Manage Risk—Don’t React to It

Some senior managers take a passive or reactive approach to protecting their company’s systems from cyberattacks and other risks. While they may acknowledge the risks, they believe that the risks are too minimal—or the costs too high—to actively address the underlying causes. Their solution may be to purchase cyber insurance to cover the monetary loss if a breach were to occur.

This approach is not advisable. The insurance strategy may limit immediate financial loss, but the long-term damage to the company’s brand—and bottom line—can be great. The company may even be liable for legal penalties.

According to the Federal Trade Commission in its Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, presented on March 26, 2014 before the Committee on Commerce, Science and Transportation in Washington, D.C.:

“A company [is considered to be engaging] in unfair acts or practices if its data security practices cause or are likely to cause, substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition. The Commission has settled more than 20 cases alleging that a company’s failure to reasonably safeguard consumer data was an unfair practice.”

An organization that addresses risk in a passive manner may also be holding back its own growth. It is no longer uncommon for large clients to raise the subject of risk when considering purchasing your product or service. Risk is often reviewed during initial discussions before a relationship is established, and it is assessed again during periodic vendor reviews, client surveys, and audits of the company’s business practices over the life of the relationship. Common areas of concern are the following:

- What means are used to protect information?

- What are the policies for the security, access, and retention of documents (in both electronic and paper formats)?

- Is there a plan for disaster recovery?

- Is the company in compliance with industry-specific regulations?

- Does the company have insurance coverage?

- Does the company have a plan for physical security?

If the company is unable to fulfill the client’s requirements, it may lose lucrative business, negatively affecting cash flow and leading to even more lost business when word spreads that doing business with you would be a risky move.

The Proactive Approach

The implementation of a proactive approach to manage risk begins with taking the following steps:

Know and implement the COSO Internal Control—Integrated Framework. COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a joint initiative of five private-sector organizations, including the American Institute of CPAs (AICPA), dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. COSO’s framework continues to be the gold standard for risk management and is a logical place to begin the process.

When you look at what the framework represents, it is obvious that both public and private organizations of all sizes will benefit from its adoption. The purpose of the framework is to prevent and detect fraud. It is a standard framework for designing, implementing, and conducting internal controls as well as assessing the effectiveness of your current internal controls. The framework was recently updated from the original 1992 version to the 2013 revision to account for the ongoing changes in the business environment. Some of those changes include evolving technology, increased outsourcing, and the changing regulatory environment. (Companies that report to the Securities and Exchange Commission were expected to have fully transitioned to the 2013 framework by Dec. 31, 2014.)

Start by reviewing the COSO Internal Control—Integrated Framework’s core areas, principles, and focus areas. Document how your organization addresses the concerns embodied in the core areas, principles, and focus areas. This framework will be the basis of your plan. In general terms, the framework is as follows:

Control Environment. This relates to the responsibility of preserving an internal control environment, concentrating on people (ethics and integrity); employee development and training; and management and accountability. The importance of proper employee training cannot be overstated. Employees represent an organization’s greatest assets and its greatest risks. All employees within an organization must become part of the risk management process.

Risk Assessment. This area is geared toward the identification of entity objectives and the associated operational risks. Consider compliance with applicable regulations specific to your industry, as well as external financial reporting requirements. Identify areas where policies and procedures may allow fraud to be conducted. Consider outside threats.

A best practice is to assign a seasoned veteran with a complete understanding of the organization’s business model to develop the risk-assessment plan.

Control Activities. The primary focus of this area is on the establishment and ongoing maintenance of policies and procedures; accountabilities; and security management, such as the segregation of duties and segregation of information access.

Information & Communication. This area concerns the gathering and dissemination of the information needed to support internal control activities.

Monitoring Activity. The COSO risk management model recommends that on an ongoing basis, management evaluate internal controls to understand their presence and effectiveness, communicate deficiencies, and report on the status of corrective measures.

Tips for success: The first three sections do not need to be completed by the same person, as they look at different but related activities. In fact, it may be better to divide the tasks among senior managers to foster mutual ownership of and responsibility for the plan.

