Risk Management Trends for 2010: James Pajakowski, Protiviti
James Pajakowski, EVP of Global Risk Solutions with Protiviti, shares his insight on:
Pajakowski oversees the delivery of Protiviti's services in the areas of finance and transactions, operations, technology, litigation, governance, risk, and compliance. He previously served as managing director and head of the Business Risk practice. He also was one of five founding members of the Protiviti Operating Committee, which was responsible for establishing Protiviti's vision and strategy and overseeing financial and administrative matters during the company's first five years. Prior to Protiviti, Pajakowski was a partner with Arthur Andersen, where he started his career in 1982. He has more than 25 years of professional services experience working with both public and private companies in manufacturing, public utilities, professional services and other industries.
TOM FIELD: What are the major risk management trends as we go into 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with James Pajakowski, Executive Vice President with Global Risk Solutions with Protiviti. Jim, thanks so much for joining me.
JAMES PAJAKOWSKI: You're welcome.
FIELD: Just to give people a little context for this conversation, why don't you tell us a little bit about yourself, your background, and your role at Protiviti?
PAJAKOWSKI: Great. I have over 25 years of professional service experience, Tom. I started out with Arthur Andersen; I was a partner there until 2001, and at that time I helped found Protiviti, which is a wholly owned subsidiary of Robert Half. I have been in a few leadership positions at Protiviti since its inception, but currently as you mentioned I am Executive Vice President for Global Risk Solutions.
At Protiviti, we provide internal audit and financial control services, and also we provide a variety of consulting services, and I am responsible for the consulting side of that equation on a global basis.
FIELD: Very good. Let's go back to the question I started out here with, which is risk management. What do you see as the as the major trends as we head into 2010?
PAJAKOWSKI: Well I see a few major trends. First of all, risk oversight of the board is a topic that you are seeing a lot of publishing and discussion about. When you talk to board members, particularly audit committee members, it's a topic that they are very interested in discussing.
We see a lot more requests from boards for help in enterprise risk management or enterprise risk assessment in helping organizations do a better job of that, so that the requests oftentimes come from boards to management, and management is coming to us, and so that is telling us that is this issue of risk oversight that is getting a lot of attention. So that is one trend we see. The second trend we see is that companies are really starting to think about how they might change their planning, budgeting and forecasting process and do a couple of things: one, make them a lot more flexible and a lot more responsive. The idea of an annual sort of fixed operating plan for the year kind of got blown away last year when the economy changed so rapidly on people and all of the sudden they were stuck with annual plans that were largely meaningless given how much change had impacted their businesses.
In addition to that, they want to start injecting more risk into the planning, budgeting and frankly strategy processes that even front end that whole process -- more than they have in the past. So, that is big trend; more flexible plans, more risk enabled plans, or more intelligent plans.
The third area is liquidity. And organizations have done--even though I said what I said about planning, they still build their plans around earnings, and earnings forecasts are still much superior to what they were able to produce in terms of their budgets and their forecasts around cash flow. And not only cash flow in terms of the cash flow the business could generate, but also the cash obligations that they had coming, and many organizations found themselves in a liquidity crisis that they have never found themselves in in the past. So, understanding liquidity and understanding liquidity risk has been a big deal and will be a big deal over the next couple of years. Fourth, I would say, is the impact of compensation plans on risk taking and effective risk management. And the Federal Reserve has put out a draft, printouts that are out for public comment right now and others are looking at it, the SEC has a draft out there for proxies talking about greater disclosure on both compensation plans as well as risk management activities within an organization. So this idea of what is compensation, how are compensation plans incenting management and are there other ways that they are incenting them to do things that take too much risk, be too aggressive, that is getting a lot of discussion.
I think the next area would be the impact of models on decision-making and risk taking within their organization. And are the governance processes around those models, or the controls around those models adequate; have the assumptions that underpin the models, are they properly understood? Have they been evaluated? Do they make sense? I think some of the mortgage crisis issues have caused people to look back and say 'You know, the models that were being used for decision-making purposes really weren't--they were modeling history as it was but weren't considering the changes or all of the dynamics that could happen, and they weren't stress tested enough, and therefore they let people down.' And so people are going to be looking at that really hard going forward.
And then, finally, I think IT risk in managing the complexity of technology today, but also addressing the risks of security and privacy, which really has been from a couple of different angles. One is the organization and the sophistication of the criminal community in terms of the hacking activity that takes place today has really advanced in the last couple of years and is very targeted, pinpointed attempts to go after private data, and organizations need to respond to that, and that has increased a lot.
And I think the other thing is that the amount of private information, and you have got all the healthcare reform going on and the movement toward electronic medical records -- you know, the changes in that industry are just going to significantly increase the importance in the risk and the manner in which you protect all of that information that will be out there. So, I think those are some major trends that we see.
FIELD: Now, Jim, you have got the benefit of seeing different challenges. You get to see different organizations in different industries; do you see different challenges across the different industries?
PAJAKOWSKI: I think there is a combination of the common challenges across all industries, and some of those are the ones that I just mentioned to you. But then you have unique aspects within individual industries and the amount of change that those industries are going through so...you know, in banking and in financial services there is going to be a lot more regulatory reform over the next couple of years that people are going to need to respond to. And I think that is a major trend, although I didn't mention it earlier, but just the complexity and the amount of regulatory requirements that have been put on companies and how to manage and keep up with that and make sure it doesn't overwhelm the organization. So that is a big deal.
