Executive Perspectives on Top Risks for 2013 - … Across Industry – Top Risks Risk Issues Overall...

Executive Perspectives on Top Risks for 2013 Key Issues Being Discussed in the Boardroom and C-Suite

© 2013 2

Introduction

• Protiviti and North Carolina State University’s ERM Initiative surveyed more than 200 board members and C-suite executives on risks likely to affect their organizations over the next 12 months

• The survey provides perspectives on the potential impact of 20 specific risks across three dimensions:

– Macroeconomic Risks: Likely to affect organization’s growth opportunities

– Strategic Risks: Likely to affect the validity of the organization’s strategy for the pursuit of growth opportunities

– Operational Risks: Likely to affect key operations of the organization in executing its strategy

Survey Methodology

• Respondents were asked to rate 20 individual risk issues using a 10-point scale:

– A score of 10 reflects Extensive Impact to their organizations over the next year

– A score of 1 reflects No Impact at All

• Based on average scores, the risks were categorized into one of three classifications:

– Significant Impact: Risks with an average score of 6.0 or higher

– Potential Impact: Risks with an average score of 4.5 through 5.9

– Less Significant Impact: Risks with an average score of 4.4 or lower

Survey Respondent Breakdown

Organization Size

• Revenues $10 billion or greater: 15%

• Revenues $1 billion to $9.99 billion: 34%

• Revenues $100 million to $999.99 million: 36%

• Revenues less than $100 million: 12%

Executive Position (Top 5 Respondent Groups)

• Board Member: 9%

• Chief Financial Officer: 14%

• Chief Risk Officer: 20%

• Chief Audit Executive: 26%

• Other C-Suite: 21%

Industry (Top 5 Respondent Groups)

• Financial Services: 28%

• Consumer Products and Services: 19%

• Industrial Products: 13%

• Healthcare and Life Sciences: 12%

• Technology, Media and Communications: 11%

Top Risks – Overall

Overall Risk Concerns for 2013

The top risk is concern that regulatory changes and heightened regulatory scrutiny may affect the manner in which the organization’s products and services will be produced or delivered, indicating concerns that regulatory challenges may affect strategic direction

The next highest-rated risk areas are concerns about overall economic conditions restricting growth, as well as concerns about uncertainty surrounding political leadership affecting U.S. and international markets

Other top areas of concern include the ability to grow organically through customer acquisition, and challenges related to leadership and to succession planning within the participating organizations

Other Top Risks

• Cyber threats – Cyber threats have the potential to significantly disrupt core operations for our organization

• Security/privacy – Ensuring privacy/identity management and information security/system protection will require significant resources for us

• Resiliency – Resistance to change will restrict our organization from making necessary adjustments to the business model and core operations

• Performance gaps risk – Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors

• Trade restrictions/government sanctions – Potential changes in trade restrictions or other government sanctions will limit our ability to operate effectively and efficiently in international markets

• Technological innovation risk – Rapid speed of disruptive technological innovations within the industry may outpace our organization's ability to compete and/or manage the risk appropriately, without making significant changes to our operating model

Top 10 Risks – Overall

[Bar chart; axis scale 4.0 to 7.5. The bar values did not survive extraction. Risks in the order shown, each with its category label:]

• Regulatory risk (S)

• Economic conditions (M)

• Sovereignty risk/political gridlock (M)

• Organic growth concerns (S)

• Succession/talent (O)

• Financial markets/currencies (M)

• Cyber threats (O)

• Security/privacy (O)

• Resiliency (O)

• Performance gap risks (O)

Legend: M = Macroeconomic Risk Issue; O = Operational Risk Issue; S = Strategic Risk Issue

Analysis Across Organization Size

Analysis Across Organization Size – Key Findings

• Concerns about the potential impact of regulatory changes and heightened regulatory scrutiny are noticeably high for all sizes of organizations

• Uncertainty surrounding political leadership in national and international markets is high across most sizes of organizations

• The regulatory environment and potential for further change to it are of particular concern to many organizations, influencing decisions to expand, invest and hire

Analysis Across Organization Size – Top Risks

[Table: impact classification of each risk issue by organization size. The cell values did not survive extraction.]

