<h3>Governance, Risk Management and Compliance</h3>
Also discussing ethics, audit, management, fraud, SAP and monitoring tools. Feed updated 2024-02-19T16:13:29.625+01:00.<br />
Hernan Huwyler, Copenhagen, Denmark (http://www.blogger.com/profile/08368420247133451512)<br />
<h3>Tips and example on assurance mapping</h3>
Published 2017-01-24T13:05:00.004+01:00, updated 2017-02-04T23:24:56.506+01:00<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4I-WbGgvhA771PTAR96aaYBZfMyMgnUYiXrcCkFtScNgZOMbfjH2xDC4nR8HmqkVd2EMx0DGTT3inDprBz0ArChj-q7KjFLdXTxVKEC5xxyyz-fFusF5H6lcUPtQLRdQJhnnyth6sxt_j/s1600/Assurance+Map+Tips+Internal+Audit+Hernan+Huwyler.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4I-WbGgvhA771PTAR96aaYBZfMyMgnUYiXrcCkFtScNgZOMbfjH2xDC4nR8HmqkVd2EMx0DGTT3inDprBz0ArChj-q7KjFLdXTxVKEC5xxyyz-fFusF5H6lcUPtQLRdQJhnnyth6sxt_j/s400/Assurance+Map+Tips+Internal+Audit+Hernan+Huwyler.jpg" width="400" /></a></div>
<br />
<strong>Risk is an omnipresent driving force in all business activities. It requires producing information about the probability of different outcomes in the decision-making process. Assurance services improve the quality of this information across business activities</strong> (AICPA, 1996). Assurance, provided by internal and external auditors and many other parties, is the objective examination of evidence to perform an independent assessment of business activities. It adds credibility to information, from statutory financial reporting to non-financial information in environmental and social reports. Assurance is the confidence that what needs to be controlled is actually being controlled in practice.<br />
<br />
<br />
<strong>Since the board is responsible for ensuring that there are robust internal control arrangements across the whole organization, assurance is also a key compliance issue.</strong> Moreover, most codes for good corporate governance require the board to attest the effectiveness of the internal control and risk management systems.<br />
<br />
<br />
There are tools to coordinate and maximize the delivery of assurance services.<strong> Assurance maps visually link the assurances from all the providers to the risks that affect the organizational objectives.</strong> They explain how the assurance activities (x-axis) apply to key risks in sequential business activities (y-axis). The assurance activities are usually arranged by the three lines of defense or the five lines of assurance models. The maps give the board a quick and clear view of processes and risks, ensuring consistent management, oversight and reporting under a common methodology and language. Assurance maps promote collaboration between departments while being cost effective.<br />
<br />
<strong>Keys to making decisions on assurance</strong><br />
<br />
<br />
The primary objective of the assurance mapping is to detect areas of gaps and duplications in assurance efforts between departments. These maps quickly reveal the level of assurance oversight to alleviate low-value and redundant auditing efforts. <br />
<br />
In order to join efforts for a strong GRC function, the risk methodology, particularly the taxonomy and the rating scales, should be standardized to express a common and holistic view. This allows coordination and interaction between business owners and assurance providers.<br />
<br />
With the purpose of identifying processes with missing or unnecessary assurance efforts, the risk exposure can be linked to each process to assess whether the assurance costs are justified (“reasonable assurance” for the risk tolerance). When too much assurance is concentrated in one process, the causes for these efforts should be understood before reassigning controls and responsibilities across departments.<br />
<br />
When combining assurance programs and coordinating activities, the responsibilities defined by the policies or the audit charter should be updated. The assurance map is a tool to update and coordinate departmental responsibilities, but not a policy by itself.<br />
<br />
Besides combining assurance efforts for duplicated tasks, or reassigning controls to cover gaps, communication on issues and remediation action plans should flow across all the departments. Removing a department from assuring a process does not mean it should stop receiving information about the reliability and quality of the related information and its controls.<br />
<br />
<strong>An assurance map in practice</strong><br />
As an example, the following map details the process steps and their risks for a simplified financial month-end closing in a SAP company. This process-based map consolidates controls and risks from assurance providers to assess how much coverage is achieved and how much is needed. It combines the three lines of defense model with a standard SAP closing process compatible with SOX or COSO compliance.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghFcRF9Ru0WWWvcsSMwkk4aLSBQv0z2qVZp6tnx07hdZZYG6-eTclG-qMfiZ_r-6xSqgf_wXKMRXME5yXRkzqJlODSLYVn2yJF09Lx2HCD_cCL9W7KLVppvHOw-wykIoFIGiHxuhsL2o2W/s1600/Assurance+Map+Three+Lines+of+Defense+Enterprise+Risk+Management+Hernan+Huwyler.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghFcRF9Ru0WWWvcsSMwkk4aLSBQv0z2qVZp6tnx07hdZZYG6-eTclG-qMfiZ_r-6xSqgf_wXKMRXME5yXRkzqJlODSLYVn2yJF09Lx2HCD_cCL9W7KLVppvHOw-wykIoFIGiHxuhsL2o2W/s400/Assurance+Map+Three+Lines+of+Defense+Enterprise+Risk+Management+Hernan+Huwyler.JPG" width="385" /></a></div>
<br />
<br />
The assurance level rating represents the quality and the level of evidence by each department.<br />
<br />
<strong><span style="color: lime;">H </span>High Assurance</strong>: assurance is detailed and cyclically conducted, the amount of audit evidence reduces risks to a low level (e.g. low risk of material accounting misstatement), controls are in place and adequately mitigate risks, policies are in place and communicated, IT/BI tools are deployed to automate controls and to report red-flagged transactions, and performance metrics are closely monitored.<br />
<br />
<strong><span style="color: yellow;">M</span> Medium Assurance:</strong> assurance is not cyclically performed, controls are not in place to cover some risks, policies are not fully in place or communicated, manual controls are not automated.<br />
<br />
<strong><span style="background-color: white; color: red;">L</span> Low Assurance:</strong> low or no assurance, significant concerns over the adequacy of the controls in place in proportion to the risks, few policies in place.<br />
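An added example (not the post's own code or figure) that represents an assurance map like the one above as a matrix of process steps by providers, with the H/M/L scale, and applies the two checks the post describes: gaps (coverage below what the step's risk requires) and duplications (several providers giving high assurance on one step). The steps, providers, ratings and risk levels are constructed, and the rule mapping a risk level to the assurance rating it requires is an assumption standing in for the company's risk tolerance.

```python
"""Assurance map as a matrix of process steps (rows) by assurance providers
(columns), with the two checks the post describes: gaps and duplications.

Added example, not the post's own code or figure. The steps, providers, ratings
and risk levels below are constructed to resemble a simplified SAP month-end
closing; the mapping from a risk level to the assurance rating it requires is
an assumption standing in for the company's risk tolerance.
"""

# Assurance level scale from the post; None means the provider gives no assurance.
RATING_SCORE = {"H": 3, "M": 2, "L": 1, None: 0}

# "Reasonable assurance" for each key-risk level (1 = low .. 3 = high); assumed.
REQUIRED_RATING = {3: "H", 2: "M", 1: "L"}

# Columns of the map, arranged by the three lines of defense (constructed).
PROVIDERS = ["Accounting (1st line)", "Controlling (2nd line)",
             "Compliance (2nd line)", "Internal Audit (3rd line)"]

# Rows of the map: closing steps, their key-risk level and the rating each
# provider gives its own assurance over the step. Constructed sample data.
CLOSING_STEPS = {
    "Post manual journal entries": {
        "risk": 3, "ratings": {"Accounting (1st line)": "M", "Controlling (2nd line)": "L"}},
    "Accruals and provisions": {
        "risk": 3, "ratings": {"Accounting (1st line)": "H", "Controlling (2nd line)": "H",
                               "Internal Audit (3rd line)": "H"}},
    "Intercompany reconciliation": {
        "risk": 2, "ratings": {"Accounting (1st line)": "M", "Controlling (2nd line)": "M"}},
    "Foreign currency valuation": {
        "risk": 2, "ratings": {"Controlling (2nd line)": "M"}},
    "Period lock and closing cockpit run": {
        "risk": 1, "ratings": {}},
}


def best_rating(ratings):
    """Highest rating among the providers covering a step (None if nobody covers it)."""
    return max(ratings.values(), key=lambda r: RATING_SCORE[r], default=None)


def find_gaps(steps):
    """Steps whose best coverage is below what their key-risk level requires.
    Returns [(step, coverage, required)]."""
    gaps = []
    for name, info in steps.items():
        have, need = best_rating(info["ratings"]), REQUIRED_RATING[info["risk"]]
        if RATING_SCORE[have] < RATING_SCORE[need]:
            gaps.append((name, have, need))
    return gaps


def find_duplications(steps, min_rating="H"):
    """Steps where two or more providers each give at least min_rating: the
    post's candidates for understanding the causes before reassigning controls.
    Returns [(step, [providers])]."""
    dups = []
    for name, info in steps.items():
        strong = sorted(p for p, r in info["ratings"].items()
                        if RATING_SCORE[r] >= RATING_SCORE[min_rating])
        if len(strong) >= 2:
            dups.append((name, strong))
    return dups


def render(steps, providers=PROVIDERS):
    """Plain-text grid: one row per step, one column per provider, '-' = no assurance."""
    width = max(len(s) for s in steps) + 2
    header = "Process step".ljust(width) + "Risk  " + "  ".join(p[:14].ljust(14) for p in providers)
    lines = [header]
    for name, info in steps.items():
        cells = "  ".join((info["ratings"].get(p) or "-").ljust(14) for p in providers)
        lines.append(name.ljust(width) + f"{info['risk']:<6}" + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CLOSING_STEPS))
    print("\nGaps (step, coverage, required):", find_gaps(CLOSING_STEPS))
    print("Duplications (step, providers):", find_duplications(CLOSING_STEPS))
```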
<br />
Get the latest in corporate governance, risk, and compliance on <a href="https://twitter.com/hewyler">Twitter</a><br />
Hernan Huwyler, Copenhagen, Denmark<br />
<h3>Combining internal audits with anti-corruption compliance monitoring</h3>
Published 2016-12-29T00:11:00.001+01:00, updated 2016-12-29T17:00:22.219+01:00<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ZLEGk5hO-y0RONN3xRNJ0uyp827aqpevCxG_5y5f-TXQIQ3ZCEhedHBStp5Y_XBQ-A1S3Gy9X4OT5SUkSUcuVwvW8dCbVPf26hJeLbMUBC1WulPYeza7mu2aMBesfIGZDL41hX3ywJVn/s1600/Combining-internal-audit-anti-corruption-compliance-monitoring.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Internal Audit Automatic queries tax haven countries Specific anti-bribery controls bribery risk map extra-territorial anti-corruption legislation compliance payments payments Hernan Huwyler" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ZLEGk5hO-y0RONN3xRNJ0uyp827aqpevCxG_5y5f-TXQIQ3ZCEhedHBStp5Y_XBQ-A1S3Gy9X4OT5SUkSUcuVwvW8dCbVPf26hJeLbMUBC1WulPYeza7mu2aMBesfIGZDL41hX3ywJVn/s400/Combining-internal-audit-anti-corruption-compliance-monitoring.jpg" title="" width="400" /></a></div>
<br />
<br />
<strong>Detecting illegal payments concealed in accounting records is a top priority both for internal audit and anti-bribery compliance</strong>. Corruption risk is a significant and growing concern for global companies. Many countries are passing and enforcing extra-territorial <a href="http://mydailyexecutive.blogspot.com/2009/02/value-of-active-fcpa-compliance-program.html">anti-corruption legislation</a>, and tips to the authorities are increasing because of financial incentives. Improper payments are difficult to identify. They could be disguised as agent and third party commissions, fees and expenses. Other schemes may be more complicated such as inflated invoices, deceptive commission arrangements, and the use of a complex web of intermediaries, shell companies and bank accounts. <br />
<br />
<br />
<strong>Specific anti-bribery controls, performed by the 3 Lines of Defense, should be proportionate to the risks</strong> created by each type of transaction. Compliance and internal audit should agree on the same risk factors and their assessment in order to combine their scope in testing and monitoring. <br />
<br />
<br />
The bribery and illegal payment risks are usually linked to:<br />
<ul>
<li><strong>where </strong>the service is provided, the payment is requested, and the supplier is domiciled (e.g. countries with high perceived corruption or tax havens, new market sectors, off-shore jurisdictions)</li>
<li><strong>who </strong>is involved (e.g. public officials, small companies, new vendors, due diligence with comments or red flags, subcontractors, associations and JVs, requirements on associated persons)</li>
<li><strong>what </strong>service is provided (e.g. consultancy, licenses, customs and shipping services, public procurement, complex or new projects, incentives and pressures to complete a project)</li>
<li><strong>how </strong>the service is contracted and paid (e.g. the payment method, pre-determined flat fee, success fees, commission clauses, reimbursed expenses, deal type)</li>
</ul>
<br />
<br />
<a href="http://mydailyexecutive.blogspot.com/2011/07/simple-tool-to-indentify-risks.html"><strong>Risk mapping</strong></a><strong> for corruption should balance “the where”, “the who”, “the what” and “the how”.</strong> Many companies link their bribery risks only to <a href="http://mydailyexecutive.blogspot.com/2011/06/do-you-want-to-see-how-your-country.html">high-corruption countries</a>, missing the general environment of a transaction. <br />
<br />
<br />
<br />
<strong>Both compliance and internal audit aim at developing effective financial and commercial controls to mitigate bribery risks</strong>, as well as money laundering and occupational fraud in general. Since the control objectives and the bribery risk map are shared, both areas can coordinate their actions to reach the same comfort level while remaining accountable for their specific responsibilities. Internal audit will benefit from sharing its work programs with compliance in order to focus on key controls and to avoid any duplication of efforts. Likewise, compliance will benefit from receiving the audit reports and monitoring the remediation plans in order to refocus its program on areas of heightened scrutiny. <br />
<br />
<br />
<br />
Compliance and Internal Audit may combine their reviews to <a href="http://mydailyexecutive.blogspot.com/2011/06/audit-procedures-for-fcpa-testing.html">detect illicit payments</a> by separating the process into 3 stages: design, control efficiency and monitoring. The following sections suggest ideas for a collaborative approach. <br />
<br />
<strong>Testing the control design by Internal Audit</strong><br />
<br />
<ul>
<li>Review of segregation of duties in approving new vendors, contracts, service receptions and payments, assuring the appropriate seniority of approvers and their effective counterbalance.</li>
<li>Review of anti-corruption obligations in contracts with business partners and the appropriate indemnity and warranty clauses.</li>
<li>Ensure that the accounting staff is trained to book to the proper purchasing and payment categories, and to add meaningful and clear descriptions for entries. No auxiliary spreadsheet should support a global journal entry without disclosing itemized information about the service and the supplier.</li>
<li>Ensure that the financial controllers are trained on the anti-bribery, travel and expense rules, cash and bank controls, and how to identify red flags.</li>
</ul>
<br />
<br />
<strong>Substantive testing for control efficiency by Compliance</strong> (reassured by Internal Audit)<br />
<br />
<ul>
<li>Test the effectiveness of the pre-contract due diligence, the verification of services and the fairness of the paid amount by selecting payments linked to all levels of risk (including any suspiciously unnecessary contracting, by non-statistical sampling). Focusing the payment testing only on high-risk transactions or on statistical sampling may be ineffective in covering all risks.</li>
<li>Audit of third parties (on-site compliance audits): background checks on executives, owners and assigned employees (party screening); assure the training on extortion and bribery provisions and controls for vendor employees; confirm the circumstances under which the third party was engaged and instructed; check that the service was engaged after the due diligence was finished.</li>
<li>Review the existence of enquiries from the approvers to validate the legitimacy of the service. Approvals should be based on a statement of received services summarizing the works and deliveries provided. The review needs to cover the disclosed conflicts of interest.</li>
</ul>
<br />
<br />
<strong>Monitoring by Compliance</strong> (quarterly watch-lists to trigger specific reviews by Internal Audit)<br />
<br />
<ul>
<li>Automatic queries to list gifts, meals, entertainment, travel expenses, sponsorships, and political and charitable contributions, linking them to the approval by senior executives and to the applicable limits.</li>
<li>Automatic queries to list payments to third parties, including vendors, suppliers, resellers, distributors, agents and consultants (lawyers and accountants).</li>
<li>Payments to offshore bank accounts or in different locations or currencies.</li>
<li>Automatic queries to list upfront payments, advances and customer rebates.</li>
<li>Out-of-trend commissions paid, by type of service or versus the monthly average.</li>
<li>Substantial price increases or decreases.</li>
<li>Automatic queries to highlight changes in lease expenses, in particular for equipment.</li>
</ul>
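The monitoring queries above turned into runnable watch-list rules, as an added example that is not code from the original post: single-record rules (offshore or foreign bank account, gifts and entertainment above the limit without senior approval, advances) and history rules (commissions out of trend versus the vendor's other months, substantial unit-price changes on repeated services such as equipment leases). The payment records, the offshore jurisdiction list, the approval limit, the thresholds and the field names are constructed placeholders; a real run would take them from the ERP vendor master and payment tables and from the company's policies.

```python
"""Quarterly compliance watch-list built from the monitoring queries listed above.

Added example, not code from the original post. Payment records, the offshore
jurisdiction list, the approval limit and the thresholds are constructed
placeholders standing in for ERP extracts and the company's own policies.
"""
from collections import defaultdict
from statistics import mean

OFFSHORE_JURISDICTIONS = {"KY", "VG", "PA"}  # constructed placeholder list
GIFT_CATEGORIES = {"gift", "meal", "entertainment", "travel", "sponsorship",
                   "political contribution", "charitable contribution"}
GIFT_LIMIT = 150.0     # above this, the (constructed) policy requires senior executive approval
TREND_FACTOR = 2.0     # commission more than 2x the vendor's average over its other months
PRICE_CHANGE = 0.25    # unit price moved more than 25% versus the prior invoice
MIN_HISTORY = 3        # other months needed before the commission trend rule applies


def pay(pid, vendor, vendor_country, bank_country, category, amount, month, approver, **extra):
    """Build one ERP-style payment record (constructed field names)."""
    return dict(id=pid, vendor=vendor, vendor_country=vendor_country, bank_country=bank_country,
                category=category, amount=amount, month=month, approver=approver, **extra)


PAYMENTS = [  # constructed sample extract; not real transactions
    pay("P1", "Harbour Consulting", "ES", "KY", "consultancy", 48000.0, "2016-10", "director"),
    pay("P2", "AgentCo", "MX", "MX", "commission", 1000.0, "2016-07", "manager"),
    pay("P3", "AgentCo", "MX", "MX", "commission", 1100.0, "2016-08", "manager"),
    pay("P4", "AgentCo", "MX", "MX", "commission", 900.0, "2016-09", "manager"),
    pay("P5", "AgentCo", "MX", "MX", "commission", 5000.0, "2016-10", "manager"),
    pay("P6", "Event Hall", "DK", "DK", "entertainment", 400.0, "2016-11", "manager"),
    pay("P7", "Event Hall", "DK", "DK", "entertainment", 400.0, "2016-11", "senior executive"),
    pay("P8", "Customs Broker SA", "BR", "BR", "customs services", 12000.0, "2016-12", "director",
        advance=True),
    pay("P9", "Equip Lease", "DE", "DE", "lease", 1000.0, "2016-11", "manager",
        item="forklift", unit_price=1000.0),
    pay("P10", "Equip Lease", "DE", "DE", "lease", 1400.0, "2016-12", "manager",
        item="forklift", unit_price=1400.0),
]


def single_payment_flags(p):
    """Red flags decidable from one record alone."""
    flags = []
    if p["bank_country"] in OFFSHORE_JURISDICTIONS:
        flags.append("offshore bank account")
    elif p["bank_country"] != p["vendor_country"]:
        flags.append("bank account outside vendor domicile")
    if (p["category"] in GIFT_CATEGORIES and p["amount"] > GIFT_LIMIT
            and p["approver"] != "senior executive"):
        flags.append("gift/entertainment above limit without senior approval")
    if p.get("advance"):
        flags.append("upfront payment or advance")
    return flags


def trend_flags(payments):
    """Red flags that need the vendor's history. Returns {payment id: [reasons]}."""
    flags = defaultdict(list)
    commissions, priced = defaultdict(list), defaultdict(list)
    for p in payments:
        if p["category"] == "commission":
            commissions[p["vendor"]].append(p)
        if "unit_price" in p:
            priced[(p["vendor"], p["item"])].append(p)
    # Commission out of trend: compare each month with the vendor's other months.
    for rows in commissions.values():
        if len(rows) <= MIN_HISTORY:
            continue
        for p in rows:
            avg = mean(r["amount"] for r in rows if r is not p)
            if p["amount"] > TREND_FACTOR * avg:
                flags[p["id"]].append(f"commission {p['amount'] / avg:.1f}x the vendor's average of other months")
    # Substantial price change on a repeated service (e.g. an equipment lease).
    for rows in priced.values():
        rows.sort(key=lambda r: r["month"])
        for prev, cur in zip(rows, rows[1:]):
            change = (cur["unit_price"] - prev["unit_price"]) / prev["unit_price"]
            if abs(change) > PRICE_CHANGE:
                flags[cur["id"]].append(f"unit price changed {change:+.0%} vs prior invoice")
    return flags


def build_watch_list(payments):
    """Run every rule and keep only flagged payments: {payment id: [reasons]}."""
    history = trend_flags(payments)
    watch = {}
    for p in payments:
        reasons = single_payment_flags(p) + history.get(p["id"], [])
        if reasons:
            watch[p["id"]] = reasons
    return watch


if __name__ == "__main__":
    for pid, reasons in build_watch_list(PAYMENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Each flagged payment is a candidate for the specific Internal Audit review the post describes, not a finding by itself.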
<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<h3>6 Tips for Compliance Risk Mapping</h3>
<strong>How to create a world-class compliance risk assessment</strong><br />
Published 2016-12-20T11:34:00.002+01:00, updated 2016-12-26T00:02:00.187+01:00<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIsJvFhQudOQvG_9XazIf3rHkZ1jQBv-gn1WkHRjtTrf_Wb9Llx53hUYL_uZokX9FFBEjtndqrlJG66VF2yV3RFjnOPGQwSxUA9KtgO-u1Ujvszfox6BbBu6MTZg_1cu0JwOoEdo-aRq6x/s1600/Tips-Compliance-Risk-Mapping-Hernan-Huwyler.JPG" imageanchor="1"><img alt="Tips for Compliance Risk Mapping Compliance Risk Assessment " border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIsJvFhQudOQvG_9XazIf3rHkZ1jQBv-gn1WkHRjtTrf_Wb9Llx53hUYL_uZokX9FFBEjtndqrlJG66VF2yV3RFjnOPGQwSxUA9KtgO-u1Ujvszfox6BbBu6MTZg_1cu0JwOoEdo-aRq6x/s400/Tips-Compliance-Risk-Mapping-Hernan-Huwyler.JPG" title="" width="400" /></a></div>
<br />
The Spanish Criminal Code provides specific requirements for the implementation of corporate compliance programs to regulate the criminal liability of legal entities. The Spanish framework is similar to the U.S. Federal Sentencing Guidelines for Organizations in that adequate oversight efforts to prevent a compliance breach, once proven, reduce penalties. Having a criminal compliance risk map is one of the compliance program requirements mentioned by the Spanish criminal code.<br />
<br />
<br />
<b>Building a program to reach high business values requires the chief compliance officer to be focused on addressing criminal, compliance and ethical risks</b>. This approach is supported by a risk map to assess business actions which may result in criminal offences, or more generally, in a regulatory, legal, contractual or ethical breach. This map will guide prevention actions, such as training or developing policies and internal controls, or contingency actions such as incident management or dealing with investigations.<br />
<br />
<br />
There are many different approaches to produce a compliance risk map. I would like to highlight key best practices for a world-class assessment: <br />
<br />
1- <b>Set the risk mapping scope</b> with a comprehensive list of criminal offences (locally, art. 31 bis), regulations, contracts, voluntary commitments, and fraud schemes. This risk universe allows classifying risk factors to facilitate mitigation and communication actions. The compliance risk landscape should address industry-specific, counter-party and general regulations. Multinational companies should group the compliance risk domains by general topics to link them to the different local jurisdictional requirements. This compliance requirement list should be validated by subject matter specialists from the compliance and the legal departments. <br />
<br />
2- <b>Follow a global ERM policy</b> to assure this map can be easily integrated into the GRC management. While the ERM practices or the internal audit risk assessments are not specifically performed to identify legal and regulatory compliance risks, they can be combined, calibrated or linked to a legal compliance map. This project should be built on the current ERM activities. Also, assessing the financial impact ensures that the compliance risk map is not limited to a qualitative category. Using international standards, such as ISO 31000, 37001 and 19600, better supports the methodological framework. <br />
<br />
3- <b>Plan from the top to the bottom</b>. Expanding the risk map may be time consuming. The compliance officer may perform an initial risk assessment to articulate the efforts. <br />
<br />
This is a simplified example for planning the risk mapping in a multinational company:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPSK-5sTLr8pkS1UhUy1O6ZFY7V5GtaqxQHuXbcv82N04gChMgWIS4M0DqbGTKqxIRrFTILiS7Qu75KezjPQfd1ftuRxVAJlCkp3yRvvHK1o6vLCr2tP-Sqg4vURcdErs7CAHDkVNQ0IcL/s1600/Capture1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPSK-5sTLr8pkS1UhUy1O6ZFY7V5GtaqxQHuXbcv82N04gChMgWIS4M0DqbGTKqxIRrFTILiS7Qu75KezjPQfd1ftuRxVAJlCkp3yRvvHK1o6vLCr2tP-Sqg4vURcdErs7CAHDkVNQ0IcL/s400/Capture1.PNG" width="400" /></a></div>
<br />
<a href="https://drive.google.com/file/d/0B03TPoDJDTnmbWlBM0JpR1RTOE0/view?usp=sharing">expand</a><br />
<br />
You can expand this example with more data from compliance exception reports, detailed whistleblowing statistics, external and tax audit findings, transactional records, client complaints, surveys and social media data. <br />
<br />
4- <b>Cover the business actions</b> produced by administrators, directors, managers, executives, employees, consultants and suppliers. Involve employees at many company levels, jurisdictions and functions to limit the risk biases while capturing both top and bottom risks. Set a clear ownership of the compliance risks to facilitate managing the action plans and reporting (my related <a href="https://www.linkedin.com/pulse/useful-tool-strengthen-risk-compliance-performance-huwyler-mba-cpa?trk=mp-reader-card">article</a>). Performing the assessments close to the operations increases the chances of identifying the most relevant risks. The chief compliance officer should understand the full spectrum of compliance requirements and issues. External legal advisors can be of good help. <br />
<br />
5- <b>Involve key people in the risk assessments</b>. Risk owners will disclose their risks and their vulnerabilities if they trust the people in charge of the risk assessment. Involving locally well-recognized directors in the risk mapping is a must. Introducing the initiative with training also creates a positive working environment. <br />
<br />
6- <b>Compliance risks should be followed up frequently</b> according to their exposure by reviewing the results of action plans, producing <a href="http://mydailyexecutive.blogspot.com/2011/06/key-indicators-kpis-kris-kcis-and-klis.html" target="_blank">key risk indicators</a>, and escalating them to the different risk committees or executive boards. Ethics and compliance risks appear every day due to regulatory pressures, <a href="http://mydailyexecutive.blogspot.com/2011/08/risks-in-new-business-ventures.html" target="_blank">new strategic objectives</a>, organizational changes, and cybercrime. Just producing a compliance risk map is false compliance (locally called make-up compliance in Spain). The dynamic follow-up of risk actions builds the compliance culture. <br />
<br />
<br />
What lessons have you learned producing a compliance risk map? Please expand this article with your comments.<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<h3>Business intelligence in governance, risk and compliance</h3>
Published 2016-12-20T11:32:00.001+01:00, updated 2016-12-26T00:05:57.403+01:00<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQfDDmyUExINh3I-ewGqoXWnSpIQnkiVSE9BvzU5nVj9bnxN14c0O0lAi5BNNHkUiBxoRkkm3tnuGU8PvQJWOjHOc7FRjRD6ZCwDB-gUcn7qcQvJPUTUMPPFx-iLFXuoKsGixgivjXYM1a/s1600/Business+intelligence+in+governance%252C+risk+and+compliance+Hernan+Huwyler.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Business intelligence in governance, risk and compliance Audit, Compliance, Risk Mapping, SAP Hernan Huwyler" border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQfDDmyUExINh3I-ewGqoXWnSpIQnkiVSE9BvzU5nVj9bnxN14c0O0lAi5BNNHkUiBxoRkkm3tnuGU8PvQJWOjHOc7FRjRD6ZCwDB-gUcn7qcQvJPUTUMPPFx-iLFXuoKsGixgivjXYM1a/s400/Business+intelligence+in+governance%252C+risk+and+compliance+Hernan+Huwyler.jpg" title="" width="400" /></a></div>
<br />
The importance of risk and compliance has dramatically increased over the last years to improve corporate governance. Organizations are addressing the governance challenges, primarily as a consequence of regulatory requirements, business transformation, emerging risks and large scandals in corporate governance. Many organizations are struggling to focus their risk and compliance programs to meet stakeholders’ expectations.<br />
<br />
<br />
A large number of <a href="http://mydailyexecutive.blogspot.com/2011/06/key-indicators-kpis-kris-kcis-and-klis.html" target="_blank">GRC services</a> and solutions are currently available from large and niche consulting firms to support an integrated control model. A GRC platform is offered as a transparent system of collaboration to orchestrate control activities across the business. While organizations can fairly deal with the “G”, the “R”, and the “C” as independent departments, integrating them has proven difficult, leading to control gaps, redundancies, inefficiencies and conflicts. A plethora of GRC modelling proposals exists both in the commercial arena and in the research community (Racz et al., 2010). Business intelligence has the ability to easily model control objectives and to address holistic risks.<br />
<br />
<br />
The integration of controls, protocols,<a href="http://mydailyexecutive.blogspot.com/2011/06/key-indicators-kpis-kris-kcis-and-klis.html" target="_blank"> key indicators</a> and reports into a GRC platform facilitates the automated detection of risks and the audit of compliance procedures. A major issue with this approach is the inflexibility of maintaining the control repository for a complex and dynamic environment within a single solution. The diversity of emerging risks requires a grounded approach to support a “compliance by design” model. Business intelligence allows the GRC departments to model the control framework to produce breach alarms, monitor performance and simplify assurance.<br />
<br />
The capability to capture and to change control requirements through a common GRC modeling framework facilitates the management of the controls and of the enterprise applications. Business process management, as a common framework for business intelligence, allows enforcing corporate compliance and meeting control objectives. It helps to link what needs to be done (the normative compliance approach) with how the control activities should be performed by the business process owners (the descriptive internal audit approach). It is essential, then, that business, compliance and control objectives are jointly designed to converge in common rules (Shazia et al., 2007). Regulations, compliance directives and internal control directives are complex and vague. These mandates of permissions and prohibitions, often written in legalese or technical jargon, are translated by subject-matter experts into rules in a single control repository. These rules can trigger violation alarms and control remediation protocols that surface at runtime.<br />
<br />
<br />
<h3>
<b>Example: U.S. anti-boycott laws scenario</b></h3>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIGjEjCZgCzrr5Oucnj3GZQppDIjDKXkHZEpyAWS-96_Bhb6Xk_qyMZbdMw22Us9MoXPjIdtAtCdDJUNRFAr5PquEubo9sQ4BfVoO7CbFTcnTDTt7hmgXF_NpA691khvAa0iKjtFMgZ1cQ/s1600/AAEAAQAAAAAAAAhFAAAAJDVjZWE4OGU0LTQxZTQtNDE4NC04ODc0LTM1NTU1ZmFiNDQ3NA.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIGjEjCZgCzrr5Oucnj3GZQppDIjDKXkHZEpyAWS-96_Bhb6Xk_qyMZbdMw22Us9MoXPjIdtAtCdDJUNRFAr5PquEubo9sQ4BfVoO7CbFTcnTDTt7hmgXF_NpA691khvAa0iKjtFMgZ1cQ/s400/AAEAAQAAAAAAAAhFAAAAJDVjZWE4OGU0LTQxZTQtNDE4NC04ODc0LTM1NTU1ZmFiNDQ3NA.png" width="325" /></a></div>
<br />
This scenario shows a set of simple rules for integrating control actions with <a href="http://mydailyexecutive.blogspot.com/2016/12/6-tips-for-compliance-risk-mapping.html" target="_blank">compliance risks</a> in a company running SAP and business intelligence.<br />
<br />
A GRC platform based on business intelligence allows organizations to easily maintain and adjust their compliance requirements to highlight control violations and report key compliance indicators.<br />
<br />
<span class="st">Get the latest in corporate governance, risk, and compliance on </span><a href="https://twitter.com/hewyler" target="_blank">Twitter</a><br />
<h3>Corporate compliance and stock volatility in top 35 Spanish companies</h3>
Published 2016-05-08, updated 2016-12-25.<br />
Compliance is a major ethical consideration that has an impact on the business strategy to improve financial performance and to limit the risk of failure to a tolerable level. <a href="http://mydailyexecutive.blogspot.com/2016/12/6-tips-for-compliance-risk-mapping.html" target="_blank">Compliance risks</a> are today a mainstream issue in Spain after increased exposure to new criminal liabilities and globalization. <b><a href="http://mydailyexecutive.blogspot.com/2016/04/why-compliance-is-such-hot-topic-in.html" target="_blank">Spanish companies</a> from all sectors revised their codes of conduct and whistleblowing policies to adapt them to the new business landscape, but the relationship with sustainability risks was not explored.</b><br />
<br />
<br />
In order to study the correlation between risk management and compliance, I generated 700 data sets to weigh them according to their relative market capitalization for the 35 public companies that make up Spain's benchmark IBEX 35 index. The compliance maturity was taken from analyzing the code of ethics and other publicly available ethics and corporate governance documents for these factors:<br />
<br />
<ul>
<li>corruption, business conduct & gifts,</li>
<li>antitrust and market abuse,</li>
<li>workers' protection, discrimination and harassment,</li>
<li>environmental and urban planning protection,</li>
<li>copyright and intellectual property protection,</li>
<li>IT data protection,</li>
<li>tax compliance,</li>
<li>money laundering,</li>
<li>occupational fraud, and</li>
<li>whistleblowing policy, available channels and management (30% of total score).</li>
</ul>
<div>
When the code of ethics and related governance policies set standard controls to mitigate the high-level compliance risks, the full score was assigned to that factor. Other cases were assessed individually according to their mitigating controls. </div>
The risk level was defined as the beta measured over the historical 250-day returns, i.e. the stock's volatility relative to the market. This indicator captures the risk arising from exposure to general market movements as opposed to idiosyncratic factors. <br />
<br />
The market capitalization was taken from the last statistics update published by the <a href="http://www.bolsasymercados.es/esp/Estudios-Publicaciones/Estadisticas" target="_blank">Madrid Stock Exchange</a>. The sector classification also followed the Madrid Stock Exchange criteria. <br />
<br />
The data analysis revealed a weak negative linear correlation (r = -0.18) between the compliance maturity and the stock volatility risk. The compliance/risk correlation, which does not imply causation, is stronger in the retailing and the telecommunications sectors.<br />
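The scoring and correlation method described above, as an added example that is not part of the original post or its dataset. It follows the post's method (ten compliance factors scored from public governance documents, the whistleblowing factor at 30% of the total, and a market-cap weighted linear correlation against each company's beta); the companies, factor scores, betas and market caps are constructed sample values, and the equal split of the remaining 70% across the other nine factors is an assumption, since the post does not state it.<br />

```python
"""Compliance maturity scoring and its correlation with stock volatility (beta).

Added example, not code from the original post. Ten compliance factors are
scored from governance documents, whistleblowing is weighted at 30% of the
total, and the maturity score is correlated with beta, weighting each company
by its market capitalization. All company data below is constructed.
"""
import math

FACTORS = [
    "corruption_conduct_gifts", "antitrust_market_abuse",
    "workers_protection", "environmental_protection", "ip_protection",
    "it_data_protection", "tax_compliance", "money_laundering",
    "occupational_fraud", "whistleblowing",
]
# Assumption: the nine non-whistleblowing factors share the remaining 70% equally.
WEIGHTS = {f: 0.70 / 9 for f in FACTORS if f != "whistleblowing"}
WEIGHTS["whistleblowing"] = 0.30


def maturity_score(factor_scores):
    """Weighted compliance maturity on a 0-100 scale.

    factor_scores maps each factor to a value in [0, 1]: 1.0 when the code of
    ethics sets standard controls for that risk, a partial value otherwise.
    """
    missing = set(FACTORS) - set(factor_scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for f, v in factor_scores.items():
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"score for {f} must be within [0, 1], got {v}")
    return 100.0 * sum(WEIGHTS[f] * factor_scores[f] for f in FACTORS)


def weighted_pearson_r(xs, ys, ws):
    """Pearson r where each observation carries a weight (here: market cap)."""
    if not (len(xs) == len(ys) == len(ws)) or len(xs) < 2:
        raise ValueError("need at least two equally sized series")
    total = sum(ws)
    mx = sum(w * x for w, x in zip(ws, xs)) / total
    my = sum(w * y for w, y in zip(ws, ys)) / total
    cov = sum(w * (x - mx) * (y - my) for w, x, y in zip(ws, xs, ys)) / total
    vx = sum(w * (x - mx) ** 2 for w, x in zip(ws, xs)) / total
    vy = sum(w * (y - my) ** 2 for w, y in zip(ws, ys)) / total
    if vx == 0 or vy == 0:
        raise ValueError("zero variance in one series")
    return cov / math.sqrt(vx * vy)


def pearson_r(xs, ys):
    """Unweighted Pearson r (every company counts the same)."""
    return weighted_pearson_r(xs, ys, [1.0] * len(xs))


def full(value):
    """Helper: the same score for every factor."""
    return {f: value for f in FACTORS}


# Constructed sample: name -> (factor scores, 250-day beta, market cap in EUR bn).
SAMPLE = {
    "Company A": (full(1.0), 0.85, 60.0),
    "Company B": ({**full(1.0), "whistleblowing": 0.0}, 1.05, 25.0),
    "Company C": (full(0.5), 1.10, 12.0),
    "Company D": ({**full(0.0), "whistleblowing": 1.0}, 1.30, 6.0),
    "Company E": (full(0.0), 1.20, 4.0),
}


def run_study(sample=SAMPLE):
    """Return per-company maturity scores plus weighted and unweighted r."""
    names = list(sample)
    scores = [maturity_score(sample[n][0]) for n in names]
    betas = [sample[n][1] for n in names]
    caps = [sample[n][2] for n in names]
    return {
        "scores": dict(zip(names, scores)),
        "r_weighted": weighted_pearson_r(scores, betas, caps),
        "r_unweighted": pearson_r(scores, betas),
    }


if __name__ == "__main__":
    result = run_study()
    for name, score in result["scores"].items():
        print(f"{name}: maturity {score:5.1f}")
    print(f"market-cap weighted r = {result['r_weighted']:+.2f}")
    print(f"unweighted r          = {result['r_unweighted']:+.2f}")
```

The weighted r is what the post's market-cap weighting produces; comparing it with the unweighted r shows how much a few large caps drive the headline figure, which is worth reporting alongside any correlation of this kind.<br />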
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEdnYzjjqi9xpa3UXr3rZNLJXnwG9Hqx5KO2mpv3EOhDWMK5hehPKm6CKRq9er6xLU2AW8kZt1DBQ9xM_c9yHufTUbeqXOuYJW_tsnm4tTi84gbOqtUtD2qhMqPu6TZGXc047gAxvSfd8J/s1600/AAEAAQAAAAAAAAfLAAAAJGRlM2RmYjkyLWI4N2QtNDJiYS04ZjMxLWZlMDZkNzFkNjcxYg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEdnYzjjqi9xpa3UXr3rZNLJXnwG9Hqx5KO2mpv3EOhDWMK5hehPKm6CKRq9er6xLU2AW8kZt1DBQ9xM_c9yHufTUbeqXOuYJW_tsnm4tTi84gbOqtUtD2qhMqPu6TZGXc047gAxvSfd8J/s400/AAEAAQAAAAAAAAfLAAAAJGRlM2RmYjkyLWI4N2QtNDJiYS04ZjMxLWZlMDZkNzFkNjcxYg.png" width="400" /></a></div>
<br />
<br />
<b><i>On balance, companies with strong and transparent ethics and compliance policies have better risk management in creating stakeholder value.</i></b><br />
<br />
There are two types of outliers in the analysis:<br />
<ul>
<li>Santander Bank, Repsol, OHL and Acciona have a mature compliance model according to the information in this study, but the stock value was highly volatile in the last 250 trading days, and</li>
<li>AENA, Endesa, Gas Natural, Dia and Iberdrola have low market value volatility, but opportunities to strengthen their compliance programs.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTTHk2mYxq0PY04yoqU9xidqYJT0GIWNCJBKxB356UrUfU-HZQY0ecox7328JwqpBKflHR_gwqDbpFvAszubVt2iwBThx4zKkJtn5wIA7nAG1ZXqx5aMiXtPflOhSC9GAvVDUgitzIwF20/s1600/AAEAAQAAAAAAAAczAAAAJGM0NTlhYjIzLTNhYWMtNGM2Yi1iNDkyLWVhNzQyODhjMWUwNw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTTHk2mYxq0PY04yoqU9xidqYJT0GIWNCJBKxB356UrUfU-HZQY0ecox7328JwqpBKflHR_gwqDbpFvAszubVt2iwBThx4zKkJtn5wIA7nAG1ZXqx5aMiXtPflOhSC9GAvVDUgitzIwF20/s400/AAEAAQAAAAAAAAczAAAAJGM0NTlhYjIzLTNhYWMtNGM2Yi1iNDkyLWVhNzQyODhjMWUwNw.png" width="400" /></a></div>
<br />
<br />
<br />
You can find the supporting data from these links:<br />
<br />
<a href="https://drive.google.com/file/d/0B2wLcc7MB3tPZzVLazJVSzZlY1k/view?usp=sharing" target="_blank">MS Access Datasets</a><br />
<a href="https://drive.google.com/file/d/0B2wLcc7MB3tPQmhSTFBkNTNtZWM/view?usp=sharing" target="_blank">Summary of dataset</a><br />
<a href="https://drive.google.com/file/d/0B2wLcc7MB3tPS2VvenBNaThsdDg/view?usp=sharing" target="_blank">Supporting Code of Ethics and Documents</a><br />
<br />
I will do further research to expand the conclusions of this study by:<br />
- using the <a href="https://www.oecd.org/investment/investment-policy/WP-2001_6.pdf" target="_blank">OECD Guidelines for Multinational Enterprises</a> to set the compliance factors to assess<br />
- expanding the study to other public non-IBEX 35 companies<br />
- monitoring the evolution over time<br />
- including the effective reporting of compliance and risk information<br />
<br />
Do you have any suggestions for improving the study methodology or scope?<br />
<br />
<h3>The 100 most critical and common segregation of duties conflicts in SAP</h3>
Published 2016-05-07, updated 2016-12-26.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0hwwTP6zv_Z0tatHvNOvM_vAi7o1vAL52ynUGLAc4g2ZbXm3uzVh8KJkngS6HKZhN_RiQGVvIpZDSUVR0QcHb56Zn56qPBJ90VnFu29sMAmfkFWSnjqbc4ss0eJuOq-c0dbaXPyagvkkq/s1600/The+100+most+critical+and+common+segregation+of+duties+conflicts+in+SAP.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="The 100 most critical and common segregation of duties conflicts in SAP Hernan Huwyler" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0hwwTP6zv_Z0tatHvNOvM_vAi7o1vAL52ynUGLAc4g2ZbXm3uzVh8KJkngS6HKZhN_RiQGVvIpZDSUVR0QcHb56Zn56qPBJ90VnFu29sMAmfkFWSnjqbc4ss0eJuOq-c0dbaXPyagvkkq/s400/The+100+most+critical+and+common+segregation+of+duties+conflicts+in+SAP.jpg" title="" width="400" /></a></div>
<br />
The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix, and with SAP HANA released, I expand this post by listing the 100 most critical and frequent segregation of duties incompatibilities. This list helps simplify the user reviews by internal auditors, functional roles and access security professionals while explaining the risk, which may result in operational fraud.<br />
<br />
<br />
Here is the list, which you are also welcome to download as an <a href="https://drive.google.com/file/d/0B2wLcc7MB3tPV2RlOE5vcWZXalE/view?usp=sharing" target="_blank">MS Excel file</a>:<br />
<br />
VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.<br />
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.<br />
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.<br />
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.<br />
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.<br />
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.<br />
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create or change a fictitious receipt and create/change a material document to hide the deception.<br />
<br />
<br />
<br />
<div id="spoiler">
XD01 Create customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.<br />
XD01 Create customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.<br />
VA01 Create sales order and VL01N Create outbound delivery with order ref are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.<br />
VF01 Create Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VA02 Change Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.<br />
FK01 Create Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VA02 Change Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create sales order and F-26 Incoming payments fast entry are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
VA02 Change Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.<br />
XD01 Create customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.<br />
XD02 Change customer (centrally) and VL02N Change outbound delivery are incompatible since the user may change a customer and deliver goods to that customer, thereby misappropriating goods.<br />
XK01 Create Vendor (Centrally) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XD01 Create customer (centrally) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.<br />
XD02 Change customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.<br />
VD01 Create customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
FK02 Change Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XK01 Create Vendor (Centrally) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XD01 Create customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.<br />
XK01 Create Vendor (Centrally) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VD02 Change customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
FD02 Change customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
VA02 Change Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.<br />
MK01 Create Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
FK01 Create Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VF01 Create Billing Document and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.<br />
VA02 Change sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
XD02 Change customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.<br />
ME21N Access to Create Purchase Order and ABAA Unplanned Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.<br />
MK02 Change Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VF01 Create Billing Document and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.<br />
VF01 Create Billing Document and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.<br />
XD02 Change customer (centrally) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.<br />
XK01 Create Vendor (Centrally) and FD01 Create Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VA01 Create sales order and F-51 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
FK02 Change Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XK02 Change Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
F.80 Mass reversal of documents and SCMA Schedule Manager: Scheduler are incompatible since the user may open accounting periods previously closed and make postings after month end.<br />
XD02 Change customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.<br />
FD01 Create customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
VD01 Create customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.<br />
VF02 Change Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VD02 Change customer (sales) and VL02N Change outbound delivery are incompatible since the user may change a customer and deliver goods to that customer, thereby misappropriating goods.<br />
MK01 Create Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VD01 Create customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.<br />
FD02 Change customer (accounting) and VL02N Change outbound delivery are incompatible since the user may change a customer and deliver goods to that customer, thereby misappropriating goods.<br />
ME21N Access to Create Purchase Order and ABZU Write-up are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.<br />
XD01 Create customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
VD02 Change customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.<br />
MK02 Change Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VF01 Create Billing Document and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.<br />
FD02 Change customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.<br />
VA02 Change sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.<br />
FK01 Create Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
XD01 Create customer (centrally) and F-39 Clear customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.<br />
VA01 Create sales order and FBCJ Cash journal are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
XK02 Change Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
ME21N Access to Create Purchase Order and ABMA Manual Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.<br />
VA02 Change sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
FK01 Create Vendor (FI) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VD01 Create customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.<br />
VF02 Change Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.<br />
VA01 Create sales order and F-52 Post incoming payments are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
FK01 Create Vendor (FI) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
FD01 Create customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.<br />
VA01 Create sales order and FF/4 Interface for check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
VD02 Change customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may change a customer and deliver goods to that customer, thereby misappropriating goods.<br />
VA01 Create sales order and F-04 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
VD01 Create customer (sales) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.<br />
FD02 Change customer (accounting) and VL01N Create outbound delivery with order ref are incompatible since the user may change a customer and deliver goods to that customer, thereby misappropriating goods.<br />
VA01 Create sales order and FB05 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
VA01 Create sales order and FF/5 Post check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.<br />
FK02 Change Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.<br />
VL02N Change outbound delivery and F-30 Post with clearing are incompatible since the user may create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods.<br />
FD01 Create customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.<br />
VD01 Create customer (sales) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.<br />
XD01 Create customer (centrally) and FBCJ Cash journal are incompatible since the user may create a customer and then post payments against the customer.<br />
XD02 Change customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.<br />
VD02 Change customer (sales) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.<br />
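A user-level check of these conflict pairs against role assignments, as an added example that is not part of the original post. The rule table uses the transaction codes listed above; the roles, their transaction codes and the users are constructed sample data, and the check reports both conflicts created by combining roles and roles that conflict on their own.

```python
"""Segregation-of-duties (SoD) check over SAP user/role assignments.

Added example, not the post's own code. The incompatible transaction-code
pairs come from the post; roles, role contents and users are constructed.
"""

# Rules are unordered pairs of transaction codes; the description is the
# fraud scenario the post gives for each conflict.
SOD_RULES = {
    frozenset({"VD02", "VL01N"}): "create a customer and deliver goods to it",
    frozenset({"VA01", "F-04"}): "create a sales order and process incoming payments",
    frozenset({"VD01", "F-29"}): "maintain customer master data and enter down payments",
    frozenset({"FD02", "VL01N"}): "create a customer and deliver goods to it",
    frozenset({"VA01", "FB05"}): "create a sales order and process incoming payments",
    frozenset({"VA01", "FF/5"}): "create a sales order and process incoming payments",
    frozenset({"FK02", "VD01"}): "sell assets to non-existent or fraudulent customers",
    frozenset({"VL02N", "F-30"}): "create fictitious deliveries and enter payments against them",
    frozenset({"FD01", "F-32"}): "create a customer and post payments against it",
    frozenset({"VD01", "F-26"}): "create a customer and post payments against it",
    frozenset({"XD01", "FBCJ"}): "create a customer and post payments against it",
    frozenset({"XD02", "F-51"}): "create a customer and post payments against it",
    frozenset({"VD02", "F-29"}): "maintain customer master data and enter down payments",
}

# Constructed sample: transaction codes granted by each role (role names are made up).
ROLE_TCODES = {
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02", "VA03"},
    "Z_SD_SHIPPING": {"VL01N", "VL02N"},
    "Z_SD_CUSTOMER_MAINT": {"VD01", "VD02", "VD03"},
    "Z_FI_INCOMING_PAYMENTS": {"F-04", "F-26", "F-29", "FB05"},
    "Z_FI_DISPLAY": {"FBL5N", "FD03"},
    "Z_SD_SUPERUSER": {"VD02", "VL01N", "VA01"},  # conflicts within a single role
}

# Constructed sample: role assignments per user.
USER_ROLES = {
    "JDOE": ["Z_SD_ORDER_ENTRY", "Z_SD_SHIPPING"],
    "ASMITH": ["Z_SD_CUSTOMER_MAINT", "Z_FI_INCOMING_PAYMENTS"],
    "BJONES": ["Z_SD_ORDER_ENTRY", "Z_FI_INCOMING_PAYMENTS"],
    "CLEE": ["Z_FI_DISPLAY", "Z_SD_ORDER_ENTRY"],
    "DADMIN": ["Z_SD_SUPERUSER"],
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the transaction codes granted by all of a user's roles."""
    codes = set()
    for role in user_roles.get(user, []):
        codes |= role_tcodes.get(role, set())
    return codes


def find_conflicts(tcodes, rules=SOD_RULES):
    """Rules violated by one set of transaction codes, as sorted
    (tcode_a, tcode_b, description) tuples."""
    hits = []
    for pair, description in rules.items():
        if pair <= tcodes:  # both codes of the pair are present
            a, b = sorted(pair)
            hits.append((a, b, description))
    return sorted(hits)


def user_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Map each user to the conflicts created by the union of their roles."""
    report = {}
    for user in user_roles:
        hits = find_conflicts(effective_tcodes(user, user_roles, role_tcodes), rules)
        if hits:
            report[user] = hits
    return report


def role_conflicts(role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Roles that carry a conflict on their own, whoever holds them."""
    report = {}
    for role, codes in role_tcodes.items():
        hits = find_conflicts(codes, rules)
        if hits:
            report[role] = hits
    return report


def conflicting_role_pairs(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """For each conflict of a user, which (role granting a, role granting b) pairs
    cause it, so remediation can target the role assignment rather than a tcode.
    The same role on both sides means the role itself needs redesign."""
    roles = user_roles.get(user, [])
    result = {}
    for a, b, _ in find_conflicts(effective_tcodes(user, user_roles, role_tcodes), rules):
        granting_a = [r for r in roles if a in role_tcodes.get(r, set())]
        granting_b = [r for r in roles if b in role_tcodes.get(r, set())]
        result[(a, b)] = sorted({(ra, rb) for ra in granting_a for rb in granting_b})
    return result


if __name__ == "__main__":
    for role, hits in role_conflicts().items():
        print(f"ROLE {role}: {[(a, b) for a, b, _ in hits]}")
    for user, hits in user_conflicts().items():
        for a, b, why in hits:
            print(f"USER {user}: {a} + {b} ({why}) via {conflicting_role_pairs(user)[(a, b)]}")
```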
<br />
<i>A risk-based approach to SAP segregation of duties The top 100 most critical segregation of duties conflicts in SAP Segregation of Duties Fraud Risks & Solutions<br />Security SOD Segregation of Duties SOD Conflicts and Role Based Authorization in SAP SAP Segregation of Duties SOX 404 and Risks</i><br />
<br /></div>
Hernan Huwyler Copenhagen, Denmarkhttp://www.blogger.com/profile/08368420247133451512noreply@blogger.comtag:blogger.com,1999:blog-4594825980016870104.post-59898782341256962392016-04-05T22:02:00.002+02:002017-02-22T17:39:06.190+01:00What factors define a good risk and compliance culture?<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbhC5ojOgmfl0TA-n5Eahg3OGJMjBLYyVbUl1QTbhNDYftxa0F7hvJElKku_7HfUDXQEtf_l5e-nXehiyEBCGMtaAW-fThUgVaBYfH40-Hc_gN03E3zyqL81X99tRwujIfD_k7mEa0Xd7h/s1600/Risk+and+Compliance+Culture+Hernan+Huwyler+Good+Risk+Culture.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbhC5ojOgmfl0TA-n5Eahg3OGJMjBLYyVbUl1QTbhNDYftxa0F7hvJElKku_7HfUDXQEtf_l5e-nXehiyEBCGMtaAW-fThUgVaBYfH40-Hc_gN03E3zyqL81X99tRwujIfD_k7mEa0Xd7h/s400/Risk+and+Compliance+Culture+Hernan+Huwyler+Good+Risk+Culture.jpg" title="Risk and Compliance Culture Hernan Huwyler Good Risk Culture" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
The promotion of a sustainable risk and compliance culture across the enterprise is a responsibility of the board and the executive-level leaders, particularly the chief compliance and risk officers. Their tone at the top filters the elements of a “good culture” down through the layers of management and risk takers. Where the culture is favorable, behaviors are more desirable in terms of policy compliance, risk prevention, whistleblowing and accountability.<br />
<br />
Regulators and authorities have cited a “poor culture” in enforcement cases to extend liability to governance areas. For instance, in Spain the State Prosecutor recently indicated that compliance programs should build the true compliance culture of a company rather than being an instrument to avoid criminal liability. An inadequate culture, driven by performance complacency, tolerance of improper behaviors or the justification of compliance breaches, diverts resources from strategic objectives.<br />
<br />
We need to understand the internal and external factors of the risk and compliance culture in order to change them for the better. Perceptions of governance structures such as remuneration incentives and performance measurement are critical to adjusting risk behaviors. The compliance program should specify these desired expectations to align practices in all parts of the company with the business's ethical values and shared risk tolerance.<br />
<br />
Research evidence suggests that culture is strongest in business units when:<br />
<ul>
<li>they have fewer (up to 5) and less diverse members (Colquitt et al. 2002), </li>
<li>staff well-being, engagement and tenure are higher (Huhtala et al. 2015, Beus et al. 2010), </li>
<li>social interaction is high and leaders provide clear guidance (González-Romá et al. 2002), </li>
<li>the communication network is denser (Zohar & Tenne-Gazit 2008), </li>
<li>they are focused on customer needs (Bedarkar et al. 2015), </li>
<li>they are more interdependent and have higher group identification (Roberson 2006), and </li>
<li>they are more cohesive, with leaders who are transformational, share a clear strategic vision for the work and behave consistently (Luria 2008). </li>
</ul>
<div>
<br />
ISO 31000 on risk management states that the organization's culture should be assessed as part of the internal context in order to adjust and improve the risk policy. The strong culture factors suggested by research can be promoted by:</div>
<ul>
<li>setting a risk tolerance policy to consistently manage risks holistically across the compliance, operational, financial and strategic functions, </li>
<li>focusing cost-saving and performance programs on investigating accidents and losses, including those covered by insurance and fraud, </li>
<li>setting HR policies to avoid mutual accountability and to promote open-door communication, issue escalation and whistleblowing reporting, </li>
<li>adjusting the remuneration scheme to the risks taken and to internal control reviews, </li>
<li>developing a comprehensive training program to build skills that support behaviors such as detecting fraud red flags, team management and objective setting, workplace incident response, and regulatory compliance, </li>
<li>building risk and compliance reporting channels for governance oversight, to aggregate risk management information and indicators and to decide on risk reduction plans, the development of the compliance program, and internal control effectiveness, </li>
<li>articulating a value-based compliance system with policies and procedures that enhance personal accountability, and </li>
<li>involving suppliers, investors, clients and regulators in creating and developing action plans to support a transparent culture and to anticipate risks. </li>
</ul>
<div style="border: 0px; box-sizing: border-box; color: #232629; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span class="st"></span><br />
<span class="st">Get the latest in corporate governance, risk, and compliance on </span><span style="background-color: white; color: #474b4e; display: inline; float: none; font-stretch: normal; font: 11px / 14.74px "verdana" , sans-serif; letter-spacing: normal; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><a href="https://twitter.com/hewyler" target="_blank"><span style="background-color: white; color: #474b4e; display: inline; float: none; font-stretch: normal; font: 11px / 14.74px "verdana" , sans-serif; letter-spacing: normal; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </span>Twitter</a></span></div>
Hernan Huwyler Copenhagen, Denmarkhttp://www.blogger.com/profile/08368420247133451512noreply@blogger.comtag:blogger.com,1999:blog-4594825980016870104.post-59639282313968084492016-04-05T21:58:00.002+02:002016-12-25T19:11:52.318+01:00Why compliance is such a hot topic in Spain?<div style="border: 0px currentColor; box-sizing: border-box; color: #232629; font-family: "georgia" , serif; font-size: 18.18px; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggHtI9F7Q9sS8wIlYFpl5TMiR6l1IMmh8lIKN-w025b70XVxTsTd1nKGSldj3iYHWXeZw8h1Lx2UF1AA9JgsYL5TSYTX2LfkldtzvvCA2LGaBF1IexIL68HxC4Svv6lp6w_-_IXXm681jW/s1600/Compliance+Spain+Espa%25C3%25B1a+Hernan+Huwyler.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Compliance Spain España Hernan Huwyler What factors define a good risk and compliance culture?" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggHtI9F7Q9sS8wIlYFpl5TMiR6l1IMmh8lIKN-w025b70XVxTsTd1nKGSldj3iYHWXeZw8h1Lx2UF1AA9JgsYL5TSYTX2LfkldtzvvCA2LGaBF1IexIL68HxC4Svv6lp6w_-_IXXm681jW/s400/Compliance+Spain+Espa%25C3%25B1a+Hernan+Huwyler.jpg" title="" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
<br />
The Spanish Criminal Code was amended in 2010, and subsequently reformed in 2013, to introduce the concept of criminal liability of legal persons. Many domestic legal entities are now criminally responsible for penal offenses committed in their name or for their benefit by those empowered to manage and control the business, and by their employees or contractors where adequate controls are lacking. <b>The responsibility of a legal person does not exclude criminal proceedings against a natural person, such as the perpetrator of a criminal offense, but it significantly increases the <a href="http://mydailyexecutive.blogspot.com/2016/12/6-tips-for-compliance-risk-mapping.html" target="_blank">compliance risks</a> and affects corporate sustainability</b>. The first prosecuted case was recently confirmed by the Supreme Court, which ratified a €776M penalty imposed on a machinery rental company for drug trafficking from Venezuela to Spain.<br />
<br />
This law responded to local business crime trends and focused on assigning moral culpability for the commission of serious offenses to corporate entities lacking effective compliance surveillance and ethical measures. <b>Companies are exempted from criminal liability if they provide evidence of effective supervision policies over their administrators and staff.</b> The law provides a detailed description of an appropriate compliance management system, domestically known as "corporate compliance", "corporate defense", "compliance program" or "crime prevention plan".<br />
<br />
During the past five-year period, the scope of compliance evolved from criminal offenses to include business ethics in general, from external compliance to internal compliance, and it moved from the legal departments to the internal and external auditors, boards, shareholders, risk managers, consultants, and information technology and security areas. The offenses expressly mentioned by the Criminal Code are general key compliance risks, such as bribery, tax evasion, market abuse, fraud, environmental crime, personal data breaches, money laundering, and intellectual property infringement. They can all be treated with accepted international standards, including ISO 19600 guiding compliance systems, ISO 37001 for anti-bribery controls, ISO 31000 to identify compliance risks, best practices to manage whistleblowing reports, or simply having comprehensive codes of ethics.<br />
<br />
The wide scope of compliance and the greater reputational and financial risks increased the need for professionals managing the implementation of compliance programs, the chief compliance officers, in all kinds of businesses and organizations whatever their size or activity sector, including multinationals, domestic subsidiaries, political parties, unions, and even soccer clubs. The compliance officers created a new association called CUMPLEN to share practices for implementing accepted international frameworks.<br />
<br />
<b>Spanish companies are moving from "makeup compliance" to creating effective compliance programs</b> in order to ensure business sustainability and to improve overall corporate governance. These new ethical objectives require many more professionals, with a new profile, able to translate legal requirements into comprehensive ethical behavior while designing and building <a href="http://mydailyexecutive.blogspot.com/2016/05/corporate-compliance-and-stock.html" target="_blank">risk-based</a>, cost-effective preventive controls. This is the real challenge for Spain.<br />
<br />
Hernan Huwyler Copenhagen, Denmarkhttp://www.blogger.com/profile/08368420247133451512noreply@blogger.comtag:blogger.com,1999:blog-4594825980016870104.post-40947734682227006772011-09-23T14:25:00.000+02:002016-12-24T18:30:22.812+01:00Rogue Trading and GRC<span style="font-family: inherit;">"When you have supervisors who rely on computer software rather than human contact, there is a false sense of security." </span><br />
<span style="font-family: inherit;">Stephen Brown, Professor of Finance at New York University's Stern School of Business (2011)</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">"You haven't heard of financial scandals where a rogue trader has earned $2 billion extra for the company" </span><br />
<span style="font-family: inherit;">Barry Staw, Professor of Leadership and Communication at the University of California (2011)</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">"Compliance monitoring is still regarded in most organizations as a second-class operation." </span><br />
<span style="font-family: inherit;">Stewart Hamilton, Professor of Accounting at Switzerland's IMD (2011)</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">"The current volatile market circumstances significantly heighten the chances that inappropriate trading practices could quickly lead to record losses, so early discovery and remedial action are even more important than in 'normal' times,"</span><br />
<span style="font-family: inherit;">UK's Financial Services Authority (2008)</span><br />
<br />
<span style="font-family: inherit;">Rogue trading risks are related to fraud, undetected errors (e.g. typing an extra zero) or hedging strategies outside trader limits. Rogue traders usually deal in high-risk investments, expecting to create unreported large gains or win large bonuses. However, high-risk investments may also create huge losses. A trader is, in the end, a professional trained to place large bets in a competitive environment. Worse still, trading losses can usually accumulate over time.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">In the case of the Union Bank of Switzerland, not all rogue trading risks were properly managed at a bank bailed out with $5 billion from Swiss taxpayers. According to the bank's explanation, a junior trader exploited a loophole in contentious synthetic ETFs that caused a $2.3 billion loss on fake over-the-counter positions over the past three years. In Europe, these transactions did not require a confirmation from the banks on the other side of the trade. The trader allegedly evaded detection by booking fake hedging trades to cover the magnitude of his losses. The losses did not affect client accounts, since only proprietary trading was involved. </span><br />
<br />
<span style="font-family: inherit;">Rogue trading is generally prevented by controls including:</span><br />
<span style="font-family: inherit;">a) the back office checking for confirmation from the counterparty or broker,</span><br />
<span style="font-family: inherit;">b) segregating back, middle and front offices (traders should not have access to middle and back office systems; order entries and adjustments should be segregated),</span><br />
<span style="font-family: inherit;">c) monitoring the number of cancelled and suspicious trades,</span><br />
<span style="font-family: inherit;">d) requiring traders to take consecutive holidays,</span><br />
<span style="font-family: inherit;">e) implementing BI controls (real-time transaction monitoring, higher-than-normal profits, extended settlements),</span><br />
<span style="font-family: inherit;">f) reviews of trading activity by managers (settlement position reconciliations),</span><br />
<span style="font-family: inherit;">g) hiring practices for a strong GRC culture,</span><br />
<span style="font-family: inherit;">h) a conservative remuneration structure, and</span><br />
<span style="font-family: inherit;">i) independent internal audits.</span><br />
<br />
<span style="font-family: inherit;">Without the conclusions of the investigations at this moment, it is not clear whether all these controls could have prevented the UBS case. Rogue traders can create complex structures and exploit control loopholes. </span><br />
<br />
<span style="font-family: inherit;">In response, some banks downsized their trading units and delta one desks, while other banks split off their investment banking business from their core wealth management to shield private clients. Policymakers are also reacting by proposing new regulations intended to limit banks from making high-risk transactions.</span><br />
<br />
<span style="font-family: inherit;">PS: The last Facebook update on the accused rogue trader's account was “Need a miracle”. </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrP3CfpU2bwV845xnHt7laf-5jC14j_oOZhYNignq-EyUpU6GNqUkRKvJ06AKIYmVGlqR45AtEWU0zJQZD59xmqbF_USApHaFmGnGYLkrInHSVpVpv3B4Ltj-YLmnAuGJHwZXIvHXoQjDt/s1600/rogue_traders_kweku_adoboli.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" hca="true" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrP3CfpU2bwV845xnHt7laf-5jC14j_oOZhYNignq-EyUpU6GNqUkRKvJ06AKIYmVGlqR45AtEWU0zJQZD59xmqbF_USApHaFmGnGYLkrInHSVpVpv3B4Ltj-YLmnAuGJHwZXIvHXoQjDt/s320/rogue_traders_kweku_adoboli.jpg" width="320" /></a></div>
Hernan Huwyler Copenhagen, Denmarkhttp://www.blogger.com/profile/08368420247133451512noreply@blogger.comtag:blogger.com,1999:blog-4594825980016870104.post-48280692195571507662011-08-31T13:31:00.004+02:002016-12-26T00:08:14.241+01:00What events do not need to be included in ERM?<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_USegC2RS4MzQA2n5ZOGnOYpckmZjL_n6jsQLugBNl3RPlQ5r5BTU98zBnjUP7V-n4ps8GUqU8j4qjh7pj8EHahHn0UvEKgCkwP-705zf0HBpnavw6zMu17jYmsqQ7Ippf2OR5PgQ6bAI/s1600/Risk-Events-Hernan-Huwyler-+Enterprise-Risk+Management-Gesti%25C3%25B3n-de-Riesgos-Empresariales-Factores-de-Riesgos.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="What events do not need to be included in ERM? Hernan Huwyler Enterprise Risk Management, Compliance Program" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_USegC2RS4MzQA2n5ZOGnOYpckmZjL_n6jsQLugBNl3RPlQ5r5BTU98zBnjUP7V-n4ps8GUqU8j4qjh7pj8EHahHn0UvEKgCkwP-705zf0HBpnavw6zMu17jYmsqQ7Ippf2OR5PgQ6bAI/s400/Risk-Events-Hernan-Huwyler-+Enterprise-Risk+Management-Gesti%25C3%25B3n-de-Riesgos-Empresariales-Factores-de-Riesgos.jpg" title="" width="400" /></a></div>
<br />
<b>Risk</b> is defined as the effect of uncertainty on objectives (ISO 31000 § 2.1). This effect is a deviation from the expected, either positive or negative. Even though statistical science provides well-grounded notions of risk, non-quantitative variables affect their use in business environments. In this post, I would like to establish criteria for which <b>events cannot be treated by ERM</b>.<br />
<br />
Risk needs both a probable <b>frequency </b>and a probable <b>impact</b>. This implies that statements of absolute fact are not in the scope of risk management. When both the frequency and the impact are known, we are dealing with business facts and not business risks. For instance, a contract containing a penalty clause is not fulfilled because it is no longer profitable. At the time of the contract breach, there is no risk involved, since the company already knows its indemnity costs and when it has to pay them. <br />
<br />
<b>Uncertainties </b>are a deficiency of information about an event. They are intrinsic to risk (as well as unavoidable for most business decisions). Unlike risks, uncertainties <b>cannot be valued</b>. Therefore, it is not possible to calculate an average loss associated with the event. For instance, goods that failed the quality tests are delivered in order to comply with a contract. For this contract, there is no risk of non-compliance. The company knows for sure that the quality is not acceptable under the contract terms and that it will somehow affect the client relationship. <br />
<br />
Risk should be identified taking into account a <b>future point in time </b>when problems and opportunities will be treated. Immediate problems and opportunities are not in the scope of risk management. It is usually said that rain is not a risk when it is already raining. Risks left untreated in time become issues requiring urgent attention. When a risk becomes reality, crisis management takes the place of risk management, and the contingency plan becomes just the plan.<br />
<br />
Risk is <b>not a single-point view</b>. Events can have an impact in the financial, operational, legal & compliance or environmental categories. They may have a different impact and frequency for each category. Uncertainty may partially affect the information about one or more of these aspects, while others may be certain. In this case, it is safe to consider the whole effect as certain and to treat it outside ERM. <br />
<br />
In summary, to treat issues in the right framework, risk management does not cover:<br />
- events with all the information to foresee their outcome and moment to occur<br />
- events which are not volatile<br />
- immediate issues<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />Hernan Huwyler Copenhagen, Denmarkhttp://www.blogger.com/profile/08368420247133451512noreply@blogger.comtag:blogger.com,1999:blog-4594825980016870104.post-23332802583097854082011-08-17T13:47:00.002+02:002016-12-25T19:05:18.696+01:00Risk in New Business Ventures<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin5cYxidyxXPsB0x-HRWuaS2bNG3ldC_1K3QpBO2HnVbHYb2XxtIXByQori80nHBeWqJaz9Clpyeq4dgTlQevjzZQi3Srn_czXkRJiLhUdEWSpW-3wO3x6-Wf1FTHfjPKqjbBpsEUsuTt8/s1600/Risks+New+Ventures+Opportunities+Business+Growth+Hernan+Huwyler.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Risks New Ventures Opportunities Business Growth Hernan Huwyler" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin5cYxidyxXPsB0x-HRWuaS2bNG3ldC_1K3QpBO2HnVbHYb2XxtIXByQori80nHBeWqJaz9Clpyeq4dgTlQevjzZQi3Srn_czXkRJiLhUdEWSpW-3wO3x6-Wf1FTHfjPKqjbBpsEUsuTt8/s400/Risks+New+Ventures+Opportunities+Business+Growth+Hernan+Huwyler.jpg" title="" width="400" /></a></div>
<br />
The most critical opportunity to perform a risk analysis is during the <b>development of a business plan</b>. Investors do not expect business plans without risk, but entrepreneurs often fail to include a solid risk analysis in their business plans. Business plans need to anticipate risk in order to build in the flexibility to react by creating alternatives. In this post, I would like to discuss how risks need to be analyzed when planning new business ventures.<br />
<br />
Traditional ERM approaches are not tailored for startups (or proposals, or new projects) <i>(1)</i>; however, risk is the source of their competitive advantages. The skills of the entrepreneurs in strategically managing risk determine the success of their endeavor. Potential losses need to be assessed in order to prioritize the venture's vulnerabilities.<br />
<br />
There are particular decision-making needs involving a business idea. Hence, the <b>risk categories </b>for startups could differ from those for well-established companies. The most relevant risk categories for startups may include:<br />
<br />
<b>Product development risk </b>can be defined as the likelihood of successfully transforming a prototype or a business idea into a marketable product. This risk can be mitigated by extensive R&D and customer research. <br />
<br />
<b>Market risk </b>can be defined as the likelihood of reaching a smaller target than expected (for a given period). This risk can be mitigated by identifying secondary niches or segments (for instance, a market for by-products) and performing a reliable competitive analysis. Having a good strategy to reach early adopters could mitigate this risk too (for instance, discounts on first purchases).<br />
<br />
<b>Managerial risk </b>can be defined as the likelihood of losing key members or of failing to attract the right employees. The managerial ability to adjust and thrive is affected by this risk. Since managerial incompetence increases costs, cost controlling can be very effective in treating this risk. <br />
<br />
<b>Cash generation risk </b>can be defined as the likelihood of becoming unable to obtain liquid funds. Balanced scorecards and projected cash flows can play a key role in monitoring this risk. In order to mitigate it, budget assumptions should be validated, potential funding should be available, and capital requirements should be adequately calculated.<br />
<br />
There are also several tools to identify risks and create strategies. For instance, Monte Carlo simulation can be an effective method to identify the variables with the highest impact on profitability. Some of these tools are included in traditional ERM systems. <br />
<br />
A comprehensive risk analysis adds a reality check to business ideas. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmhJ6zdd8_85halre5Mm0fQd-qVGXeFY9ZdtwXVJCWo2ERfo-b4nic6CcG2s9G8w4Yba0Dg__v4MTFfZitgfTTqQQ7zyhKsw-taiDm9Wa0HLuAhScrFAaBLUbzcxzg5UgyLBJ2xEyQLEjv/s1600/Risk+Versus+Opportunity+Project+Business+Plan+ERM+Balance+Ventures.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmhJ6zdd8_85halre5Mm0fQd-qVGXeFY9ZdtwXVJCWo2ERfo-b4nic6CcG2s9G8w4Yba0Dg__v4MTFfZitgfTTqQQ7zyhKsw-taiDm9Wa0HLuAhScrFAaBLUbzcxzg5UgyLBJ2xEyQLEjv/s400/Risk+Versus+Opportunity+Project+Business+Plan+ERM+Balance+Ventures.PNG" width="400" /></a></div>
<br />
<br />
<br />
<i>(1)</i> For instance, there are no references to startups in ISO 31000Hernan Huwyler Copenhagen, Denmarkhttp://www.blogger.com/profile/08368420247133451512noreply@blogger.comtag:blogger.com,1999:blog-4594825980016870104.post-27105173420178518612011-08-12T12:36:00.005+02:002016-12-25T19:19:52.892+01:00Opportunity-based Audit<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyN210AAN577ExR8CZJjQypt18GvI6EAkHZjEs5A9gWuObWkksLWwVhNK-W_f_zjOYyrR38aQEp9IKgT1ezEo8ptswUw_fr2_KJh6lMnADBnTFopIW_pYuH5W7hf8Ppoc2kG4US3Tn3bFt/s1600/Opportunity-based+Audit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyN210AAN577ExR8CZJjQypt18GvI6EAkHZjEs5A9gWuObWkksLWwVhNK-W_f_zjOYyrR38aQEp9IKgT1ezEo8ptswUw_fr2_KJh6lMnADBnTFopIW_pYuH5W7hf8Ppoc2kG4US3Tn3bFt/s400/Opportunity-based+Audit.jpg" width="400" /></a></div>
<br />
Business risks are increasingly the prime focus of Internal Audit <i>(1)</i>. <b>Risk-based Audit (RBA) </b>is the methodology which provides assurance that risks are being managed to a level considered acceptable by the board. This methodology covers the enterprise risk management (ERM) framework <i>(2)</i>. Risk-based auditing is increasingly widening its coverage to support management decisions in achieving more objectives. By adding opportunity management to this process, the decision-making process will be improved. In this post, I would like to take a first step towards a definition of <b>Opportunity-based Auditing</b>.<br />
<br />
Effective since 2006, SASs No. 104-111 require auditors to evaluate the design and implementation of internal control on all audits in order to properly identify and assess risks. The assessed risks need to be linked to the nature, timing, and extent of the audit procedures performed in response to those risks. These new standards significantly altered the methodology by which audits had been performed over the previous three decades. Risk-based audits focus on the areas of highest risk to the business. These audits start from business objectives rather than from controls. Their recommendations are then risk-evaluated to ensure the highest benefits <i>(3)</i>. <br />
<br />
Auditors have the chance to look right across their companies and identify not only best practices but also business opportunities. So, internal auditors should be seen as business partners by directors. Directors (as well as investors) don’t like unexpected risks, but they are attracted to profiting from unexpected opportunities. They need systems to promptly identify both business risks and opportunities. <br />
<br />
An ERM system aligns the risk involved in a process with the accepted risk appetite. The risk appetite depends on the profitability of a business: a business needs more profits to undertake greater risks. In order to adjust the risk level of a business, new opportunities should be identified. An ERM/EOM system should link the targeted profitability with its risks and opportunities. <br />
<br />
An <b>Opportunity-based Audit (OBA)</b> refers to an examination of processes based on a previous assessment to identify the most promising opportunities to increase profits for a given risk appetite. Its goal is to recommend a strategy to change existing processes to make them more efficient. <br />
<br />
<i>Traditional Auditing + Enterprise Risk Management = Risk-Based Auditing<br />
<br />
Performance Auditing + Opportunity Risk Management = Opportunity-Based Auditing<br />
</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhrVNBNR-kDyainwvFOcQ1QQTCNgnCuXKGM0ecWYz1QSYU1YAocGdQjFHHSJaxaZQ4Jt_WUlRlZhUiQkn6wtMIHru6vPChz2FCMJzbHlDDm2r2xNfkWbC2TTt4w4rum_UnVgq82GlqP9GW/s1600/Inherent+Risk+Residual+Risk+Based+Auditing+Opportunity+Based+Audit.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhrVNBNR-kDyainwvFOcQ1QQTCNgnCuXKGM0ecWYz1QSYU1YAocGdQjFHHSJaxaZQ4Jt_WUlRlZhUiQkn6wtMIHru6vPChz2FCMJzbHlDDm2r2xNfkWbC2TTt4w4rum_UnVgq82GlqP9GW/s400/Inherent+Risk+Residual+Risk+Based+Auditing+Opportunity+Based+Audit.PNG" width="400" /></a></div>
<br />
<br />
<br />
The traditional role of internal audit was reviewing the internal controls for financial statements reporting. The RBA modified this role to review the ERM system to reduce risks to an acceptable level. The OBA adds the review of the opportunity management (EOM) system to recommend business strategies. Its areas to audit are Corporate Planning, IT Planning, Marketing, HR, Public Relations and Project Management.<br />
<br />
Notes:<br />
<br />
(1) According to the PwC surveys of CEOs, the role of internal audit gradually changed from being focused on finance and operations (2000) to risks (2007).<br />
(2) ISO 31.000 defines risk as a deviation from the expected, both positive and negative (2.1.1). However, the risk treatment options it describes (avoid, transfer or mitigate) are only acceptable for dealing with threats, not opportunities. When risk is defined as a threat, managing risk means managing controls. <br />
At the time of publishing this post (August 2011), there are no references to a framework for "opportunity-based auditing". The process to identify and manage opportunities is generally overlooked by auditing. <br />
(3) ISO 31.000 includes a chapter about risk monitoring and review (5.6). It encompasses the assurance that controls are effective and efficient. It does not look in more detail at how to audit these controls when they deal with opportunities. Controls to deal with opportunities are performed, for instance, by marketing, corporate planning and HR. <br />
<br />
<br />
<span class="st">Get the latest in corporate governance, risk, and compliance on </span><a href="https://twitter.com/hewyler" target="_blank">Twitter</a><br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
Enterprise Opportunity Management and ERM (published 2011-08-10, updated 2016-12-24)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeFmnWr1EkNGbKGRk-nL0s3IpJJ_eoLuhlAa7qBUY4oHciwRJaF108c0U8NIUHcfuiviIedKzHhpF0f5o2oPF0SLzdJFxUZYb0jRkYtwp_3ILcvrgtwr9Qd1ESSU5F23S2JggFL_LNHBns/s1600/Wallpaper_Mekdam_Nima_002-08%255B1%255D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeFmnWr1EkNGbKGRk-nL0s3IpJJ_eoLuhlAa7qBUY4oHciwRJaF108c0U8NIUHcfuiviIedKzHhpF0f5o2oPF0SLzdJFxUZYb0jRkYtwp_3ILcvrgtwr9Qd1ESSU5F23S2JggFL_LNHBns/s400/Wallpaper_Mekdam_Nima_002-08%255B1%255D.jpg" width="400" /> </a></div>
The word <b>risk</b> can be traced to Classical Antiquity in reference to a hazard to avoid at sea (like an exposed rock or a barrier). Deriving from the Greek <i>rhiza </i>and the Latin <i>risicum</i>, we inherited the English words cliff and risk, the Spanish risco and riesgo, and the French récif and risqué. It seems that the Occident defined risk with a meaning of danger and chance… usually with a negative outcome. However, the word <i>rizq </i>in the Arabic world means the blessing that has been given by God to make profit from. In this post, I would like to use the Arabic meaning of rizq in ERM.<br />
<br />
Research by Robert Cialdini concluded that most people would rather avoid a loss than receive a benefit. I think that this tendency oriented the ERM approach towards the uncertainties that might have a negative impact rather than a positive one. From this perspective, risk management is a defensive tactic.<br />
<br />
The same system that <b>ERM </b>uses to identify, treat and report risks can be used to collect business insights about opportunities. This assessment process should not be limited to threats with negative impact. In the end, changing business environments create <b>both risks and opportunities</b> to innovate. The real value of this process is to anticipate opportunities. Opportunities identified by top management should be communicated, validated and treated by all the employees across the organization (top-down), and employees should be able to communicate their ideas for innovation to top management (bottom-up). Employees should be able to see market opportunities and transform them into realistic ideas, just as they see risks and develop a specific mitigation strategy in a traditional ERM approach. Companies need to expose their employees to entrepreneurship and to understanding the commercial dimension of new ideas. <br />
<br />
The <b>Enterprise Opportunity Management (EOM)</b> approach may cover the following opportunity categories (as a complement to the risk categories):<br />
<br />
1- Opportunities to create a new process or product.<br />
2- Opportunities to improve existing processes or products.<br />
3- Opportunities to broaden the range of products or services (geography, target).<br />
4- Opportunities to use excess resources.<br />
5- Opportunities generated from declined customer orders and requests.<br />
6- Opportunities to cut costs.<br />
7- Opportunities to improve the corporate image and reputation.<br />
8- Opportunities to improve the HS&E standards.<br />
9- Opportunities to build alliances.<br />
<br />
Several of these categories can be related to a risk category (e.g. the reputational risk is linked to opportunities to improve the corporate image). However, they are not limited to negative impacts. As in ERM, both historical and projected data may be used to detect patterns and tendencies. <br />
<br />
An <b>EOM Matrix </b>can be used to prioritize all the opportunities collected from the assessments. This matrix can be additional guidance in strategic decision-making (as with ERM). Even if the assessment can be treated in more detail, the opportunity score can be calculated by multiplying the expected gain by the likelihood of success (both in a given range). <b>High reward opportunities</b> with high chances of success (in other words, involving low risks) are ranked high.<br />
<br />
An EOM matrix would be displayed as follows (in a cold map):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPt4BAnwNJXre8f4PHB7FVpAue11mFnl8nXfRpPDx7yUU87mo0R3KgJJty-qAs42ly_r5UiKRiddKWm1fqF9j7esJJAwYFqX1aYuvC2XBkYOefHlgw_j4kdzSCi1wsPIkjrhESImJVuuhv/s1600/Enterprise+Opportunity+Management+and+ERM+Risk+Map.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPt4BAnwNJXre8f4PHB7FVpAue11mFnl8nXfRpPDx7yUU87mo0R3KgJJty-qAs42ly_r5UiKRiddKWm1fqF9j7esJJAwYFqX1aYuvC2XBkYOefHlgw_j4kdzSCi1wsPIkjrhESImJVuuhv/s400/Enterprise+Opportunity+Management+and+ERM+Risk+Map.PNG" width="400" /></a></div>
<br />
<br />
In EOM, we can talk of an <b>opportunity appetite </b>(as a complement to the risk appetite), as well as a <b>culture for innovation and entrepreneurship </b>(as a complement to the risk culture).<br />
<br />
An opportunity is the opposite of a threat. Then, risk is a balance between the benefits and harms of an event and the probability of those benefits and harms. Both ERM and EOM should be part of a business model to guarantee that the enjoyment to create something that does not exist should overcome the fear of failure.<br />
<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
Defining a GRC culture (published 2011-08-04, updated 2016-12-25)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSqp0RfKyhBVAJYSN5dvPuWMBtcCYDpxLgMWGOGaARY9HhsUvME6SlEQESYwaUcUEmHSwdGUVi_CZh8gcAuSGLse7Nkp8qpIVp3tWqZqWMlBz9MHs63Qe4y2SKkmzwJV9lIphUdtJjiUHe/s1600/tumblr_nm0w52eiF81qfcut3o1_500%255B1%255D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSqp0RfKyhBVAJYSN5dvPuWMBtcCYDpxLgMWGOGaARY9HhsUvME6SlEQESYwaUcUEmHSwdGUVi_CZh8gcAuSGLse7Nkp8qpIVp3tWqZqWMlBz9MHs63Qe4y2SKkmzwJV9lIphUdtJjiUHe/s400/tumblr_nm0w52eiF81qfcut3o1_500%255B1%255D.jpg" width="400" /></a></div>
<br />
The GRC culture influences management and employee decisions, sometimes even at an unconscious level. C-level executives should ensure that the “whatever it takes” attitude to get results does not affect stakeholders´ interests. Employees should understand that GRC rules apply to everyone in the company as they pursue their business goals. In other words, all levels of a company need to understand the boundaries within which they can operate. In this post, I articulate my ideas about the three aspects of a GRC culture.<br />
<br />
<b>Risk Culture</b>: It can be defined as the system of values and behaviors, called the culture, that affects risk decisions. In practical terms, employees need to understand the company's risk exposures. The risk culture is created by risk management training, risk assessment and guidance about decision-making. It involves organizational risk policies, as well as risk statements and procedures. A strong risk culture is part of good ERM practice. For instance, banks with a healthy risk culture were able to deal better than average with the 2008 credit crisis. <br />
<br />
<b>Compliance Culture</b>: It can be defined as the overall environment that affects how compliance issues are handled. In a strong compliance culture, employees follow the right processes and perform the right controls even without oversight. In practical terms, it refers to how effective a company is in meeting compliance regulations and in deterring and detecting compliance problems. It covers how proactive employees are in averting compliance issues, interpreting the meaning and the intention of rules, and obtaining examination resources. Compliance culture involves strategic planning, effective control points, careful audit traceability and documentation, proper disclosure and well-known company procedures. <br />
<br />
<b>Governance culture</b>: It can be defined as the attitudes and actions to build a strong and competitive company that enhances shareholder value. It involves the strategic direction of a company, and how this strategy is embedded into business practices and leadership capabilities at every level. A healthy governance culture creates a reputational advantage with investors. The governance culture involves the beliefs about how business should be done and the ethical principles of management and employees in general. <br />
<br />
The boundaries between the three aspects of the GRC culture are hard to establish. After all, culture in general is also hard to delineate. These aspects are linked together to create a company culture. <br />
<br />
Building a GRC culture is a long and consistent process based on effective communication around ethics and practices, and on rewarding proper actions that comply with the GRC strategy. It is not enough to have good intentions. It is not enough to have an internal audit department. It requires leadership, accountability and infrastructure to create an environment that is conducive to ethical behavior and that is part of the company business model. There is an overwhelming amount of research to support that <b>an ethical culture is part of the company's success</b>. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-y9bQdlzrjBe1T5sFvJh_GhMjIyRgSgpa-3rIiEhxJ4WnpcG6yPvwNUzIaGsPPSRAYoPzCV8GcBNOfFLgrfGYUUsfBq04ncUjkjy5C48jWOB2n6KTSmQ9bDub6dEfBdjgTIX4ZWyW1sPW/s1600/GRC+Risk+Culture+Compliance+Culture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-y9bQdlzrjBe1T5sFvJh_GhMjIyRgSgpa-3rIiEhxJ4WnpcG6yPvwNUzIaGsPPSRAYoPzCV8GcBNOfFLgrfGYUUsfBq04ncUjkjy5C48jWOB2n6KTSmQ9bDub6dEfBdjgTIX4ZWyW1sPW/s400/GRC+Risk+Culture+Compliance+Culture.PNG" width="400" /></a></div>
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
How do you assess risk in a changing business environment? (published 2011-08-01, updated 2016-12-25)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnDsgHVP5AsxRxoN5xZXd3J9geo5TZMuXGZveEYcWDZ2mCk2vkralloXb1vqkqmC7cO3KyAfGJMBWx9TkjOcA60O_8GpxzmwE6hofvVyDT9jGiH71xaHlYdLwdZq6DFgS-wDh-b60ARVI6/s1600/changing+business+environment.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnDsgHVP5AsxRxoN5xZXd3J9geo5TZMuXGZveEYcWDZ2mCk2vkralloXb1vqkqmC7cO3KyAfGJMBWx9TkjOcA60O_8GpxzmwE6hofvVyDT9jGiH71xaHlYdLwdZq6DFgS-wDh-b60ARVI6/s400/changing+business+environment.jpg" width="400" /></a></div>
<br />
There is no approach to assessing risks that does not involve some level of judgment. Judgment is needed, for instance, to establish risk goals and tolerance levels, or to predict risk outcomes. For most industries this judgment has to be exercised in a changing business environment. Companies may or may not control change; however, they need to control their response to change. In this post, I am sharing some comments on assessing risks in a rapidly changing business environment. <br />
<br />
Here is some advice for assessing risks in industries, companies or circumstances that involve a rapidly changing environment. The market never stands still (and it is hard to predict). Some examples of business changes that impact risks are key staff movements, increased or decreased regulation, changes of strategy, economic cycles, expiration of liabilities, changes in stakeholders´ needs and shifts in product lines. Changes can be either positive or negative relative to the original status. <br />
<br />
In order to manage change, it is important to <b>understand the key assumptions </b>made when assessing risks. These assumptions need to be described in the assessment process. When a business change affects the stated assumptions, the related risks need to be reassessed by their owners. Business owners and staff involved with ERM need to be alert to internal and external changes in order to update the risk assessments. <br />
<br />
<b>Including potential scenarios </b>to assess the impact of all the risks can also help to deal with change. The risk assessment could include the most expected outcome, and also the best and worst scenarios. In the end, risk assessments need to consider the full range of potential impact. Having different outcome scenarios helps to understand how sensitive a risk is to change. Volatile risks should be monitored with a different frequency. <br />
<br />
<b>Establishing and updating <a href="http://mydailyexecutive.blogspot.com/2011/06/key-indicators-kpis-kris-kcis-and-klis.html" target="_blank">key risk indicators</a> (KRI) </b>can also detect the impact of changes across the company (especially for sensitive business issues). This monitoring function is important to maintain a live risk database that anticipates change. All relevant risk factors (including those classified as remote) need to be scanned to detect change. Even more, a system of early warning indicators (EWIs) can get the managers´ attention to changes in the environment (and to the effectiveness of the current risk management actions). KRI and EWI reporting are effective in improving the risk radar. <br />
<br />
When setting up an ERM for a company in a changing environment, the <b>information channels </b>need to be well oiled and fully operational. Also, the staff responsible for assessing risk at a high level need to determine how each reported change affects the entire company (risk interconnectedness, or the snowball effect). The process for risk prioritization and response then becomes dynamic and adaptive. Using flexible tools and methodologies to assess risks is crucial when planning an ERM implementation in a changing environment.<br />
<br />
At the end, the process to detect new risks is the same process to capitalize emerging opportunities.<br />
<br />
<br />
<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
Simple Tool to Identify Risks (published 2011-07-27, updated 2016-12-24)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv0HXyD2gDb56VOcZbJ6aaMjFA4Q_wXn9zc5Jh9z58rF7zaep9lFIHl3R9Pgtgt-5tLwOjM69HUj2Pvu5R-JhHbEkPa4LeBfYW9cjSgDjU8ZAiyCxXsiLPaIDPmaQHKBrWevKUrLgnxSoy/s1600/Simple+Tool+to+Identify+Risks.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv0HXyD2gDb56VOcZbJ6aaMjFA4Q_wXn9zc5Jh9z58rF7zaep9lFIHl3R9Pgtgt-5tLwOjM69HUj2Pvu5R-JhHbEkPa4LeBfYW9cjSgDjU8ZAiyCxXsiLPaIDPmaQHKBrWevKUrLgnxSoy/s400/Simple+Tool+to+Identify+Risks.jpg" width="400" /></a></div>
<br />
There are several <b>techniques to identify causes of risks </b>in order to map and prioritize risk mitigation efforts. Some techniques are brainstorming, questionnaires, industry scenarios and research, workshops, audit programs and incident investigations. In this post, I would like to share a simple tool to be used in the risk identification process when questionnaires are used.<br />
<br />
Some techniques to get field information about risks can be time consuming, for instance arranging individual interviews with key staff or organizing risk workshops. Other techniques only allow a specific approach (e.g. top-down or bottom-up). Others fail to collect the most relevant and meaningful risk control deficiencies. Some alternatives may require a solid IT infrastructure (e.g. Microsoft InfoPath). GRC professionals face a real challenge in developing a proper methodology that balances the pros and cons of each alternative. <br />
<br />
A simple process would be to <b>distribute an MS Excel file with a predefined risk catalog by email</b>. Then, each survey participant (e.g. area managers) can decide which areas to assess. For instance, a finance country manager would assess the finance and compliance areas, while a production manager would assess the operational area. Because this process needs to promote employee participation, the risk catalog also includes the alternative of reporting other risks. In order to prevent errors, most of the fields are filled from drop-down lists. <br />
<br />
Once all questionnaires are completed by key staff at the different locations, the responses can be compiled by using a macro. Reports to map risks or to obtain a risk matrix are also easy to produce. Reports for risk profiling may rank risks by using the common formula frequency/probability (1 to 5) * impact/consequence (1 to 5). <br />
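<br />
The compilation step described above, as an added example that is not the post's spreadsheet macro: it re-implements in Python what the macro does with the collected questionnaires, i.e. re-checks that every score is on the 1-5 scale, ranks the catalog risks by probability times impact across locations, keeps the free-text "Other" risks, and builds the 5x5 risk matrix. The locations, catalog entries and scores are constructed sample data and not the oil-industry catalog shipped with the tool; the aggregation rule (rank by the highest score at any location, then by the mean) is an assumption of this example.<br />
<br />
```python
"""Compile risk questionnaire responses into a ranked profile and a 5x5 matrix.

Added example (not the post's Excel macro). All rows below are constructed
sample data; the 'Other' area carries free-text risks a participant added.
"""
from collections import defaultdict
from statistics import mean

SCALE = range(1, 6)  # probability and impact are both scored 1 to 5

RESPONSES = [  # constructed: one row per (location, assessed risk)
    {"location": "Plant A", "area": "Operational", "risk": "Pipeline leak", "probability": 2, "impact": 5},
    {"location": "Plant B", "area": "Operational", "risk": "Pipeline leak", "probability": 3, "impact": 5},
    {"location": "Plant A", "area": "Finance", "risk": "FX exposure", "probability": 4, "impact": 2},
    {"location": "Plant B", "area": "Compliance", "risk": "Permit expiry", "probability": 2, "impact": 3},
    {"location": "Plant B", "area": "Other", "risk": "Contractor badges not revoked", "probability": 3, "impact": 3},
    {"location": "Plant C", "area": "Operational", "risk": "Pipeline leak", "probability": 6, "impact": 5},  # out of range
]


def validate(row):
    """True when both scores are on the 1-5 scale. The drop-down lists enforce
    this inside the spreadsheet; a compiled file must re-check it, because a
    pasted or edited cell bypasses the list."""
    return row["probability"] in SCALE and row["impact"] in SCALE


def score(row):
    """Risk score = probability (1-5) * impact (1-5), the formula in the post."""
    return row["probability"] * row["impact"]


def compile_responses(rows):
    """Aggregate valid responses per (area, risk) across locations.

    Returns (ranked, rejected): ranked is sorted by the highest score at any
    location, then by the mean score (assumed rule), so a risk rated critical
    at one site rises to the top; rejected rows are returned for follow-up
    rather than silently dropped.
    """
    per_risk = defaultdict(list)
    rejected = []
    for row in rows:
        if not validate(row):
            rejected.append(row)
            continue
        per_risk[(row["area"], row["risk"])].append((row["location"], score(row)))
    ranked = []
    for (area, risk), entries in per_risk.items():
        scores = [s for _, s in entries]
        ranked.append({
            "area": area,
            "risk": risk,
            "locations": sorted(loc for loc, _ in entries),
            "max_score": max(scores),
            "mean_score": round(mean(scores), 2),
        })
    ranked.sort(key=lambda r: (-r["max_score"], -r["mean_score"], r["risk"]))
    return ranked, rejected


def risk_matrix(rows):
    """5x5 count of valid responses indexed [impact - 1][probability - 1],
    i.e. the risk map derived from the compiled questionnaires."""
    matrix = [[0] * 5 for _ in SCALE]
    for row in rows:
        if validate(row):
            matrix[row["impact"] - 1][row["probability"] - 1] += 1
    return matrix


if __name__ == "__main__":
    ranked, rejected = compile_responses(RESPONSES)
    for r in ranked:
        print(f'{r["max_score"]:>2}  {r["area"]:<12} {r["risk"]} ({", ".join(r["locations"])})')
    print("rejected:", [(r["location"], r["risk"]) for r in rejected])
    for impact_row in reversed(risk_matrix(RESPONSES)):  # impact 5 printed first
        print(" ".join(str(c) for c in impact_row))
```

Rejected rows are listed instead of dropped so the compiler can send the questionnaire back to its owner; in the spreadsheet the same effect comes from the drop-down lists, which the script cannot rely on once data has left Excel.<br />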
<br />
This tool can be downloaded from here:<br />
<a href="http://www.box.net/shared/17ds40iit7uisyxgf88e">Generic Risk Assessment Tool.xlsm<br />
</a><br />
The tool requires MS Excel 2007 with macros enabled. Please let me know if you need this file converted to other formats.<br />
<br />
This tool is simple, fast to complete, open to collecting other risks and self-explanatory.<br />
<br />
Notes: The applied risk catalog is a high level collection of potential hazards for the oil industry. This tool is not intended to replace a robust system for risk assessment. This post is not done to cover any methodology for risk estimation or details about other risk techniques.<br />
<br />
<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
Strategic Risk Management (published 2011-06-27, updated 2016-12-24)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRHp2fAxICsiZiuqyX7jHxyW7QA2Ge5Ja50WcJYd0gL_S2VaxX0elat-zsbRGZYEj2sTPtteWbrYOKrRMYg798eY7opcUVpZn91CIC_osQucHqtn3nSvKZAqWlE6fNPjBVhU-BbSx3TYfI/s1600/Strategic+Risk+Management.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRHp2fAxICsiZiuqyX7jHxyW7QA2Ge5Ja50WcJYd0gL_S2VaxX0elat-zsbRGZYEj2sTPtteWbrYOKrRMYg798eY7opcUVpZn91CIC_osQucHqtn3nSvKZAqWlE6fNPjBVhU-BbSx3TYfI/s400/Strategic+Risk+Management.jpg" width="400" /></a></div>
<br />
Companies have been managing risks to seize opportunities since Mercantilism. However, a company-wide framework to manage risks was developed only a few years ago. The first integrated framework for enterprise risk management was published by COSO in 2004. Strategic risks, which address a company´s ability to achieve business objectives within the stakeholders´ risk appetite, are still an immature area. In this post, I will give an overview of <b>strategic risk management</b>.<br />
<br />
Risk management and governance can be improved by developing strategic risk management processes. These processes encompass the identification, assessment and management of the top risks in the business strategies. For a given risk tolerance, strategic risk management can assess internal and external events that potentially affect the company's strategy to achieve its business objectives. This field is a concern of boards, directors and top management. A GRC approach should integrate it in order to align all the different business activities to common objectives. Additionally, an ERM approach should include prioritization processes to identify key risks (which are the input for strategic risks).<br />
<br />
This area has not been properly developed in an integrated manner, or even resourced by companies. Even so, it deserves attention from upper management and other stakeholders (e.g. risk rating agencies). There are increasing cases of catastrophic losses because of strategies unaligned with risk appetites (e.g. managing debts and investments in the 2008 crisis, dealing with cost volatility, poor data loss prevention measures, subordinated debt or lack of geographical diversification). In this world of “continuous surprises”, stakeholders´ value is neither protected nor created. Personally, I get the feeling that, in some cases, a specific control issue may get more attention and resources than identifying an emerging risk to the execution of a strategy.<br />
<br />
There have been some recent developments to integrate strategies into a holistic approach. Strategic Risk Management can be linked to <b>ISO 31000:2009</b>, since top management is responsible for integrating this standard into the decision-making processes (which involve the strategies). Also developed during the last decade, the <b>Return Driven Strategy </b>framework integrates the strategic goals with the risk management goals. Unfortunately, these approaches are not usually put into practice by most companies.<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
Collusive Fraud Schemes and Controls (published 2011-06-22, updated 2016-12-24)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdqI7uUb5L06ZcLFtapcmCx-3uV1TMnpANjL6x0MUqw-1oabQqveZqI7g9uYCdTkibO3n6kHIMGB3Wgox1e7GjUdP4svdvmf46ytpTGsQRdwnc2sNPfxBn3a_VTD-W8yeJgtmiECeo8Wxc/s1600/Collusive+Fraud+Schemes+and+Controls.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdqI7uUb5L06ZcLFtapcmCx-3uV1TMnpANjL6x0MUqw-1oabQqveZqI7g9uYCdTkibO3n6kHIMGB3Wgox1e7GjUdP4svdvmf46ytpTGsQRdwnc2sNPfxBn3a_VTD-W8yeJgtmiECeo8Wxc/s400/Collusive+Fraud+Schemes+and+Controls.jpg" width="400" /></a></div>
<br />
Risk specialists and auditors often fail to consider collusion in their fraud risk assessments. According to the ACFE, when two or more people are involved in a fraud scheme, the median losses are four times those from single perpetrators. In addition, collusive fraud is one of the most difficult types of risk to identify. In this post, I discuss collusive schemes and measures to prevent them.<br />
<br />
When one employee has permission to enter a transaction and another employee has the right to approve the same transaction, fraud may exist if they collude with each other. Some collusive schemes may involve redirecting payments, creating false invoice payments, misappropriating assets or creating non-purchase payments. These schemes can stay “below the radar” since insiders usually know the company's controls and loopholes well, and can therefore plan the scheme better.<br />
<br />
Besides effective segregation of duties practices, mitigation measures involve disclosure of vendor relationship by directors and employees, monitoring by business intelligence software and reporting unwillingness to share duties. <br />
<br />
There are several business intelligence tools to detect and report transactions with collusion risks. Generally, they match the execution of critical transaction codes in SAP or another ERP with email or phone communications between the related users within a short time. Some research was recently done to test collusion scenarios, and its results showed that transactions involving collusion risks could be properly identified. Data mining was also shown to be accurate in detecting collusive fraud networks. To be effective, both business intelligence and data mining tools have to link ERP information with other databases (emails, call logs, business directories).<br />
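<br />
The matching rule described above, as an added example that is not any vendor's tool: it reads a constructed ERP audit trail of maker/checker transactions and a constructed communication log (metadata only: channel, sender, recipient, time), flags a segregation-of-duties violation when the same user entered and approved a document, and flags a collusion risk when the entering and approving users contacted each other within a window before the approval. The users, documents and timestamps are invented; the two-hour window and the "repeated pair" summary are assumptions of this example, not a published detection algorithm.<br />
<br />
```python
"""Correlate maker/checker ERP transactions with communication metadata.

Added example (not a product's algorithm). ERP_LOG and COMM_LOG are
constructed sample data; WINDOW is the assumed 'short time' from the post.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumed: contact within 2h before approval is suspicious

# Constructed ERP audit trail: tcode, document, entered_by, entered_at, approved_by, approved_at
ERP_LOG = [
    ("FB60", "INV-1001", "ana", "2011-06-20 09:05", "bob", "2011-06-20 09:40"),
    ("FB60", "INV-1002", "ana", "2011-06-20 11:10", "bob", "2011-06-20 11:20"),
    ("FB60", "INV-1003", "cat", "2011-06-20 14:00", "dan", "2011-06-21 09:15"),
    ("FB60", "INV-1004", "eve", "2011-06-21 10:00", "eve", "2011-06-21 10:02"),
]

# Constructed communication metadata: channel, sender, recipient, time (no content)
COMM_LOG = [
    ("email", "ana", "bob", "2011-06-20 09:30"),
    ("phone", "bob", "ana", "2011-06-20 11:15"),
    ("email", "cat", "frank", "2011-06-20 15:00"),
    ("email", "dan", "cat", "2011-06-19 16:00"),
]


def _ts(text):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in both constructed logs."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def contacts_between(user_a, user_b, when, window=WINDOW, comm_log=COMM_LOG):
    """Communications between the two users (either direction) in the window
    ending at `when`. Returns a list of (channel, time) evidence tuples."""
    hits = []
    for channel, src, dst, at in comm_log:
        if {src, dst} == {user_a, user_b} and when - window <= _ts(at) <= when:
            hits.append((channel, at))
    return hits


def analyse(erp_log=ERP_LOG, comm_log=COMM_LOG, window=WINDOW):
    """Return findings for every critical transaction that either breaks
    segregation of duties or shows maker/checker contact before approval."""
    findings = []
    for tcode, doc, maker, _entered, checker, approved in erp_log:
        if maker == checker:  # one person entered and approved: SoD violation
            findings.append({"tcode": tcode, "document": doc, "finding": "SoD violation",
                             "users": (maker,), "evidence": []})
            continue
        hits = contacts_between(maker, checker, _ts(approved), window, comm_log)
        if hits:  # separate users, but they talked shortly before the approval
            findings.append({"tcode": tcode, "document": doc, "finding": "collusion risk",
                             "users": (maker, checker), "evidence": hits})
    return findings


def pair_summary(findings):
    """Count collusion-risk flags per maker/checker pair; a pair that recurs
    across documents is the pattern worth an auditor's attention."""
    counts = {}
    for f in findings:
        if f["finding"] == "collusion risk":
            counts[f["users"]] = counts.get(f["users"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyse()
    for f in results:
        print(f'{f["document"]} {f["tcode"]} {f["finding"]}: {f["users"]} {f["evidence"]}')
    print("recurring pairs:", pair_summary(results))
```

A single hit only says the two users were in contact, which colleagues in one department are most of the time; the pair summary is what turns the correlation into a reviewable finding, and widening the window or adding the organizational directory (the post's third database) would let the analysis suppress pairs whose contact is expected.<br />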
<br />
Fraud 2.0 is here to stay. <br />
<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>Automation for GRC Management in Microsoft´s New Patent</b> (published 2011-06-20, updated 2011-06-24)<br />
<br />
In this post, I would like to discuss a recently published patent related to GRC. This patent was filed by Microsoft (US Patent # 2011/0112973 A1). It claims a computer-implemented method for <b>compliance management </b>of regulations for entities. The method comprises operations for receiving a set of control objectives and entities to generate test results. <br />
<br />
This patent covers a process hierarchy from business objectives and policies to compliance reports on test results. In the middle, there is a “<b>compliance master framework</b>” to organize control objectives in regulatory and IT terms, along with an “abstraction library” and a “<b>configuration management database CMDB</b>” to map compliance programs to entities. The CMDB concept was previously patented by a related team in 2006 (Anthony Baron et al). Some of the terms in this patent seem to be broadly defined; for instance, the “abstraction library may support mapping the detailed reality of the real world into abstract layers" (sic). <br />
<br />
Microsoft offers GRC management solutions, which incorporate compliance software and risk management software. These solutions are designed to help organizations comply with current regulations, manage their risk, and facilitate required corporate disclosures. This patent shows Microsoft´s interest in continuing to develop these solutions.<br />
<br />
You can view or download this patent from my Box.net service: <a href="http://www.box.net/shared/uu58jmzqbbv2ap3stdht">http://www.box.net/shared/uu58jmzqbbv2ap3stdht</a>. It is interesting to read.<br />
<br />
The inventor is <b>Ashvinkumar J. Sanghvi</b>. He has been filing patents related to the automation of policies and procedures for information technology management for a decade. He has already claimed 44 patents in the USPTO. <br />
<br />
Software patenting has a role in GRC in addressing the automation of controls and tests and, hopefully, in reducing errors and human intervention. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC1vjznfrc70Q3Wg7NfOWsC7USQhC06L7tNbVekOYw7W61xgBZVGCtqV_fR6dWKFF0ex4ev3wBBv_fPsPQYN_PDlfnSQo2KJ8t5TXfOUEkP9hUFgzzclfaHx6pP_DpZ0z_ksm-VECCLW0B/s1600/Automation+for+GRM+Management.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="200" width="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC1vjznfrc70Q3Wg7NfOWsC7USQhC06L7tNbVekOYw7W61xgBZVGCtqV_fR6dWKFF0ex4ev3wBBv_fPsPQYN_PDlfnSQo2KJ8t5TXfOUEkP9hUFgzzclfaHx6pP_DpZ0z_ksm-VECCLW0B/s200/Automation+for+GRM+Management.PNG" /></a></div>Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>SAP and Business Cycle Controls for SOX 404</b> (published 2011-06-17, updated 2016-12-24)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmlBNSuAsdlgbPFfxa_RbP_g2QgmrwF7rTgY4h9y6jtXKXLU-QOg27GTj7ey4VptFO0iwuySnTWnF9i92046lj_F7He2AqBSmw43YTfbgp7yOLrSgpaklhIRv0ZEysQzUOEwTi5rD4rpbN/s1600/SAP+and+Business+Cycle+Controls+for+SOX+404.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmlBNSuAsdlgbPFfxa_RbP_g2QgmrwF7rTgY4h9y6jtXKXLU-QOg27GTj7ey4VptFO0iwuySnTWnF9i92046lj_F7He2AqBSmw43YTfbgp7yOLrSgpaklhIRv0ZEysQzUOEwTi5rD4rpbN/s400/SAP+and+Business+Cycle+Controls+for+SOX+404.jpg" width="400" /></a></div>
<br />
The IT department is well aware of SOX IT controls. However, this department may also assist in providing information for business cycle testing to comply with SOX. It is important that IT and SAP process owners know what to expect from these audits. Some auditors do not have the access privileges or the knowledge to perform data extractions in SAP, and in that case they need IT assistance. In this post, I explain what a SOX auditor usually covers when reviewing processes based on SAP. <br />
<br />
<b>1- Incompatible SAP Accesses for a Business Process</b><br />
A SOX auditor would ask for a list of users with access to critical transactions. The definition of critical transactions depends on each company and process. However, most of the critical accesses are related to posting, creating and approving key transactions. Customized transactions (Y and Z) are also reviewed when they involve high-risk approvals. Manual tasks (e.g. signing checks or approving reconciliations) are usually added to this analysis. Please refer to my post listing the most common <a href="http://mydailyexecutive.blogspot.com/2011/06/top-20-most-critical-segregation-of.html">Segregation of Duties Conflicts in SAP</a> for further details. <br />
<br />
<b>2- Inconsistencies in SAP Master Files</b><br />
A SOX auditor would ask for master files to check for inconsistencies. Most of this audit work consists of applying filters to the same table or linking different tables. SOX auditors need to check the standardization of business processes and flows. For instance, SOX auditors would review customer credit limits (RF02L), tolerance keys (T169G), customer/vendor masters (e.g. addresses, banks, duplications, payment terms, tax codes), and exchange rates (TCURR).<br />
<br />
<b>3- Inconsistencies in SAP Parameters</b> <br />
SOX auditors would ask for some parameters in SAP. Typically, they would need to ensure that the 3-way match is set, that the posting periods are limited in time, that the approval flows are reasonable (parking and approving FI documents), and that approver delegations (FMWF_MDRUL) follow internal guidelines.<br />
<br />
<b>4- Inconsistencies in custom interfaces to SAP</b><br />
SOX auditors would walk through and test SAP interfaces with external applications (generally related to eBanking and eBusiness). They would be concerned about data integrity and security.<br />
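The access and master-file checks of points 1 and 2, as an added example (not the blog's or SAP's code): it resolves each user's transaction codes through role assignments, lists critical access, flags conflicting pairs, and finds bank accounts shared by different vendors. The conflict rules and the AGR_USERS, AGR_TCODES and LFBK-style extracts are constructed assumptions.

```python
"""Two SAP checks a SOX auditor typically requests, written as an added
example (not the blog's or SAP's code) over constructed extracts:
1. users who hold both sides of a critical transaction pair through their
   roles (assumed AGR_USERS / AGR_TCODES-style extracts),
2. bank accounts shared by different vendors in the vendor bank master
   (assumed LFBK-style extract)."""
from collections import defaultdict

# Assumed conflict rules: (tcode A, tcode B, description).
SOD_RULES = [
    ("FK01", "F110", "create vendor and run payment"),
    ("ME21N", "MIRO", "create purchase order and post vendor invoice"),
    ("ME21N", "MIGO", "create purchase order and post goods receipt"),
]

# Constructed user-to-role assignments (AGR_USERS-like): (user, role).
AGR_USERS = [
    ("ana", "Z_AP_CLERK"), ("ana", "Z_VENDOR_MAINT"),
    ("bob", "Z_AP_CLERK"),
    ("cid", "Z_BUYER"), ("cid", "Z_AP_CLERK"),
    ("dan", "Z_DISPLAY_ONLY"),
]
# Constructed role-to-transaction menu (AGR_TCODES-like): (role, tcode).
AGR_TCODES = [
    ("Z_AP_CLERK", "F110"), ("Z_AP_CLERK", "MIRO"), ("Z_AP_CLERK", "FB03"),
    ("Z_VENDOR_MAINT", "FK01"), ("Z_VENDOR_MAINT", "FK02"),
    ("Z_BUYER", "ME21N"), ("Z_BUYER", "ME23N"),
    ("Z_DISPLAY_ONLY", "FK03"), ("Z_DISPLAY_ONLY", "FB03"),
]
# Constructed vendor bank details (LFBK-like): (vendor, country, bank key, account).
LFBK = [
    ("V-1001", "DE", "10070000", "1234567"),
    ("V-1002", "DE", "10070000", "1234567"),   # same account as V-1001
    ("V-1003", "ES", "20380000", "9988776"),
    ("V-1003", "DE", "50010517", "5555555"),   # one vendor, two accounts: fine
]


def effective_tcodes(agr_users, agr_tcodes):
    """Resolve user -> set of transaction codes through role assignments."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    user_tcodes = defaultdict(set)
    for user, role in agr_users:
        user_tcodes[user] |= role_tcodes[role]
    return dict(user_tcodes)


def critical_access(agr_users, agr_tcodes, critical):
    """Users holding any tcode in the critical set (the list the auditor
    asks for first), as {user: sorted critical tcodes}."""
    return {u: sorted(t & critical) for u, t in
            effective_tcodes(agr_users, agr_tcodes).items() if t & critical}


def sod_conflicts(agr_users, agr_tcodes, rules=SOD_RULES):
    """(user, tcode A, tcode B, description) for every rule a user breaks."""
    hits = []
    for user, tcodes in sorted(effective_tcodes(agr_users, agr_tcodes).items()):
        for a, b, desc in rules:
            if a in tcodes and b in tcodes:
                hits.append((user, a, b, desc))
    return hits


def shared_bank_accounts(lfbk):
    """Accounts used by more than one vendor, as
    {(country, bank key, account): sorted vendors}."""
    owners = defaultdict(set)
    for vendor, country, bank_key, account in lfbk:
        owners[(country, bank_key, account)].add(vendor)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    print(critical_access(AGR_USERS, AGR_TCODES, {"FK01", "F110", "ME21N", "MIRO"}))
    print(sod_conflicts(AGR_USERS, AGR_TCODES))
    print(shared_bank_accounts(LFBK))
```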
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>Audit Procedures for FCPA Testing</b> (published 2011-06-16, updated 2016-12-24)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6hsCta726RAyip2Sbqql6f_34peUS6bIJlL3l6GOwk2TxsOMiPeXDdpt3_nAR5Bb9wYus0XoWa0RMWtN9-ciQtSzl8dptIbCGv-LOyU66WNDgwXqN_LgU-Ist28GRnOju57QoL-sY9xu/s1600/Audit+Procedures+for+FCPA+Testing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6hsCta726RAyip2Sbqql6f_34peUS6bIJlL3l6GOwk2TxsOMiPeXDdpt3_nAR5Bb9wYus0XoWa0RMWtN9-ciQtSzl8dptIbCGv-LOyU66WNDgwXqN_LgU-Ist28GRnOju57QoL-sY9xu/s400/Audit+Procedures+for+FCPA+Testing.jpg" width="400" /></a></div>
<br />
<br />
FCPA compliance programs that require periodic testing of the anti-bribery controls are useful for revealing issues or areas of vulnerability. In this post, I detail some common audit procedures for FCPA testing.<br />
<br />
<b>High Level Controls</b><br />
<br />
Review the existence of:<br />
1. clearly articulated FCPA policies and procedures for company personnel, directors, and intermediaries,<br />
2. proper FCPA policy communication to all levels of employees including translations for overseas employees,<br />
3. mandatory training for FCPA awareness (especially to sales, legal, internal auditing, accounting, and management teams; when necessary also to agents, sub-agents and business partners),<br />
4. a compliance hotline or other effective whistleblower process,<br />
5. assignment of responsibility to one or more senior corporate executives with responsibility to monitor FCPA compliance,<br />
6. appropriate disciplinary procedures to address violations, and<br />
7. a facilitation payments account.<br />
<br />
Work with legal advisors and business managers to identify international business agreements, contracts that were not competitively offered, governmental disputes, tax deficiencies, or any commercial litigation in foreign courts.<br />
<br />
<b>Commercial Cycle</b><br />
<br />
Identify and audit transactions with customers, suppliers and distributors which are public companies or involve a one-time payment.<br />
<br />
Review discounts, rebates, refunds, promotional programs or other invoice “adjustments.”<br />
<br />
Perform audits for key agents or distributors.<br />
<br />
Analyze commission and finder’s fee payments.<br />
<br />
Audit government contracts.<br />
<br />
Review standard provisions in agreements, contracts, and renewals for compliance with the company’s policies and the requirements of the FCPA.<br />
<br />
Evaluate favorable or abnormal credit terms or lower than fair market prices.<br />
<br />
Identify unusual duties or taxes, or transactions involving excessive processing or shipping charges. <br />
<br />
<b>Services and Fees Cycle</b><br />
<br />
Scrutinize payments made to consultants, sales representatives, agents, attorneys, lobbyists and marketers (red flags: unspecified services and missing deliverables). Ensure they fulfill a legitimate business need and that there is a written rationale for their use. Check that their qualifications and resources allow them to perform the services billed.<br />
<br />
Confirm that commissions and bonuses are in expected and reasonable ranges.<br />
<br />
Audit accounts related to FCPA risks: gifts, hospitality, entertainment, travel, rebates, refunds, commissions, donations, professional fees, event expenses, credit card advances, logistics and shipping expenses, and so forth.<br />
<br />
Query transactions with related keywords in different languages (e.g. commission, fee, discount, charitable, bonus, pay to play, comps, expedite).<br />
<br />
<b>Treasury Cycle</b><br />
<br />
Flag unusual payments or financial arrangements (e.g. involving consultants, to offshore holding companies, to countries where the company does not operate).<br />
<br />
Review cash payments and bank transactions with round values.<br />
<br />
Monitor charitable and political contributions.<br />
<br />
Review employee expense reports and track high-risk expenses (e.g. entertainment) for government employees. Check that expense reports or direct invoices are submitted to A/P.<br />
<br />
<b>Risk Mapping Indicators</b> <br />
<br />
FCPA risk by country (history of corruption, Corruption Perceptions Index by Transparency International).<br />
<br />
Nature of company products (higher risks in oil & gas, energy, infrastructure, communications, medical equipment and relating to regulated markets).<br />
<br />
Known red flags.<br />
<br />
Joint ventures, partial ownership, and collaborative arrangements with governmental entities.<br />
<br />
Sales channels involving contact with government officials or requiring the use of third parties (before and after sales).<br />
<br />
Transactions involving regulators.<br />
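A screening of a payment extract against several of the red flags above (multilingual keywords, round values, cash, payments outside operating countries, high-risk countries, risky payee types), as an added example that is not the post's own procedure. The keyword list, operating countries, country scores, thresholds and the ledger are assumptions chosen for illustration; the scores are constructed and not real CPI values.

```python
"""Red-flag screening of a payment extract. Added example, not the post's
own procedure: the keyword list, operating countries, country scores and
thresholds are assumptions for illustration (scores are NOT real CPI values)."""
import re
from unicodedata import normalize

# Red-flag vocabulary in several languages (assumed, illustrative only).
KEYWORDS = ["commission", "comision", "fee", "honorarios", "discount",
            "descuento", "rabatt", "charitable", "donacion", "bonus",
            "pay to play", "comps", "expedite", "agilizar"]
OPERATING_COUNTRIES = {"US", "DE", "ES"}          # where the company operates
COUNTRY_SCORE = {"US": 75, "DE": 80, "ES": 60,    # constructed, 0-100 scale,
                 "KY": 45, "NG": 25}              # higher = cleaner
HIGH_RISK_BELOW = 50
ROUND_STEP = 1000            # amounts that are multiples of this are "round"
RISKY_PAYEES = {"consultant", "agent", "offshore-holding"}


def _fold(text):
    """Lowercase and strip accents so 'Comisión' matches 'comision'."""
    return normalize("NFKD", text).encode("ascii", "ignore").decode().lower()


def red_flags(payment):
    """List the red flags raised by one payment record (dict with keys
    id, payee, country, amount, method, text, payee_type)."""
    flags = []
    text = _fold(payment["text"])
    for kw in KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", text):
            flags.append("keyword:" + kw)
    if payment["amount"] >= ROUND_STEP and payment["amount"] % ROUND_STEP == 0:
        flags.append("round-amount")
    if payment["method"] == "cash":
        flags.append("cash")
    if payment["country"] not in OPERATING_COUNTRIES:
        flags.append("non-operating-country")
    if COUNTRY_SCORE.get(payment["country"], 0) < HIGH_RISK_BELOW:
        flags.append("high-risk-country")
    if payment["payee_type"] in RISKY_PAYEES:
        flags.append("payee:" + payment["payee_type"])
    return flags


def screen(payments, min_flags=2):
    """Payments with at least min_flags flags, most flags first: [(id, flags)]."""
    hits = [(p["id"], red_flags(p)) for p in payments]
    hits = [(pid, fl) for pid, fl in hits if len(fl) >= min_flags]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


# Constructed sample ledger.
PAYMENTS = [
    {"id": 1, "payee": "ACME GmbH", "country": "DE", "amount": 12345.67,
     "method": "wire", "text": "Invoice 4711 spare parts", "payee_type": "supplier"},
    {"id": 2, "payee": "Island Holdings", "country": "KY", "amount": 50000,
     "method": "wire", "text": "Comisión por agilizar licencia",
     "payee_type": "offshore-holding"},
    {"id": 3, "payee": "J. Smith", "country": "ES", "amount": 3000,
     "method": "cash", "text": "Honorarios asesoría", "payee_type": "consultant"},
    {"id": 4, "payee": "Local charity", "country": "NG", "amount": 2500,
     "method": "wire", "text": "Donación evento", "payee_type": "ngo"},
]

if __name__ == "__main__":
    for pid, flags in screen(PAYMENTS):
        print(pid, flags)
```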
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>Key versus Non-Key Controls</b> (published 2011-06-14)<br />
<br />
There is no official definition of a key control in SOX. Some guidance on this topic is taken from PCAOB AS 5.11, but a clear distinction between “key controls” and “non-key controls” is not codified. It is entirely a matter of judgment, and there is no commonly accepted definition of a key control. However, being able to distinguish both concepts can save time in documenting and testing controls that are not important. In this post, I describe some common characteristics of these categories.<br />
<br />
A <b>Key Control </b>has the following characteristics:<br />
It is required to provide reasonable assurance that material errors will be prevented or detected in a timely manner<br />
It is the only control that covers a risk of material misstatement (it is indispensable to cover its control objective)<br />
If it fails, it is highly improbable that another control could detect its absence<br />
It is a control that covers more than one risk or supports a whole process execution<br />
It is usually part of entity-level controls or high-level analytic controls <br />
It needs to be tested to provide assurance over financial assertions (as part of SOX compliance)<br />
<br />
A <b>Non-Key Control </b>has the following characteristics:<br />
It is also referred to as a sub-process, secondary, activity or operative control<br />
It can fail without affecting a whole process<br />
It is in place to monitor certain information<br />
It has an indirect effect on the risk of material misstatement<br />
Its importance should not be minimized (it is still subject to monitoring)<br />
It should not involve significant transactions<br />
It is generally eliminated for testing purposes (as part of control rationalization or streamlining efforts)<br />
Its testing can consist of obtaining the walkthrough documentation <br />
It could be evaluated under a Control Self Assessment (CSA) program<br />
<br />
Since there is no official definition, the risk categorization depends on each company and, sometimes in practice, on each business owner. In addition, some people call non-key controls non-SOX controls. What is your experience with this?<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>Do all failed SOX controls have to be remediated?</b> (published 2011-06-13, updated 2016-12-24)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0HzVq_z7azl8hNetoaKTzfy7ABsVzMJywWDnP88u3chdKWNUJedz57RL4Klu6Kxm7kU-75YSJBMSzshJvfyu781dWHgJ3iJFBkYaScWR22FbSRmy49yger5hBKyx52YYNvq3v64i1oLDW/s1600/Do+all+failed+SOX+controls+have+to+be+remediated.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0HzVq_z7azl8hNetoaKTzfy7ABsVzMJywWDnP88u3chdKWNUJedz57RL4Klu6Kxm7kU-75YSJBMSzshJvfyu781dWHgJ3iJFBkYaScWR22FbSRmy49yger5hBKyx52YYNvq3v64i1oLDW/s400/Do+all+failed+SOX+controls+have+to+be+remediated.jpg" width="400" /></a></div>
<br />
It is clear that Management is not required to test all controls in all the business units for SOX 404 compliance. Only those which affect significant accounts and disclosures in the financial statements or involve significant risks are scoped. However, it is commonly believed that all failed controls have to be remediated at fiscal year end. <br />
<br />
Management and business process owners can choose not to remediate failed low-risk exceptions when the improvement plan is not practical or cost-effective in the long term. For several companies, the remediation phase is where significant effort and money are spent. This decision should be communicated to the auditors to get their feedback. <br />
<br />
Some aspects of the unremediated deficiencies should be considered, including the effect on the overall risk matrix if a failed control compensates for others, or whether individual deficiencies aggregate to produce a greater weakness. In other words, unremediated control deficiencies should not rise to the level of a significant deficiency. Less frequent controls or controls on processes (as distinct from entity-level controls) may indicate that the remediation plan could be postponed. <br />
<br />
Conversely, general control deficiencies that have been properly communicated to Management and the Audit Committee and remain uncorrected after some reasonable period of time are a strong indicator of a material weakness.<br />
<br />
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>Key Indicators: KPIs, KRIs, KCIs and KLIs</b> (published 2011-06-09, updated 2016-12-25)<br />
<br />
<b>Key Risk Indicators (KRIs)</b> are the foundation of any operational risk analysis, just as <b>Key Performance Indicators (KPIs)</b> are the foundation of any continuous improvement analysis. In this post, I will relate the desired performance level (KPIs) to the desired risk tolerance level (KRIs). I will also include a short description of other indicators, including Key Control Indicators (KCIs), which set the desired internal control effectiveness of an organization, and Key Lead Indicators (KLIs), which are increasingly used to measure the achievement of strategic goals (for instance, in terms of customer satisfaction). All these indicators working together in scorecards improve the management information.<br />
<br />
KRIs measure how risky an activity is, and KPIs measure how effectively an activity was performed. KRIs are an early warning to identify any potential event that may harm the continuity of the activity in the long term. In contrast, KPIs relate to past activities and are measured in the short term. KRIs are focused on governance, the board and risk specialists; KPIs are focused on management and operational specialists. KPIs address specific problems at business units or processes, and KRIs address systemic problems. Somehow, there is a controversy about whether or not both indicators are the same thing. <br />
<br />
Both concepts are correlated, but they are not identical. In other words, a decreasing tendency in a KPI may increase a related KRI if a company goal is not achieved. For instance, a continuous tendency for profitability per customer to decrease from year to year (KPI) increases the chances of discontinuing operations in the related business line (KRI). Furthermore, the 2008 PWC Management Barometer survey of senior executives at multinationals showed that:<br />
• 45% of the respondents said that their organizations do not link KPIs and KRIs at all;<br />
• 27% of the respondents said their organizations linked key risk indicators to the management of earnings volatility, as well as capital optimization and adequacy; <br />
• 10% of the respondents said their companies employed risk-adjusted performance metrics to set business objectives and to monitor progress against them;<br />
• 18% did not respond.<br />
<br />
<b>Key Risk Indicators (KRIs) </b>show the risk of exceeding the defined risk appetite in the future. A well-constructed KRI should be able to accurately predict losses. Therefore, KRI ratios usually contain forecasted information. For instance, a KRI may be calculated as the forecasted net balance in cash flows for next year (estimated outflows/estimated inflows) or an FX future (foreign exchange derivative). Trending known activities could also predict risks. Some KRI examples in this case are the number of annual frauds per transaction or the % of uncollected sales per year. In general, KRIs are related to fluctuation rates at long intervals, forecasts or trends, to provide an early warning (alert) about a future problem. <br />
<br />
<b>Key Control Indicators (KCIs) </b>are used to define the company-wide controls and to monitor the achievement of the set objectives. Managers define the related desired tolerances for controls before measuring. The role of KCIs is to ensure that adequate responses and monitoring have been provided for a risk situation identified by KRIs. Control verification is a key component of a KCI, and it usually includes auditing, quality assurance and improvement programs. Typical KCIs cover the reliability of financial reporting, the number of audit issues or product quality assurance ratios. <br />
<br />
<b>Key Lead Indicators (KLIs) </b>are used to detect the root cause of a risk or a performance driver, to provide an early warning if the achievement of strategic goals would be jeopardized in the future. Effective KLIs should drive behavior change. As predictive as KRIs, KLIs are linked to the strategic goals of the company.<br />
<br />
<b>Key Management Indicators (KMIs) </b>refer to a comprehensive set of KPIs, sometimes involving quality and environmental metrics. Like Key Activity Indicators (KAIs), KMIs can be rolled up under KPIs. <br />
<br />
Only 15 years have passed since the first publication of the book Balanced Scorecard by Robert Steven Kaplan and David P. Norton. We are still at an early stage in developing a KRI, KCI or KLI framework. There are numerous differences in usage and definitions among organizations and institutions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW9BKG3AjzzfP0Su6SixgZd5C9cDKWF2LmrufyKC1x6ixXDqQrVxJdSDxUB47kVUBuTz9qklRwO-VWmpsg8eCMavIJz3gYNSC9_VzsLCdd3WyM-EdiYJQFS2Bj5C6n_MLXSc6vYBOHKX5v/s1600/KRI.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW9BKG3AjzzfP0Su6SixgZd5C9cDKWF2LmrufyKC1x6ixXDqQrVxJdSDxUB47kVUBuTz9qklRwO-VWmpsg8eCMavIJz3gYNSC9_VzsLCdd3WyM-EdiYJQFS2Bj5C6n_MLXSc6vYBOHKX5v/s320/KRI.PNG" width="320" /></a></div>
Hernan Huwyler, Copenhagen, Denmark<br />
<br />
<b>Motion Charts and Dynamic Risk Maps</b> (published 2011-06-08)<br />
<br />
There is an increasing interest in <b>motion charts </b>(Gapminder by Prof. Hans Rosling, motion bubble charts by MicroStrategy). Fortunately, creating motion charts in Excel is easy. I am sharing a motion chart to show how risks evolve over several periods. This worksheet can be used to present risk mapping results.<br />
<br />
You can download my demo worksheet from here:<br />
MS Office 2007 http://www.box.net/shared/zvq3c4days<br />
MS Office 2003/97 http://www.box.net/shared/dg1zrzystl<br />
<br />
<br />
The worksheet contains a risk map with 6 risk categories (populated with mock data). The chart can be animated by clicking on <b>play </b>or using the <b>bar </b>to display the risk changes in frequency (X axis), impact (Y axis) and exposure (bubble size). The worksheet contains a macro to increment the displayed period and a linked table to feed the chart. <br />
<br />
I think that the result is very impressive, especially considering that only MS Excel is needed. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg04L-9V4IGraC9UdOLtgCnFrPM7m_VrDHrVpOOJYwa2IcD1yPj4PdLsgzg9Z61QjkBZUnp6vssv3szQrEn0QE4pOQxtiqyQESF_BuiRnqTH2ogLKQhxNZRRBiRyHFD5pTCC8bYQhl5XIBx/s1600/Dynamic+Risk+Map+Motion+Chart.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="239" width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg04L-9V4IGraC9UdOLtgCnFrPM7m_VrDHrVpOOJYwa2IcD1yPj4PdLsgzg9Z61QjkBZUnp6vssv3szQrEn0QE4pOQxtiqyQESF_BuiRnqTH2ogLKQhxNZRRBiRyHFD5pTCC8bYQhl5XIBx/s320/Dynamic+Risk+Map+Motion+Chart.PNG" /></a></div><br />
Hernan Huwyler, Copenhagen, Denmark