
Risk in New Business Ventures

The most critical opportunity to perform a risk analysis is at the development of a business plan. Investors do not expect business plans without risk, but entrepreneurs often fail to include a solid risk analysis in their business plans. Business plans need to anticipate risk in order to build the flexibility to react by creating alternatives. In this post, I would like to discuss how risks need to be analyzed when aiming at new business ventures.

Traditional ERM approaches are not tailored for startups (or proposals, or new projects) (1); however, risk is the source of their competitive advantage. The skill of entrepreneurs in strategically managing risk determines the success of their endeavor. Potential losses need to be assessed in order to prioritize the venture's vulnerabilities.

Decision-making around a business idea has particular needs. Risk categories for startups can therefore differ from those for well-established companies. The most relevant risk categories for startups may include:

Product development risk can be defined as the likelihood of successfully transforming a prototype or a business idea into a marketable product. This risk can be mitigated by extensive R&D and customer research.

Market risk can be defined as the likelihood of reaching a smaller target than expected (for a given period). This risk can be mitigated by identifying secondary niches or segments (for instance, a market for by-products) and performing a reliable competitive analysis. Having a good strategy to reach early adopters could mitigate this risk too (for instance, by discounts for first purchases).

Managerial risk can be defined as the likelihood of losing key members or of not attracting the right employees. The managerial ability to adjust and strive is affected by this risk. As managerial incompetence increases costs, cost control can be very effective in treating this risk.

Cash generation risk can be defined as the chance of becoming unable to obtain liquid funds. Balanced scorecards and projected cash flows can play a key role in monitoring this risk. In order to mitigate it, budget assumptions should be validated, potential funding should be available, and capital requirements should be adequately calculated.

There are also several tools to identify risk and create strategies. For instance, Monte Carlo simulation can be an effective method to identify the variables with the highest impact on profitability. Some of these tools are included in traditional ERM systems.

A comprehensive risk analysis adds a reality check to business ideas.

(1) For instance, there are no references to startups in ISO 31000.

Opportunity-based Audit

Business risks are increasingly the prime focus of Internal Audit (1). Risk-based Audit (RBA) is the methodology which provides assurance that risks are being managed to a level considered acceptable by the board. This methodology covers the enterprise risk management (ERM) framework (2). Risk-based auditing is increasingly widening the coverage to support management decisions to achieve more objectives. By adding opportunities management to this process, the decision-making process will be improved. In this post, I would like to take a first step towards a definition for Opportunity-based Auditing.

Effective since 2006, SAS Nos. 104-111 require auditors to evaluate the design and implementation of internal control on all audits in order to properly identify and assess risks. The assessed risks need to be linked to the nature, timing, and extent of the audit procedures performed in response to those risks. These new standards significantly altered the methodology by which audits had been performed over the past three decades. Risk-based audits focus on the areas of highest risk to the business. These audits start from business objectives rather than controls. Their recommendations are then risk-evaluated to ensure the highest benefits (3).

Auditors have the chance to look right across their companies and identify not only best practices but also business opportunities. So, internal auditors should be seen as business partners by directors. Directors (as well as investors) don't like unexpected risks, but they are attracted to profiting from unexpected opportunities. They need systems to promptly identify both business risks and opportunities.

An ERM system aligns the risk involved in a process with the accepted risk appetite. The risk appetite depends on the profitability of a business. A business needs more profits to undertake greater risks. In order to adjust the risk level of a business, new opportunities should be identified. An ERM/EOM system should link the targeted profitability with its risks and opportunities.

An Opportunity-based Audit (OBA) refers to an examination of processes based on a previous assessment to identify the most promising opportunities to increase profits for a given risk appetite. Its goal is to recommend a strategy to change existing processes to make them more efficient.

Traditional Auditing + Enterprise Risk Management = Risk-Based Auditing

Performance Auditing + Opportunity Risk Management = Opportunity-Based Auditing

The traditional role of internal audit was reviewing the internal controls for financial statements reporting. The RBA modified this role to review the ERM system to reduce risks to an acceptable level. The OBA adds the review of the opportunity management (EOM) system to recommend business strategies. Its areas to audit are Corporate Planning, IT Planning, Marketing, HR, Public Relations and Project Management.


