Tag: Risk


The Influence of Board of Directors’ Risk Oversight on Risk Management Maturity and Firm Risk-Taking

The following post comes to us from Christopher Ittner of the Department of Accounting at the University of Pennsylvania and Thomas Keusch of the Department of Business Economics at Erasmus University Rotterdam.

A variety of external events, including inquiries into the causes of the 2008 financial crisis and changes in regulations and listing rules, have fostered rising expectations that boards of directors will exert greater oversight of their organizations’ risk management processes. The primary impetus behind these external pressures is the belief that stronger board oversight of risk management processes will lead to substantive improvements in risk management and more informed risk-taking. Many observers, however, argue that board members often lack the time, skills, and information necessary for effective risk oversight. They contend that the adoption of governance practices advocated or mandated by external parties is often window-dressing. On this view, board risk oversight will have little effect on companies’ risk management practices or risk-taking.

Key Points From the 2015 Comprehensive Capital Analysis and Review (CCAR)

The following post comes to us from Dan Ryan, Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP, and is based on a PwC publication by Mike Alix, Steve Pearson, and Armen Meyer.

The 2015 stress test results published on March 11th as part of the Federal Reserve’s (“Fed”) CCAR follow last week’s release of Dodd-Frank Act Stress Test (“DFAST”) results. [1] CCAR differs from DFAST by incorporating the 31 participating bank holding companies’ (“BHC” or “bank”) proposed capital actions and the Fed’s qualitative assessment of BHCs’ capital planning processes. The Fed objected to two foreign BHCs’ capital plans and one US BHC received a “conditional non-objection,” all due to qualitative issues.

Cybersecurity and Privacy Diligence in a Post-Breach World

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo and Randi Singer; the complete publication, including footnotes, is available here.

“By the time you hear thunder, it’s too late to build the ark.”
— Unknown

In November 2014—just two weeks after Admiral Michael Rogers, director of the National Security Agency, testified to the House Intelligence Committee that certain nation-state actors had the capability of “infiltrating the networks of industrial-control systems, the electronic brains behind infrastructure like the electrical grid, nuclear power plants, air traffic control and subway systems”—Sony Pictures announced it had experienced a major cyber-attack, one many sources believe was likely perpetrated by or on behalf of a nation-state. This destructive cyber-attack was a game-changer for corporate America because it became clear that hackers are not simply focused on credit card numbers or personal information. Indeed, the attack on Sony was designed to steal the Company’s intellectual property, disseminate personal emails of high-ranking executives, and destroy Sony servers and hard drives, rendering them useless.

2014 Year-End Review of BSA/AML and Sanctions Developments

The following post comes to us from Sullivan & Cromwell LLP, and is based on a Sullivan & Cromwell publication by Elizabeth T. Davy, Jared M. Fishman, Eric J. Kadel Jr., and Jennifer L. Sutton; the complete publication is available here.

This post highlights what we believe to be the most significant developments during 2014 for financial institutions with respect to U.S. Bank Secrecy Act/anti-money laundering (“BSA/AML”) and U.S. sanctions programs, including sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and identifies significant trends. The overarching trend that is likely to continue for the foreseeable future is an intense focus on BSA/AML and sanctions compliance by multiple government agencies, combined with increasing regulatory expectations and significant enforcement actions and penalties.

Corporate Risk-Taking and the Decline of Personal Blame

Steven L. Schwarcz is the Stanley A. Star Professor of Law & Business at Duke University School of Law.

Federal agencies and prosecutors are being criticized for seeking so few indictments against individuals in the wake of the 2008 financial crisis and its resulting banking failures. This article analyzes why—contrary to a longstanding historical trend—personal liability may be on the decline, and whether agencies and prosecutors should be doing more. The analysis confronts fundamental policy questions concerning changing corporate and social norms. The public and the media perceive the crisis’s harm as a “wrong” caused by excessive risk-taking. But that view can be too simplistic, ignoring the reality that firms must take greater risks to try to innovate and create value in the increasingly competitive and complex global economy. This article examines how law should control that risk-taking and internalize its costs without impeding broader economic progress, focusing on two key elements of that inquiry: the extent to which corporate risk-taking should be regarded as excessive, and the extent to which personal liability should be used to control that excessive risk-taking.

