Monthly Archives: May 2013

Archived Posts

2013-05-30 by: James Bone Categories: Risk Management C-Suite clawbacks on the rise


The risk of unintentional fraud charges may be rising for senior executives whether they actually commit fraud themselves or not. The SEC has been gradually broadening its interpretation of Section 304(a) of the Sarbanes-Oxley Act of 2002, using the term “misconduct” to refer to behavior that leads to restated financial statements.

Prior to 2009, these cases were brought against the CEO and CFO only when the executives themselves engaged in “intentional and pervasive accounting fraud”, according to Junaid Zubairi, chair of the government enforcement and special investigations group at law firm Vedder Price.

The SEC has successfully used Section 304(a) to claw back compensation in cases where executives were not personally engaged in the fraud but were held accountable nonetheless. In an interesting twist, CFOs are under fire even after they leave the firm in “innocent-executive” cases, although none have resulted in convictions at this point.

Now for the bad news! The SEC may expand its use of 304(a) further to include “negligence-based cases without regard to fraud”.

According to Zubairi, who was an attorney with the SEC’s enforcement division before joining Vedder Price in 2008, “As the SEC staff has made clear in litigation filings and during the investigative phases of these matters, there are ongoing discussions about whether mere negligence is enough to trigger a clawback, and the staff is taking the position that it is.”

Apparently, these cases have not yet included members of the board, internal audit, or the chief compliance or chief risk officer; however, firms such as J.P. Morgan have exercised their right to claw back compensation from those individuals held responsible for its $6 billion loss in the “Whale Trade.”

The best offense may be a good defense.

Firms with strong internal controls, including disclosure of the operation of controls and a formal process for monitoring fraud and other key controls, may fare better than firms lacking robust systemic controls. The SEC has broad authority to determine enforcement action, with consideration given for minor infractions and substantive evidence of an effort to create a culture of compliance.

The SEC’s more aggressive stance on Section 304(a) may be the result of the public outcry to hold executives accountable for mortgage fraud and other unethical behavior. Whatever the reason, Section 304(a) may become the most troubling enforcement tool used by the SEC to hold senior executives accountable for unethical behavior. There is no more compelling reason for the CEO and CRO to work together to build a culture of compliance.

TheGRCBlueBook mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries.  A one stop source for all things risk and compliance related.

2013-05-29 by: James Bone Categories: Risk Management Remodeling Risk: Trends impacting Risk


The banking industry has led the way in developing and adopting technology to manage financial risk.  According to a survey by American Banker Executive Forum, large Wall Street banks have made significant investment in risk systems during the Great Recession in anticipation of new regulation.

Now it appears that “72% of all banks are planning to make purchases of risk systems over the next 12 – 18 months.”  This sentiment is being echoed at conferences across the country and is a trend that may have room to grow.  Mid-tier banks are now jumping into the market for technology to manage risk, and a few interesting trends have emerged.

According to the survey results, “banks with more than $10 billion of assets are satisfied with their enterprise risk systems yet 36% of small banks plan to implement an enterprise system.” “Firms continue to want to chop down the silos and provide more information across disciplines,” says Michael Versace, research director of IDC.

Improved management of regulatory risk is the trend that is driving increased investment in risk tools.

Secondly, revamping credit models to account for counter-cyclical trends in the economy is forcing risk professionals to rethink capital management, counterparty risk and adjustments to risk-weighted assets.

Thirdly, social media is becoming a bigger factor in how firms use technology to manage risk.  Social media now presents a great deal of potential for data mining for market intelligence.

Trend #4 involves how risk is priced.  Banks are looking for ways to improve how they adjust to changes in customer behavior.  Integrating capital requirements into their systems for evaluating credit risk allows firms to allocate capital more efficiently as customer accounts change over time.

Model validation is trend #5.  Banks have incorporated a host of new risk models which are costly to maintain and update frequently.  The Office of the Comptroller of the Currency has issued guidelines for best practice in model validation, requiring banks to devise cost-effective approaches for ensuring existing models, and their assumptions, are still relevant given changes in the business environment.

Trend #6 is right-sizing dashboards with the key metrics customized for each firm.  Customized dashboards give senior executives the information they need in the way they expect to see it.

