<p><span style="font-size:12pt;">At Fastpath, we spend a lot of time working with our customers, talking about taking a risk-based approach to security, and that applies as well in this scenario.</span></p>
<p><span style="font-size:12pt;">You need to figure out where you need to invest your time and money based on the risk profile of your company and what the threats are. And then basically make some business decisions.</span></p>
<p><span style="font-size:12pt;">If we have X amount of dollars to spend this year on security, let's map that up against our risk assessment of our business and where we think most of the holes are and the highest risk areas, and let's put a fair amount of dollars there first. Because ultimately, again, here in the States there used to be a famous bank robber called Jesse James. And the little joke is, why did Jesse James rob all the banks?</span><br /> <br /> <span style="font-size:12pt;">Because that's where the money was. From a security, audit and risk and control perspective, you need to protect your most important assets. And if you don't do a risk assessment, you don't really know where those are, where the risks and where the threats are. So that's how I would approach it initially: people plus process plus technology. <strong>It is not just a silver-bullet technical solution.<br /></strong></span> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> So once the framework is in place, who actually owns security inside an organization: IT, audit, the business units? What is your take?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> So unfortunately I think what we find a lot is that, especially again in smaller organizations, even after we've implemented, security is considered to be owned by IT. And that's just a flawed approach. IT may be the one that is doing most of the security work: provisioning users, running reports. If you have an information security department, that probably rolls up through IT, <strong>but that's the operational side of security. It doesn't mean it's the same as the ownership side</strong>. <strong>Ultimately strong security is owned across the organization at the executive level</strong>.</span></p>
<p><span style="font-size:12pt;">I've been around a long time, and I worked in corporate audit for Verizon for many, many years, starting in the late eighties. I can tell you security back then was viewed as just an IT thing. I was an IT auditor; we'd go out and do IT audits. When we audited the data center, we would just present the results of our data center audit to the CIO and his or her organization, not the business users, not the COO, not the CFO. And that was unique. And it was flawed back then, because ultimately who is using all those applications that run in the data center? The different business units that are spread out across your business operations.</span><br /> <br /> <span style="font-size:12pt;">So their data, their applications exist in a data center. They had just as much at stake in knowing that it's controlled correctly as do the IT people that are working daily in that data center. So take that now, 30-plus years later: from a security ownership perspective, ultimately it needs to be owned and be committed to by all your executives.</span></p>
<p><span style="font-size:12pt;">The CFO is worried about your accounting system and its suite in generating strong financial statements. But also the CFO now has to worry about the business relationships you have and dollars going in and out.</span><br /> <br /> <span style="font-size:12pt;">And other things involve technology. The CIO was always worried about controls from an IT perspective. And now they have to worry about the different operations and applications they have to support for the business, which might be more distributed, might be in the cloud, and that work closely with the sales function and the manufacturing function or the HR function. Your CISOs now, Chief Information Security Officers, are oftentimes viewed as the owner of security. We split that off from the CIO. Ultimately <strong>I would argue still that strong security has to have executive commitment and ownership across the company.</strong></span><br /> <br /> <span style="font-size:12pt;">And when they talk about security, the CFO and the CIO and the CEO and the CISO need to be involved. I know here in the States there was a guideline that came out from the PCAOB years ago, a couple of years ago, that said publicly traded companies, when their board meets, and that's usually every quarter, have to talk about cybersecurity. Well, your Board members aren't all IT people. That's your Board. Now talk about security. If that's good enough for the Boards to talk about, people with different backgrounds, it's good enough for your executives to talk about and be committed to and understand they all are a part of that ownership of security.</span><br /> <br /> <span style="font-size:12pt;">That doesn't mean, however, that what IT does is not as important as it was in the past. Operationally, it is still the biggest component, execution-wise, of what's going on with security and all the things they do.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> All right. 
So summarizing, if someone who is listening to this interview would like to walk away with one or two major takeaways, what would they be?</span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> So, <strong>number one</strong>, for companies big or small, <strong>controls are important</strong>. Yes, we talked about a lot of that aspect because we're in the business, but taking off my Fastpath hat, I'll take it off for a second and put my auditor hat on: controls are important for any company because ultimately they protect you, big or small, public or private.</span><br /> <br /> <span style="font-size:12pt;">So it doesn't matter if you're getting audited or not. When you hear people talk about the need for strong controls and strong systems, that applies to your Fortune 10 companies and multibillion-dollar companies. And that applies to the mom-and-pop, the husband-and-wife company that maybe is only doing a hundred thousand dollars a year.</span></p>
<p><span style="font-size:12pt;">Going back to the report by the Association of Certified Fraud Examiners, with the threats out there with fraud, you need to have the right controls in place, big or small, to protect yourself financially and operationally and from an IT perspective.</span></p>
<p><span style="font-size:12pt;"><strong>That's the first thing: don't think that worrying about strong controls is just a thing for IT audit. It's not.</strong></span></p>
<p><span style="font-size:12pt;"><strong>And then the second thing</strong> I would say is the key takeaway is, if you are getting audited, <strong>the relationship you have with audit should be a positive one</strong>. You talked about who owns security: is it IT, is it the business owners, is it IT audit? Ultimately, if you are working with auditors and working with the organization, <strong>they are there to be an enabler to make your company more successful.<br /></strong></span> <br /> <span style="font-size:12pt;">We talk about security as a strategic enabler for companies; auditors serve a purpose. Sometimes it seems adversarial. And again, the person they're auditing may not understand why the audit is important in the broader scheme of things, the internal control system. I'll go back to the chain being only as strong as its weakest link from a security perspective. The same holds true with the internal control system. If there’s a part of the organization that doesn't have the strongest controls, that one weak link can be compromised, and that can lead to being part of that $3.6 billion of fraud last year alone, 2,500 cases across 125 different companies, according to the Certified Auditors Association.</span></p>
<p><br /> <span style="font-size:12pt;">So don't be afraid of auditors, they're there to help you and work with you.</span></p>
<p><span style="font-size:12pt;">And ultimately, again, this is more of an internal oversight, but even with external oversight, what they're doing is, one, to protect your company, and two, to put it in a better position from a strategic perspective. And I think sometimes we as auditors get pigeonholed into an adversarial relationship. We've worked really hard over the years trying to build how we communicate better with the folks in the business, how we explain to them better what we're doing, but ultimately it's about education for strong security, education for strong audit, education for strong internal control systems, period.</span><br /> <br /> <span style="font-size:12pt;"><strong>And remember, a chain's only as strong as its weakest link</strong>.</span><br /> <br /> <span style="font-size:12pt;"><strong>Boris:</strong> All right, fantastic. Thank you, Frank, for your time, and I wish you and your company high growth, and that we can see you more on our community at <a href="http://www.globalriskcommunity.com">www.globalriskcommunity.com</a></span><br /> <br /> <span style="font-size:12pt;"><strong>Frank:</strong> Absolutely, I appreciate the opportunity, Boris, and look forward to meeting you in person. Hopefully I'll be over at a conference, and then another one sometime here in 2021, perhaps. Thanks. Have a great day.</span></p>
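<p>The three application controls mentioned in the interview (a periodic user-access review, a segregation-of-duties review over a user's combined roles rather than over single roles, and change tracking on critical master data) can be shown concretely. The Python below is an added example and is not part of the interview or of any Fastpath product; the role names, permission strings, users, login dates, HR list and vendor records are all constructed for the illustration, and the conflict rules are hypothetical.</p>

```python
"""Worked example of three application controls: periodic user-access review,
segregation-of-duties (SoD) review over a user's combined roles, and change
tracking on critical master data. All names and records are constructed."""
from __future__ import annotations

from datetime import date

# Constructed ERP role -> permissions it grants (hypothetical permission names).
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.approve", "payment.release"},
    "GL_ACCOUNTANT": {"journal.post", "report.view"},
    "IT_ADMIN": {"user.create", "role.assign"},
    "READ_ONLY": {"report.view"},
}

# Constructed SoD rules: pairs of permissions one person must never hold together.
SOD_RULES = [
    ("vendor.create", "payment.release", "create a vendor and pay it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("role.assign", "payment.release", "grant oneself access and release payments"),
]

# Constructed access snapshot: roles per user, last login, and the HR active list.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # no single role is toxic; the pair is
    "bob": {"AP_CLERK"},
    "carol": {"GL_ACCOUNTANT", "READ_ONLY"},
    "dave": {"IT_ADMIN", "AP_MANAGER"},
    "erin": {"READ_ONLY"},  # left the company but was never deprovisioned
}
LAST_LOGIN = {
    "alice": date(2021, 3, 1), "bob": date(2021, 3, 2), "carol": date(2020, 9, 15),
    "dave": date(2021, 2, 28), "erin": date(2021, 1, 10),
}
HR_ACTIVE = {"alice", "bob", "carol", "dave"}

# Constructed vendor-master snapshots for change tracking. The bank account is
# the field a fraudster redirects; 'name' is deliberately not a monitored field.
VENDORS_BEFORE = {
    "V100": {"name": "Acme", "bank_account": "DE11", "payment_terms": "NET30"},
    "V200": {"name": "Globex", "bank_account": "GB22", "payment_terms": "NET30"},
}
VENDORS_AFTER = {
    "V100": {"name": "Acme Ltd", "bank_account": "DE11", "payment_terms": "NET30"},
    "V200": {"name": "Globex", "bank_account": "GB99", "payment_terms": "NET30"},
    "V300": {"name": "Initech", "bank_account": "FR33", "payment_terms": "NET60"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions across all of a user's roles: the 'set of access'
    an auditor reviews, rather than any one role in isolation."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions[role]
    return perms


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return (user, perm_a, perm_b, why) for every conflicting pair a user holds."""
    findings = []
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_permissions)
        for perm_a, perm_b, why in rules:
            if perm_a in perms and perm_b in perms:
                findings.append((user, perm_a, perm_b, why))
    return findings


def access_review(user_roles=USER_ROLES, last_login=LAST_LOGIN, hr_active=HR_ACTIVE,
                  today=date(2021, 3, 15), max_idle_days=90):
    """Periodic user-access review: leavers still holding roles, dormant accounts."""
    findings = []
    for user in sorted(user_roles):
        if user not in hr_active:
            findings.append((user, "not an active employee but still holds roles"))
        idle = (today - last_login[user]).days
        if idle > max_idle_days:
            findings.append((user, f"no login for {idle} days"))
    return findings


def critical_changes(before, after, critical_fields=("bank_account", "payment_terms")):
    """Diff two master-data snapshots and report every change to a monitored field,
    including records that were added or removed (the missing side reads None)."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for field in critical_fields:
            if old.get(field) != new.get(field):
                changes.append((key, field, old.get(field), new.get(field)))
    return changes


if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD:", *finding)
    for finding in access_review():
        print("Access review:", *finding)
    for change in critical_changes(VENDORS_BEFORE, VENDORS_AFTER):
        print("Critical change:", *change)
```

<p>Run as a script, it reports Alice's two conflicts (each of her roles is clean on its own; the combination is not), Dave's ability to grant himself access and release payments, Carol's dormant account, Erin's account surviving her departure, and the changed bank account on vendor V200 while the harmless rename of V100 stays quiet. In a real review the three inputs would be exported from the ERP, the HR system and the identity provider, and the findings would go to the business owner of each process, not only to IT.</p>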
</div>Center Stack Display Trends Are The Future Of Automotive Sector | https://globalriskcommunity.com/profiles/blogs/center-stack-display-trends-are-the-future-of-automotive-sector | 2020-07-16T07:20:47.000Z | KBV Research | https://globalriskcommunity.com/members/KBVResearch<div><p>Center stack displays have developed from the early days of a small screen with a few keys and arrows into the main way of presenting important vehicle information to drivers and passengers. The center stack display may contain a wide range of interactive content, such as navigation, cabin temperature controls, and music or entertainment information.</p><p></p><p><a href="{{#staticFileLink}}8028327880,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8028327880,original{{/staticFileLink}}" class="align-center" alt="8028327880?profile=original" /></a></p><p></p><p>This display typically receives input from the header panel, which is directly connected to the high-speed interface. These displays have complementary technology that enables, integrates, and facilitates an immersive user experience with vehicle displays without distracting the driver.</p><p></p><h2><strong>What is a center stack display?</strong></h2><p>The <a href="https://www.kbvresearch.com/center-stack-display-market/">center stack display of an automobile</a> refers to the control-bearing surfaces in the middle of the front of the vehicle's interior. The term applies to the area that begins in and continues below the dashboard, which in many vehicles merges with the transmission tunnel that runs between the front driver's seat and the passenger seat. 
Traditionally, vehicles with a gear stick have placed this control where the console and tunnel areas merge, or at the rear-most end of the console in front-wheel-drive vehicles with no transmission tunnel.</p><p></p><p>In certain modern vehicles, in particular vans, the gear stick is mounted on the front, more vertical portion of the center console to keep it within easier reach of the driver without a long stalk mounted on the steering column. Center consoles increasingly have a wide variety of storage compartments and cup holders, some of them with a microwave, in addition to the more conventional use as an instrumentation surface (e.g. outside temperature display) and control surface (car audio).</p><p></p><h2><strong>Why is a vehicle’s center stack better than a smartphone?</strong></h2><p>Recent advances in connected and self-driving cars have contributed to the common idea that the future car will be a 'smartphone on wheels.' Tesla exemplifies this with an iPad-like dashboard that lets users launch in-vehicle applications at the push of a button. The rest of the automobile industry has started to catch up, exploiting vehicle-generated data and artificial intelligence to make the customer experience seamless and intuitive.</p><p></p><p>The smartphone has become the center of our lives, whether to stay connected with family and friends, book a ride, keep track of our well-being, or control smart plugs around the home. Given this customer demand, integrating the smartphone into the vehicle has become a top priority for almost every automaker. Vehicles are expected to be just as smart and connected as smartphones are today.</p><p></p><h2><strong>The trend of flexible center stack displays for automotive</strong></h2><p>The trend towards greater connectivity and automation in the vehicle is increasing the focus on, and the value of, the HMI. 
Up until now, HMIs have been heavily concentrated on the driver, with virtually no controls available to passengers. In the future, a much greater proportion of the car's interior surfaces will become digital, and the surface area dedicated to screens inside the vehicle is already growing rapidly.</p><p></p><h3><strong>Displays for increased safety</strong></h3><p>Usually, these displays would have to conform to the curved surfaces of the car and be discreet when not showing information. They would also need to be both non-rectangular and non-flat. For example, a curved display on the car's A-pillar can show the driver what is behind the pillar. Curved displays can also be used as 'digital' side-view mirrors (in conjunction with cameras); they can improve safety by widening the field of view and add to fuel economy compared to external side-view mirrors.</p><p></p><h3><strong>Displays for infotainment</strong></h3><p>Most cars produced in the last decade feature a flat, rectangular satnav or infotainment screen that occupies the center console. These displays are now ubiquitous in the newest generation of cars and are getting bigger and bigger. The dominant active-matrix display technology in vehicles is glass-based LCD. These glass LCDs are often the only flat surfaces left in the car, disturbing the form and function of the interior space and limiting designers' ergonomic options. Replacing these flat panels with screens that can follow the vehicle's interior shape and curves would allow them to integrate seamlessly and enhance the aesthetics of the car interior.</p><p></p><h2><strong>Emerging trends in the center stack display industry:</strong></h2><h3><strong>Increasing demand for gesture control</strong></h3><p>Demand for gesture recognition systems in the automotive industry is being driven by awareness of regulations and driver safety. 
Similarly, increasing demand for new tech-based applications is expected to support market growth. Gesture interfaces in the vehicle are simple to use and increase safety by reducing the driver's visual demand.</p><p></p><p>Prototype capacitive proximity sensing and depth-camera-based systems show that finger and hand gestures of diverse complexity can be recognized. Gesture recognition technology is expected to be the next-generation in-car user interface. Gesture recognition determines whether the driver has made an identifiable hand or finger gesture in an appropriate location without touching a touchscreen.</p><p></p><h3><strong>Increased demand for advanced infotainment systems</strong></h3><p>Technology has become more democratic, and skeptics need look no further than the cars of today, which deliver more in-car entertainment options than ever. Automotive manufacturers want to add more displays and more functionality to their models, making the trip as simple and enjoyable as possible.</p><p></p><p>Such systems handle audio and video content and provide alerts and information on traffic conditions and weather forecasts. Advanced in-vehicle infotainment provides information, communication, and entertainment with the help of mobile integration technology. This allows users to connect to their in-car infotainment devices and to use all of their mobile infotainment services. Furthermore, it also provides navigation and driver assistance through high-performance interfaces such as human-machine interfaces (HMI), control units, and operating controls. These innovative technologies have driven the adoption of in-car infotainment and are projected to drive the market in the future.</p><p></p><h3><strong>Car software and electronics architecture</strong></h3><p>The relevance of software to key technology developments is increasing rapidly, as the automotive market moves from hardware-defined to software-defined vehicles. 
Not surprisingly, players across the digital automotive value chain are seeking to capitalize on software and electronics innovations. Software companies and other digital technology players are leaving their current tier-two and tier-three positions to become tier-one suppliers to automakers.</p><p></p><p>By moving beyond features and apps into operating systems, they expand their participation in the automotive technology stack. At the same time, traditional tier-one electronic system giants are assertively entering the feature and app turf of the tech giants, and premium automakers are moving further down the stack to secure the essence of their differentiation and technical distinction, such as operating systems, hardware abstraction, and signal processing.</p><p></p><h2><strong>Future trends in the center stack display</strong></h2><p>Vehicle manufacturers are introducing new center stack display technologies that project images from the rear-facing camera, while "heads-up displays", where displayed images float on the windshield and give useful detail to the driver, are an exploding market.</p><p></p><p><strong>Free Valuable Insights:</strong> <a href="https://www.kbvresearch.com/news/center-stack-display-market/">Global Center Stack Display Market to reach a market size of USD 12.2 billion by 2026</a></p><p></p><p>In addition, in some models, digital gauges replace static, physical gauges to create a dynamic screen for conveying more specific and personalized information. Audi's Virtual Cockpit system is one of the industry's leading projects, although more traditional manufacturers, including Ford and Mazda, have since introduced their own digital gauge cluster combinations. 
These gauges can offer a better view of vehicle behavior and performance, such as fuel efficiency, and can also include navigation directions.</p></div>Wells Fargo Auto Loan Scandal: The Saga Continues (Part 2) | https://globalriskcommunity.com/profiles/blogs/wells-fargo-auto-loan-scandal-the-saga-continues-part-2 | 2017-08-17T13:53:03.000Z | Steven Minsky | https://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028256900,original{{/staticFileLink}}"><img width="300" src="{{#staticFileLink}}8028256900,original{{/staticFileLink}}" class="align-right" alt="8028256900?profile=original" /></a>The blows keep on coming for Wells Fargo. Within a year of its cross-selling scandal, two more scandals have risen to the top of the news headlines.</p><p>In <a href="http://www.logicmanager.com/erm-software/2017/08/09/wells-fargo-saga-continues-part-1/">part one</a> of this series, I set out to make good on a prediction I presented to business journalist <a href="http://www.garp.org/#!/risk-intelligence/culture-governance/conduct-ethics/a1Z40000003PXEUEA4/Breakdown-and-Repair-The-Wells-Fargo-Reputational-Crisis-and-Its-Aftermath">L.A. Winokur</a>. 
I predicted that after the dust settled on the original cross-selling scandal, Wells Fargo would remain vulnerable in other areas of its operations unless it addressed the gaps in its risk management program.</p><p>In the time it took me to examine and expose the similarities between the sales incident and the bank's latest <a href="https://www.americanbanker.com/articles/wells-fargo-said-to-get-regulatory-questions-after-breach">data leak</a>, news broke of yet another Wells Fargo scandal, proving once again that the bank has not taken sufficient measures to improve the governance of its risk management program, and that it is still just as vulnerable to risk management failures and negligence lawsuits in different areas of its business.</p><p>In my blog post, “<a href="http://www.logicmanager.com/erm-software/2017/04/25/good-governance/">What is Good Governance, and Why Do We Care?</a>” I walked through why business scandals are 100% preventable with effective enterprise risk management. Since systemic negligence in effective risk management is the cause of these scandals, organizations are highly likely to suffer multiple scandals over time until effective enterprise risk management is put into place.</p><p>Let’s take a look at the bank’s <a href="https://www.cnbc.com/2017/07/27/wells-fargo-reportedly-forced-car-loan-customers-to-buy-auto-insurance.html">auto loans scandal</a> with an eye towards how the failure to mitigate the root cause of the first two failures set the bank up for another appearance in the news, and for more record-breaking penalties and lawsuits.</p><p> </p><h2><strong>The Wells Fargo Auto Loan Scandal: What Happened?</strong></h2><p></p><p>Many standard auto loan contracts require customers to carry comprehensive insurance against damage to their vehicle. 
These contracts also stipulate that if the purchaser of the vehicle cannot prove they have this coverage, the bank that grants the loan may purchase the insurance for them and add the cost of coverage to the cost of the loan.</p><p>Last week, Wells Fargo admitted that it had <a href="https://www.wsj.com/articles/wells-fargo-might-face-more-regulatory-sanctions-1501860794?mg=prod/accounts-wsj">charged 800,000 customers for insurance they did not need</a>. The added cost of the premiums caused 274,000 customers to default on their loan payments and resulted in the wrongful repossession of 25,000 vehicles.</p><p>In a <a href="https://www.cnbc.com/2017/07/27/wells-fargo-reportedly-forced-car-loan-customers-to-buy-auto-insurance.html">statement</a>, head of Consumer Lending Franklin Codel said, “We take full responsibility for our failure to appropriately manage the collateral protection insurance program and are extremely sorry for any harm this caused our customers, who expect and deserve better from us. Upon our discovery, we acted swiftly to discontinue the program and immediately develop a plan to make impacted customers whole.”</p><p>To this end, Wells Fargo named a new head of the auto business and centralized collections operations to improve the customer experience, boost consistency and minimize risk to the business, according to an internal memo. The bank is also in the process of refunding customers the $80 million they were wrongfully charged, and alerting credit bureaus on customers’ behalf.</p><p> </p><h2><strong>The Wells Fargo Auto Loan Scandal is Another Failure in Risk Management</strong></h2><p></p><p>After the news broke, <a href="http://money.cnn.com/2017/07/28/investing/wells-fargo-auto-insurance-car-loans/index.html">New York City Comptroller Scott Stringer said</a>, “This is a full-blown scandal—again. 
It’s unbelievable, outrageous, sad, and yet quintessential Wells Fargo.”</p><p>Such a statement assuredly resonates with the millions of people who so much as glanced at this latest headline. Scandals are always met with outrage because they are preventable. What makes this particular scandal so outrageous is that it is strikingly similar to the risk management failure in the cross-selling scandal.</p><p>Wells Fargo is an innovative bank. Most banks dream of having a cross-selling program or of offering products like Guaranteed Asset Protection. But as I’ve said before in regard to big-name companies like <a href="https://blogs.wsj.com/riskandcompliance/2016/06/03/the-importance-of-risk-assessments-in-business-innovation/">Chipotle, BP, and Volkswagen</a>, with innovation comes risk.</p><p>As I explained in <a href="http://www.logicmanager.com/erm-software/2017/08/09/wells-fargo-saga-continues-part-1/">part one</a>, with the innovation of cross-selling came the risk of access rights and separation of duties. Without a proper governance structure in place to identify and control the risks inherent to these new processes, scandal was bound to materialize.</p><p>Of course, as I’ve mentioned, Wells Fargo and many others incorrectly saw the root cause of this scandal as an overzealous sales program. The <a href="https://www.wsj.com/articles/wells-fargo-might-face-more-regulatory-sanctions-1501860794?mg=prod/accounts-wsj">OCC</a> and <a href="http://www.logicmanager.com/erm-software/2016/09/20/wells-fargo-scandal-risk-management/">I</a> came out and said that it wasn’t a sales culture problem but a risk governance problem, and the OCC mandated that the bank implement an effective enterprise risk management program.</p><p>However, the bank seems to have interpreted the OCC too narrowly. 
Instead of understanding the root cause as a failure in enterprise risk management, they identified the root cause as a failure in risk management in the one department where the scandal occurred, i.e., sales.</p><p>Clearly, this was the wrong interpretation, as the newest auto loan scandal shares the same root cause: a failure to see the side effects of innovation and govern their processes effectively. Same root cause, different department.</p><p>In a statement, Wells Fargo spokeswoman Jennifer Temple said that the bank took steps to improve the administration of their Guaranteed Asset Protection products back in 2014. While it is unclear what these steps were, it is evident that the risks associated with this “improvement” were not identified or properly controlled.</p><p>Let’s take an excerpt from my <a href="http://www.logicmanager.com/erm-software/2016/09/20/wells-fargo-scandal-risk-management/">first Wells Fargo blog</a> regarding their cross-selling practices: “Where were the risk assessments on these sales and booking processes? What about internal audits of both the risk management process and governance oversight on these areas?”</p><p>These questions are directly applicable to the current situation. Before you implement a policy, it’s imperative to perform objective <a href="http://www.logicmanager.com/erm-software/product/assess/">risk assessments</a> on the processes involved to uncover any potential risks before they materialize.</p><p>Had it done so, the auto loans department would have seen that there was an inherent risk in its collateral protection insurance policy, namely the risk of charging a customer for insurance they didn’t need. From there, <a href="http://www.logicmanager.com/erm-software/product/mitigate/">controls</a> would have been implemented to ensure that employees were conducting proper due diligence and confirming that customers did in fact lack auto insurance before purchasing it for them. 
With those controls in place, the scandal would never have occurred.</p><h2><strong>The Reputational Damage of the Wells Fargo Scandals</strong></h2><p>Admittedly, Wells Fargo has blamed the problem on <a href="https://www.cnbc.com/2017/07/27/wells-fargo-reportedly-forced-car-loan-customers-to-buy-auto-insurance.html">“inadequate checks and balances”</a> and “inadequate internal controls.” To correct these inadequacies, they’ve taken actions involving changes in front-line employees, after-the-fact refunds, and the centralization of collections. The intentions behind these actions are all well and good, but we’ve seen good intentions with little result before.</p><p>After the <a href="https://corpgov.law.harvard.edu/2016/12/19/the-wells-fargo-cross-selling-scandal/">cross-selling scandal</a>, which I’ve said was also a result of inadequate checks and balances, 5,300 sales employees were fired, the retail banking head retired, and the board committed to strengthening its risk management program.</p><p>What good did this do if the auto loan scandal manifested from the same <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root cause</a>? How much can we trust Wells Fargo when they say they are working towards improving their programs and processes?</p><p>Herein lies the truly devastating side effect of poor risk management: reputational damage. Stringer’s comment hardly stands out in a crowd of voices exclaiming their frustrations with Wells Fargo. The fact is, $80 million in refunds is a drop in the bucket for a bank this size. The decline in market value and customer loyalty are the major consequences Wells Fargo will struggle to repair for years to come.</p><h2><strong>How to Avoid Future Scandals</strong></h2><p>Wells Fargo isn’t the only corporation facing multiple lawsuits related to failures in risk management. 
It seems that big-name corporations such as Target and Chipotle, to name a couple, are in desperate need of some risk management rehab if they want to successfully avoid financial and reputational damage.</p><p>Ultimately, the method of prevention is to ensure a policy is followed in operations. Studies show that only 20% of employees operating under a policy are actually following that policy in their daily routine, even after training.</p><p>Here are the steps to operationalize a policy:</p><ol><li>Identify the stakeholders of the policy</li><li>With their help, identify the root-cause risks that threaten adherence to that policy across the organization</li><li>Address those risks with appropriate controls</li><li>Monitor the effectiveness of these controls</li></ol><p>Since this method is proven to work 100% of the time, failure to follow it is considered by regulators, shareholders, and the courts to be negligence and is at the core of every lawsuit. Implementing this process gives every organization the means to avoid litigation and the resultant reputational damage.</p><p><a href="http://www.logicmanager.com/best-practice-erm-programs-ebook/"><b><i>Download this complimentary eBook</i></b></a> <b><i>to learn how your organization can fill the gaps in your risk management program and prevent future scandals.</i></b></p></div>Wells Fargo Data Breach: The Saga Continues (Part 1)https://globalriskcommunity.com/profiles/blogs/wells-fargo-data-breach-the-saga-continues-part-12017-08-09T13:30:00.000Z2017-08-09T13:30:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028264866,original{{/staticFileLink}}"><img width="200" src="{{#staticFileLink}}8028264866,original{{/staticFileLink}}" class="align-right" alt="8028264866?profile=original" /></a>In a recent <a href="http://garp.org/#!/risk-intelligence/culture-governance/conduct-ethics/a1Z40000003PXEU">interview</a> I had with business journalist 
L.A. Winokur regarding the <a href="http://www.logicmanager.com/erm-software/2016/09/20/wells-fargo-scandal-risk-management/">Wells Fargo cross-selling scandal</a>, I made a prediction: “Once the dust of this scandal settles, perhaps in two or three years, Wells Fargo will remain vulnerable in other areas of its operations to risk management failures.”</p><p>Lo and behold, the only part I didn’t get right was the timeline. Less than a year after paying $185 million in penalties, the largest fine ever levied by the CFPB, the bank finds itself in headline news for yet <a href="https://www.americanbanker.com/articles/wells-fargo-said-to-get-regulatory-questions-after-breach">another scandal</a>: this time, a leak of personally identifiable information for over 50,000 accounts.</p><p>I predicted this outcome because I have always maintained that if a company does not address the <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root cause</a> of a failure in risk management, the problem is not solved, and other scandals with the same root cause will arise again and again.</p><p>Wells Fargo and their customers have fallen victim to ineffective risk management, brought on by <a href="http://www.logicmanager.com/erm-software/2017/04/25/good-governance/">poor governance</a>. After a <a href="https://newsroom.wf.com/press-release/community-banking-and-small-business/wells-fargo-board-releases-findings-independent">6-month independent board committee investigation</a> into the root cause of their cross-selling scandal, the bank found ineffective governance structures and poor risk management processes to be at the heart of the problem. 
However, after identifying these factors, the Wells Fargo board did very little to materially change their operations, culture, and leadership in a way that would better protect their employees, customers, and shareholders.</p><p>Let’s look at Wells Fargo’s original scandal with an eye towards how their failure to mitigate the root cause of their risk led to the bank’s most recent headlines.</p><h2><strong>Failed Risk Identification Causes Wells Fargo Cross-Selling Scandal</strong></h2><p>In 2013, rumors circulated that Wells Fargo employees were engaging in aggressive sales tactics to meet their daily cross-selling targets. It began with 30 employees in San Francisco being fired for opening new accounts and issuing debit or credit cards without customer knowledge. One <a href="https://corpgov.law.harvard.edu/2016/12/19/the-wells-fargo-cross-selling-scandal/">Wells Fargo spokesman said</a>, “We found a breakdown in a small number of our team members. Our team members do have goals. And sometimes they can be blinded by a goal.”</p><p>Of course, as we now know, this was no small breakdown. Over five years, 2 million false accounts were created.</p><p>As the investigation unfolded, it became clear that Wells Fargo was reluctant to admit that this issue was systemic, stemming from poor culture and ineffective monitoring of separation of duties. 
Former <a href="https://corpgov.law.harvard.edu/2016/12/19/the-wells-fargo-cross-selling-scandal/">CFO Tim Sloan stated</a>, “I’m not aware of any overbearing sales culture,” and proceeded to list the “multiple controls” Wells Fargo had in place to prevent abuse, such as the employee handbook and a whistleblower program to notify senior management of violations.</p><p>The bank evidently maintained that the fault lay with their front-line employees’ inability to adhere to these protocols, as 5,300 front-line employees were fired, while retail banking head Carrie Tolstedt retired with a pay package valued at <a href="https://corpgov.law.harvard.edu/2016/12/19/the-wells-fargo-cross-selling-scandal/">$124.6 million</a>.</p><p>But as director of the Consumer Financial Protection Bureau <a href="https://corpgov.law.harvard.edu/2016/12/19/the-wells-fargo-cross-selling-scandal/">Richard Cordray asserted</a>, the bank failed “to monitor its program carefully, allowing thousands of employees to game the system and inflate their sales figures to meet their sales targets.”</p><p>Ultimately, Wells Fargo built a cross-selling program that forced people into a bad situation. Companies should never put employees in the position of choosing between themselves and the customer. There is nothing inherently wrong with ambitious sales goals, as long as there are systems in place to ensure the customer and the employee are secure. In this case, however, sales employees had the ability to directly open false accounts, thereby enabling them to compromise the customer’s security.</p><p>Herein lies the root cause of the scandal: separation of duties and access rights. Yes, the sales culture was extreme, and the pressure high. But employees tasked with these sales goals should not have been the same employees in charge of opening new accounts, and should not have had the access rights to do so. 
If these duties and access rights had fallen under employees who would not have benefited from the creation of these accounts, then there would have been no incentive to create them, no conflict of interest, and this scandal would never have occurred.</p><h2><strong>Failed Risk Mitigation Causes Wells Fargo Data Leak</strong></h2><p><a href="http://garp.org/#!/risk-intelligence/culture-governance/conduct-ethics/a1Z40000003PXGV">Wells Fargo later admitted</a> that to prevent this risk and others from recurring, it needs to strengthen its risk management program. And yet, their latest scandal reveals that they have not yet taken sufficient action to uncover the root cause of their risk.</p><p>The bank is attracting <a href="https://www.americanbanker.com/articles/wells-fargo-said-to-get-regulatory-questions-after-breach">renewed scrutiny</a> after an unauthorized release of tens of thousands of clients’ information. The data breach began as a financial squabble between a pair of brothers, Gary and Steven Sinderbrand, who formerly worked at the company together. Gary Sinderbrand’s lawyer had been inquiring about documents related to the fees Sinderbrand was allegedly not paid when he received a trove of 50,000 account numbers, names, addresses, and Social Security numbers.</p><p>The data was sent by Wells Fargo’s legal representative Angela Turiano without a protective order or confidentiality agreement between the parties. Turiano asked for the data back after she was informed of the breach.</p><p>How does this relate back to the original cross-selling scandal? <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">Root cause</a>. 
Wells Fargo is again guilty of failing to implement systems that ensure appropriate separation of duties and access rights.</p><p>Although it is her responsibility to facilitate communication between legal parties, it should not be within Turiano’s access rights and duties to obtain or even view records with personally identifiable information attached, as this information does not relate to the evidence Sinderbrand’s lawyer was seeking.</p><p>If Wells Fargo had implemented an <a href="http://www.logicmanager.com/erm-software/product/risk-based-process/">ERM framework</a> with stronger governance structures that placed priority on identifying and mitigating the root cause of risks, they would have avoided this data breach.</p><p>Until the company realizes that they aren’t doing enough to fill the major gaps in their <a href="http://www.logicmanager.com/grc-software/risk-management/">risk management program</a>, they will continue to put their customers at risk and suffer the reputational damage of doing so.</p><p>Indeed, in the time it took me to write this article, Wells Fargo yet again dominated headlines for tacking on <a href="http://nypost.com/2017/07/31/wells-fargo-duped-thousands-of-car-owners-into-unneeded-insurance-suit/">$80 million in insurance charges</a> to the accounts of 800,000 auto loan customers.</p><p><a href="http://www.logicmanager.com/ebook-5-steps-for-better-risk-assessments/"><b><i>Download this complimentary eBook</i></b></a> <b><i>to learn how you can leverage stronger risk assessments to keep your company out of the news and protect your reputation. 
</i></b></p></div>Weak Risk Management Leads to Internal Controls Deficiencieshttps://globalriskcommunity.com/profiles/blogs/weak-risk-management-leads-to-internal-controls-deficiencies2015-09-17T18:30:00.000Z2015-09-17T18:30:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p>Jeanette Franzel, board member of the Public Company Accounting Oversight Board (PCAOB), recently spoke at the American Accounting Association (AAA), according to <a href="http://blogs.wsj.com/cfo/2015/08/13/pcaob-continues-to-sharpen-focus-on-internal-controls/"><em>The Wall Street Journal</em></a>. She said audit-oversight inspections show a 20 percent increase (since 2013) in internal-control deficiencies in company audits. Inspections also indicate that 36 percent of company audits now have internal-control deficiencies, which constitutes a threefold increase from five years ago.</p><p>Franzel indicated that inadequate internal controls are the source of the most frequent problems addressed by the PCAOB. Even more concerning, more than 80 percent of restatements in 2014 came from organizations that simultaneously reported effective internal controls. This troubling trend indicates that not only do these companies have material deficiencies, but they’re either not disclosing them or are unaware of them to begin with. As a result of this trend, the PCAOB is increasingly zeroing in on internal controls.</p><h3><strong>How do the 2013 changes to the COSO framework relate to this issue?</strong></h3><p>In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its common internal control model with the goal of adopting an increasingly <a href="http://www.logicmanager.com/erm-software/product/risk-based-process/">risk-based approach to internal control environments</a>. COSO revamped these safeguards, which hadn’t been altered since 1992, in an effort to streamline and reduce the costs associated with ICFR compliance. 
To learn more about these changes, read our blog post, <a href="http://www.logicmanager.com/erm-software/2013/10/09/quick-guide-coso-internal-controls-2013-changes/">“A Quick Guide to COSO Internal Controls 2013 Changes.”</a></p><p>COSO 2013 specifically outlines that assertions and risks must be linked to financial line items. Controls are mapped to financial line items, assertions, and risks so that their effectiveness can be evaluated. This requires collaboration between the finance, compliance, and audit departments.</p><p>Many organizations, however, skip this risk exercise and simply document controls and perform tests to prove that they are being performed. Controls cannot be evaluated in isolation from the risks, financial line items, and assertions to which they are connected. This is the <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root cause</a> of the problem; the PCAOB and SEC are now considering this shortcut to be negligence, and are <a href="http://www.logicmanager.com/erm-software/2012/10/25/erm-compliance-and-enforcement/">stepping up their inspections</a>.</p><p>While there is no strict deadline by which companies need to transition to the 2013 framework, the <a href="http://www.logicmanager.com/erm-software/product/risk-based-process/">risk-based approach</a> promoted by COSO enables faster identification of deficiencies in internal control environments. Instead of treating all controls as equal and separate, the new framework asks organizations to complete a risk assessment in order to distinguish material weaknesses from superficial ones. Additionally, adoption delays will undoubtedly increase the level of scrutiny coming from both the SEC and investors.</p><p>As required by COSO 2013, assessments prioritize which internal controls need review, and how frequently. Further, risk assessments give clear guidance as long as the controls are not only documented, but effective. 
Controls must evolve as the risks evolve.</p><p><span><em>Learn more about how LogicManager’s </em></span><a href="http://www.logicmanager.com/grc-software/sox-financial-compliance/">risk-based approach to SOX compliance</a><span><em> can help your organization identify key controls and prioritize resources, while staying up-to-date with the evolving requirements of the SEC and PCAOB. Then, download our eBook, “<a href="http://www.logicmanager.com/best-practice-erm-programs-ebook">5 Characteristics of the Best ERM Programs</a>,” to learn more about adopting a risk-based approach at your organization.</em></span></p></div>A Quick Guide to COSO Internal Controls 2013 Changeshttps://globalriskcommunity.com/profiles/blogs/a-quick-guide-to-coso-internal-controls-2013-changes2013-10-11T18:00:00.000Z2013-10-11T18:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028227458,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8028227458,original{{/staticFileLink}}" width="300" class="align-right" alt="8028227458?profile=original" /></a>The <span style="text-decoration:underline;"><a href="http://www.coso.org/">Committee of Sponsoring Organizations of the Treadway Commission (COSO)</a></span> released its <i>Internal Control – Integrated Framework</i> document all the way back in 1992 to help publicly traded organizations adhere to the Sarbanes-Oxley Act (SOX) Section 404. 
COSO considers internal controls to be an integral part of enterprise risk management (as does LogicManager), and as such, any changes to the Internal Controls best practices have a direct effect on organizations with Enterprise Risk Management programs.</p><p>It seems timely then, with the release of <span style="text-decoration:underline;"><a href="http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf">an updated version of COSO’s <i>Internal Controls – Integrated Framework</i></a></span>, to take a quick look at the changes made and what Risk Managers should be aware of for their own Enterprise Risk Management programs.</p><p><b><i>Why did COSO need to update its Framework?</i></b></p><p>Besides its predating the rise of the internet?! COSO needed to update its framework for a variety of reasons, many of which you might expect. The regulatory environment is more demanding and the penalties more severe than they were in 1992. More importantly, the actual speed of business has dramatically increased. The original framework, while comprehensive, was cumbersome to both read and implement. Businesses today value operational efficiency, so the new framework has been slimmed down to cover what’s most critical to business today in the areas of <a href="http://www.logicmanager.com/grc-software/sox-financial-compliance/" target="_blank">financial and SOX reporting</a>, <a href="http://www.logicmanager.com/grc-software/compliance-management/" target="_blank">regulatory compliance management</a>, and <a href="http://www.logicmanager.com/grc-software/risk-management/" target="_blank">operations risk management</a>.</p><p><b><i>OK, but how much did they actually change?</i></b></p><p>The structure of the information should look familiar. 
There are three categories of objectives – Financial Reporting, Operations, and Compliance – and five components of internal control – control environment, risk assessment, control activities, information and communication, and monitoring activities. The reporting narrative has been adapted to include more than just external financial reporting, and the introduction of 17 codified principles, each with more detailed points of focus, gives the document a more detailed, step-by-step approach that may remind organizations of the <a href="http://www.logicmanager.com/erm-software/knowledge-center/ensuring-erm-sustainability/">RIMS Risk Maturity Model</a> structure.</p><p>This new structure should assist organizations in applying the <i>Internal Controls</i> framework more broadly, and make it easier to conduct a gap analysis between current and ideal adherence.</p><p><b><i>It doesn’t sound like they changed all that much. Is there anything I have to do if my organization currently uses COSO?</i></b></p><p>That all depends on the specifics of your organization’s internal controls framework. COSO’s 1992 Framework was highly relational, mapping the connection between internal controls, financial statements, monitoring activities, and various organizational objectives. If your company’s internal controls have already been mapped, your adjustment might be as easy as taking those relationships one step further and mapping them to the now codified principles under each of the five components. 
If you haven’t yet formalized that mapping process, you might benefit from exploring <a href="http://www.logicmanager.com/erm-software/product/" target="_blank">ERM software</a> that can assist with that process.</p><p><b><i>That all sounds like it could be more trouble than it’s worth. What’s the benefit of updating our framework?</i></b></p><p>The new framework will improve how your organization identifies gaps in its internal control environment, and a well-documented procedure can pay off in the event of a control failure. Internal control is a critical component of Enterprise Risk Management, and integrating the two functions into a single, non-siloed platform can drive the continuous improvement the board is looking for when it adopts guidelines like COSO. COSO recommends organizations complete their transition no later than December 15, 2014, at which point it will consider the original framework superseded.</p><p><i>For more information, or help on how your organization can adhere to COSO’s frameworks or others, download this eBook on <a href="http://www.logicmanager.com/ebook-how-to-integrate-governance-areas" target="_blank">integrating more governance areas into your risk management program</a>,</i><i> or contact LogicManager at </i><a href="mailto:info@logicmanager.com"><i>info@logicmanager.com</i></a>.</p></div>SOX Compliance with ERM: Managing the Risk of Misstatementshttps://globalriskcommunity.com/profiles/blogs/sarbanes-oxley-sox-with-erm-turning-lemons-into-lemonade2012-06-12T12:00:00.000Z2012-06-12T12:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p>First, what is <a href="http://www.logicmanager.com/grc-software/sox-financial-compliance/">Sarbanes-Oxley (SOX) 404 compliance</a>? It is the legal requirement for public companies that senior management attest that their company's financial reporting is accurate. Sounds simple? The expense and the value are all in the execution. How is that done? 
Simply put, the flow of information from the financial reports themselves is traced and connected to the activities that generate that information and the resources that are depended upon to generate it. That sounds like, and can be, a very difficult and time-consuming process, but that is where Enterprise Risk Management steps in to manage the complexity.</p><p><strong>How <a href="http://www.logicmanager.com/erm-software/product/" title="ERM Software">ERM Software</a> benefits SOX</strong></p><p>An ERM approach to <a href="http://www.logicmanager.com/grc-software/sox-financial-compliance/">SOX 404 compliance</a> will dramatically reduce control maintenance and compliance testing activities as well as reduce your external audit fees. What specifically, you ask?</p><ol><li><strong>Setting priorities</strong> - Most organizations find it difficult to determine objectively and systematically across business silos what makes an operational control "key", or to prioritize test activities based on the materiality of the risk the control is addressing. <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-assessment-templates/" title="Risk assessments">Risk assessments</a> identify which risks, and which controls over those risks within each business process, are scored the highest.</li><li><strong>Joining IT SOX and SOX compliance at the activity level</strong> - Any automated financial control depends on an underlying IT system to run and be accurate. Most organizations have <a href="http://www.logicmanager.com/grc-software/it-security-risk-management/">IT SOX compliance</a> evaluated by one group and the <a href="http://www.logicmanager.com/grc-software/sox-financial-compliance/">internal controls over financial reporting</a> by another, without a direct connection between the two. 
Connecting the specifics of all the touch points in IT and vendor management to a control dramatically reduces the scope of work for what needs to be tested. For example, if an IT resource supporting a material control has not changed within the past year, there is no need for retesting. But most organizations, unable to connect IT to key controls, end up testing too many applications for SOX compliance because their IT group cannot determine which specific controls depend on which parts of their IT infrastructure. The result is not only wasted resources internally, but wasted expense paying external auditors large fees to check and recheck this redundancy!</li><li><strong>Assurance</strong> - Having everything in one place and connected through a <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/" title="risk taxonomy">risk taxonomy</a> makes automated fact checking easy. Combined with the setting of priorities in point #1 above, this ensures that your organization's most material issues are covered by appropriate controls and that testing is up to date, so that management has full transparency and confidence in making their attestations.</li><li><strong>Saving money</strong> - Removing the unnecessary redundancy and overlap between IT SOX and SOX business controls reduces <a href="http://www.logicmanager.com/erm-software/product/monitor/" title="testing activities">SOX compliance testing</a> and sign-off of testing activities. Finally, it reduces the external audit fees companies are paying to review all of this unnecessary redundancy and overlap. Look up your company's audit fees disclosed in your organization's 10-K to see what a 15-20% reduction of that number is worth to your company each year. Multiply that number by two to get a sense of the time your organization is putting in to prepare for and support that audit. 
</li></ol><p><strong>How SOX compliance with ERM benefits the enterprise</strong></p><p>CFOs need greater transparency into operational activities, not just financial reporting accuracy. In the process of achieving SOX compliance, a lot of valuable information is collected that should be used to help other functional areas and bring value to the rest of the organization far beyond just SOX.</p><p>By using your ERM software to streamline SOX compliance, as in <a href="http://www.logicmanager.com/erm-software/2012/06/28/erm-and-six-degrees-of-separation/">the six degrees of separation theory</a>, all the relationships between the activities and the effects of the outcomes of these activities can be used for other purposes like business continuity, IT access rights auditing, user-defined application management, PCI compliance, and much more. Not only does this reduce all these other activities by 40-60% due to the reuse of information, but short-term cost savings are just the beginning, as all this information becomes connected to board strategy and performance management goal achievement at virtually no additional cost or time commitment. 
The result is better business decisions and better performance management.</p><p><strong><a href="http://www.logicmanager.com/erm-software/knowledge-center/risk-governance-success-story/" title="Watch this video to learn from others">Watch this 5-minute video for a case study</a></strong> on how others add value to their existing SOX programs and reduce the time it takes to get their work done.</p></div>Group Rate for the 5th Annual ERM Conference Ending on 02/27/2012https://globalriskcommunity.com/profiles/blogs/group-rate-for-the-5th-annual-erm-conference-ending-on-02-27-20122012-02-20T20:26:45.000Z2012-02-20T20:26:45.000ZMichele Westergaardhttps://globalriskcommunity.com/members/MicheleWestergaard<div><div class="popular-article"><div class="user-contributed"><p class="summary">We have confirmed the conference to take place at The Sutton Place Hotel in Chicago, IL from March 19-21, 2012: <a href="http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww.chicago.suttonplace.com%2Fdefault.htm&urlhash=g2sQ&_t=tracking_anet">http://www.chicago.suttonplace.com/default.htm</a> <br /><br />Spaces are limited for both the event and hotel, so please make sure to book your room ASAP. The cut-off date to book at the discounted rate is February 27th! <br /><br />Join current attendees from: <br />Cliffs Natural Resources <br />ONEOK <br />BNSF Railways <br />ASSA Compania de Seguros <br />Cemex Central <br />Apollo Group <br />Indiana Public Retirement System <br />HCA <br />Enbridge Gas Distribution <br />Avon Products, Inc. <br />Transatlantic Reinsurance Co. <br />Alion Science <br />Stryker <br />Kaiser Permanente <br />Honeywell <br />Metro Inc. <br />Covanta Holding Corp. <br />Multicare Health System <br />APS <br />Cura Software <br />Federal Reserve Bank of Richmond <br />and MANY more! <br /><br />For more information on the event and to book your spot, please contact Michele Westergaard at 312-540-3000 ext. 
6625 or Michelew@marcusevansch.com</p></div></div></div>Interview with Jack S. Dybalski, VP and Chief Risk Officer, Xcel Energyhttps://globalriskcommunity.com/profiles/blogs/interview-with-jack-s-dybalski-vp-and-chief-risk-officer-xcel2012-01-16T17:34:33.000Z2012-01-16T17:34:33.000ZMichele Westergaardhttps://globalriskcommunity.com/members/MicheleWestergaard<div><p>In this challenging environment, board members and management executives are striving to maintain their tight grip on costs while maintaining a proper focus on enterprise-wide risk.</p><p>Jack S. Dybalski is Vice President and Chief Risk Officer at Xcel Energy. He will be a key speaker at the marcus evans 5th Annual Enterprise Risk Management Conference taking place from March 19-21, 2012 in Chicago, IL.</p><p>Jack Dybalski is the Vice President and Chief Risk Officer of Xcel Energy based in Denver, Colorado. He is responsible for key risk assessment, commodity and credit risk management as well as generation modeling, asset risk management, risk analytics, sales forecasting, load research, and compliance for trading.</p><p>Mr. Dybalski answered a series of questions written by marcus evans to discuss the role of a CRO within a company. All responses represent the views of Mr. Dybalski and not necessarily those of Xcel Energy. (Note that the responses have been approved by Xcel Energy.)</p><p>What would be a more collaborative structure which may help companies to manage risk better alongside performance?</p><p>JD: The specifics will vary significantly from organization to organization and will also depend on the types of risks that are predominant in the organization. Four things have evolved over the years at Xcel Energy that have led to an increasingly successful program.</p><p>i) We have developed governance processes whereby risk management review and assessment is required prior to execution of material transactions and key projects. 
<br />ii) The business functions have developed a high degree of risk consciousness. <br />iii) The risk management function is integrated with the strategy and planning actions of the organization.<br />iv) The Board of Directors takes a strong interest in risk management issues and receives a review of the company’s “Key Risks”.</p><p>What would you say are the differences between risk and uncertainty?</p><p>JD: Uncertainty is only one piece of risk. Uncertainty needs to be applied to multiple risk parameters such as “earnings impact”, “timing”, “controllability”, “impact of external drivers” and “interaction with other risks” to get a full flavor of the risk involved. Uncertainty needs to be placed in the perspective of the business and in the perspective of executive management to have meaning.</p><p>What is the exact role of the Chief Risk Officer in an organization?</p><p>JD: This will vary widely from organization to organization and will likely evolve over time as the organization changes. Flexibility and willingness to absorb tasks that need doing are key traits. So any CRO looking for an exact definition from the perspective of specific tasks may very well be unsuccessful. Certain tasks can be defined via policy as needed but are really the small part of the role. An overarching role is to understand the key issues facing the organization, creatively challenge business processes by asking what can go wrong … then working to plug the potential holes. Communicate the risks to executive management and the Board. Perform from the perspective of “what can be?” rather than “what is it now?” Gain the trust and collegial interaction amongst company peers to achieve the optimal level of risk and reward consistent with the Company’s stated strategies.</p><p>What would be the possible areas of risk ownership for the CRO?</p><p>JD: Again, this can and will vary widely from organization to organization. 
At Xcel Energy, the specific areas of risk ownership have evolved over many years. Many of them were items that simply needed doing for the business. Some came about because of the particular highly analytic skill sets within the risk management organization. Regardless of who actually performs the specific tasks, the key is full transparency and consistency of measurement/assessment techniques as much as possible for use by executive management. One key role for risk management is the communication of how to think about risks and how to portray them for full understanding by all. If that can be accomplished, then the organization is well on its way to comprehensive risk views.</p><p>The marcus evans 5th Annual Enterprise Risk Management Conference will take place March 19-21, 2012 in Chicago, IL</p><p>For further details on the upcoming conference, please contact:<br />Michele Westergaard<br />Marketing/PR Coordinator<br />marcus evans<br />Telephone: 312 540 3000 ext 6625 <br />Email: michelew@marcusevansch.com</p><p>About marcus evans<br />marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. 
Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.</p></div>4 Weeks Left to Book Your Seat at the Life Sciences Internal Audit Conferencehttps://globalriskcommunity.com/profiles/blogs/4-weeks-left-to-book-your-seat-at-the-life-sciences-internal2012-01-11T21:13:04.000Z2012-01-11T21:13:04.000ZMichele Westergaardhttps://globalriskcommunity.com/members/MicheleWestergaard<div><div class="popular-article"><div class="user-contributed"><p class="summary">With only 4 weeks left until the Life Sciences Internal Audit Conference, February 8-9, 2012 in Philadelphia, PA, don’t miss out on your opportunity to attend the event! <br /><br />Join key speakers, including: <br />Andy Weintraub, Director, Group Internal Audit at AstraZeneca <br />David Bolton, Internal Audit Manager at Biomet, Inc. <br />Tami McLaine, Director, Audit at Baxter International <br />Katie McCormick, Senior Manager, Corporate Analysis & Control at Boston Scientific Corporation <br />Jeffrey Antoon, Director, Corporate Internal Audit at Johnson & Johnson <br />Rosemary Scardaville, Audit Director at Merck <br />Robert Scala, Senior Director, Corporate Ethics and Compliance at Eisai, Inc. <br />And many, many more! <br /><br />This practical, hands-on event will enable delegates to benchmark their Internal Audit strategies against their peers, and is a “must-attend” conference for industry leaders to discuss best practices on approaching internal audit compliance to increase effectiveness while decreasing cost and time. <br /><br />Hear What Past Delegates Have to Say About the Internal Audit Conference Series: <br /><br />“Great selection & breadth of speakers. Uniformly high quality presentations. 
Intimate nature of meeting provided excellent opportunities for networking” – Abbott Laboratories <br /><br />“One of the best meetings I’ve attended. Excellent organization, topics and speakers. Overall extremely well done.” – Sanofi Aventis <br /><br />For more information or to RECEIVE A DISCOUNTED RATE, contact Michele Westergaard at Michelew@marcusevansch.com or 312-540-3000 ext. 6625.</p></div></div></div>Responding to Risks When Working with Third-Party Vendorshttps://globalriskcommunity.com/profiles/blogs/responding-to-risks-when-working-with-third-party-vendors2011-11-16T17:09:38.000Z2011-11-16T17:09:38.000ZMichele Westergaardhttps://globalriskcommunity.com/members/MicheleWestergaard<div><p>CIS-Partners, a consulting firm specializing in compliance strategies for the pharmaceutical industry, wrote an article entitled, “Don’t Get Burned”. The main focus of this article is to discuss how organizations are shifting to third-party vendors and in turn, how internal auditors need to respond to the risks associated with this process. <br /><br />View article here: <a href="http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww.cis-partners.com%2Fdownloads%2FRiskWatch_June2011_Don%27tGetBurned.pdf&urlhash=q1O9&_t=tracking_anet">http://www.cis-partners.com/downloads/RiskWatch_June2011_Don'tGetBurned.pdf</a> <br /><br />CIS-Partners is a sponsor of the upcoming marcus evans Life Sciences Internal Audit Forum, February 7-9, 2012 in Philadelphia, PA. During this event, two key sessions will focus on third-party audits and managing the risk that comes along with these new types of relationships. These include: <br />“Administering Effective and Reliable Audits of Third Party Relationships” – Andy Weintraub, Director, Group Internal Audit at AstraZeneca <br /><br />“Recognizing Key Risk Areas in the Overall Operational Audit Management” – Pawel Bialecki, Senior Manager, Internal Audit at Cephalon <br /><br />Don’t miss out on this two-day premiere event! 
Other key topics include: <br />• Improving communication between business units and internal audit to increase performance <br />• Mitigating risk in the internal audit area by assessing financial and non-financial areas of risk <br />• Discussing how automated controls can increase effectiveness and decrease cost <br /><br />For a full list of speakers and sessions, please contact Michele Westergaard at 312-540-3000 ext. 6625 or Michelew@marcusevansch.com. For registration information, visit: <a target="_blank" href="http://www.marcusevansch.com/LSIA_GRC" class="textblack"><font color="#FF0000">http://www.marcusevansch.com/LSIA_GRC</font></a></p></div>