Risk management

Dependency model, Failure Mode Effects Analysis (FMEA)

Protiviti has added a new issue, number 39, to its series on Board Perspectives: Risk Oversight. The latest has the title of Shaping the Risk Oversight Agenda and includes a list of 10 questions board should ask as they consider their oversight of risk management in 2013. The 10 questions are decent ones and I will let you review the Protiviti piece to see them and the useful discussion provided on each. They are fine as far as they go, but they are probably not the questions I would have the board ask. Here are 5 questions I think boards should consider asking of management in formal session: 1. Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organizations objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year. 2. Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks? 3. Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day? 4. What are the plans for improving the maturity and effectiveness of risk management in 2013? 5. Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents? Are these questions boards should be asking? What would you ask as a board member?

Norman Marks

Little Things Can and Will Hurt You

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years. Those of you who follow me on Twitter and LinkedIn may have seen some of the terrible customer service experiences I suffered over the last month. This post is not a rant about those companies. It is an opportunity to reflect on the damage such experiences, each of which is a little thing, can cause to organizations and what those organizations need to do. What too many people fail to realize is that how an organization treats one customer these days can swiftly spread to the eyes and ears of thousands. The viral effect of social media can lead to significant damage to an organizations reputation in moments and it only takes the actions of a single individual to spark the brush fire.

Consider how you select a restaurant for a special meal or a contractor for work at your home. If you are not checking on reviews (such as at Yelp, Travel Advisor, Angies List, etc.) you are taking an unnecessary risk. Personally, I travel around the world and use these reviews extensively. When negative reviews are posted, or I read stories of poor treatment of customers, I avoid those organizations. For example, check out these reviews on Yelp on Sears in Cupertino, California and United Airlines in San Francisco. Contrast them with the positive things said about Jet Blue and Nordstrom in San Jose. Bloggers also have their say: http://searssucks.blogspot.com/ andhttp://amplicate.com/hate/lufthansa . (By the way, I personally like United much more than Jet Blue these are for illustrative purposes only.) In fact, the contractors I have hired to work on my home have all been selected based on the excellent reviews they have received. The only trouble with getting a good review is having too much work smile. SAP is smart in many ways, including using a third party service to monitor what people say about the company, its services, and its people in social media. SAP realizes that there is little as important as its reputation, and it needs to understand what customers (including individuals at customers) have to say and then take action where needed. So what should this mean to board members, executives, and risk and assurance professionals? I suggest asking these questions: Does the organization monitor its reputation? If so, how? What are the trends? Who acts when there are reputation threats? Are you satisfied with your reputation? If not, what are you doing about it? If yes, what are you doing to preserve or enhance it? How do you monitor what people say about the business? Who replies, when, and how? Are you willing and able to change when perceptions turn downward?

Dont take the need to manage your reputation lightly. I recommend the work of Deon Binneman, a friend in South Africa who specializes in reputation management. This is a useful blog on the topic.

E&Y 2012 Global Fraud Survey

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years. Ernst & Youngs (E&Y's) latest survey (their 12th) is an excellent and essential read for all concerned with the risk of fraud. I especially like the separate sections for different regions. One word of caution: the report doesnt quantify the potential impact of fraud or corruption it only discusses the likelihood of such, and the presence (or otherwise) of the controls and environment necessary to combat it. See this earlier post for a review of the ACFE report on fraud, which does include estimates of fraud impact.

