It all starts with what the company is looking to achieve through cloud computing and whether the investment is worth the risk. For example, will the application hosted in the cloud be customer facing and subject to strict regulatory standards? If so, then the risk assessment should include the probability and impact of events such as a data breach or unplanned downtime.

Once the risk assessment has been completed and the investment decision has been made, then a comprehensive due diligence exercise should be conducted. Some vendors may suggest simply relying on their SAS 70 report from their external auditing firm rather than performing a due diligence exercise. While SAS 70 reports are useful, they are not specific to the relationship between the two companies. It is imperative that the following areas are examined in relation to a company’s current information security policies and overall operating expectations.

1. Organizational and Human Resource Security
2. Access Control
3. Asset Management
4. Physical and Environmental Security
5. Operations and Change Management
6. Disaster Recovery and Business Continuity
7. Privacy
8. Regulatory Compliance

Like any other partnership or outsourcing agreement, the time to address potential risks and issues with cloud computing is at the very beginning of the relationship. By doing so, both the company and the vendor will benefit from the opportunity to understand each other’s expectations. It will also serve as the foundation for a successful cloud computing solution.

If your company would like to learn more about performing a cloud computing risk assessment and due diligence exercise, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

ORM software can provide crucial risk self-assessment capabilities that enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators (KRI) and controls. Executives can stay on top of organizational risk activities through dashboards and reports that highlight key risk metrics and policy compliance.

Munich-based Allianz spent much of 2008 and 2009 focused on infrastructure and Pillar I of Solvency II. The company selected OpenPages ORM (Operational Risk Management) for loss data capture, risk self-assessment and quantitative scenario analysis. The operational risk framework involves the introduction of an updated methodology, improved business processes and new IT support systems. The goal is to integrate pragmatic operational risk management techniques in core businesses operations and decision making processes.

Allianz hopes that their efforts for Solvency II will form the basis of a deeper change in terms of building a risk management culture and the ability to generate good business from a risk and return perspective.

To learn how Allianz is managing Operational Risk and Solvency II, read the case study.

The UK’s Financial Services Authority, in a May 2009 policy document, Insurance Risk Management: The Path to Solvency II, warned that “the risks of not developing detailed plans for Solvency II implementation are great.

Firms should have completed or be in the process of completing a detailed gap analysis to identify any shortfalls in expected compliance with the emerging Solvency II requirements, as they bear on their operations.”

A gap analysis should evaluate the current state of an insurer’s risk management system against current risk standards and the desired state. The organization then must develop a roadmap on how to achieve that desired state. Organizations need to evaluate their entire risk management system and how all of its risk areas are being managed.

Given that executive management is charged with ownership of operational risk management and the need to embed it within the organization, many companies are turning to integrated risk management solutions to better understand and proactively manage the risks that can impact the business.

For more information on Solvency II and meeting the Solvency II operational risk challenge, check out this white paper.

I caught up with Chris after his presentation and discussed his experience at OPUS as well as how American Express utilizes the OpenPages technology to create an integrated and converged risk and compliance management program that can streamline and improve its risk management processes.

“Risk managers may have been effective in identifying risks; however, many firms appeared tone deaf to these subject matter experts. If senior management had elevated the risk officer position to one that had direct or even indirect reporting to the risk committee on the board of directors, it may have helped staunch some of the risk taking that occurred. Further, executive management must inculcate a culture of risk management where all employees actively are on guard for risks that exceed the risk appetite of the company. A clear vision of what risks the firm is willing to take must be part of the strategic roadmap, and deviations from that plan must be accompanied by sound analytics and information even if short-term losses of market share and key individuals are likely. A corollary to this recommendation is that risk vision and therefore business strategy must take a long-run view into account in shaping risk direction.”

It is refreshing to see an organization like the Mortgage Bankers Association taking a hard look at what went wrong and how we can work to prevent a similar crisis in the future. However, the report also reminds the reader that a crisis with similar causes occurred only 20 years ago during the Savings & Loan debacle. In the aftermath of that crisis, the U.S. Congress passed major legislation in the form of the Federal Deposit Insurance Improvement Act of 1991 (”FDICIA”). For those who may not know, FDICIA included internal control provisions for financial institutions that served as the predecessor of Section 404 of the Sarbanes-Oxley Act of 2002. During the late 90’s, these provisions evolved into a bureaucratic exercise for financial institutions that resulted in little or no value for risk management purposes. For those companies that are following the same path with Sarbanes-Oxley compliance, the end result could be the same. And, as we know now, the result can be disastrous.

And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten year period. In a number of instances so called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.

What’s perhaps most disturbing is that the reports say this wasn’t a lower and middle management activity, but involved “important executives” including heads of overseas sales divisions, and more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also says the complaint points to “a lack of central oversight over foreign operations.”

It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.

© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.

While steeped in history and tradition, Old Mutual has a progressive approach to risk management which includes a ‘risk governance framework’ based on a ‘three lines of defense’ model:

• functions owning and managing risk
• functions overseeing the management of risk; and
• functions providing independent assurance.

Old Mutual recently adopted OpenPages Operational Risk Management (ORM) to improve its enterprise-wide risk management efforts. OpenPages ORM is being used by numerous global organizations like Old Mutual to manage risk through self-assessments, end-user surveys, automated workflow and executive dashboards that provide management with the visibility, control and decision support required to understand and manage risks throughout the organization.

He explained how explicit frameworks enable structured board discussions through a consistent and common approach, whereas implicit frameworks rely on “corporate culture and deep experience.”

In his session, Mr. Neels also detailed how multiple stakeholders use frameworks for ‘decision making, reporting and escalation’ and in particular, how the Board uses frameworks to:

• Provide an objective yardstick or measure
• Create a basis for understanding
• Identify situations and areas that need attention
• Highlight areas doing well
• Help differentiate between expected and unexpected 

The discussion then moved to how “driving board attention to the right areas can be difficult” as board reporting is often a “laundry list of potential risks, current issues and decision requests.” He stated, “Without a framework you have everything coming in at once without context.”  He then offered several suggestions for preventing information overload:

• Specific and quantifiable tolerance measurement is critical to driving board attention to the right areas
• Set your risk appetite
• Create a risk framework
• Determine standard metrics and KRIs
• Establish risk tolerances
• Establish risk limit

The goal according to Matthew is to establish a “common scale that enables cross-category comparisons and risk aggregation.”

All GCOR 2010 presentations will be made available at: http://www.rmahq.org/RMA/GCOR_Presentations

• We must work to develop and normalize operational risk management and measurement
• Outreach is critical: there is a lack of understanding or a misunderstanding regarding the nature and impact of operational risk
• Governance: the risk function must have sufficient stature and authority to take action against questionable practices (in other words they must have a seat at the table)

Mr. Valine also outlined how during 2002-2008, losses realized from the following events totaled $42b!

• Enron, WorldCom, Adelphia scandals
• Late mutual fund trading
• Overdraft and credit card excessive fees
• Auction rate securities
• Mortgage fraud

Of course this makes the Madoff scandal at $65b even more troubling (note: Harry Markopolos will provide an in-depth review of the factors that enabled Madoff and how to prevent similar fraud in the future in his Keynote Address at OPUS 2010). Yousef emphasized that 45% of the loss amount ($19b) was the result of loss events in “Client Products and Business Practices” and that while it represented 45% of losses, the number of events (frequency) only represented 11% of total. Conversely, “Execution, Delivery and Process Management” represented 35% of frequency but only a fraction of the dollars lost. Ultimately, organizations need to consider severity versus frequency when reviewing loss events and mitigation practices.

Stay tuned for more from GCOR 2010.