E&Y: Internal Audit should drive strategy

BusinessDay, a South African business news website, published a recent article referencing an E&Y study involving “more than 100 industry analysts from more than 20 disciplines”:

Organisations need to break out of the compliance cocoon and evolve into a fully fledged leadership role that delivers real value to the business. In the current economic climate, the biggest risk for most companies is not a failure to meet compliance requirements, but a failure to meet strategic targets.

The study also assessed last year’s top 10 business risks. In it, the analysts ranked the aftershocks of the credit crunch and the deepening global recession as the most important business risks, displacing regulation and compliance from the top spot.

Still more evidence that the Internal Audit profession demands an expanding skill set and well-rounded people with experience in more varied aspects of business. Auditors are going to have to continue to push themselves outside of their comfort zone in order to provide the greater value that shareholders require of the function.

How does your IA department stack up?

Survey says: IA feeling the squeeze

A survey conducted at the recent Institute of Internal Auditors annual conference by Protiviti has revealed that ⅔ of IA professionals believe their department is under-resourced and therefore unable to adequately carry out their duties.

Protiviti’s take is that due to increased expectations of the assurance Internal Audit can provide on an ever-widening spectrum of enterprise risks, auditors feel under-resourced. Sukhdev Bal, Director of Protiviti says:

This survey is a clear indication that internal auditors themselves believe that prior to the recession, they were not fit for purpose in terms of focus, skills and capabilities. Audit committees, Internal Audit leaders and management need to work more closely and collectively to agree the role of audit, objectives, criteria for audit and the overall approach of the internal audit function required to meet current and future evolving needs. Importantly, having agreed these, they need to ensure that the function is staffed with the right skills, capabilities and experience to meet these objectives.

There is evidence that spending on governance, risk and compliance didn’t decrease in 2009 compared to 2008, so I think Protiviti is correct with its assessment. IA is being asked to expand their risk coverage beyond traditional areas of expertise. It’s only natural to feel a little overwhelmed by the expectations. The key to adapting in my opinion (and experience) will be support for training in non-traditional areas.

The survey is available on Protiviti’s website (if you give them some personal information first).

Survey says: ERM implementations maturing

A survey conducted in July and August of 2009 by Aon has revealed that companies are moving beyond “basic” ERM implementations:

62% of the survey respondents in the Global Enterprise Risk Management Survey 2010 reported going beyond basic ERM, compared with only 38% in Aon’s inaugural ERM survey in 2007.

I wonder what happened between now and 2007 that would’ve affected companies’ willingness to ramp up their risk management practices…

The survey asked respondents (of which there were 201) to rate the maturity of their ERM implementation, from “initial/lacking” through “basic”, “defined”, “operational” and “advanced”.

My take is that respondents are more likely to overestimate the maturity of their implementation and generally more likely to respond the more advanced they (feel they) are in the process. Still, the survey is a welcome indicator that ERM efforts are on the rise.

I also think the fact that ratings firms are taking ERM into account when they determine their grading is helping executives point to a tangible financial benefit and obtain buy-in from all stakeholders, which is critical. In my mind the primary indicator of maturity in a company’s risk management program is how comprehensive it is across all departments and divisions, as the “initial/lacking” stage is exhibited by a rigid, siloed approach.

The survey is available on Aon’s website (if you give them some personal information first).

Political risk for market dominance

A recent article on the New York Times about the political costs that Google is facing due to its market dominance, and their strategy to reduce those costs, caught my interest:

Google has begun this public-relations offensive because it is in the midst of a treacherous rite of passage for powerful technology companies — regulators are intensely scrutinizing its every move, as they once did with AT&T, I.B.M., Intel and Microsoft. Some analysts say that government opposition, here or in Europe, could pose the biggest threat to Google’s continued success.

Google’s SEC filings make repeated mentions of the high level of competition the company faces in their business. Microsoft and Yahoo are specifically named as the two biggest competitors, and Google notes that Microsoft has more cash and employees, and both companies have longer relationships with advertisers.

I find it interesting that Google is taking the strategy of talking about the “formidable competition” they face as a risk to their business instead of (or in addition to) the risk posed by increased government regulation as a result of their perceived market dominance.

In the section where they talk about government regulation and the risk it poses to their business, they discuss issues like privacy laws, copyright infringement and even net neutrality. But I couldn’t find mention of the risk presented by regulation due to the perception of unfair competition.

Does your business face political risks like Google and other tech companies?

How the risk of a pandemic might affect your company

A few days ago, probably through Twitter, I found an interesting site for auditors and other risk and compliance professionals called Compliance Week. Based in Boston, they publish a monthly magazine, a weekly email newsletter, and host several blogs and forums on the web.

What led me to the site was a link to a blog post on the risk posed by the swine flu virus, and the observation was made that companies are beginning to include this risk in their disclosures to regulators.

The outbreak is more likely to impact the disclosures of companies in certain industries, such as those in the retail, hospitality, travel, restaurant, or gaming sectors, as well as cruise ship, theme park, and mall operators… For some companies, the pandemic could potentially affect customer traffic, while for others it could affect their ability to staff their own locations or their supply chain.

One of the most interesting projects I’ve worked on since leaving public accounting was a risk assessment, because it encompassed not just the types of risks that I was comfortable with such as reporting and compliance risks, but also more operational and strategic risks. The risk posed by a pandemic wasn’t one that I had thought of at the time, which is likely because my business isn’t in any of those industries mentioned in the article.

footnoted.org recently posted on the topic as well, noting that Starwood Hotels & Resorts included pandemics and specifically swine flu in their first quarter 10-Q, and in doing so have joined other companies such as American Express and Expedia.

How would a pandemic affect your company’s business?