Columns: Overall; Organizations $10B or Greater; Organizations Between $1B and $9.99B; Organizations $100M and $999.99M; Organizations Less than $100M

Rows (Risk Issues): Regulatory risk; Economic conditions; Sovereignty risk/political gridlock; Organic growth concerns; Succession/talent; Financial markets/currencies; Cyber threats; Security/privacy; Trade restrictions/government sanctions

Legend: Significant Impact – Rating of 6.0 or higher; Potential Impact – Rating of 4.5 – 5.9; Less Significant Impact – Rating of 4.4 or lower

Analysis Across Respondent Role

Analysis Across Respondent Role – Key Findings

• Nearly all executives rated economic conditions and regulatory changes as “Significant Impact” risks

• Board members, CAEs and CFOs did not rate any of the other 18 risks as “Significant Impact” risks

• Other C-suite executives identified two additional risks as “Significant Impact” – volatility in global financial markets and political uncertainty

• CROs named three additional risks as “Significant Impact” – risks related to cyber threats, succession issues and recruitment and retention of managerial talent, and risks related to privacy/identity management and information security

Analysis Across Respondent Role – Top Risks

[Table: impact classification of each risk issue by respondent role. The cell values did not survive extraction.]

Columns: Overall; Board Member; Chief Financial Officer; Chief Risk Officer; Chief Audit Executive; Other C-Suite

Rows (Risk Issues): Regulatory risk; Economic conditions; Sovereignty risk/political gridlock; Organic growth concerns; Succession/talent; Financial markets/currencies; Cyber threats; Security/privacy

Legend: Significant Impact – Rating of 6.0 or higher; Potential Impact – Rating of 4.5 – 5.9; Less Significant Impact – Rating of 4.4 or lower

Industry Analysis

Industry Analysis – Key Findings

• Respondents across all industry groups believe economic conditions in markets they currently serve will significantly restrict growth opportunities this year

• Most industry groups believe regulatory changes and heightened regulatory scrutiny may significantly affect the manner in which the organization’s products or services will be produced or delivered

• While most industry groups identified three to four risks as having “Significant Impact,” both the Financial Services and the Technology, Media and Communications industry groups had the greatest number of “Significant Impact” risks

Analysis Across Industry – Top Risks

[Table: impact classification of each risk issue by industry. The cell values did not survive extraction.]

Columns: Overall; Consumer Products and Services; Energy and Utilities; Financial Services; Healthcare and Life Sciences; Industrial Products; Technology, Media and Communications

Rows (Risk Issues): Regulatory risk; Economic conditions; Sovereignty risk/political gridlock; Organic growth concerns; Succession/talent; Financial markets/currencies; Cyber threats; Security/privacy; Resiliency; Performance gap risk; Technological Innovation risk

Legend: Significant Impact – Rating of 6.0 or higher; Potential Impact – Rating of 4.5 – 5.9; Less Significant Impact – Rating of 4.4 or lower

Plans to Deploy Resources to Enhance Risk Management Capabilities

Additional Resources to Risk Management – By Industry

Likelihood the organization plans to devote additional resources to risk management over the next 12 months:

• All Respondents: 5.8

• Consumer Products and Services: 5.7

• Energy and Utilities: 4.5

• Financial Services: 7.0

• Healthcare and Life Sciences: 5.5

• Industrial Products: 5.4

• Technology, Media and Communications: 5.5

On a scale of 1-10, respondents rated whether the organization plans to devote additional resources to risk management over the next 12 months. (1 – “Unlikely to make changes”; 10 – “Extremely likely to make changes”)

Additional Resources to Risk Management – By Organization Size

Likelihood the organization plans to devote additional resources to risk management over the next 12 months:

• All Respondents: 5.8

• Revenues Less than $100M: 6.1

• Revenues $100M – $999.99M: 5.8

• Revenues $1B – $9.99B: 5.3

• Revenues $10B or higher: 6.7

Additional Resources to Risk Management – By Organization Type

Likelihood the organization plans to devote additional resources to risk management over the next 12 months:

• All Respondents: 5.8

• Publicly Traded Companies: 5.6

• Private, For-Profit Enterprises: 5.8

• Not-for-Profit and Governmental Organizations: 6.4

Additional Resources to Risk Management – By Respondent Role

Likelihood the organization plans to devote additional resources to risk management over the next 12 months:

• All Respondents: 5.8

• Board Members: 5.1

• Chief Financial Officers: 6.0

• Chief Risk Officers: 6.3

• Chief Audit Executives: 5.4

• Other C-Suite: 5.9

Calls to Action

Ensure there is sufficient focus on the implications of a changing environment

• Is management periodically evaluating changes in the business environment to identify the risks inherent in the corporate strategy?

