The BDO RiskFactor Report for Retail Businesses, which examines the risk factors listed in the most recent SEC 10-K filings of the largest 100 public U.S. retailers, also found that IT infrastructure and security risks have increased, partially due to growth of the mobile platform. This year, concerns over the maintenance of IT systems and operations leapt from the 12th most cited risk factor to the 6th. Following the significant data breach at Global Payments, security risks jumped 31 percent from the 19th most cited risk factor to the 12th. As retailers have more data than ever to protect and increasing endpoints due to the increased use of mobile devices, business interruption risks are also more worrisome. Retailers also reported heightened concerns over geopolitical events and natural disasters, which moved from the 9th most cited risk factor to the 5th, largely due to the Japanese tsunami and volatility in the Middle East.

Further findings in The 2012 BDO RiskFactor Report for Retail Businesses:

Supply Risks Paramount Amid Pricing Pressures and Currency Fluctuation. Although commodity costs have stabilized, supply risks remain a significant focus for retailers. For the third year in a row, U.S. and foreign supplier and vendor concerns are the second most commonly cited risk factor. Rises in China sourcing costs and volatile foreign currency exchange rates contribute to these concerns. Among retailers who note supply risks, 81 percent of companies specify pricing pressures as a key factor of their concern. For retailers sourcing internationally, currency risk is also a mounting issue with 56 percent of retailers citing it as one of their top economic concerns. This marks a significant jump from 2011 (27 percent).

U.S. Expansion Risks at All Time Low. Risks associated with U.S. growth and expansion are at the lowest levels since the start of the study in 2006. Just 46 percent of retailers note concern over U.S. expansion, an indicator of softness in the retail real estate market and modest store expansion plans as commerce gradually shifts to the Internet. However, as the industry becomes increasingly global, international operations risks continue to be top of mind. A vast majority of retailers (68 percent) cite international risks as political turmoil and the European debt crisis impact sales, vendors and distribution channels.

Holiday Performance More in Focus as Consumers Recover. Positive sales results in the first quarter have left retailers feeling more confident about consumer spending. Concerns over consumer confidence still linger in 10-Ks for 81 percent of retailers, but are stabilizing following a peak in 2010. Risks associated with demand and the ability to stay up to date with consumer trends are also on the decline (83 percent vs. 87 percent in 2011). Still, a great deal of weight continues to be placed on fourth quarter results and the ability to attract shoppers during the holidays. Concern over holiday results and the seasonality of the industry increased to the 19th most cited risk, up from the 22nd in 2011. With year-end results impacting momentum and strategic plans for the year ahead, a strong holiday performance is crucial for success.

Regulation Risks Tempered. Despite the election year, retailers are less concerned about government regulation. As the conversation in Congress shifts from corporate taxes to individual taxes, government regulation risks eased with 85 percent of retailers noting concern over regulations, down from 92 percent in 2011. Risks associated with accounting standards also tempered. With IFRS on a less accelerated track, fewer retailers (58 percent vs. 72 percent in 2011) cite accounting challenges as a risk factor.

The 2012 BDO RiskFactor Report for Retail Businesses examines the risk factors in the most recent 10-K filings of the largest 100 publicly traded U.S. retailers; the factors were analyzed and ranked by order of frequency cited.

Maryland governor Martin O’Malley signed the bill into law Thursday. The law requires Maryland to not do business with companies that fail to comply with the federal law on conflict minerals, passed in 2010 as part of the Dodd-Frank Wall Street Reform Act. A provision in this federal financial reform legislation requires companies to disclose whether they source minerals from DR Congo or its neighbors and to exercise due diligence on their supply chains to determine if their products are not fueling deadly conflict in the central African country.

The state law adds a powerful incentive for companies to comply with federal law by denying them procurement contracts with the state of Maryland.

Tin, tungsten, tantalum and gold, all minerals found in consumer electronics, are mined in eastern Congo, where a decade-and-a-half of conflict has resulted in more than 5 million deaths. Armed groups that commit mass rapes and other atrocities make millions of dollars from the minerals trade and control most of the mining operations in a mafia-like cartel.

The Maryland legislation is the second state to deal with Congo conflict minerals after California passed a similar law last year. Similar legislation is also under consideration in Massachusetts. Dozens of college campuses and local governments have passed resolutions pledging to buy only conflict-free products. In June 2010, Stanford University became the first campus in the nation to adopt a policy combating the trade in conflict minerals from Congo.