(1) According to the PWC surveys of CEOs, the role of internal audit gradually changed from being focused on finance and operations (2000) to risks (2007).
(2) ISO 31000 defines risk as a deviation from the expected, both positive and negative (2.1.1). However, the described risk treatment options to avoid, transfer or mitigate are only acceptable for dealing with threats (not opportunities). When defining risk as a threat, managing risk is managing controls.
At the time of publishing this post (August 2011), there are no references to a framework for "opportunity-based auditing". The process to identify and manage opportunities is generally overlooked by auditing.
(3) ISO 31000 includes a chapter about risk monitoring and review (5.6). It encompasses the assurance that controls are effective and efficient. There is no more detailed look at auditing these controls when dealing with opportunities. Controls to deal with opportunities are carried out, for instance, by marketing, corporate planning and HR.

Enterprise Opportunity Management and ERM

The word risk can be traced to Classical Antiquity, in reference to a hazard to avoid at sea (like an exposed rock or a barrier). Deriving from the Greek rhiza and the Latin risicum, we inherited the English words for both cliff and risk, the Spanish risco and riesgo, and the French récif and risqué. It seems that the Occident defined risk with a meaning of danger and chance… usually with a negative outcome. However, the word rizq in the Arabic world means the blessing that has been given by God to make profit from. In this post, I would like to use the Arabic meaning of rizq in ERM.

Research by Robert Ciardini concluded that most people would rather avoid a loss than receive a benefit. I think that this tendency oriented the ERM approach toward the uncertainties that might have a negative impact rather than a positive one. From this perspective, risk management means a defensive tactic.

The same system that ERM uses to identify, treat and report risks can be used to collect business insights about opportunities. This assessment process should not be limited to threats with negative impact. In the end, changing business environments create both risks and opportunities to innovate. The real value of this process is to anticipate opportunities. Opportunities identified by top management should be communicated, validated and treated by all the employees across the organization (top-down), and employees should likewise be able to communicate their ideas for innovation to top management (bottom-up). Employees should be able to see market opportunities and transform them into realistic ideas, just as they see risks and develop a specific mitigation strategy in a traditional ERM approach. Companies need to expose their employees to entrepreneurship and help them understand the commercial dimension of new ideas.

The Enterprise Opportunity Management (EOM) approach may cover the following opportunity categories (as a complement to risk categories):

1- Opportunities to create a new process or product.
2- Opportunities to improve existing processes or products.
3- Opportunities to broaden the range of products or services (geography, target).
4- Opportunities to use excess resources.
5- Opportunities generated from declined customer orders and requests.
6- Opportunities to cut costs.
7- Opportunities to improve the corporate image and reputation.
8- Opportunities to improve the HS&E standards.
9- Opportunities to build alliances.

Several of these categories can be related to a risk category (e.g., the reputational risk is linked to opportunities to improve the corporate image). However, they are not limited to having a negative impact. As in ERM, both historical and projected data may be used to detect patterns and tendencies.

An EOM Matrix can be used to prioritize all the opportunities collected from the assessments. This matrix can provide additional guidance in strategic decision-making (as ERM does). Although the assessment can be treated in more detail, the opportunity score can be calculated by multiplying the expected gain by the likelihood to succeed (both in a given range). High-reward opportunities with high chances to succeed (in other words, involving low risks) are ranked high.

An EOM matrix would be displayed as follows (in a cold map):

In EOM, we can talk of an opportunity appetite (as a complement to a risk appetite), as well as a culture for innovation and entrepreneurship (as a complement to a risk culture).

An opportunity is the opposite of a threat. Risk, then, is a balance between the benefits and harms of an event and the probability of those benefits and harms. Both ERM and EOM should be part of a business model to guarantee that the enjoyment of creating something that does not exist overcomes the fear of failure.

Defining a GRC culture

The GRC culture influences the decisions of management and employees, sometimes even at an unconscious level. C-level executives should ensure that the “whatever it takes” attitude to get results does not affect stakeholders' interests. Employees should understand that GRC rules apply to everyone in the company as they pursue their business goals. In other words, all levels of a company need to understand the boundaries within which they can operate. In this post, I articulated my ideas about the three aspects of a GRC culture.

