CSA Sentinel - The Institute Of Internal Auditors

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Volume 8 · No. 3 · October 2004

According to Mike

Michael Pidzamecky, CMA, CFE
Senior Audit Consultant
Desjardins Financial Security
Toronto, Canada

The "X Prize" in ERM.


Prior to attending The IIA's Enterprise Risk Management and Control Self-assessment conference in Las Vegas this past September, where I also was a speaker at a pre-conference forum with Dave Harmon, director of financial management programs at the University of California Los Angeles, I was a little skeptical about the relevance of this year's conference. In this pivotal year of reporting under the requirements of the U.S. Sarbanes-Oxley Act of 2002 and the recently finalized Committee of Sponsoring Organizations of the Treadway Commission (COSO) enterprise risk management (ERM) framework, I wondered just how much more a person could learn about control self-assessment (CSA) and ERM. To me, it seemed that there is only so much to say about the subjects.

I am happy to say, however, that I was wrong. It was an eye-opening experience to see that practitioners have reached the point where words have been put into action and practice, and the times of lecturing, pondering, and debating have passed. Almost every conference session I attended provided information based on practical application, rather than theory. 

For example, the speakers from Prudential Financial looked in-depth at how their CSA ERM program is executed, helping their organization meet not only the needs of Sarbanes-Oxley, but of Basel II and other compliance requirements. In the presentation by General Motors Acceptance Corp., the practitioners were able to clearly define risk in terms that any business-minded person could understand, giving relevant examples of people risks, process risks, technology risks, and external risks.

In the Telus presentation, it was fascinating to see how this Canadian company has developed such an extensive annual risk and control assessment program. Its approach helps it not only meet its Sarbanes-Oxley requirements, but leads to greater management awareness of risk and controls, better planning and allocation of resources, and provides an improved foundation for the Telus audit plan.

Throughout the conference, I also could see that many of the elements of the new COSO ERM framework are being integrated into various companies' approaches. However, the one element that appears to be eluding everyone is effective monitoring. Yes, a plethora of vendors peppered the conference with good software applications that assist in the accumulation, analysis, and presentation of qualitative data from a control and risk evaluation program. However, the programs don't offer automatic real-time monitoring of quantitative data within an organization's data warehouse. They lack an ERM system that maps key risk indicators and risk appetite and tolerances to the organization's various administrative and financial systems to enable data mining to provide a scorecard on how well the company's mitigation efforts are working.

When looking at the new COSO ERM framework model, the monitoring element is at the base of the cube. In my view, this was done deliberately to signify that monitoring processes are the foundation for all ERM programs. Without effective, efficient, and timely monitoring, management cannot be held truly accountable for managing and controlling both the human and automated actions and processes within an organization. In my opinion, to have a monitoring system that will do this should be the quest of executives, risk officers, and auditors in today's turbulent financial world.

So, I have been doing some thinking. As risk professionals, we need an ERM system that will allow the collection of qualitative data to identify risk and controls that can be managed and monitored within all organizations. It has to be scalable to any size organization and have the ability to work on any information technology platform. It must be user friendly and able to easily mine data through the organization's systems, as well as provide reliable, real-time data on risk indicators to help manage risk and controls within the organization. While at the conference, both in and out of the sessions, I kept asking, is there such a system? The answer provided by vendors and practitioners was overwhelmingly "no," although many vendors said they are in the process of developing such a feature — but it's at least three years away. Unfortunately, we need it sooner rather than later.

My first thought was that I could probably send myself into outer space before such a system is developed, and that's when it hit me — why not have an "X Prize" for the development of such a system? Some of you may have already heard about another "X Prize." It is made up of 24 teams from around the world who competed for a US $10 million prize to be the first non-government group to successfully launch a reusable manned commercial space vehicle to, and from, outer space.

Now I personally cannot contribute $10 million for the ERM X Prize, but perhaps government, regulatory, professional bodies, and even corporations could come together to set out the specifications and financial reward to spur the development of this dream ERM system. Without such a system, we will not have the true ability to monitor and manage risk in our organizations.

So, I am willing to donate $50 to this cause to start the ball rolling. Anybody else willing to go along with me on this one?