“The average fine and disgorgement for FCPA-related settlements over the past two years approaches a staggering $66 million. And that doesn’t include the substantial legal and consulting fees related to internal investigations, or the lengthy jail time corporate officers have been receiving,” said Harfenist, an expert in continuous monitoring (CM). “Couple this extraordinary exposure with the Dodd-Frank Whistleblower Provision and you can see why oil and gas companies operating in high-risk venues are extremely concerned. In light of these risks, I am continually looking for the cost-effective processes companies can implement to minimize their exposure.”

Continuous monitoring systems, which involve the integration of forensic practices with powerful software to detect high-risk behaviors and transactions, evaluate policy compliance within an organization and report the results to appropriate individuals, are key to helping minimize compliance risk. Key elements of CM for oil and gas companies include:

• The financial impact of early identification of fraud schemes for oil and gas companies
• Applying CM to evaluate Books and Records compliance
• Using CM as part of an overall risk assessment process to answer questions such as:
  • What processes and forensic tools are available to address the growing compliance requirements and related corruption risks my company faces?
  • How do I determine whether someone in my procurement department has an undisclosed financial interest in a supplier?
  • How can I detect corruption schemes in their infancy?
  • How do I ferret out corruption, fraud, waste and abuse in my supply chain?

These questions create difficult challenges for energy companies as many of the countries they operate in pose extremely high fraud and corruption risks due to existing business and cultural practices which often run afoul of western anti-corruption statutes and operating norms.

“One only need look to the recent bribery-related disclosures by Wal-Mart to see the benefits a CM program would have had,” he said. “The early detection of bribery and corruption schemes — a key benefit of Continuous Monitoring — prevents Books and Records violations from accruing and tainted revenues subject to disgorgement from occurring. To minimize a company’s risk and exposure, shutting down these fraud schemes in their infancy is critical.”

For information about Jeffrey Harfenist, please go to http://www.brg-expert.com/professionals-158.html .

The first level of SCPro is Cornerstones of Supply Chain Management, and holders of this designation demonstrate a solid foundation of knowledge in all the functions of supply chain management, such as: demand planning, procurement, supply management, manufacturing, service operations, transportation, inventory, warehousing, and order fulfillment. Level One designees have proved they are solutions-focused and effective at collaborating with others to the benefit of the entire supply chain. This introductory designation, which demonstrates a clear commitment to growing one’s supply chain expertise, is awarded for a passing grade on a 160-question examination. Requirements for this level are four years of relevant work experience OR a bachelor’s degree.

The second level is Analysis and Application of Supply Chain Challenges. In order to obtain an SCPro Level Two designation, professionals must thoroughly analyze real-world case studies, pinpoint areas for optimization and recommend efficiency improvements in the supply chain. Requirements include Level One PLUS either a four-year degree and three years relevant experience OR seven years of relevant experience.

The third level is Initiation of Supply Chain Transformation. The highest SCPro designation requires an unprecedented use of practical application, a groundbreaking advance among supply chain certifications. Candidates must perform hands-on analysis of a working organization and create a detailed project plan that generates real results, such as increased ROI or improved cycle times. Requirements include Level Two PLUS either a four-year degree and five years of relevant experience OR nine years of relevant experience.

Learning doesn’t stop once the SCPro Level One Certification has been attained. Designees must participate in continuing education programs to maintain an active certification status. The certification cycle is three years. During the three years designees must attain no less than 20 hours of professional continuing education credits toward maintenance each year, for a total over the three years of no less than 60 hours. Upon completion of the three-year cycle, a new cycle begins.

We see this as a key foundational element for a complete understanding of supply chain risk. By combining education with experience in multiple SCM disciplines, SCPro certified professionals will be able to more effectively identify, consolidate and manage the complexities of SCM Risk.

Published by Marsh and the Risk and Insurance Management Society, The 2012 Excellence in Risk Management survey gathered the views of 1,322 risk managers, top executives, and others. Although primarily from North America, respondents represented companies with headquarters in nearly 50 countries.

Among the key findings:

• Fully 85 percent of risk managers said that leadership’s expectations of them have increased over the past three years. But that percentage dropped to 71 percent among C-Suite respondents.

• A majority of C-Suite respondents (51 percent) reported that adopting a formal strategic risk management process would better integrate risk issues with the short- and long-term strategic planning goals of the organization.

• More than one-third of respondents said that the economic downturn helped increase the use of analytics in risk management

• More than half of C-Suite respondents said their organizations do not measure total cost of risk (TCOR), up from 36 percent who said so in 2011.

