According to Mike
Looking Into the Crystal Ball
By Michael Pidzamecky, CMA, CFE
Director, ERM and Compliance Services
I usually prefer writing with a smile, but last year held more challenges than laughter for much of the world, as well as for me personally. Always the optimist, however, I dust off my fortune-teller's turban and gaze into my crystal ball — otherwise known as my goldfish bowl — to see what lies ahead for control self-assessment in 2006.
First to appear through the mist is a busy year for the U.S. justice system. In 2006, more executives of U.S. companies will be accused of fraudulent activity and face possible prosecution. They will most likely try to stave off convictions with claims that they did not know — or were not told — about the illegal activity of their subordinates. As the mist further clears in my crystal ball, I am shocked to see the foreperson of a jury declare each corporate defendant "not guilty." Although some will say they were truly ignorant of how their employees, management teams, and operation systems were malfunctioning, others will be getting away with unadulterated malfeasance. The IIA's 2005 Risk and Control Conference highlighted this prevalent scenario and focused on some of the more common chinks in companies' armor.
In two separate sessions, organizations at the conference revealed that one of the most surprising risks uncovered through their risk-assessment workshops was a lack of strategic oversight over contract commitment. Not factoring contracts into the company's strategy poses the question: Do you really know what contracts your staff and management have committed your company to and how they may affect your future finances and/or operations? According to the conference speakers, senior executives often had no idea what commitments were being made by their departments. In one case, it was discovered that a company's subsidiary entered into a contract that was deemed unacceptable to its corporate office. The entire operation was shut down the day after the assessment because risks resulting from the venture would have gravely impaired the stability of the company.
When the mist is gone, I can see that the executives on trial really did not have any idea about the misdeeds of those for whom they are responsible. They are truly ignorant of important operational facts — facts that could have been disclosed if a proper and well-functioning ERM program had been in place. Consequently, I see them paying a heavy fine for their lack of knowledge … wait … no, I see them losing their jobs … uh, oh — the crystal ball never lies — I see them going to jail!
So for those of you out there who don't want to be the next newspaper headline, I suggest you start thinking about ERM and, in particular, how you can inform your executive team of risks they should be aware of before it's too late.
Show Them the Way and They Will Come
As the guilty executives are clouded from my view, the haze parts on another vision of the future: IIA leaders at the 2006 Risk and Control Conference making presentations about how The IIA uses CSA and ERM programs internally. Okay, so maybe I'm pushing an agenda here.
In my new role of providing ERM and compliance consulting services, I have met with executives from many organizations. Our discussions have centered on the development and implementation of CSA and ERM programs to meet not only the requirements of the U.S. Sarbanes-Oxley Act of 2002 and other regulations around the world, but also new stakeholder demands for better overall, enterprisewide internal control and risk management.
However, the dilemma is no one really wants to be the leader. I can understand this phenomenon, given the fact that the first round of Sarbanes-Oxley compliance was an onerous and expensive undertaking because of a lack of standardized guidance and practice. Although many can visualize the output — tantamount to a paper version of Mount Everest — and are cognizant of the resources necessary to implement Sarbanes-Oxley mandates, they really don't comprehend the benefits their organizations have derived from these new practices — or even know if they are carrying them out effectively.
The same problem is happening with CSA and ERM. People understand what they are about, and they have some awareness of the potential benefits. However, they are hesitant to step out and begin because there is no shining, standardized public example that could serve as a benchmark. They do not want to waste money and time; they want it to be right the first time.
I'd like to see The IIA take up the challenge and use its research and education resources to implement within the organization a program of CSA and ERM — a program that will demonstrate to members and their organizations that The IIA is applying the very measures it counsels other organizations to adopt. If The IIA leads the way through practical application, I believe CSA and ERM will be more readily accepted and put into practice by the outside world.
The Must-have in 2006
The last thing I see in my crystal ball is the push toward elevating ethics on a personal and organizational level. In past columns I have written about some of the reasons for the great financial debacles of the last few years. They resulted from root rot that penetrated deeper than a mere lack of internal controls. The paucity of sound ethics created a toxic environment in which internal controls could be circumvented. With the establishment of Sarbanes-Oxley and sundry compliance programs, the vast majority of organizations have implemented codes of conduct and ethics hotlines — also known as whistleblower programs.
All of these programs are important, but they are only tools. The real need is to develop training and self-assessment programs specific to ethics so that these tools can be effectively assimilated into an organization's corporate culture. We need to train people to understand what ethics is, how it affects individuals and organizations, how to determine when the "ethical line" has been crossed, and how to rectify breaches.
I see 2006 as the year that starts the adoption of CSA and ERM as the primary foundations for good business practices throughout all organizations. Let's hope I am not wrong. I wish all of you a very prosperous and healthy year.
Michael Pidzamecky, CMA, CFE, is an independent consultant providing internal audit, enterprise risk management, and compliance solutions. He is currently under contract with Resolver Inc. as director of ERM and compliance services. Pidzamecky has developed several self-assessment approaches, presented sessions for IIA courses and conferences, and has written questions for the Certified Control Self-assessment exam.