• Is the board sufficiently involved in the process, particularly when such changes involve acquisition of new businesses, entry into new markets, the introduction of new products or alteration of key assumptions underlying the strategy?

Ensure the risk assessment is sufficiently robust to inform board/management communications

• Does management apprise the board in a timely manner of significant risks or significant changes in the organization’s risk profile?

• Is there a process for identifying emerging risks?

• Does it result in consideration of response plans on a timely basis?

Calls to Action

Ensure the board is knowledgeable of the key enterprise risks and the capabilities in place for managing those risks

• Is the board aware of the most critical risks facing the company?

• Does the board agree on why these risks are significant?

• Do directors understand the organization’s responses to these risks?

• Is there an enterprise-wide process in place that directors can point to that answers these questions, and is that process informing the board’s risk oversight?

Enrich the strategy-setting process with a risk appetite dialogue between management and the board

• Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite?

• Is the board satisfied that the strategy-setting process appropriately considers a substantive assessment of the risks the enterprise is taking on as it formulates and executes its strategy?

Break

Risk Management Hot Topics:

Major Challenges Facing Businesses

Shaping the 2013 Risk Oversight Agenda

Five Risk Categories for Focusing Risk Oversight

Identifying Emerging Risk

Preparing for a Black Swan

Oversight of Information Technology Risk

Ten Ways Risk Oversight Can Fail

Ten Risk Oversight Principles

Major Challenges Facing Businesses

The complexity and velocity of change in an increasingly interdependent world are altering the dynamics of doing business. As the business environment continues to change, so does the risk landscape that companies and their audit committees face.

Ten Major Challenges Facing Businesses

As discussed, below are some observations and ideas for consideration by boards and their audit committees when setting the 2013 agenda.

1. Regulatory changes and increased regulatory scrutiny

2. Economic conditions in current markets and the possible lack of significant growth opportunities

3. Volatile global economic and political conditions

4. Succession challenges and the ability to attract and retain top talent

5. Challenges with organic growth through existing customers

6. Ensuring privacy/identity management and information security protection; cyber threats could significantly disrupt core operations

7. Resistance to change

8. Inability to meet performance expectations as well as its competitors can

9. Unexpected crisis and the likelihood of a significant impact on reputation given the organization's existing preparedness

10. Inability to utilize data analytics and "big data" to obtain needed market intelligence

Major Challenges Facing Businesses (Continued)

The 2013 Mandate for Audit Committees

We have summarized an agenda below that is broken down into two categories – enterprise, process and technology risk issues and financial reporting issues. The following agenda is based on our interactions with client audit committees, director roundtables we have conducted, and discussions with directors at conferences and other forums.

Enterprise, Process and Technology Risk Issues

1. Update the company's risk profile to reflect changing conditions - The pace of change in the business continues to escalate.

2. Oversee the capabilities of the finance organization and internal audit - Capabilities in these functional areas must be aligned with the company's changing needs.

3. Continue to provide oversight for significant changes in the control environment - Tone at the top, culture, and controls in critical risk areas should be areas of inquiry.

4. Understand how new technological developments and trends are impacting the company - Understand the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company's business model.

5. Take a fresh look at the compliance infrastructure - Recent actions of regulators with respect to enforcement actions and offering clarifying guidance may provide insights for evaluating compliance practices.

6. Assess audit committee effectiveness - Evaluate whether committee composition and expertise are sufficient in light of the changing environment and company risk profile.

Major Challenges Facing Businesses (Continued)

Financial Reporting Issues:

7. Work with the external auditor to upgrade the communications process - In some countries, the auditor may be required to enhance communications with the audit committee, so expect more.

8. Be aware that the auditor's report may expand in the near future - It's possible that the expanded report may incorporate topics the auditor addresses to the audit committee.