Real-time and continuous risk monitoring is trend #7.  Risk solutions must be fine-tuned to monitor critical risks, allowing for human intervention in a just-in-time manner while ensuring that routine limits remain in line with expectations.

Trend #8 looks at the integration of risk systems.  Most silos within many firms have been artificially created by the technology silos that exist to address spot solutions or business processes.  Integrating risk systems breaks down silos allowing for a richer line of sight to enterprise risks.

Trend #9 is Big Data and the use of in-memory computing of existing database technology. 

The American Banker Executive Forum study demonstrated that a variety of vendors are being used today to address these trends.

What these trends represent is the growing importance firms are placing on the management of risk and the tools needed to assist them in tackling real business problems.


by: James Bone Categories: Risk Management Cat Bonds: Managing event risk


The 100-year natural disaster that no one expects to happen appears to have become a more frequent event, at least in the most recent time frame.  From Hurricane Katrina and earthquakes in Japan and Haiti to the most recent F5 tornadoes in Oklahoma, Mother Earth appears to be under attack by Mother Nature.

Oklahoma’s damage has been conservatively estimated at $2 billion, and that doesn’t seem to come close to the disruption in business and life that results from such a massively destructive storm.  Most of us cannot even imagine living through and recovering from the floods, wind and storm damage left by nature’s forces, but increasingly business must consider the possibility.  This is where cat bonds come into play.

Catastrophe bonds are an example of insurance securitization to create risk-linked securities which transfer a specific set of risks (generally catastrophe and natural disaster risks) from an issuer or sponsor to investors.  Like other derivatives, the terms used to create cat bonds must be negotiated to reflect the triggers which would cause an event to activate based on specified losses.

Cat bonds have been around since the 1990s but have not taken off broadly as a risk transfer tool.  As property and casualty insurance rates accelerate due to increased risk exposure, the lower cost of cat bonds may rekindle interest in these products to mitigate event risk.

Robert Shiller, of Case-Shiller Index and Professor of Economics at Yale University, has long been an advocate for creating new risk tools to manage a variety of risks that impact our homes, livelihood, and even the income of countries.  None of these ideas have resulted in markets for pools of risk outside of insurance, options exchanges, or credit markets…so far! 

As the cost of tail events increases the frequency of these events may prompt new and more creative solutions to recover from catastrophe.  Imagine a diversified pool of risk traded on an exchange, used as a hedge, or even originated by corporations or industries to manage a variety of business risks.

Turning risk into opportunity: an exciting new approach to managing risk and adding value!


2013-05-28 by: James Bone Categories: Risk Management Aligning strategic value with risk management


The vision of risk management contributing as strategic partner in the executive suite has long been a dream of most serious risk professionals and now that vision may be coming into focus.  Senior managers now view risk managers as strategic partners in the execution of corporate objectives by assessing and identifying key risks resulting from strategic plans.  That’s the good news!

However, according to a study by Marsh and RIMS “only 15% of the risk professionals and 20% of the C-Suite respondents said the risk manager is a full member of the strategic planning and/or execution teams, suggesting that risk management has yet to be fully integrated strategically.”

The study does not attempt to explain why risk managers have not made the leap to equal partners in guiding the organization to successful outcomes but one key factor may be the relevance of risk information brought to the table.  This begs the question of what defines strategic value in risk terms?  Increasingly the answer is data and the analysis of risks impacting an organization.

It is hard to argue with the collective wisdom that is forming around the quest for a better understanding of data and developing better techniques for the analysis of data.  Senior management has begun to define the value proposition in the form of data analytics; therefore, risk management must be responsive to these expectations.

The problem or challenge with these surveys is the generic use of the terms data analytics and the lack of specificity regarding what firms expect. 

Blindly conducting fishing expeditions for the sake of “doing” risk management may backfire and not produce the results firms are seeking.  Many obvious risks are lying around in plain view needing attention but are ignored because there is no systemic approach to investing in risk mitigation.  Other risks are the unknown risks that are inherent in the uncertainty of launching a new and unproven initiative or line of business. 

What appears to be missing is a clear and balanced approach to risk management with a focus on setting the context for discussing risks and the tools that should be employed to understand and address risks.  Risk management is not a science project where data analysis alone will uncover some universal truth.  Good risk management is the implementation of a clear baseline from which to judge changes in the environment that may create risks and opportunities alike. 

