Friday, April 24, 2009

Learning ERM from a 100-year-old Start-Up - LINK TO SLIDES ADDED

As mentioned earlier today, David Fox of KBR was the guest speaker at NC State's ERM Roundtable in Raleigh. His slides will be shared and linked next week, and are definitely worth a view. All good stuff.

A speaker abstract and slides are now available at NC State's website.

KBR is the Houston-based, $11+ Billion engineering and construction firm that was spun out from Halliburton in 2007. At the time of the transaction, KBR was living in the shadows of FCPA wrong-doings, more than one hundred million dollar missteps in terms of long-term projects and equity investments, and a host of cultural challenges related to being a start-up.

Unlike many previous ERM speakers, David did not advocate a complex or elaborate risk system. He sees his role as a facilitator, to help KBR management talk about key risks and mitigants that could decrease the likelihood of business objectives being achieved.

The best sound bites relate to David's own "risk management" of raising three teenage boys. Values, not dashboards, are his key to helping ensure the outcomes that he wants for his teenagers. Simplicity is key. Stay tuned for more interesting information on his CPE session.

NC State ERM Roundtable - GREAT Session from David Fox of KBR

Attended this morning's session in Raleigh for NC State's ERM Roundtable and had the pleasure to hear some thought-provoking ideas from both Dr. Mark Beasley (NC State) and David Fox of KBR in Houston. Thank you to Oversight Systems for their sponsorship of the event.

More on David's presentation later today, but for now here are a couple of resources that we know will be of interest to the ERM and Internal Audit communities.

1) AICPA's Research on the Current State of Enterprise Risk Oversight, published April 2009.

Research by the American Institute of Certified Public Accountants (AICPA) and NC State ERM Initiative finds that while the volume and complexities of risks are increasing extensively, risk oversight is fairly immature, ad hoc, and the source of frustration for over 700 executives surveyed. Some great factoids from the survey...
  • Over 1/3 of organizations surveyed note they were caught off guard by an Operational Surprise either "Extensively" or "A Great Deal" in the last five years. Another 1/3 of organizations faced a "Moderate" operational surprise.
  • Almost half (47%) stated that they are "Not at All Satisfied" or "Minimally" satisfied with the nature and extent of reporting of key risk indicators to senior executives regarding the entity's top risk exposure.
  • 44% of organizations surveyed have no enterprise-wide risk management process in place and no plans to implement one.
  • An additional 18% without ERM processes in place indicate they are currently investigating the concept, but have made no decisions about implementing ERM.
Said in a sentence or two: firms have been bitten by risk, they are not satisfied with executive and board-level reporting about risk, but they're not doing much about it. No wonder ERM is so hard!

Read more about Enterprise Risk Management at NC State's very thoughtful and thought-provoking Portal.

Sunday, April 19, 2009

SuperStrategies 2009 Reflections

Kim and I spoke at SuperStrategies 2009 in Las Vegas last week, where our topic was Finding Money and Detecting Fraud with Transaction Monitoring. The session was well-attended and provided some nice opportunities to meet some new friends and prospects, as well as connect with several alliance partners, including ACL, IDEA, and Oversight Systems.

Our conference presentation is available for download on LinkedIn and SlideShare.

Data analysis and continuous auditing clearly remained top of mind for most internal audit and ERM executives, especially as firms are all challenged to do more with less. A number of excellent presenters also shared their experience in the area, including RLI Insurance, HCA, and Continental Airlines. It was especially encouraging to hear the keynote panel's predictions for the future, and have each point toward data analysis and continuous auditing as a continued area of focus.

Conference takeaways related to data analysis included: comparing the relative size factor on invoices and POs (HCA); a team award for the data analytic innovation of the month (Bristol-Myers Squibb); geocoding and Q-grams (RLI); and reading your competitors' 10-K filings for risk assessment input factors (Protiviti).
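Two of the analytics named in those takeaways, the relative size factor (largest invoice divided by the second-largest for each vendor) and Q-gram similarity (overlapping character substrings used to find near-duplicate vendor names), are shown below as an added example. This is illustrative code written for this post, not material from HCA, RLI or any other presenter; the invoice register, vendor names and thresholds are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample invoice register (vendor, invoice number, amount).
# Hypothetical values chosen to show one out-of-pattern invoice.
INVOICES = [
    ("Acme Supply", "A-100", Decimal("1200.00")),
    ("Acme Supply", "A-101", Decimal("1350.00")),
    ("Acme Supply", "A-102", Decimal("14800.00")),  # far larger than this vendor's norm
    ("Beta Services", "B-10", Decimal("500.00")),
    ("Beta Services", "B-11", Decimal("520.00")),
    ("Gamma Co", "G-1", Decimal("9000.00")),        # single invoice: no RSF possible
]


def relative_size_factor(invoices):
    """Largest amount divided by second-largest amount, per vendor.

    A vendor with fewer than two invoices (or a zero second-largest amount)
    is skipped because the ratio is undefined for it.
    """
    by_vendor = defaultdict(list)
    for vendor, _, amount in invoices:
        by_vendor[vendor].append(amount)
    rsf = {}
    for vendor, amounts in by_vendor.items():
        if len(amounts) < 2:
            continue
        top = sorted(amounts, reverse=True)
        if top[1] <= 0:
            continue
        rsf[vendor] = top[0] / top[1]
    return rsf


def flag_rsf(invoices, threshold=Decimal("5")):
    """Vendors whose RSF meets the review threshold (threshold is a constructed choice)."""
    return sorted(v for v, r in relative_size_factor(invoices).items() if r >= threshold)


def qgrams(text, q=2):
    """Overlapping q-character substrings of the normalised text, padded so the
    first and last characters are counted like the rest."""
    normalised = " ".join(text.lower().split())
    pad = "#" * (q - 1)
    padded = f"{pad}{normalised}{pad}"
    return [padded[i:i + q] for i in range(len(padded) - q + 1)]


def qgram_similarity(a, b, q=2):
    """Dice coefficient over q-gram multisets: 1.0 for identical strings, 0.0 for no overlap."""
    ga, gb = Counter(qgrams(a, q)), Counter(qgrams(b, q))
    overlap = sum((ga & gb).values())
    total = sum(ga.values()) + sum(gb.values())
    return 2 * overlap / total if total else 0.0


def near_duplicate_vendors(names, min_similarity=0.75, q=2):
    """Pairs of vendor names similar enough to review as possible duplicates."""
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sim = qgram_similarity(a, b, q)
            if sim >= min_similarity:
                pairs.append((a, b, round(sim, 2)))
    return pairs


if __name__ == "__main__":
    print("RSF by vendor:", relative_size_factor(INVOICES))
    print("Vendors to review:", flag_rsf(INVOICES))
    print("Possible duplicate vendors:",
          near_duplicate_vendors(["Acme Supply", "ACME Supply Inc", "Beta Services"]))
```

The RSF test surfaces a single invoice that is out of proportion to a vendor's usual billing; the Q-gram comparison is case- and spacing-insensitive, so it pairs "Acme Supply" with "ACME Supply Inc" while leaving an unrelated vendor alone. Both thresholds are starting points to be tuned against your own data.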

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, April 12, 2009

Are you a creditor? How FACTA compliance may affect your organization

It is not uncommon today for people to rarely carry cash or coin on their person, and why would they need to? Most vendors accept credit/debit cards (one notable exception is Price’s Chicken Coop in Charlotte, NC; you must have cash and you had better know EXACTLY what you want to order when the cashier engages you. One wrong word and you get a quick rebuke!). We live in a credit society. Who are the creditors?

FACTA defines the terms “credit” and “creditor” the same as section 702 of the Equal Credit Opportunity Act:
• The term "credit" means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.
• The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

This definition of creditor casts a large and wide net. In fact, the American Medical Association (AMA) recently wrote the FTC essentially pleading exemption under the FACTA covered accounts. However, in response, the FTC stated that it “believe[s] that the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services. We also believe that implementation of the Rule will help reduce the incidence of medical identity theft; and that the burden on health care professionals need not be substantial.”

This seems far from the usual way of thinking about creditors and identity theft, but now that electronic transactions carry out so many of our fiduciary responsibilities, the door is wide open to applying the term “creditor” to almost any firm.

Firms should consider implementation of a solid continuous controls monitoring for transactions (CCM-T) framework that can help them comply with the FACTA Red Flag Rules. More information on FACTA and CCM-T's application for FACTA compliance in the coming weeks.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, April 7, 2009

Presentation to IIA Charlotte with Don Sparks

On March 31, Don Sparks (Audimation / IDEA) and I facilitated a day of continuing professional education (CPE) for the Charlotte IIA on the topics of data mining and continuous auditing. To the chapter's surprise and delight (and ours), more than 100 people signed up and attended, making the event a sell-out.

A common theme among the audit teams in attendance was that they are being asked to do much more with less this year, and their focus therefore is turning to data analysis. Some advanced users were in the room and contributed significantly (Thanks Mark LeRoy from Wells Fargo and the whole team from Arrowpoint Capital!). Several groups have made the transition from one-time use of data analysis to more frequent, interval-based analysis. These steps are critical on any journey toward continuous auditing, and it was energizing to hear of the successes.

Most teams are just getting started, and familiar roadblocks such as access to data were raised. The most valuable component of the session was the facilitated breakouts, where tables collaborated on designing and identifying data analysis routines that they were running or would like to run in the near future. We distributed a list of recommended routines for common business processes, and also shared some additional lists by industry for HealthCare, Retail, Financial Services, and Manufacturing. All were particularly well received, and distributed both during the class and by email to those who requested soft copies.

For future sessions, Don and I would plan to have a larger room, with flipcharts, so participants can share both questions and successes with other participants. Look for a new and improved session at your IIA chapter in the near future, or contact one of us to bring such a presentation to your local chapter.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, April 6, 2009

Monitoring and Preventing Insider Theft

In the course of identifying and preventing potential identity theft incidents, it is important to consider how the information could be used for ill-gotten gain. It is also important to know how that information is accessible. For especially valuable information, it is reasonable to expect outsiders to try to gain access to this information: the call center inquiry into changing an account’s physical address, the phishing for weaknesses in procedure… but what of the insiders who have greater access to the precious information?

Blue Lance recently blogged on the vulnerability of the information security firm Symantec and their recent insider theft incident. This shows how any firm, ANY, is susceptible to insider theft. A robust continuous controls monitoring platform, especially one that considers disparate data sources, could have identified patterns between in-bound calls and account inquiries by customer service reps, providing an early warning for inappropriate behavior. Actimize is a software vendor with an innovative application for monitoring call centers, primarily in the financial services space, and this space is one with increasing competition.

Enterprises should consider the access and use of company information by company employees as valid transactions that require monitoring. When an employee (or outsider!) begins accessing credit data that is outside of his typical area of responsibility, this should be a warning. While this may occur less frequently than outsiders’ attempts to steal an identity, the magnitude of a successful theft is much more significant.
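The monitoring described in this post and the one above it, correlating account lookups by customer service reps against the in-bound calls that should justify them, and flagging lookups outside a rep's normal area of responsibility, is shown below as an added example. This is illustrative code written for this post, not a product from Actimize, Blue Lance or any other vendor; the call log, lookup log, rep baselines, 15-minute matching window and escalation threshold are all constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): in-bound calls routed to a rep,
# and account-record lookups performed by reps, with the account's region.
CALLS = [
    ("2009-04-06 09:02", "rep01", "ACC-1001"),
    ("2009-04-06 09:30", "rep01", "ACC-1002"),
    ("2009-04-06 10:05", "rep02", "ACC-2001"),
]
LOOKUPS = [
    ("2009-04-06 09:04", "rep01", "ACC-1001", "east"),  # backed by a call
    ("2009-04-06 09:33", "rep01", "ACC-1002", "east"),  # backed by a call
    ("2009-04-06 10:06", "rep02", "ACC-2001", "west"),  # backed by a call
    ("2009-04-06 11:40", "rep02", "ACC-1003", "east"),  # no call, outside rep02's area
    ("2009-04-06 11:41", "rep02", "ACC-1004", "east"),  # no call, outside rep02's area
    ("2009-04-06 11:42", "rep02", "ACC-1005", "east"),  # no call, outside rep02's area
]
# Baseline of regions each rep normally serves; in practice derived from history.
BASELINE_REGIONS = {"rep01": {"east"}, "rep02": {"west"}}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def unsupported_lookups(lookups, calls, window=timedelta(minutes=15)):
    """Lookups with no in-bound call for the same account to the same rep within the window."""
    calls_by_key = defaultdict(list)
    for ts, rep, acct in calls:
        calls_by_key[(rep, acct)].append(parse(ts))
    unsupported = []
    for ts, rep, acct, region in lookups:
        t = parse(ts)
        if not any(abs(t - c) <= window for c in calls_by_key[(rep, acct)]):
            unsupported.append((ts, rep, acct, region))
    return unsupported


def out_of_area_lookups(lookups, baseline):
    """Lookups on accounts outside the regions the rep normally handles."""
    return [(ts, rep, acct, region) for ts, rep, acct, region in lookups
            if region not in baseline.get(rep, set())]


def reps_to_escalate(lookups, calls, baseline, max_unsupported=2):
    """Reps with more unsupported lookups in a day than the threshold, with a count
    of how many of those were also outside the rep's normal area."""
    unsupported = unsupported_lookups(lookups, calls)
    out_of_area = set(out_of_area_lookups(lookups, baseline))
    per_rep_day = Counter((rep, ts[:10]) for ts, rep, _, _ in unsupported)
    alerts = {}
    for (rep, day), n in per_rep_day.items():
        if n > max_unsupported:
            both = [e for e in unsupported
                    if e[1] == rep and e[0][:10] == day and e in out_of_area]
            alerts[(rep, day)] = {"unsupported": n, "also_out_of_area": len(both)}
    return alerts


if __name__ == "__main__":
    for event in unsupported_lookups(LOOKUPS, CALLS):
        print("no matching call:", event)
    print("escalate:", reps_to_escalate(LOOKUPS, CALLS, BASELINE_REGIONS))
```

Each rule on its own produces noise (a rep covering for a colleague, a call logged late), so the escalation combines them: a rep whose unsupported lookups in a day exceed the threshold, and whose hits also fall outside their normal area, is the pattern worth a reviewer's time. The same structure extends to other "valid transactions" the post mentions, such as address changes, by swapping the lookup log for the relevant event log.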

Joe Oringel
Visual Risk IQ
Charlotte NC, USA