9. Inquire whether PCAOB inspections impact the audit approach - The PCAOB has provided guidance to audit committees for these discussions with the auditor.

10. Keep an eye on developments with respect to mandatory auditor rotation - The PCAOB continues to consider this alternative to increase audit effectiveness.

11. Expect action on convergence to IFRS - If applicable, inquire about the company's readiness as the U.S. FASB issues new standards over the next two years.

12. Consider other issues - Inquire about the company's compliance readiness with respect to the conflict minerals disclosure, if applicable, and the likely impact of COSO's update of the Internal Control – Integrated Framework.

Shaping the 2013 Risk Oversight Agenda

10 questions for board members to consider as they evaluate their risk oversight agenda for this fiscal year.

Has the company's risk profile changed?

Has management updated the company’s risk assessment and provided the board a summary of such risks with an indication of the risks that have increased, decreased or remained the same since the previous assessment?

Do the board's delegations of risk oversight responsibility provide for adequate coverage of the critical risks?

Are the most critical enterprise risks assigned to appropriate board committees to ensure coverage in the normal course as part of their ongoing activities?

Is the board giving appropriate consideration to technology-related risks?

Rapid technological innovation creates new risks in return for faster and more accessible data. In addition, increasing demands for privacy and information security, intellectual property, and asset protection, and growing complexity of regulations, are driving the need for more investment in security.

Is the board satisfied that there is a process for identifying emerging risks?

Are risk assessments providing directors with insights they didn't previously have? Is the company thinking about the "known unknowns" and potential "unknown unknowns" that lie in the future?

Shaping the 2013 Risk Oversight Agenda (Continued)

Does the board understand the key assumptions underlying the organization's strategy?

These assumptions are management's "view of the world" and should be used to identify risk indicators to provide early warning of one or more critical strategic assumptions becoming invalid as the company executes its strategy in a changing business environment.

Is the board satisfied with the risk reporting it receives?

At minimum, risk reporting provides information about the critical enterprise risks and summarizes how those risks are managed. It is up to the board to communicate to management the additional information it needs. The board should also obtain substantive risk information from external sources to supplement the information received from management.

Is the board satisfied the company's risk management is sufficiently resourced?

Directors should inquire as to whether appropriate policies, processes, people, reporting, tools and incentives, along with a supportive culture, are in place to mitigate key risks.

Does the board periodically assess whether there are potential issues in the company's culture and its incentive compensation structure?

Are there any dysfunctional behaviors that could undermine the effectiveness of risk management and lead to inappropriate risk-taking or compromise established policies and processes?

Shaping the 2013 Risk Oversight Agenda (Continued)

Is the company prepared to respond to extreme events?

These are the events no one can predict or see coming, the so-called unknowable risks. Has the company used scenario analysis to prioritize its "high impact, low likelihood" risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise's response readiness?

Does the board periodically assess its risk oversight processes?

This assessment should be incorporated into the board's periodic evaluations of its overall effectiveness.

The board of directors should consider the above questions when assessing its oversight focus within the context of the nature of the entity's risks inherent in its operations.

Five Risk Categories for Focusing Risk Oversight

As the board organizes itself for risk oversight, the question arises as to whether it should adopt its own risk language to ensure it is covering all bases. While each board must decide for itself whether a risk language is useful given the nature of the enterprise's operations, here we explore five risk categories directors may want to consider.

Areas for Board Responsibility for Risk Oversight

1. Governance risks - Risks related to directors’ decisions regarding board leadership, composition and structure, director and CEO selection, and other governance matters.

2. Critical enterprise risks - The top five to 10 risks that can threaten the company's strategy, business model or viability.

3. Board-approval risks - The risks related to decisions the board must make with respect to important policy areas, such as major strategic initiatives, acquisitions or divestitures, major investments, entry into new markets, etc.

4. Business management risks - Risks associated with ongoing day-to-day business operations.

5. Emerging risks - External risks outside the scope of categories (1) through (4).

Five Risk Categories for Focusing Risk Oversight (Continued)

Following are some suggested questions that boards of directors may consider in the context of the nature of the entity's risks inherent in its operations:

• Is there a process for identifying the organization's critical enterprise risks for purposes of prioritizing the board's risk oversight focus with management?

