Archives: Enterprise Risk Management


Cyberfraud Victims May Have Violated SEC Internal Control Requirements: Adding Insult to Injury

Just when you thought the hazards of cyberfraud couldn’t get worse, the SEC recently issued a Report of Investigation (more on that later) stating that nine recent corporate victims of cyberfraud may have compounded their problems by having insufficient internal accounting controls. Specifically, the SEC focused on Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange …

The DOJ’s Latest Compliance Program Warning

U.S. Deputy Attorney General Rod Rosenstein recently announced the Department of Justice’s revised FCPA Corporate Enforcement Policy. The revised Policy is based on the DOJ’s FCPA Pilot Program (in place since April 2016), which provided mitigation credit for voluntary reporting of wrongdoing and specified levels of cooperation and remediation in connection with the resulting investigation. …

The FTC's New Data Breach Response Guide (and a Reminder)

The two-pronged mission of the Federal Trade Commission is to protect consumers and promote competition. According to the FTC’s website, protecting consumers includes “stopping unfair, deceptive or fraudulent practices in the marketplace,” which these days necessarily includes data security. To that end, the FTC recently published a user-friendly response guide for organizations that have experienced …

Sustainability Reporting Gains Momentum

A couple of years ago I suggested that companies should consider adding new, or enhancing their existing, sustainability disclosures. (See this Doug’s Note.) The trend toward sustainability (frequently known as “ESG” for environmental, social and governance) disclosure was picking up steam at that time, and has mushroomed since then. A recent speech by SEC Chair …

The Fundamentals of Social Media Communication Compliance

Communication via social media is now standard practice, to some extent, at almost all public companies. What once seemed limited to technology and other “forward-thinking” companies has now made its way into even the most traditional businesses. The SEC, and other affected agencies, have long struggled to stay on top of the breakneck pace of …

The PCAOB's Enhanced Auditor Performance Standards–Be Sure You're Ready

A little over a year ago the PCAOB issued new Auditing Standard No. 18, which enhanced auditor performance standards in three significant areas of a company’s audit: Company relationships and transactions with related parties, “Significant unusual transactions,” and Company relationships and transactions with its executive officers. These three areas were selected because of the frequency …

Cybersecurity at Small and Midsize Businesses

Cyberattacks against the country’s largest companies tend to garner the most press coverage and generate the most cybersecurity anxiety. For example, such high profile companies as eBay, JP Morgan, Home Depot and Target are often cited as examples of particularly spectacular cybersecurity breaches involving millions of customers. The temptation is to assume that cyberattackers focus …

Addressing Cybersecurity in Board Committee Charters

As boards of directors have become more focused on their fiduciary duties to oversee cybersecurity, new governance practices have begun to develop. For example, many companies have shifted cybersecurity oversight from the audit committee, which has more than enough other responsibilities, to the full board or to a risk oversight committee formed for that purpose. …

Data Breach Preparedness Continues to Lag

A recent study by an independent research institute suggests that the increase in companies’ efforts to prepare for data breaches may not be keeping up with the increased risk. A September 2014 report by Ponemon Institute LLC concludes that many companies remain “deficient in governance and security practices that could strengthen their data breach preparedness.” …

Using Board Executive Sessions to Manage Enterprise Risk

Boards of directors are now thoroughly immersed in enterprise risk management, so much so that separate risk oversight board committees are fast becoming common practice. (See this Doug’s Note.) Boards and management continue, however, to work out the logistics of their respective roles and how best to coordinate their risk-related efforts. Certainly careful board/management coordination …

Why Lawyers Should Care about the New COSO Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 1992 Internal Control—Integrated Framework has long been recognized as the starting point for designing, implementing and conducting internal control. As most of you now know, the Framework was updated for the first time in May 2013. (See this Doug’s Note.) …

Risk Oversight Committees–An Idea Whose Time Has Come

Earlier this year I wrote that directors have become much more educated in recent years about enterprise (not just financial) risk management and about their fiduciary responsibility to oversee ERM effectiveness. (See this Doug’s Note.) Directors are asking management to answer specific, substantive questions about how the company’s ERM functions and how they can (or …

Board-Level Risk Management–Bridging the Gap

The pendulum of board-level risk management has shifted. For many public companies, intentional risk management has evolved in recent years from virtually nonexistent to finance department driven (focusing on internal control) to operating segment driven (involving division heads and the various compliance functions) (see The Link Between Risk Management and Compliance). At the board level, …

Crisis Management

This winter edition of our Public Company Forum newsletter addresses a variety of topics, ranging from fine tuning disclosure controls and procedures for the new conflict minerals rules, to making sense out of the hodgepodge of rules regarding director independence, to a tip regarding responding to SEC comment letters. Also in this edition, Andrea Chomakos, …