FSOC: Are Asset Managers’ Products and Activities Creating Systemic Risk?

The following post comes to us from Debevoise & Plimpton LLP and is based on a Debevoise & Plimpton Client Update.

In connection with its ongoing evaluation of the asset management industry, the U.S. Financial Stability Oversight Council (the “FSOC”) recently issued a notice seeking public comment (the “Notice”) on whether asset management products and activities may pose potential risks to U.S. financial stability. [1] Specifically, the FSOC seeks comment on the systemic risks posed by: (1) liquidity and redemption practices; (2) use of leverage; (3) operational functions; and (4) resolution, i.e., the extent to which the failure or closure of an asset manager, investment vehicle or an affiliate could have an adverse impact on financial markets or the economy. Comments on the Notice must be submitted by February 23, 2015; and we are working with several clients to prepare and submit such comments. This post summarizes some of the FSOC’s key concerns and questions outlined in the Notice.

Changing the Cyber Security Playing Field in 2015

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo; the complete publication, including footnotes, is available here.

“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working—and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”

— Author Brian Krebs, Dec. 20, 2014.

“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”

— Professor Bruce Schneier, Dec. 19, 2014.

Without a doubt, the last month in the world of cyber security has been tumultuous. Two companies in the United States have now been identified as potential targets of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have both delivered the same message: it is time for U.S. corporations to take this stuff seriously.

Ownership Structure, Voting, and Risk

The following post comes to us from Amrita Dhillon, Professor of Economics at King’s College London, and Silvia Rossetto of the Toulouse School of Economics at the University of Toulouse.

In our paper Ownership Structure, Voting and Risk, forthcoming in the Review of Financial Studies, we investigate the interaction between the ownership structure of publicly traded firms and their risk profiles. In particular, we show how the potential for conflict of interest between shareholders on risk decisions may cause the emergence of activist mid-sized investors. In turn, ownership structure affects the risk decisions that firms make.

It is natural to believe that the choice of how many shares to hold in a company is a trade-off between diversification and control: a large stake brings control at the cost of diversification. Many firms, however, have mid-sized shareholders who are neither well diversified nor in control. For example, in the United States (where it is widely agreed that regulation favors dispersed ownership), 67% of public firms have more than one shareholder with a stake larger than 5%, while only 13% are widely held and 20% have only one blockholder (Dlugosz et al., 2006). In Europe (where concentrated ownership is the norm), in eight of the nine largest stock markets of the European Union, the median size of the second largest voting block in large publicly listed companies exceeds five percent (data from the European Corporate Governance Network). Why do such mid-sized shareholders emerge?

The Importance of a Battle-Tested Cyber Incident Response Plan

The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on a Weil Alert authored by Mr. Ferrillo.

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014. [1]

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014. [2]

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014. [3]

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. [4] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems [5] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?

Cyber Security, Cyber Governance, and Cyber Insurance

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and Christine Marciano, President of Cyber Data Risk Managers.

JP Morgan Chase. Community Health Systems. The Home Depot. Kmart. There has been no shortage of data breaches in recent weeks, with new developments on an almost daily basis. The age of cyber hacktivism, cyber extortion, and cyber terrorism is here, and it is not going away any time soon.

Data security issues are no longer just an IT Department concern. Indeed, they have become a matter of corporate survival, and therefore companies should incorporate them into enterprise risk management and insurance risk transfer mechanisms, just as they regularly insure other hazards of doing business. As the number of data breaches has increased, demand for cyber insurance has grown faster than demand for any other insurance product in recent years. Every board of directors should be questioning its officers and management as to “whether or not its company should be purchasing cyber insurance to mitigate its cyber risk.” If management answers, “Oh, it costs too much,” or “Oh, it will never pay off,” second opinions should be obtained. Rapidly. Because neither answer is correct.