• Is the board approving major strategic and policy issues on a before-the-fact basis?

• Is there a process in place for identifying and communicating emerging risks to enable management and the board to be proactive?

Identifying Emerging Risks

Emerging risks are newly developing risks that cannot yet be fully assessed but that could, in the future, affect the viability of an organization's strategy.

Identifying Emerging Risks:

• Validity of the assumptions underlying the strategy: Are the critical assumptions underlying the company strategy becoming, or have they become, invalid? Fundamentals eventually change, and management should identify relevant drivers to monitor the external environment for changes that could invalidate one or more of those assumptions.

• Global Trends: Economic, environmental, societal, geopolitical and technological factors categorized into three risk ‘clusters’:

– Macroeconomic Imbalances

– The Illegal Economy

– Water-Food-Energy

• Organization's Pre-emptive Actions: Management must carefully consider the actual or anticipated effects (e.g., exposure to political/sovereign risk, cultural issues, a different regulatory regime and catastrophic events) of pre-emptive actions that alter the entity’s risk profile.

• Game-Changing Risks: Cybersecurity, demographic changes, resource security, retrenchment from globalization, infrastructure fragility and fiscally distressed cities.

Identifying Emerging Risks (Continued)

Questions to Consider

Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity's operations:

• Is there anything management truly fears, and are those concerns out in the open? Does the organization consider interrelationships among risks to identify relevant risk themes?

• Is the board apprised in a timely manner of significant changes in the enterprise's risk profile? Is there a process for identifying emerging risks? Does the exercise result in appropriate response plans?

• Is the board satisfied that management is periodically monitoring changes in the business environment to identify potential impacts on the assumptions and risks inherent in the corporate strategy?

Preparing for a Black Swan

A black swan is a high-impact, hard-to-predict and rare event that is beyond the realm of normal expectations in history, science, finance, and technology.

Since no one can predict the future, how do we gain an understanding of what we don't know? One approach is to use the most critical assumptions underlying the strategy as a context for understanding how much a black swan might hurt. The approach works as follows:

• Define your strategic assumptions: These assumptions are management's "view of the world" for the duration of the strategic planning horizon.

• Develop contrarian statements: These statements negate the strategic assumptions. If the strategic assumptions are management's "white swans," the related contrarian statements are potential "black swans." They frame the impacts that could seriously damage the company's ability to execute its strategy.

• Recognize that not all contrarian statements are black swans: Look for the statements that are likely to have the greatest impact on the company if they were to transpire.

• Articulate the implications of high-impact contrarian statements: An implication statement resolves the conflict between the strategic assumption and the contrarian statement by asking: "What do we do if critical assumptions underlying our strategy are no longer valid?" and "How would we know if our assumptions are no longer valid?" Action plans arising from an implication statement often include implementing new trending and key factor metrics to monitor vital signs germane to the external environment exposures that concern management and the board.

Preparing for a Black Swan (Continued)

Questions to Consider

Questions that boards of directors may consider, in the context of the nature of the entity's risks inherent

in its operations:

• Is there a common understanding between management and the board as to the critical assumptions

underlying the enterprise's strategy?

• Is there a process for challenging underlying assumptions? Are key factors that provide insight

regarding the continued validity of the key underlying assumptions monitored over time?

Oversight of Information Technology Risk

A recent survey of more than 200 board members determined that 47% of directors are dissatisfied

with their board's ability to provide IT risk oversight.

Following are suggestions for boards to consider to help them enhance their IT risk oversight:

• Start with the right questions: What are our risks? How are we managing them? And how do we know?

• Take an integrated, comprehensive view:

Integrate these risks into the board's oversight of strategic, operational, financial and compliance risks.

• Organize for IT risk oversight:

Evaluate strategic IT issues as part of a separate strategy committee or the finance committee, mirroring how the board oversees strategic planning and execution.

• Understand how technology fits within the business model:

For organizations where technology is a tool for building connections with strategic suppliers, channel partners,

customers and outsourcing providers, directors need management to present a picture of IT that is integrated with a

view of the business.