Risks, in all their forms, evolve as the business environment evolves, requiring senior management and the risk manager to think about risk as a natural byproduct of business objectives.  Risk practice, no matter how quantitatively proficient, will not eliminate risk.  Therefore, risk management should be perceived as a learning process informed by data and adjusted in response to new information as it becomes available.

When everyone understands that risk management is a process like all good business processes, risk managers will have earned their place in the executive suite with other senior managers.


by: James Bone Categories: Risk Management A look back on Risk trends 2012 vs 2013

PRMIA and SunGard joined forces one year ago to project forward trends in risk management, risk technology and regulation’s impact on the practice of risk management.  While many of the findings in this report have yet to be fully realized the trends may be informative for 2013 and beyond given the rapid changes taking place globally.

The top three risks listed for 2012 included the ability to demonstrate the value of risk management, new regulations, and liquidity risk.  Interestingly the report accurately predicted the rise in commodity prices and risky asset classes which we saw begin in late 2012 and continue through 2013’s market rally. 

However, the jury is still out on other predictions by the respondents.  For example, close to 90% of respondents predicted that risk management will play an increasingly important role, while almost 80% suggested that risk management will be a driving force in bringing new assets to their firm.

Additionally, and not surprisingly, regulatory change was cited as playing a major role impacting risk managers, while risk technology was expected to make positive contributions to risk practice through better reporting and more timely market data.  The single biggest prediction suggested that organizations would adopt improved risk cultures at their firms, including a well-defined risk appetite.

Clearly, many of these findings were optimistic and aspirational in nature, and the results are vague with only some specific examples, yet the data may provide guidance on the progress being made in risk management and a recognition of the additional changes needing to take place.

The PRMIA report noted that risk reporting has penetrated the C-suite, with 27% reporting that senior management reviews risk reporting while another 27% of corporate boards are consumers of risk reporting.  Regulators, fund managers, and investors all came in at 15% or higher, rounding out the end users of risk reporting, which is an improvement over the past few years.

Finally, the survey asked for a single factor to improve risk management. The top responses included:

  • Better risk culture  –  31%
  • Better defined risk appetite  –  19%
  • Flexible risk reporting  –  18%
  • Faster risk reporting  –  10%
  • Extended asset coverage in risk system  –  8%
  • More timely market data  –  5%

One third of respondents preferred cloud-based technology solutions with nearly two-thirds preferring home grown solutions due to concerns around security, slowed data processing, and a preference to store confidential data in-house.


2013-05-25 by: James Bone Categories: Risk Management Standard and Poor’s grades Corporate Governance: Only 6% get an A


As of May 2013, Standard & Poor’s has completed its evaluation of non-financial firm management and governance factors for 2,190 publicly and privately rated North American companies, and the results are dismal.  S&P has also assigned a global score to 3,868 firms, with only 8% receiving its highest rating.

“Standard & Poor’s uses the management and governance scores to modify its evaluation of an enterprise business risk profile, a key component of its credit rating.”  S&P’s methodology uses 15 criteria for evaluating corporate governance across five categories.

The categories include:

  • Management, which includes:
      • Strategic positioning,
      • Risk management/financial management, and
      • Organizational effectiveness; and
  • Governance

“The Management and Governance criteria for nonfinancial companies consist of eight management subfactors and seven governance subfactors. Depending on how an entity scores along these subfactor dimensions, S&P issues one of four scores: strong, satisfactory, fair, and weak.”

6% of firms scored “Strong”

26% of firms scored “Satisfactory”

65% of firms scored “Fair”

3% of firms scored “Weak”

In its May 13, 2013 press release, S&P disclosed the names of those companies that received a “Strong” or “Weak” designation. See the list in the May 13, 2013 press release.


2013-05-13 by: James Bone Categories: Risk Management When Big Data Doesn’t Work


With few exceptions, articles about Big Data start off with promises to be smarter, run more efficiently, or make more money.  As proof, each article cites standard examples of how data analytics and robotics have transformed warehouse operations, IBM’s Watson’s mastery over Jeopardy, the game show, and how firms will make decisions more effectively.

Examples of success may be far fewer than we realize given the context of a future state as opposed to the few actual case studies cited above.  Real or not we may learn more from stories of failure to gauge how much progress we have yet to achieve.