Risk Culture: It can be defined as the system of values and behaviors, called the culture, that affects risk decisions. In practical terms, employees need to understand the company's risk exposures. The risk culture is created by risk management training, risk assessment and guidance about decision-making. It involves organizational risk policies, as well as risk statements and procedures. A strong risk culture is part of a good ERM practice. For instance, banks with a healthy risk culture were able to deal with the 2008 credit crisis better than average.

Compliance Culture: It can be defined as the overall environment that affects how compliance issues are handled. In a strong compliance culture, employees follow the right processes and perform the right controls even without oversight. In practical terms, it refers to how effective a company is in meeting compliance regulations and in deterring and detecting compliance problems. It covers how proactive the employees are in averting compliance issues, interpreting the meaning and the intention of rules, and getting examination resources. Compliance culture involves strategic planning, effective control points, careful audit traceability and documentation, proper disclosure and well-known company procedures.

Governance culture: It can be defined as the attitudes and actions to build a strong and competitive company that enhances shareholder value. It involves the strategic direction of a company, and how this strategy is embedded into business practices and leadership capabilities at every level. A healthy governance culture would create a reputational advantage with investors. The governance culture involves the beliefs about how business should be done and the ethical principles of the management and employees in general.

The boundaries between the three aspects of the GRC culture are hard to establish. In the end, the general term culture is also hard to delineate. These aspects are linked to create a company culture.

Building a GRC culture is a consistent and long process based on effective communication around ethics and practices and rewarding proper actions to comply with the GRC strategy. It is not enough to have good intentions. It is not enough to have an internal audit department. It requires leadership, accountability and infrastructure to create an environment that is conducive to ethical behavior and it is part of the company business model. There is an overwhelming amount of research to support that an ethical culture is part of the company success.

Strategic Risk Management

Companies have been managing risks to seize opportunities since Mercantilism. However, a company-wide framework to manage risks was developed only a few years ago. The first integrated framework for enterprise risk management was published by COSO in 2004. Approaches to strategic risks, which address a company's ability to achieve business objectives within the stakeholders' risk appetite, are still immature. In this post, I will give an overview of strategic risk management.

Risk management and governance can be improved by developing strategic risk management processes. These processes encompass the identification, assessment and management of the top risks in the business strategies. For a given risk tolerance, strategic risk management can assess internal and external events that potentially affect the company's strategy to achieve business objectives. This field is a concern of boards, directors and top management. A GRC approach should integrate it in order to align all the different business activities with common objectives. Additionally, an ERM approach should include prioritization processes to identify key risks (which are the input for strategic risks).

This area has not been properly developed in an integrated manner, or even resourced by companies. Even so, it deserves attention from upper management and other stakeholders (e.g., risk rating agencies). There are increasing cases of catastrophic losses because of strategies unaligned with risk appetites (e.g., managing debts and investments in the 2008 crisis, dealing with cost volatility, poor data loss prevention measures, subordinated debt or lack of geographical diversification). In this world of “continuous surprises”, stakeholders' value is neither protected nor created. Personally, I get the feeling that, in some cases, a specific control issue may get more attention and resources than identifying an emerging risk to executing a strategy.

There have been some recent developments to integrate strategies into a holistic approach. Strategic Risk Management can be linked to ISO 31000:2009, since top management is responsible for integrating this standard into the decision-making processes (which involve the strategies). Also developed during the last decade, the Return Driven Strategy framework integrates the strategic goals with the risk management goals. Unfortunately, these approaches are not usually put into practice by most companies.

Key versus Non-Key Controls

There is no official definition of a key control in SOX. Some guidance on this topic is taken from PCAOB AS 5.11, but a clear distinction between “key controls” and “non-key controls” is not codified. It is entirely a matter of judgment and there is no commonly accepted definition of a key control. However, being able to distinguish both concepts can save time on documenting and testing controls that are not important. In this post, I described some common characteristics of these categories.