• Remember, there is a compliance aspect to IT risk:

New and expanding regulations continue to arise across and within industries. Noncompliance with regulatory

requirements can have severe consequences.

Oversight of Information Technology Risk (Continued)

• Strengthen internal audit:

Establish an IT function, conduct an IT audit risk assessment, and obtain the resources and skills in audit to evaluate the organization's IT risk.

• Don't forget board education:

IT risk oversight requires some education for most boards. Directors must look to the CEO, CIO and chief strategy

officer for assistance in this regard.

Oversight of Information Technology Risk (Continued)

Questions to Consider

• Does the board devote sufficient time to IT risks and the organization's processes to manage them?

• Does the company monitor technology innovations, including how new technology can be deployed by competitors (or

employees) to create disruptive change? Are aging legacy systems preempting efficiency, agility and innovation?

• For IT projects, does the board understand the underlying assumptions about how each project will produce cost

savings, improve business processes or achieve strategic goals, as well as how success will be measured? Is there

follow-up to ensure each significant project delivers on promises made?

• Does the board receive adequate information on (a) the organization's overall IT costs and (b) allocations of IT spend

across all projects to assess optimization of ROI and ensure compliance and contractual obligations are being met?

• Does the board understand the data privacy and security risks faced by the company? Are data privacy and security

considered integral to all new business processes?

• Is the CIO organization effective in supporting the changing needs of the business? Are cloud solutions being

deployed? If so, does the board understand the risks associated with them?

• If the company uses outsourced providers, is the board satisfied such relationships are being managed effectively?

• Does the board stay current with respect to its knowledge and understanding of IT matters as they relate to the

company and industry?

Ten Ways Risk Oversight Can Fail

Risk oversight is a top-of-mind issue for boards today because of the dramatic failures associated with

the financial crisis and the unanswered questions around what directors might have done to thwart it.

Following are 10 reasons that can contribute to failure of the board's risk oversight process:

1) Lack of a robust process for prioritizing, managing and monitoring the enterprise's critical risks

2) Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy

3) Executive management and the board are not on the same page with respect to the entity's risk

appetite

4) Failure to identify and manage emerging risks

5) Insufficient time to think about the future

6) The company practices "enterprise list management"

7) Drowning in data with little knowledge or insight

8) Deficiencies in the enterprise's "tone at the top" and culture

9) Lack of an effective chief risk officer

10) The board isn't organized effectively for risk oversight

Ten Ways Risk Oversight Can Fail (Continued)

Questions to Consider:

Following are some suggested questions to consider, in the context of the nature of the entity's risks

inherent in its operations:

• Has the company articulated its risk oversight objectives and evaluated the effectiveness of its risk

oversight processes in achieving these objectives?

• Is the company proactively taking steps to address any gaps that may impede its risk oversight

effectiveness?

Ten Risk Oversight Principles

Below are 10 principles to assist boards in strengthening their oversight of the company's risk

management.

Ten Principles of Effective Risk Oversight

1. Understand the company's key drivers of success.

2. Assess the risk in the company's strategy.

3. Define the role of the full board and its standing committees with regard to risk oversight.

4. Consider whether the company's risk management system - including people and processes - is

appropriate and has sufficient resources.

5. Work with management to understand and agree on the types of risk information the board requires.

6. Encourage a dynamic and constructive risk dialogue between management and the board, including

a willingness to challenge assumptions.

7. Closely monitor the potential risks in the company's culture and its incentive structure.

8. Monitor critical alignments - of strategy, risk, controls, compliance, incentives and people.

9. Consider emerging and interrelated risks: What's around the next corner?

10. Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk

oversight objectives?

Ten Risk Oversight Principles (Continued)

Questions to Consider:

Following are some suggested questions to consider, in the context of the nature of the entity's risks inherent in its operations:

• Has the company articulated its risk oversight objectives?

• Has the company evaluated the effectiveness of its risk oversight processes in achieving its risk

oversight objectives? Does the board plan to conduct this evaluation periodically?

• Is the company proactively taking steps to address any gaps that impede its risk oversight

effectiveness?

Protiviti Contacts

Steven La France, Director

Phone: 213.327.1445

Madhushi Kurera, Associate Director

Phone: 213.327.1488

Powerful Insights. Proven Delivery.™

Thank you!