I think the model risks that I mentioned will have greater implication to certain industries that rely more on models, and banking and insurance companies and the like have great reliance on models, and so it impacts them more significantly.
IT privacy and security in healthcare, I mentioned that, but also in banking, retail -- anybody that has access to a lot of private information that would be valuable to somebody is more exposed there. I think retail from a liquidity standpoint, I think they saw a lot of the liquidity risks that I mentioned earlier in the overall trends, and there is a lot of change going on in terms of their ability to borrow money. They had a greater capacity for unsecured borrowings in the past, and they are now being required to go to more asset-based loans, and so that is putting infrastructure requirements on them that they haven't faced in the past in terms of being able to manage an asset-based portfolio of loans that they haven't had to use in the past. So those are some trends that I see that impact different industries in different ways.
FIELD: Let's bring it back to the information security organizations, Jim. What does that group have to do to help their organizations meet some of these challenges?
PAJAKOWSKI: For information security, I think, you know I mentioned earlier that the folks trying to access private information or sensitive information in organizations have gotten more sophisticated, so that IT security functions within companies have to get more sophisticated and have to continually look at and access a couple of things.
One is: What is the information that they have that is most sensitive? So there has to be a risk assessment, and they try and know what is it that they possess, information that you possess that would be most sensitive and most valuable and would create the most risk for the organization if it were compromised. So that is number one. And then, two, you have got to figure out where it is. A lot of time people don't realize how many different, disparate places that information exists. And then finally you have got to figure out how could it be compromised, and what could you do to put controls or protect it? And then you continually have to reevaluate that because things change. I think the final point is that there has to be a realization that in today's IT world, everything is connected. So you may be able to put protection around a particular server or aspect of an area of your IT operation, but you have to realize that everything is connected these days for the most part and it could be accessed from a lot of different places so you have got to take that into consideration as you put together your protection plan.
FIELD: So, Jim, given the complexity and the added challenges, what do the individual information security professionals need to do to better prepare themselves to tackle these challenges?
PAJAKOWSKI: Well, I think one is keep up. So you know, talk to others and stay connected with the broader IT community and share information; benchmark others, understand what other people are doing stay current; I think that is one really important thing. I think the second thing is understanding the business. So, it is not just a technology issue, it is a business issue ,and it is really important to understand the underlying business operations and what changes are happening with the business. What direction is it going, and what impact does that have on the technology responsibilities that they have?
Too often people get stuck in getting really technically deep in their area, but not sometimes stepping back and understanding how their technical jobs affects or fits in to the bigger picture of the organization from a business point of view.
FIELD: So, if we take a step back and you start of draw upon your experience Jim, what would you say is most misunderstood today about risk management?
PAJAKOWSKI: So, what is most misunderstood today about risk management, I would say that is one, that you can eliminate all risk in an organization. If you do that you are probably also going to eliminate all upside. So you have to live with risk, and it is just part of the equation, you know, risk and return; we sort of learn that the first day in business class. Sometimes people want to separate those two, and you have to realize that sort of managing the business is managing the risk of the business, and entering into business is entering into risk.
And so I wouldn't be scared of it; I wouldn't try to eliminate it all because you can't. But I do think there is an extraordinary responsibility on those responsible for managing the business for understanding, evaluating and elevating and bringing transparency to the risks that they face, and it is not a bad thing. It's not something that should be hidden, not discussed, people to be afraid of; it is just the reality that exists when you are in a business venture.
If you don't have risks, you probably don't have return. And that is what I would say, and I think that has changed a lot. I remember 10 years ago if you brought up the topic of risk with the Chief Executive Officer, they normally got very uncomfortable and they thought 'Yeah, here we go we'll have a negative conversation.' Now they bring it up, and they want to talk about it because they realize it is just an inherent part of business. And those that understand their risks better and bring them out and discuss them in an open way in their organization and aren't afraid of them, aren't afraid of the fact that risks exist and you need to manage it, you know, do better, and so I think that has evolved a lot in the last five to ten years.
FIELD: One last question for you, Jim. You have been in the field for a number of years now. If you were to offer career advice to somebody entering the field today, where should they start?
PAJAKOWSKI: You know, you could start at a number of different ways, in a number of different places. I would just suggest that wherever you start, be intellectually curious and take the opportunities to not only -- you know, I always tell everybody that starts at our firm, I end up giving them a presentation because we have a central school they come to and they all go there, and I always tell them, 'Look at yourself as a financial asset because you probably are the single most important financial asset for producing future cash flows that you have. Unless you have a large trust fund, you are going to be the biggest asset producer or income producer going forward, and look at yourself from not only an income statement perspective, but also from the balance sheet.' The balance sheet for an individual is their knowledge and their capabilities and their skills, and make sure that when you come into your career and you are working, that you are building up your balance sheet as much as you are your income statement. The balance sheet is developed by what you learn, and what you learn is usually the curiosity, the questions, and in any job you can step back and turn it into a mini case study of the business. And if you do that, you are going to learn a lot about business, and people lose that opportunity everyday because they put their head down and they just get the task in front of them done. They don't just take what could be a few moments to reflect on what they are learning.
FIELD: Very good, Jim. I appreciate your time and your insight today.
PAJAKOWSKI: You are welcome. Thank you.
FIELD: The topic has been risk management and we have been talking with Jim Pajakowski with Protiviti. For Information Security Media Group, I'm Tom Field. Thank you very much.