A Key Control has the following characteristics:
• It is required to provide reasonable assurance that material errors will be prevented or detected in a timely manner
• It is the only control that covers a risk of material misstatement (it is indispensable to cover its control objective)
• If it fails, it is highly improbable that another control could detect the control's absence
• It is a control that covers more than one risk or supports a whole process execution
• It is usually part of entity-level controls or high-level analytic controls
• It needs to be tested to provide assurance over financial assertions (as part of SOX compliance)

A Non-Key Control has the following characteristics:
• It is also referred to as a sub-process, secondary, activity or operative control
• It can fail without affecting a whole process
• It is in place to monitor certain information
• It has an indirect effect on the risk of material misstatement
• Its importance should not be minimized (it is subject to monitoring)
• It should not involve significant transactions
• It is generally eliminated for testing purposes (as part of control rationalization or streamlining efforts)
• Its testing can involve getting the walk-through documentation
• It could be evaluated under a Control Self Assessment (CSA) program

Since there is no official definition, the risk categorization depends on each company and sometimes, in practice, on each business owner. In addition, some people call non-key controls non-SOX controls. What is your experience with this?

Key Indicators: KPIs, KRIs, KCIs and KLIs

Key Risk Indicators (KRIs) are the foundation of any operational risk analysis, just as Key Performance Indicators (KPIs) are the foundation of any continuous improvement analysis. In this post, I will relate the desired performance level (KPIs) to the desired risk tolerance level (KRIs). I will also include a short description of other indicators, including Key Control Indicators (KCIs), which set the desired internal control effectiveness of an organization, and Key Lead Indicators (KLIs), which are increasingly used to measure the achievement of strategy goals (for instance, in terms of customer satisfaction). All these indicators working together in scorecards improve the management information.

KRIs measure how risky an activity is, and KPIs measure how effectively an activity was performed. KRIs are an early warning to identify any potential event that may harm the continuity of the activity in the long term. In contrast, KPIs are related to past activities and they are measured in the short term. KRIs are focused on Governance, the board and risk specialists; KPIs are focused on Management and operational specialists. KPIs address specific problems at business units or processes, and KRIs address systemic problems. There is some controversy about whether or not both indicators are the same thing.

Both concepts are correlated but they are not identical. In other words, a tendency to decrease in a KPI may increase a related KRI if a company goal is not achieved. For instance, a continuous tendency for the profitability per customer to decrease from year to year (KPI) increases the chances of discontinuing operations in the related business line (KRI). Furthermore, the 2008 PWC Management Barometer survey of senior executives at multinationals showed that:
• 45% of the respondents said that their organizations do not link KPIs and KRIs at all;
• 27% of the respondents said their organizations linked key risk indicators to the management of earnings volatility, as well as, capital optimization and adequacy;
• 10% of the respondents said their companies employed risk-adjusted performance metrics to set business objectives and to monitor progress against them
• 18% did not respond

Key Risk Indicators (KRIs) show the risk of exceeding the defined risk appetite in the future. A well-constructed KRI should be able to accurately predict losses. Therefore, KRI ratios usually contain forecasted information. For instance, a KRI may be calculated as the forecasted net balance in cash flows for next year (estimated outflows/estimated inflows) or an FX future (foreign exchange derivative). Building trends from known activities can also predict risks. Some KRI examples in this case are the number of annual frauds per transaction or the % of uncollected sales per year. In general, KRIs are related to fluctuation rates at long intervals, forecasts or trends to provide an early warning (alert) about a future problem.

Key Control Indicators (KCIs) are used to define the company-wide controls and to monitor the achievement of the set objectives. Managers define the related desired tolerances for controls before measuring. The KCIs' role is to ensure that adequate responses and monitoring have been provided to a risk situation identified by KRIs. Control verification is a key component of a KCI, and it usually includes auditing, quality assurance and improvement programs. Typical KCIs cover the reliability of financial reporting, the number of audit issues or product quality assurance ratios.

Key Lead Indicators (KLIs) are used to detect the root cause of a risk or a performance driver to provide an early warning if the achievement of strategic goals would be jeopardized in the future. Effective KLIs should drive behavior change. As predictive as KRIs, KLIs are linked to the strategy goals of the company.

Key Management Indicators (KMIs) are used to refer to a comprehensive set of KPIs, sometimes involving quality and environment metrics. In addition to Key Activity Indicators (KAIs), KMIs can be rolled up under KPIs.

