I recently caught up with Jim DeLoach, an expert on risk and a long-time contributor to Corporate Compliance Insights. He’s an invaluable source of tactical information for GRC professionals, and we at CCI are thrilled to announce the publication of “Reimagining Risk: An Integrative Approach to Risk Management.”
Jim has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO. — Maurice Gilbert
MG: What do you see as the greatest business risks facing companies today?
JD: Protiviti recently partnered with the North Carolina State University ERM Initiative to conduct our third annual global survey to determine the top risks currently on the minds of boards of directors and C-level executives as they look forward over the next 12 months. Looking at the top five risks, the top risk overall for the third consecutive year is the risk of regulatory change and heightened regulatory scrutiny. Economic conditions in domestic and international markets are the second-highest-rated risk, suggesting continued concerns about adjusting to the slower rate of growth. The third-highest survey result is cyber threats to core operations, a critical issue at the highest levels, especially for the largest organizations. The fourth-rated risk is succession challenges and the ability to attract and retain talent, a risk that is likely triggered by the tightening market for the right skills needed for execution of demanding innovative growth strategies. Rounding out the top five risks overall is organizational culture not supporting timely risk identification and escalation. Longer term, we might cite other risks as top of mind, such as the obvious risk of disruptive change, but looking out over the next 12 months, these five risks represent the top overall concerns for senior executives and directors in many organizations.
MG: What do you see as the greatest regulatory risks facing companies today?
JD: A common concern I hear from executives and directors is how third-party risk and outsourcing and offshoring can complicate regulatory compliance. In terms of specific compliance challenges, I think it varies by industry and type of organization. In financial services, there is continued scrutiny of consumer protection in the United States, along with the recent release of the OCC’s “Minimum Standards/Heightened Expectations” guidance, setting forth the roadmap for continuous improvement of risk and compliance management programs. And don’t forget Dodd-Frank; the regulations for that legislation are not even done yet. Globally, anti-money laundering remains in the spotlight, along with consumer privacy/data protection and various market conduct matters. In consumer products and services organizations, we see increased pressure from regulators to protect consumers and their data. In the United States, health care providers continue to deal with the uncertainties around complying with healthcare reform, particularly with when and how fast the industry will move to a true performance-based reimbursement system and understanding clearly what is required to capitalize on available incentives once it is clear that policy mandates will be enforced. Energy companies deal with myriad environmental, health and safety requirements. Organizations with international operations have had to deal with the continuing and growing focus on anti-bribery and anti-corruption mandates. We could go on, but you get the picture. Compliance is a pervasive challenge.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?
JD: Both the CCO and CRO need to play a strong role to be truly effective as a second line of defense. Both should be viewed as having a seat at the table with business line leaders, with their positions and how they interface with senior line and functional management clearly defined. They need to be more than mere champions or advocates; they should be vested with escalatory authority and everyone should know it. For example, both should be empowered to escalate issues to executive management, including the CEO, and, through appropriate channels, the board of directors. In terms of preparation, the CCO should evaluate the state of compliance, quality of compliance risk assessments, design and implementation of risk mitigation plans, and operating effectiveness of those plans, all in coordination with internal audit and other evaluators. The CRO needs to supplement the work of the CCO by focusing on risk culture, aligning performance incentives, increasing organizational risk awareness and improving risk reporting for decision-making. Finally, the CAO should serve as a viable third line of defense by ensuring a quality risk assessment occurs for the organization as a whole, directing audit plans to focus on the most sensitive significant compliance risks, and watching the warning signs that indicate the potential for dysfunctional behavior. I think third-party risks merit careful attention from all of these executives.
MG: How does Protiviti help its clients mitigate risk?
JD: In many ways. Through the risk management and internal audit heritage of our professionals, we have gained unique perspectives on the challenges faced by our clients. We use these perspectives not only to solve regulatory, risk and compliance problems but also to help our clients become more effective and productive. Because our clients recognize that the information required for effective risk management also provides powerful insights about the business that can drive enhanced performance, we partner with them to help them comply with regulatory requirements, respond to situations of noncompliance, and improve the processes around information systems supporting governance, risk and compliance. We help our clients take a disciplined approach to managing credit, market and operational risks through a combination of assessments, process improvements, and model review and validation. Our comprehensive suite of IT consulting services covers three main areas of focus to help our clients leverage technology to address critical business priorities: technology strategy and operations; security and privacy solutions; and enterprise application solutions. We work with audit executives, management and audit committees at all types of companies, from pre-IPO start-ups to members of the Fortune 500 as well as public or private, to assist them with their internal audit activities, either on a full outsourcing or co-sourcing basis. We help clients assess their fraud risks and implement solutions to better manage these risks. Finally, we partner with general counsel, outside legal counsel, CFOs and board members to address legal, economic and unforeseen events that threaten enterprise value.
MG: What new service offerings do you have in the queue?
JD: We have our line of sight on several areas. I’ll comment on one. For many companies, complex accountabilities for compliance have evolved in an ad hoc manner over a long time. Often, internal and external pressures result in changes being implemented at such a pace that new policies, procedures and controls are added onto the existing compliance infrastructure with little or no rationalization of how they interact within the existing compliance framework and business processes. As these new policies, laws and regulations have evolved, several elements of compliance management common to many companies emerged over time – fragmented control environments, unnecessary and often redundant infrastructures, lack of automation, redundant requests of process and risk owners, reduced organizational transparency, inefficient communications and high audit costs, among other things. As a result, we see proliferation of operating silos, which drive myriad risk and control activities feeding a high cost internal control structure and overlapping resource demands in large organizations (such as multiple self-assessment programs). We see gaps and overlaps in ownership of control responsibilities, which drive missing and duplicative internal controls and assurance activities. Fragmented, diffused reporting of risk and control data has evolved, which leads to a lack of transparency and uninformed decision making about the control structure. And the evolving technological innovations add further complexities to this picture. These and other factors create an opportunity for streamlining the compliance infrastructure to make it more efficient and cost-effective in reducing risk to an acceptable level.