Risk & Advisory Services: Quarterly Risk Advisor, May 2016


Uploaded by cbiz-inc, posted 06-Apr-2017


3 Questions Every Board Needs to Ask About Enterprise Risks

As today’s risk landscape continues to change and evolve, it can create challenges for Boards of Directors in their oversight of risks confronting their companies. A 2015 study conducted by the American Institute of Certified Public Accountants (AICPA) concluded that a majority of companies were affected by these emerging risks. Collectively, 65 percent of participating managers and directors admitted that they were caught off guard by an operational surprise over the past five years.

It is crucial that senior management and Board members are well-versed on the risks that affect their companies. Failure to adequately understand the areas at highest risk and the procedures in place to mitigate them can decrease the effectiveness of the Board’s oversight of management and its ability to constructively challenge proposed changes in the best interest of the company. Asking these three questions at your next Board of Directors meeting can help educate members on existing risks and procedures to make sure the entire committee is on the same page.

How is our organization identifying risks across the enterprise?

It is necessary that a Board understands the risks across the entire organization.


1-866-956-1983 | www.cbiz.com/ras | © Copyright 2016. CBIZ, Inc. NYSE Listed: CBZ. All rights reserved.

IN THIS ISSUE:

3 Questions Every Board Needs to Ask About Enterprise Risks | PAGE 1

3 Ways to Improve Your Credit Card and Data Security | PAGE 3

5 Major Risks Construction Project Owners Face | PAGE 5

Risk Advisory Services: Quarterly Risk Advisor, MAY 2016 | 2ND QUARTER

With over 100 offices and 4,000 associates nationwide, CBIZ (NYSE: CBZ) delivers top-level financial and employee business services to organizations of all sizes, as well as individual clients, by providing national-caliber expertise combined with highly personalized service delivered at the local level.

Our national Risk & Advisory Services practice helps companies address unique risk factors through internal audit sourcing, SOX-404 and PCI DSS compliance programs, cybersecurity services, business continuity planning, and cost savings and recovery programs.


MICHAEL GALLAGHER, Managing Director, Houston, Texas | 713.562.1154 | [email protected]

Members should also be aware of how they can affect operations and profitability. A Board can’t evaluate these risks, however, if the organization hasn’t identified what they are. Pinpointing risk factors early allows time to plan a strategy for mitigation, which could save a business from continuity-disrupting events in the future.

Risk identification can be done at the Board, management or even individual business unit level. Some strategies to consider integrating into an enterprise risk identification program are:

• Facilitate a Brainstorming Session: Invite key stakeholders, such as Board members, management and business unit leaders, to share the risks that they are aware of that may be unknown to others.

• Conduct a SWOT (strengths, weaknesses, opportunities and threats) Analysis: Focus on the weaknesses and threats to your organization. Take the learnings from the discussion to map out your current and emerging risks.

• Use Information Technology Resources: Organizations with robust IT departments can use their expertise to scan for potential digital threats against the organization, such as a cyber-attack or data breach.

• Hire a Third Party to Conduct Analysis: Enterprise risk management specialists can review your operations, exposures and current risk management strategies and insurance to identify ways to improve them.

What emerging risks are we currently aware of?

Even if a mitigation plan is developed based on identified enterprise risks, the plan needs to remain flexible and easy to update to account for rapidly changing or emerging risks. These risks can evolve quickly and often destroy businesses that are not prepared to face them. The emerging risk landscape is uncertain, but some key risks to watch out for in 2016 include:

• Cyber-related Risks and Attacks: Any company that uses technology to conduct business and manage client information needs to know what’s at stake. When cybersecurity is not part of the business process, it leaves a company vulnerable to data breaches and the loss of financial, personal or proprietary information. IT risks should be continually monitored and systems need to be updated to keep pace with the ever-evolving cyber threat environment.

• Predictability and Uncertainty in Foreign Markets: The fluctuation of commodity prices and currency values has created uncertainties that make strategic planning difficult. In 2016, growth and volatility are expected to define the global economy, but with this degree of variation comes tremendous risk to companies. Be sure that you understand the rules and regulations you face in the international market. Reassess your budgets and forecasts on a semi-annual basis to account for changes that could affect your cash flow or profitability.

• Talent Management and Succession Planning: Company leadership is essential to keeping your business running smoothly, but when executives move on or retire, they create important gaps that need to be filled. You should be sure you have a process in place to identify the right successor or shift the responsibilities to reshape the vacancy into a role better suited to the needs of your organization.

• Third Party Vendor Relationships: Each of your organization’s third party vendors poses unique risks. For example, a vendor that assists your company with payroll and billing carries increased risk because that vendor handles sensitive financial information. Conducting an annual vendor risk assessment and performing the necessary due diligence can help you identify what each vendor will require in terms of controls and monitoring.

Does our existing reporting structure meet industry standards?

How effective the overall risk management program is depends on how effectively the organization communicates. Risk reporting should be used by organizations to illustrate success, failure and opportunity to key stakeholders. These communications should be interactive, with time built in for the Board to ask questions and discuss components of the outputs. If your organization does not currently have a reporting structure in place, consider establishing this component to drive transparency to the process. If your organization does have a reporting structure, you could benefit from benchmarking your process and frequency against industry peers.

Enterprise risk management is an ongoing process. Identifying and reporting your risks a single time is not sufficient to keep your organization prepared for potential disruptions to day-to-day operations. Constantly revisiting your enterprise risk management program to account for emerging risks or changes to the reporting structure will ensure your business is always ready to respond to threats.



3 Ways to Improve Your Credit Card and Data Security

The ability to accept and protect credit cards is essential. Data breaches are common in today’s environment. Security Affairs’ Data Breach Quickview found that 53 percent of the data breaches in 2015 occurred in the business sector, and governments, nonprofits, educational and medical communities made up another 39 percent of breaches.

The costs of just one attack can be staggering, particularly when they involve a breach of credit card information. These types of incidents may include fines levied by Visa, MasterCard or other payment brands that are usually passed along to the breached company. There are also costs associated with the forensic investigation used to determine the source of the breach, the nature of the information stolen, the number of cards involved and the extent of the compromised servers. In addition, the company often must cover costs associated with reissuing cards and repaying the actual losses. Finally, there are the costs of remediation work, such as rebuilding compromised servers, working with law enforcement agencies and submitting to the credit card issuer a detailed plan for fixing the security problem.

Fortunately, there are several ways you can secure your credit cards and mitigate your risk of a breach.

Protection for Your Company and Your Customers

Companies that facilitate the use of credit cards are permitted to store certain types of data, including the cardholder’s name, address, ZIP code and the card’s expiration date. Storage of data such as the sensitive authentication CVC2/CVV/CID code, data that make up the full magnetic stripe and the customer’s PIN or PIN Block is prohibited.

The best way to protect consumer cardholder data is simply not to store them. However, if you absolutely need to store the data, then the Payment Card Industry Data Security Standard (PCI DSS) provides the safeguards that you need to put in place to protect that data. PCI DSS was developed as an outgrowth of data security efforts by Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection Plan and was embraced by American Express, Discover Card Services and the Japan Credit Bureau.

As a result, all merchants that process, store or transmit cardholder data must comply with the standard.

Understand the Standard

The individual card brands require that many service providers and large merchants undergo an annual payment card industry (PCI) assessment conducted by a PCI Security Standards Council-approved Qualified Security Assessor (QSA) in order to demonstrate they are compliant with PCI DSS. Large service providers and merchants also must submit to quarterly network vulnerability scanning and penetration testing.

What constitutes a large merchant or service provider depends upon the number of payment card transactions the company processes and whether it has ever been the victim of a data breach involving credit card information. VISA places the most stringent PCI DSS requirements on merchants that process more than 6 million VISA transactions per year and service providers that process more than 300,000 transactions per year.

Companies that handle a smaller number of payment card transactions must still comply with the PCI DSS, but they can perform and submit the results of an annual self-assessment that demonstrates their current state of compliance. Self-assessments must meet the standard. It is important to note that the assessment is a “point in time” assessment that must be performed every year.

Credit card companies and sponsoring banks will hold organizations accountable for the information provided in the self-assessment in the event of a breach. Those that fail to meet the standards can be fined for non-compliance, may be subject to increased processing fees and can even have their ability to accept credit card payments revoked.




KAREN CASSELLA, Managing Director, Memphis, Tennessee | 901.842.2859 | [email protected]

Focus on the Six Control Objectives

Whether you are subject to external reviews or you are conducting a self-assessment, you should ensure your PCI policies address the following six control objectives:

• Build and maintain a secure network: Companies must install and maintain an effective firewall configuration that protects internal servers against direct access from the Internet. This often involves employing separate servers for credit card transaction processing and segregating them from other servers by a firewall. In essence, network segmentation shrinks the security footprint so companies have fewer credit card servers to protect from exposure. Implementing hardening standards for servers – such as changing default passwords and other security parameters for all systems that interface with credit cards – also is required. Your company should also be sure to change the vendor-supplied default passwords because hackers may know them; default system passwords may be discoverable through a Google search.

• Protect Cardholder Data: PCI DSS will help protect stored cardholder data, but compliance does not guarantee that you will never experience a security breach. It is critical to make sure that if the worst happens, no sensitive data are compromised. There are two ways to achieve this. First, ensure that sensitive authentication data, such as CVV, CVC and CID, are never stored after the transaction is authorized. Second, do not store the contents of the magnetic stripe on the back of the card, as this data could be used to create a fake credit card. Finally, ensure that card numbers are always stored so that they are unreadable by an intruder. This can be achieved by encrypting and masking stored card numbers.

• Maintain a Vulnerability Management Program: Your company should use and regularly update antivirus software and vendor-supplied security patches. You should only use systems that have been rigorously tested prior to deployment.

• Implement Strong Access Control Measures: Restrict access to cardholder data and only allow persons with a business need to access the systems processing, storing or transmitting card transactions. It is necessary to assign a unique user ID to each person with access to the above systems in order to establish an audit trail for a forensic investigation.

• Regularly Monitor and Test Networks: Access to network resources and cardholder data must be tracked by a unique user ID. Security systems and processes also must be tested regularly. This includes quarterly network vulnerability scanning and penetration testing.

• Maintain an Information Security Policy: Finally, every entity must develop and maintain a data breach response plan, use only PCI DSS compliant service providers and ensure the organization adheres to a formal policy that addresses information security.
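As an added example (not code from the newsletter or from CBIZ), the following Python enforces the two "Protect Cardholder Data" points above before a payment record is written: it refuses any record still carrying sensitive authentication data and stores the PAN truncated to first six and last four digits; it also scans log text for Luhn-valid card numbers that were written unmasked. The field names, record layout and log lines are constructed for the example.

```python
"""Added example, not from the CBIZ newsletter or any CBIZ tool: a pre-storage
check for payment records plus a log scan for unmasked PANs. Encryption or
tokenization is the alternative the text names for making the PAN unreadable;
truncation is used here. Field names and sample data are constructed."""
import re

# Fields PCI DSS forbids storing once the transaction is authorized (constructed names).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def storage_violations(record: dict) -> list:
    """Names of sensitive-authentication fields present in the record (sorted)."""
    return sorted(SENSITIVE_AUTH_FIELDS & {k.lower() for k in record})


def sanitize_for_storage(record: dict) -> dict:
    """Refuse records carrying sensitive authentication data; mask the PAN otherwise."""
    bad = storage_violations(record)
    if bad:
        raise ValueError(f"must not be stored after authorization: {bad}")
    out = dict(record)
    out["pan"] = mask_pan(record["pan"])
    return out


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text such as application logs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample data: 4111... is the widely published Visa test PAN. The
# 13-digit order ids are not Luhn-valid, so the scan does not flag them.
AUTHORIZED = {"pan": "4111 1111 1111 1111", "exp": "12/27", "cvv": "123"}
SAMPLE_LOG = (
    "2016-05-02 auth ok order=1234567890123 pan=4111 1111 1111 1111 amt=12.50\n"
    "2016-05-02 auth ok order=1234567890124 pan=411111******1111 amt=40.00\n"
)

if __name__ == "__main__":
    print(storage_violations(AUTHORIZED))                 # ['cvv']
    clean = {k: v for k, v in AUTHORIZED.items() if k != "cvv"}
    print(sanitize_for_storage(clean)["pan"])              # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG))                  # ['4111111111111111']
```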

Compliance Can Be Challenging

To assist in your compliance efforts, consultants are available to conduct PCI assessments that show precisely where you do and do not comply with PCI DSS. A third party can also provide vulnerability scanning, application penetration testing and other critical services.

By understanding areas of weakness, implementing pivotal information security practices and continually monitoring the effectiveness of these efforts, your company can achieve compliance.


5 Major Risks Construction Project Owners Face

The expansion and development of organizations year after year make construction inevitable. Values recorded by the Census Bureau indicate that construction is booming. In 2015 alone, cumulative U.S. construction project spending reached $1 trillion, the highest recorded amount since 2008. Although many organizations nationwide continue to break ground on new construction, undertaking these large projects comes with a fair amount of risk. Failing to adequately understand where your organization may be at risk can lead to overspending and, in certain cases, legal disputes. Knowing the five major risk areas in construction contracts can help you manage your ongoing or upcoming construction projects to ensure you are not overpaying.

Contract Language

The biggest risk to an owner lies in the contract itself. Too often construction contracts are muddied with unclear language that makes it difficult to determine reimbursable project costs. When a contract is drafted using clear and transparent language, it allows every party to know exactly what the scope of work entails, which costs fall within that scope of work and which costs do not. Clauses and provisions should be written so that someone unfamiliar with the project, such as an arbitrator or judge, can easily understand the costs to be reimbursed by the owner to the contractor on the project. Clear, concise contract language can also mitigate an owner’s risk related to potential project cost issues.

Project Budgets

For cost reimbursable guaranteed maximum price (GMP) contracts, contractors are compensated for actual costs incurred, in addition to a fee, up to a guaranteed maximum amount. Because the contractor will be compensated for actual cost as defined by the contract agreement, detailed project budgets are essential to ensure that the GMP budget is not artificially inflated. On cost reimbursable contracts, owners need to carefully review budget line items to confirm that budget amounts represent a contractor’s actual cost and comply with the provisions of the respective contract agreement. By removing unnecessary or overstated budget line items, owners can save a significant amount of money on their construction projects before construction even begins.

Labor Rates

Each executed contract should detail the reimbursable labor rate costs associated with your contractor and subcontractors. It is important to review each of these labor rates prior to starting any work to determine whether they are in accordance with the contract agreement and represent a contractor or subcontractor’s actual cost to perform the work. Contractors selected through a competitive bidding process will likely present low, lump sum contract amounts in order to win the work. However, when contractors determine the price for change order work, it is not based on a competitive bid process. Pricing is often inflated as a result of overstated labor rates. Many organizations have benefited from contractor and subcontractor labor rate reviews in order to guarantee they are receiving the best possible price. You can drive down labor costs on your projects by using a third party construction auditor that has a database of national contractor labor rates and a comprehensive understanding of construction labor costs.

Change Orders

With any major construction project come surprises that can increase the scope of work. Even if your organization drafted the project contract using clear language and selected a fairly priced contractor to do the job, there is still the possibility that additional work outside of the original estimate will be required. If you are required to deviate from your original plan, a change order will be needed. For example, if a renovation project required additional electrical work outside of the original scope, the owner and contractor would execute a change order detailing who would perform the additional work as well as the cost of materials, equipment and labor for the new scope. It is important to carefully review every change order to gain an understanding of why the change is necessary and assess pricing to confirm that it is fair to both the contractor and the project owner.

MARK MCCARTHY, Senior Manager, Boston, Massachusetts | 617.842.2859 | [email protected]

Insurance and Bond Costs

Contractors’ project costs are often overstated as a result of complex self-insured insurance and bonding programs. Contractors can also inflate their insurance costs by billing for additional coverages not required by the contract agreement or by billing for limits in excess of the coverage required in the respective contract agreement. It is important that every owner carefully review the insurance coverage and costs related to their project to guarantee adequate insurance coverage while also mitigating the financial risk of insurance over-billings.

Understanding the major risk areas you face prior to beginning a construction project will help you to manage that risk from project inception to completion. At a minimum, owners need to execute clear contracts that consider the pricing of project budgets, labor rates, changes in the work, and insurance costs so that the project can stay within budget. When each of these risk areas is taken into consideration, organizations avoid costly over-billings and potential disputes.

Upcoming Industry Events

AUDIT WORLD CONFERENCE & EXPO HALL | JUNE 14 - 15, 2016 | BOSTON

Hosted by the MIS Training Institute, the Audit World Conference brings together auditors, thought leaders and experts from around the globe to collectively help improve the audit profession.

GOVERNANCE, RISK & CONTROL CONFERENCE | AUG. 22 - 24, 2016 | FT. LAUDERDALE

The Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) have collaborated to bring together governance, risk and control professionals to embrace challenges, forge solutions and define the future of global GRC.

SUPERSTRATEGIES CONFERENCE & EXPO | SEPT. 27 - 29, 2016 | LAS VEGAS

Hosted by the MIS Training Institute, the SuperStrategies Conference is designed to help internal audit executives understand these changes better and find new strategies to meet the challenges that accompany them.