Only 15 years have passed since the first publication of the book Balanced Scorecard by Robert Steven Kaplan and David P. Norton. We are still at an early stage in developing a KRI, KCI or KLI framework. There are numerous differences in usage and definitions among organizations and institutions.

Motion Charts and Dynamic Risk Maps

There is an increasing interest in motion charts (Gapminder by Prof. Hans Rosling, motion bubble charts by MicroStrategy). Fortunately, creating motion charts in Excel is easy. I am sharing a motion chart to show how risks evolve in several periods. This worksheet can be used to present risk mapping results.

You can download my demo worksheet from here:
MS Office 2007
MS Office 2003/97

The worksheet contains a risk map with 6 risk categories (populated with mock data). The chart can be animated by clicking on play or using the bar to display the risk changes in frequency (axis X), impact (axis Y) and exposure (bubble size). The worksheet contains a macro to increment the displayed period and a linked table to feed the chart.

I think that the result is very impressive, especially considering that only MS Excel is needed.


The Personal MBA by Josh Kaufman

I am reading this book for my MBA. It is a very effective summary of new theories and business models. My favorite MBA book so far.

Global Turmoil Affecting Oil Companies´ Market Value

I measured the impact of the global economic slowdown on the market value of companies in the oil and gas industry. The price of oil has fallen nearly 60% since October and is still suffering from weak demand (the WTI price is the barometer of the world economy). The disruption in world finance markets and the drop in share value affected the market capitalization of Oil & Gas Companies. I compared the current, highest and lowest values (in billions USD) from Jan/08 to Jan/09, and I divided the analysis into 1) Oil & Gas Companies (Exxon, Shell, Chevron, BP, Total and ConocoPhillips), and 2) Oilfield Services Companies (Schlumberger, Halliburton, Varco, BakerHughes, Weatherford, Cameron). Oil companies showed lower drops from 1-year peaks (from 50 to 26%) than oil service companies (from 60% to 77%).

Companies in the oilfield services were the most affected, since service companies suffered from both high inventories and the cancellations of current and new projects. It is expected that energy prices will recover and the oilfield service industry will likely be one of the biggest beneficiaries. At the end of the recession, the Oil & Gas companies need to be well prepared for the next cycle by controlling cash flows, improving efficiency, and managing new operational and regulatory risks.

Offshoring Finance Activities in Buenos Aires (Shared Services Centers)

Organizations follow the strategy of integrating, consolidating, and standardizing processes as part of successful continuous improvement initiatives. The creation of Shared Services Centers (SSC) plays a key role in this strategy. These entities are responsible for the flawless execution of operational tasks mostly related to accounting, payroll/HR, IT, auditing and supply chain functions. Their functions are migrated from corporate headquarters and subsidiaries, and then standardized for better implementation (e.g., process streamlining, elimination of duplicative or non-value-added activities, staffing rationale). SSCs are location sensitive in terms of labor costs/market and operational security. In recent years, Buenos Aires has been chosen as a major business hub for SSCs. Buenos Aires is a preferred platform because of the sizable qualified staff, availability of English/Spanish bilinguals, good communication infrastructure, time-zone between Europe and US, top international living standard, Western European culture, workforce flexibility and cost competitiveness.

I will describe the current SSC projects related to accounting functions in Buenos Aires (Argentina).

Exxon: The ExxonMobil Business Support Center Argentina (Catalinas) was established in Buenos Aires in 2004 to provide centralized services to affiliates in Controlling (Accounting/Processes), Procurement, and Human Resources. Controllers supports the Upstream, Downstream, Chemicals and Corporate functions in Financial accounting & reporting, Fixed Assets and Intercompany accounting, Inventory and Exchange accounting, and AP/AR. It employs 580 professionals.

Chevron Texaco: The Chevron Buenos Aires Shared Services Center serves the LATAM, UK and US region for accounting posting and reconciliation. It typically hires junior and senior accounting analysts, some of them with some experience in SOX and US GAAP since 2007.