The report also found that C-suite respondents and risk managers had differing views on the strategic value of total cost of risk (TCOR) measurements. Sixty-eight percent of risk managers said that they use TCOR measurements, but many C-suite respondents did not seem to be aware of this: 51 percent said that their companies do not measure TCOR. Even in firms where C-suite respondents understand that TCOR is being measured, they show little awareness of what goes into the calculation, an indication of the relatively low value they place on it.

”Measurements such as total cost of risk can bring certain value to risk management budgeting and benchmarking, but they do not necessarily give senior leaders the strategic view of risk they are seeking,” said Nowell Seaman, Manager of Risk Management and Insurance at the University of Saskatchewan and a member of the RIMS Board of Directors. “Organizations are better served when risk managers engage in strategy planning and strategy execution efforts by developing a formal strategic risk management framework, and consolidating the disparate emerging risk communication channels that already exist in organizations.”

In fact, according to the new 2012 PwC State of the Internal Audit Profession study, businesses are asking internal audit to play an increased role in helping companies navigate the rapidly changing risk landscape. To illustrate my point, here are a few key findings from the report:

• Data privacy and security is now the single most requested area for increased internal audit. Nearly half (46 percent) of stakeholders participating in this study want added capabilities in this area.
• Help with regulations and government policies was the second largest requested area. About one-third (32 percent) want internal audit to become more involved in how their business understands and manages this risk.
• PwC found that successful internal audit functions create plans through comprehensive, top-down risk assessments where the entire risk management process is considered. However, almost half (45 percent) of those polled said they do not create their audit plans using this kind of top-down risk assessment approach.
• When asked about the most common barriers to internal audit’s active involvement in a fully comprehensive risk management function, a majority of survey respondents cited organizational and cultural resistance, followed by a lack of internal audit resources and expertise.

“As the risk landscape continues to evolve, the majority of business leaders surveyed said they are not comfortable with how their risks are being managed, although 74 percent of those surveyed have formal enterprise risk management processes,” said Dean Simone, leader of PwC’s U.S. Risk Assurance practice. “To deliver what stakeholders want, the standard for an effective internal audit function has been raised and internal audit needs to elevate its performance to meet the always increasing stakeholder expectations. Businesses must evaluate total enterprise risk, coordinate with the internal audit functions and break down organizational barriers to provide a holistic approach to risk management.”

A copy of the report, PwC 2012 State of the Internal Audit Profession Study, is available for download here.

For example, the report says federal agencies are vulnerable to:

• Installation of malicious logic on hardware or software
• Installation of counterfeit hardware or software
• Failure or disruption in the production or distribution of a critical product or service
• Reliance upon a malicious or unqualified service-provider for the performance of technical services
• Installation of unintentional vulnerabilities on hardware or software

Although four US national security-related departments—the Departments of Energy, Homeland Security, Justice and Defense—have acknowledged these threats, responses so far have been spotty.

Two of the departments—Energy and Homeland Security— have not even taken critical first steps to mitigate risks, such as identifying supply chain protection measures for department information systems. Justice has made some initial progress, but it has not developed procedures for implementing or monitoring compliance with and effectiveness of any such measures, according to the report.

By contrast, the GAO says the Department of Defense has made greater progress through its incremental approach to supply chain risk management. The department has defined supply chain protection measures and procedures for implementing and monitoring these measures.

Still, officials at the four departments stated that their respective agencies have not determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services. Federal agencies are not required to track this information, and officials from four components of the US national security community believe that doing so would provide minimal security value relative to cost. (The four national security-related departments do participate in government-wide efforts to address supply chain security, including the development of technical and policy tools and collaboration with the intelligence community.)

GAO recommends the Departments of Energy, Homeland Security and Justice take steps, as needed, to develop and document policies, procedures and monitoring capabilities that address IT supply chain risk. According to the report, these departments generally concurred with GAO’s recommendations.

“Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related agencies will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks,” the report concludes.

The full report, which includes detailed recommendations for executive action, is available here.

According to a recent article at Bloomberg Businessweek, industries around the world are confronting the impact of loose nuclear (i.e., radioactive) material in an international scrap-metal market worth at least $140 billion. From the article:

Radioactive items used to power medical, military and industrial hardware are melted down and used in goods, driving up company costs as they withdraw tainted products and threatening the public’s health . . . Abandoned medical scanners, food-processing devices and mining equipment containing radioactive metals such as cesium-137 and cobalt-60 are picked up by scrap collectors, sold to recyclers and melted down by foundries, the IAEA (United Nations International Atomic Energy Agency) says.

The problem made headlines earlier this year when retailer Bed Bath & Beyond had to recall a metal tissue holder from its shelves after the item was found to be slightly radioactive.  A Bed Bath & Beyond truck loaded with the tissue holders reportedly set off a surveillance monitor in California.

