Tag: Risk assessment

Big Data and Analytics in the Audit Process

Ruby Sharma is a principal at the EY Center for Board Matters. The following post is based on a report from the EY Center for Board Matters, available here.

In today’s business environment characterized by constant disruption, slow growth and uncertainty, boards face more challenges than ever in creating a risk-aware corporate culture and establishing sound risk governance and controls.

In just the last few years, the terms “big data” and “analytics” have become hot topics in company boardrooms around the world.

For many, embracing big data and analytics is crucial to keeping their organization nimble, competitive and profitable. Board members need to understand the complexities and have a grasp of the issues surrounding these technology trends. Equally important, they should be prepared to ask the right questions of the executives in charge of big data and analytics initiatives.

Boards and Internal Audit

Ruby Sharma is a principal with the EY Center for Board Matters. The following post is based on a report from the EY Center for Board Matters, available here.

The role of the board has always been an important and demanding one, but today’s board members face increasingly complex challenges in overseeing an organization’s risk management, including:

  • Demands for greater accountability from investors
  • Increasingly complex regulatory oversight
  • Sluggish economic growth
  • The convergence of industries
  • Disruptive new technologies
  • Scarcity of resources and the effects of a changing climate
  • Human capital and talent management challenges


Broker-dealers: Lock in your Liquidity

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Adam Gilbert, Grace Vogel, Armen Meyer, and Peter Melz.

The credit crisis of 2008 highlighted the criticality of effective liquidity management and demonstrated the difficulties broker-dealers face without adequate funding sources. In response, the Financial Industry Regulatory Authority (“FINRA”) has been taking steps to impose new requirements that will impact many broker-dealers, especially those that hold inventory positions or that clear and carry customer transactions.

Following up on guidance issued in November of 2010, FINRA last month issued new liquidity risk management guidance after a year-long liquidity review of 43 member firms under a stressed environment.


The SEC’s Focus on Cybersecurity

Jessica Forbes is a corporate partner resident in the New York office of Fried, Frank, Harris, Shriver & Jacobson LLP. This post is based on a Fried Frank publication authored by Ms. Forbes, Joanna D. Rosenberg, and Stacey Song.

On September 22, 2015, the Securities and Exchange Commission (the “SEC”) issued a cease-and-desist order (the “Order”) and settled charges against St. Louis-based investment adviser R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1933. [1]

Rule 30(a) requires every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access. According to the Order, from at least September 2009 through July 2013, R.T. Jones stored personal information of its clients and other persons on its third party-hosted web server without adopting any such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the personal information of more than 100,000 individuals vulnerable to theft. In response to the cyber attack, R.T. Jones notified each individual whose information was compromised.


Asset Managers: AML ready?

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Jeff Lavine, Adam Gilbert, and Armen Meyer. The complete publication, including footnotes and appendix, is available here.

On August 25th, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) proposed anti-money laundering requirements for US investment advisers. The proposal requires advisers that are registered with the Securities and Exchange Commission (SEC) to establish anti-money laundering (AML) programs, to report suspicious activities related to money laundering and terrorist financing, and to comply with other sections of the Bank Secrecy Act (BSA).

If finalized as proposed, the impact of these new requirements will vary. Advisers owned by bank holding companies (BHCs) are already subject to similar requirements that are applicable to their BHC parents and enforced by the Federal Reserve. These advisers will nevertheless likely experience an increase in regulatory oversight, as the proposal now allows the SEC to enforce AML requirements.


Cybersecurity: Enter Insurance Regulators

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Chris Joline, Adam Gilbert, Joseph Nocera, and Armen Meyer.

Since issuing its Principles of Effective Cybersecurity last July, [1] the National Association of Insurance Commissioners (“NAIC”) has been making progress in the development of cybersecurity examination manuals. NAIC’s regulatory guidance is intended to help state insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to insurers, insurance producers, and related regulated entities (collectively, “Insurance Companies”).

Given the priority regulators are placing on cybersecurity (including NAIC’s Cybersecurity Task Force) and the continued occurrence of high profile data breaches, we expect that cybersecurity examinations will commence as early as 2016 and will be performed by insurance regulators as part of their standard three-year exam cycle. While NAIC’s examination manuals will act as guidelines for state regulators, actual regulation will vary by state. Thus, Insurance Companies should be tracking state regulatory developments to ensure that their cybersecurity programs are rigorous and all-encompassing.


Corporate Risk-Taking and Public Duty

Steven L. Schwarcz is the Stanley A. Star Professor of Law & Business at Duke University School of Law. This post is based on a draft article by Professor Schwarcz, available here.

Although corporate risk-taking is economically necessary and even desirable, it can also be harmful. There is widespread agreement that excessive corporate risk-taking was one of the primary causes of the systemic collapse that caused the 2008-09 financial crisis. To avoid another devastating collapse, most financial regulation since the crisis is directed at reducing excessive corporate risk-taking by systemically important firms. Often that regulation focuses on aligning managerial and investor interests, on the assumption that investors generally would oppose excessively risky business ventures.

My article, Misalignment: Corporate Risk-Taking and Public Duty, argues that assumption is flawed. What constitutes “excessive” risk-taking depends on the observer; risk-taking is excessive from a given observer’s standpoint if, on balance, it is expected to harm that observer. As a result, the law inadvertently allows systemically important firms to engage in risk-taking ventures that are expected to benefit the firm and its investors but, because much of the systemic harm from the firm’s failure would be externalized onto other market participants as well as onto ordinary citizens impacted by an economic collapse, harm the public.


Operational Risk Capital: Nowhere to Hide

The following post comes to us from PricewaterhouseCoopers LLP and is based on a PwC publication by Dietmar Serbee, Helene Katz, and Geoffrey Allbutt; the complete publication, including appendix and footnotes, is available here.

The Basel Committee on Banking Supervision (BCBS) last month proposed revisions to its operational risk capital framework. The proposal sets out a new standardized approach (SA) to replace both the basic indicator approach (BIA) and the standardized approach (TSA) for calculating operational risk capital. In our view, four key points are worth highlighting with respect to the proposal and its possible implications:

The Risky Business of Cybersecurity

David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing in the areas of mergers and acquisitions and complex securities transactions. The following post is based on an article by Mr. Katz and Laura A. McIntosh that first appeared in the New York Law Journal; the full article, including footnotes, is available here.

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

—National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0

In today’s technology-driven environment, public companies must constantly confront the challenge of cybersecurity, in its complex, varied, and ever-adapting forms. Cybersecurity breaches regularly fill the headlines, the costs of cybercrime are skyrocketing, and the repercussions of corporate cyber-attacks are felt all the way from chief executives to retail customers. President Barack Obama has stated that “the private sector and the government can, and should, work together to meet this shared challenge,” while FBI Director Robert S. Mueller has described “the critical role the private sector must play in cyber security.” As companies become increasingly dependent on networked technology, and as an expanding number of people conduct transactions and other activities online, cybersecurity will continue to grow in importance for the business community, for the global economy, and for society at large.


Understanding and Implementing the NIST Cybersecurity Framework

The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article authored by Mr. Ferrillo and Tom Conkle.

Why the Cybersecurity Framework was created and why it is so important

Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breaches continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.” [1] Despite the boost in security spending, vulnerabilities, threats against these vulnerabilities, data breaches and destruction persist. To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” [2] The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.