Google: With more than 100 professionals, Google Shared Services (Puerto Madero) supports AdWords clients from LATAM, Italy and Spain. Finance is focused on billing and customer care. Google was chosen as one of the best companies to work for by Fortune.

McDonalds: The McDonalds Centro de Servicios Compartidos (Martinez) has supported AR, AP, accounting, reporting, planning, administration and controls from the LATAM region since 2007.

IBM: The IBM Service Delivery Centers (Martinez) have employed 300 professionals since 2000 (the headcount increase is recent). They are currently migrating more activities.

SAP: The SAP Latin America Shared Services Center (Puerto Madero) supports areas related to billing, contact admin, procurement, AR/AP and internal customer care since 2007. The German software developer employs 40 professionals in this center. It supports North American operations (Can&US).

Cargill Shared Services Center delivers services for regional HR and payroll functions.

Other players are DHL Buenos Aires Shared Service Center related to imports/exports, MySpace, Philip Morris, Huawei, Accenture for consulting and backoffice services, Quilmes (Inbev) for backoffice services, Centro de Servicios Compartidos de SC Johnson (Global Shared Services Center), TMF Argentina and Axial Analytics outsourcing finance services. The Big Four audit firms are implementing global audits and outsourcing to Argentina.

Hiring Talent in Current Economy

I believe that this blip in global finances will create opportunities for companies to right-size by combining layoffs and hiring to reshape the workforce in order to meet current and future conditions. Even companies conducting sizable layoffs keep looking out for potential new hires. The long war for talent will not be affected. In bull or bear markets, top performers are always in demand.

As I discussed, applying a companywide hiring freeze is not a good alternative since there is no control over which areas need to grow or shrink. On the other hand, the current economy allows recruiting staff in high-demand areas such as finance, IT, bilingual executives, and Oil & Gas experts. In recent years, finance and IT, in particular, have been hard-pressed to find all the qualified staff they need, ever since the Sarbanes-Oxley Act stirred up demand for professionals in these areas (even with low expertise). These candidates have been firmly in control and salaries have risen.

The risk is that real talent does not get laid off often. Top performers know their value (as they can detect an undervalued stock). Also, they can easily start their own projects, and 2009 will see the birth of multiple consultancy firms. The best talent is always on the move, seeking new opportunities.

Audit Risks and Objectives for 2009

The current global economic crisis has placed extraordinary pressure on Internal Audit to reevaluate short and long term performance management objectives. As expected, risk and cost management objectives have risen in priority, in large part due to the worsening economic environment, while priorities such as SOX 404 testing have waned. Also, there is greater emphasis on technology tools (automated work-paper solutions and data mining), as well as continuous controls monitoring (CCM) (with Business Intelligence initiatives).

Several new risks are rising this year. At a time when companies are carrying out major reductions in their workforces, employment laws are changing. Companies must carefully consider and manage their layoff and reduction-in-force activities with gender, age, and race discrimination concerns in mind. Also, many customers and suppliers are renegotiating contract terms with operative staff who are often ill-equipped to know how to respond and who actively try to avoid legal department involvement.

A key objective for 2009 is to minimize SOX efforts via a controls rationalization process. Internal Audit has been generally moving away from SOX-related objectives since 2007 (although SOX remains a priority). I expect this year to transition control testing and SOX management to business process owners (it implies more application of Control Self Assessments). AS5 facilitated this objective because it is a more streamlined process.

As a general conclusion, internal audit is aiming to go beyond providing control assurance to providing more comprehensive risk management and reporting.

Scorecards and Key Performance Indicators in Audit

Corporations utilize balanced scorecards and key performance indicators (KPIs) as a vehicle to manage performance and strategy. Studies show that companies have successfully implemented scorecards to improve customer satisfaction, increase sales and execute their strategic vision.

I found that KPIs integrated with implementation of business intelligence and process improvement (six sigma and others) increase the efficiency of the companywide audit process.

A recent benchmarking report identifies five groups of performance measures that are most frequently employed in balanced scorecards across industries, drawn from five major dimensions (perspectives): Customer, Shareholders (Financial/PLs), Business Process, Employee, and Learning and Innovation. I would add the Compliance and Regulatory Perspective.