“We have been notified by regulatory agencies that a product we have carried since July, 2011, in approximately 200 of our 1000 stores in the US and Canada, as well as on our website, the Dual Ridge Metal boutique tissue holder  . . . contains a material which emits low levels of radiation,” Bed Bath & Beyond said in a statement at its website. “According to the Nuclear Regulatory Commission (NRC), although any unnecessary radiation exposure is not desirable, there is no threat to anyone’s health from these tissue holders. The NRC has also informed us that the material is believed to be in the tissue holder itself and cannot be inhaled, nor can it contaminate other objects (such as tissues). Out of an abundance of caution, we have pulled the product off of our sales floor and removed it from our website.”

It appears that more and more manufacturers and retailers (and even consumers) are going to have to start exercising a similar “abundance of caution.”

As a technical director for the Bureau of International Recycling told Bloomberg Businessweek, most people aren’t aware that they’re now “living in a radioactive world.”

Why? According to the newly released Trustwave 2012 Global Security Report, industries with franchise and chain store models are top targets primarily because franchises often use the same IT systems across stores. Once cybercriminals compromise a system in one location, they likely can duplicate the attack in multiple locations. In fact, more than one third of Trustwave SpiderLabs 2011 investigations occurred in a franchise business, and the report predicts this number will rise in 2012.

Here are a few more key findings from the 2012 report:

• Data breaches are on the rise. Trustwave performed 42 percent more investigations in 2011 than in the previous year – conducting more than 300 data breach investigations in 18 countries worldwide.
• Cybercriminals crave customer records. A whopping 89 percent of data breach investigations involved customer records. While trade secrets or intellectual property followed at a distant six percent, Trustwave cautions that highly targeted attacks designed to go after that type of data remain a growing concern, as their success rate is extremely high.
• Weak passwords put your business at risk. After analyzing the usage and weakness trends of more than 2 million business passwords, Trustwave found that the most common password used by global businesses is “Password1” as it satisfies the default Microsoft Active Directory complexity setting.
• Morning email can be risky. An email with a malicious attachment is most likely to arrive in your inbox at  8:00 a.m. and 9:00 a.m. (Eastern Time, US).

“Any organization can be a target, but as detailed in our report findings, those most susceptible are businesses that maintain customer records or that consumers frequent most, including restaurants, retail stores and hotels,” said Nicholas J. Percoco, senior vice president and head of Trustwave SpiderLabs. “We advise organizations review our strategic recommendations for 2012 and take steps toward employing better security across their organizations.”

Those strategic recommendations are available in this press release, and you can download the full Trustwave 2012 Global Security Report here.

The study, which surveyed 350 supply chain executives from leading companies across Europe, the US, Latin America and Asia-Pacific, found that:

• Familiar business challenges persist. Market volatility (52 percent) and the economic downturn (39 percent) are the biggest business challenges currently faced by respondents. Just 17 percent feel optimistic about the outlook for the economy in 2012.
• Leaders are focused on supply chains. Two-thirds (67 percent) of respondents said they have implemented measures to improve visibility and control within the supply chain, and 59 percent have taken steps to increase flexibility within supply chain operations. As Capgemini points out, companies that have taken these measures should expect to have a head start on their competitors in 2012 as they will be able to measure and adapt their supply chains more easily.
• Strengthening supply chain operations is a strategic priority. Supply chain visibility improvement (57 percent) and business innovation initiatives (56 percent) ranked high on the agenda of survey participants as market volatility continues to increase the need for a single, consistent view of the end-to-end supply chain.
• Supply chain improvements hampered by various factors. Survey participants cited business prioritization (44 percent) as the main bottleneck, closely followed by limited IT capabilities (42 percent) and financial resource challenges (39 percent).

Despite the challenges to supply chain improvements, it’s essential for companies to increase resiliency and visibility throughout their supplier networks, especially now that it’s clear market volatility is becoming the “new normal.”

“Continued market volatility is severely impacting supply chain strategies everywhere, but it would appear that lessons have been learned from previous periods of economic uncertainty as companies are better prepared for the challenges of 2012 and have implemented a number of measures to improve visibility, flexibility and control within their supply chain,” said Ramon Veldhuijzen, Global Logistics and Fulfillment Lead, Capgemini Consulting. “However, it is vital that supply chain executives and company management have a shared understanding of the benefits that supply chain projects can bring to the whole organization in order to establish a truly successful supply chain strategy and maintain competitive advantage.”