Here are some bits of interest:

Companies awareness of the risks posed by fraud, bribery and corruption is high, and a substantial majority of these companies are doing many of the right things to mitigate the risks. On a global basis, 39% of respondents reported that bribery or corrupt practices occur frequently in their countries. The challenge is even greater in rapid-growth markets, where a majority of respondents believe these practices are common. Respondents to our survey were increasingly willing to make cash payments to win or retain business, and a greater proportion including CFOs expressed an increased willingness to misstate financial performance. Globally, 15% of respondents are prepared to make cash payments, versus 9% in our last survey 5% of respondents might misstate financial performance, versus 3% in our last survey. Mixed messages are being given by management with the tone at the top diluted by the failure to penalize misconduct. Boards are ultimately responsible but, according to our respondents, they are sometimes seen as out of touch with conditions on the ground. Given the lack of progress since our last report on this issue, it is clear that boards need better and not just more information. Some feel swamped by voluminous risk management and control information and need more tailored, responsive and focused reporting. Despite the significant risks and specified demands of regulators, our survey suggests that the corporate response to mitigating third-party risks is still inadequate. Many companies are failing to adopt even the most basic controls to manage their third-party relationships.

E&Y has a number of recommendations for improving controls and the overall environment worth spending the time to read and discuss with the management team.

The Top 50 Apps Employees Sneak Into Work

Read more: http://www.businessinsider.com/apps-employees-byod-sneak-into-work-20133#ixzz2NNejJ3NG "Shadow IT" is the latest buzzword for when employees buy their own apps and use them at work. In a 2012 survey, PricewaterhouseCoopers found that as much as one-third of the money companies spent on technology was for these "shadow IT" apps. Sometimes employees buy apps to get their work done faster. Sometimes the apps are really for fun, but they've loaded them on their PCs, smartphone, or tablets connected to corporate networks. A startup that launched last week, Skyhigh Networks, helps IT departments discover these shadow apps so IT departments can stop or control them. It's been in beta with a handful of Fortune 2,000 companies like Cisco and General Electric.

Based on the scans it's done with its beta customers, Skyhigh came up with a list of the top 50 shadow IT apps that employees use at work. Most of these we've heard of, but a few surprised us. Here they are, in order of how many people use them. 1. Facebook 2. Dropbox 3. Google Mail 4. Apple iCloud 5. LinkedIn 6. Disqus (an app for leaving comments on Web sites) 7. Salesforce 8. Amazon Web Services (Amazon's cloud that hosts files and apps) 9. Hotmail 10. Box 11. Amazon S3 (Amazon's storage cloud) 12. Google Apps 13. Evernote (note taking app) 14. Twitter 15. Microsoft Office 365 (Microsoft's cloud version of MS Office) 16. 4shared (file sharing) 17. RightNow (Customer support app bought by Oracle in 2011) 18. Mozy (Online backup and storage) 19. AOL 20. Sourceforge (a site that stores and shares open-sourced apps) 21. Netsuite (cloud ERP app) 22. Marketo (manages marketing campaigns) 23. Flickr 24. VeriSign Geotrust (security app that ensures a Web site is safe) 25. Google Analytics 26. YouSendIt (file sharing) 27. New Relic (troubleshoots problems with Web apps) 28. Taleo (HR cloud app bought by Oracle in 2012) 29. Slideshare (Powerpoint presentations online) 30. Workday (HR app) 31. Carbonite (automatic, secure backup and storage) 32. Docusign (electronic signatures for legal, business documents) 33. Prezi (online presentations) 34. Typekit (adds fancy fonts to a website) 35. Skype 36. Sliderocket (online presentation tools) 37. Github (open-source projects and job site for developers) 38. Cloudfiles (file sharing) 39. SugarSync (file sharing) 40. PagerDuty (texting app for IT emergencies) 41. Bitbucket (stores open source projects) 42. Intuit Quickbase (creates custom business apps) 43. Constant Contact (email marketing) 44. Xobni (connects your Inbox to your social networks) 45. Snapfish (web photo printing) 46. Spiceworks (social network for IT professionals) 47. Olark (adds chat to your website) 48. Symantec Brightmail (email spam/security) 49. Addthis (adds social features/buttons to Websites) 50. Screencast (cloud storage)

Read more: http://www.businessinsider.com/apps-employees-byod-sneak-into-work-20133#ixzz2NNeb76Ug