 Big Data requires an infrastructure that does not exist in its entirety today.  The infrastructure of Big Data is evolving very rapidly but exists at the lower end of the S-Curve in its development and sophistication.  In other words, it is still an immature concept.  What is this infrastructure? 

A robust Big Data infrastructure requires the following:

  • Skilled knowledge workers – quantitative and qualitative
  • A set of business standards succinctly defining Big Data
  • Well defined data set of structured and unstructured data
  • Data scrubbing capabilities: in-house or vendor-based
  • Efficacious and repeatable operating standards allowing for industry adoption as opposed to one-off solutions

 This incomplete framework is not intended to be exhaustive or comprehensive.  Its intent is to acknowledge that Big Data may evolve along the same parallel path as the evolution of cloud computing which is also in its infancy as an industry.

 There is a major race to gear up and develop talent for what may become one of the largest growth industries in the 21st century.  At a recent business conference in Boston real case studies demonstrated the success and obstacles to realizing the potential of Big Data.

Case story #1

Major tax preparer prepares to learn more about its customers’ needs for new product development.

 Opportunity: a high velocity/volume business (data rich); high security IT  (demographic data); high contact (good historical data). 

Challenges: complex software (multiple versions); multiple SKUs (inconsistent data); high levels of text data (unstructured); data set definition (lack of taxonomy defining key data); recycle results (continuous trial and error cycles)

 Outcome: Long cycle project; steep learning curve; continuous restarts

Case story #2

Web-based start-up for mothers focused on child development.

 Opportunity:  Multiple data collectors (suite of apps used to collect a variety of data); Baby social network (user-generated data); Adaptive learning (behavioral patterns discernible);

Challenges:  Lack of real-time processing of data (suboptimal feedback); missing data (gaps in clean data); lack of end-to-end clarity (cause and effect of change); length of big data projects costly and time-consuming (start small); lack of specialists to code scrubbing scripts (business acumen)

 Outcome: Costs exceeded budget; redundant processes; lack of appropriate skills to complete project

 These case stories represent a small sample of the not so successful implementations of Big Data.  Small samples should never be used to predict outcomes.  These case stories do however provide useful and sobering information and should be included along with the benefits of Big Data. 

 Here are a few additional observations:

  • The cost of storage of Big Data is large
  • What is the net present value of Big Data? ROI may be hard to quantify
  • The tools for system developers are very immature to process Big Data effectively
  • Redundancy of effort is a problem; but may be unavoidable due to immature processes
  • Bridge the gap between technical expertise, which exists, and a well-defined business vision for Big Data. 
  • Bioinformatics skills do not exist today or are in short supply
  • Understanding the right data to solve a specific business problem
  • Deciding early on if the right data exists to solve a business problem
  • Start small
  • Organize around small data upfront to ensure that Big Data produces reliable outcomes
  • The legal and regulatory environment may not keep up with technical product cycles – limits on trademark and intellectual property will be challenged

 Looking backwards from the future these observations may simply turn out to be speed bumps in the progress towards Big Data.  Unimagined new industries may undoubtedly follow yet much work is needed to build a sustainable framework in support of Big Data.  Failures in Big Data warn us not to become too complacent.

 The art and science of Big Data whether transformational or not is here to stay as a tool for converting data into information.   How we use and build the tools of Big Data will ultimately depend on the infrastructure to support these efforts.


2013-05-12 by: James Bone Categories: Risk Management Seeing Around Corners with Data


The 2010 Flash Crash is a perfect example of the disastrous effects of the unintended circumstances of Big Data and the use of data analytics to perform tasks humans are unable or no longer willing to do.

Traders and investors far removed from algorithmic trading lost thousands if not millions of dollars in a matter of minutes because of unknown triggers that sent the Dow plummeting 600 points. 

Precisely because of these challenges a number of financial engineers are seeking to find ways to anticipate systemic risks in the economy before they happen.   The complexity of algorithmic trading and the interrelationships across global economies and markets will require a better understanding of the cascading effects of these systems.

Andrew Lo, a professor at Sloan Business School and director of MIT’s Laboratory for Financial Engineering, kicked off his talk, called “Measuring and Managing the Complexity of the Financial System,” by showing two charts that neatly illustrate the complexity and interdependency of the current financial system.

“The first shows relationships between various major financial institutions roughly 20 years ago:”

“The second shows the same relationships just 10 years later:”