Today, I will give some examples of KPIs that can be applied for audit purposes:

COST METRICS – Finance Perspective
· Total audit department cost as a percentage of revenue
· Total audit department cost per audit salaries
· Internal audit cost components (salaries, services, consulting, travel expenses)

STAFFING METRICS – Employee/Learning Perspective
· Audit staff as a percentage of total employees
· Staff backgrounds by grade/profile/specialization matrix (IT, Ops, Fi)
· Measuring performance: results from 360 degree appraisal reviews (or better 720 degree)
· Staff joining/leaving the department (last 2 years)
· Staff turnover by grade
· Impact of using external resources
· Staff from Operations joined to participate in individual audits
· Allocation of training budgets
· Days of training per staff member
· Mission, strategy, and objectives
· Age of the department
· Department organization

AUDIT PLANNING AND TOOLS METRICS – Business Process Perspective
· Relevance of key activities
· Stakeholders and manager risk awareness
· Duration of periods of forward plans for audits
· Tools used by the audit department
· Frequency in reporting to the audit committee
· Value and nature of audit recommendations
· Audit survey results
· Frequency and method of checking/reporting implementation
· Member of benchmarking discussion group
· Perception of the audit department (this can be done using the CSA forms)
· Value-added measurement tactics

Business Fraud Risks and Economic Downturns

Companies should be prepared for the risks that a downward economy poses. In my opinion, fraud risk for business is exacerbated in weak economic conditions because of the following factors:
1) reduction in employee headcount (creating improper segregation of duties),
2) weaker internal controls and fraud-awareness training,
3) diminished morale across the organization,
4) salary reductions that “rationalize” inappropriate activity by employees,
5) financial pressure to meet short-term performance goals (“whatever it takes” attitude), and
6) diverted attention from risk management issues.

Historically, fraud schemes committed during downturns include:
1) omitted or improper disclosures in financial statements,
2) manipulation of financial categories such as revenue recognition (fictitious sales, premature recognition, channel stuffing), inventory and cost of goods, and reserves or expenses,
3) manipulative trading practices,
4) unreported violations of the Foreign Corrupt Practices Act (FCPA), and
5) asset misappropriation: skimming, check tampering, and expense reimbursement.

The regulatory apparatus should quickly adapt to respond to these criminal activities. The US Congress has already held hearings to address the issue of transparency in business conduct. Congress needs to fill these regulatory holes by passing legislation that would give regulators the power to rein in manipulative or fraudulent trading practices and help the public better assess the risks involved. The collapse of Bernard L. Madoff Investment Securities makes it easier to understand the importance of proper due diligence.

In a slowing economy, companies today will have to be more proactive in protecting themselves against fraud, and engage in more stringent financial and investigatory due diligence to better evaluate regulatory risks and their impact on future investments. As I discussed below, initiatives for more robust fraud-risk assessments that reflect current conditions mitigate these risks.

Compliance As A Global Corporate Concern

According to a recent compliance benchmarking report from the Compliance and Ethics Leadership Council, the current top priorities for managing compliance and ethics programs are determining appropriate structures for overseas compliance, encouraging overseas employees to report potential misconduct, and developing the capabilities of local compliance and ethics staff. Among the risks that pose the greatest concern are corruption and bribery, noncompliance of external business partners, violations of financial and accounting standards, conflicts of interest, data privacy breaches, anti-trust violations and conflicting national regulations.

Indisputably, compliance is a global corporate issue, yet different countries and jurisdictions require varying elements for their audit functions. Although the mechanics of compliance programs may differ, the reasoning remains uniform:
1. Companies under government investigation can use the existence of an effective compliance program to prove good faith and thus minimize government action against the company;
2. An effective compliance program will set an ethical environment and create a corporate atmosphere that discourages wrongdoing; and
3. A compliance program can detect misconduct at an early stage, allowing the company to proactively minimize adverse consequences.

Generally speaking, policies related to gifts and entertainment, sales practices, investigation, anti-trust/fair trade and environment, health, and safety are often locally customized by country, region, or business unit.

Global compliance awareness has increased rapidly, from the 90s, when the compliance function did not exist and was not an issue of concern, to today, when this function is independent of the legal department, receives separate financing and reports to the CEO.