Augment this information with other framework standards that may apply, including risks identified by industry-specific trade groups and associations. Good examples of additional framework standards include ISO 27001 and the Framework for Improving Critical Infrastructure Cybersecurity.

Get approval and implement the plan throughout the organization. Once your plan is complete, seek board/management approval on the concept implementation. After approval has been obtained, execute the plan throughout the organization. Be sure to include communication throughout the entity so all employees understand their roles and know exactly what the plan entails.

Continually update the plan. To be effective, a risk-management plan must be fluid and continually evolve. For example, if during the course of the year a client requests an audit of your product or service delivery, and while completing that audit you discover an area not covered by your plan, update your risk plan immediately: you must assume the same client will ask the same question at the next audit.

I wrote this post for the Institute of Finance Management “Controller’s Report Member Briefing.” It was published in the August 2015 edition.

Author: Regis Quirin
Regis Quirin is a financial executive with 23 years of corporate experience, e.g. New York Stock Exchange, JP Morgan Chase, and GMAC ResCap; and 15 years working with small and medium-sized entities, e.g. joint ventures, start-up entities, established businesses. In 2014, Regis published "Redesign to Turnaround Underperforming Small and Medium-Sized Businesses" available via Amazon.

COSO Internal Control—Integrated Framework 1992 vs. 2013

By December 31, 2014, companies that utilize the 1992 COSO Internal Control—Integrated Framework are expected to have fully transitioned to the 2013 framework. If you are an organization that is required to report to the Securities and Exchange Commission, this change directly impacts you. But when you look at what the framework represents, it is obvious that both public and private organizations of all sizes could benefit from adopting elements of it. The purpose of the framework is to prevent and detect fraud. It is a standard framework for designing, implementing, and conducting internal controls, as well as assessing the effectiveness of your current internal controls.

The standard was updated to account for the ongoing changes in the business environment, e.g. evolving technology, increased outsourcing, and a changing regulatory environment. The most significant change in the 2013 framework from the 1992 framework was the addition of 17 principles and 77 focus areas. These new items further define the five core areas – Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.

COSO 17 Principles

Elements that would be most applicable to small and medium-sized entities include:

• Control Environment – The entity demonstrates a commitment to integrity and ethical values. Senior management is responsible for designating the individual(s) accountable for achieving the entity’s internal control objectives, and for continually developing those individual(s).

• Risk Assessment – The entity sets its internal control objectives, as well as its operations and financial goals. Externally, the entity abides by frameworks, laws, and regulations. Internally, risks are identified and their significance established. Approaches to respond to the risks are established. Fraud and all the potential ways it can be committed are considered.

• Control Activities – The entity develops control activities, which include segregation of duties, technology control activities, and policies and procedures.

• Information & Communication – Obtain and generate information. Communicate this information internally and externally.

• Monitoring Activity – On an ongoing basis, evaluate internal controls to understand their presence and effectiveness.

So how do you start?

Review the COSO Internal Control—Integrated Framework (core areas, principles, and focus areas) to understand which elements apply to your situation. Then conduct an assessment of your organization, seek board/management approval on concept implementation, engage staff through training and communications, develop a transition plan, execute the plan, monitor success, and adjust if required.

If you are looking to establish internal controls for the first time, it may make sense to bring in a third party that understands your industry and the common risks that should be considered. Team this individual up with an internal resource that understands your entity and your processes.

Additional posts on this subject include:

- What is the proper way to roll-out an ethics program?

- Internal Audits – “Inspect what you Expect”

- The Best Way to Avoid Fraud is to Remove the Opportunity

- How Problematic is a Financial Restatement?

Update – WSJ (04/29/2015), “Almost three-fourths of the U.S. stock-listed companies that have filed 10Ks with the U.S. Securities and Exchange Commission since Dec. 15, 2014 have transitioned to using the updated COSO 2013 framework for reporting internal controls of their financial reporting requirements, said Bob Hirth, chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO Commission).”

Where are you in the process?
