Skip to Main Content

insightsarticles

"Free" COBRA for some employees: Employers may benefit, too

04.01.21

Read this if you are an employer with employees on COBRA. There are tax credits available to you. 

The American Rescue Plan Act of 2021 (ARP) creates a requirement that employers treat the total payment for Consolidated Omnibus Budget Reconciliation Act (COBRA) continuation coverage due from certain eligible individuals as being “paid in full” for April 1 through September 30, 2021 (Subsidy Period). The eligible individuals with COBRA coverage will not receive the subsidy directly from the government; rather, they will have a premium holiday during which time the employer pays 100% of the applicable COBRA premium. The employer will be reimbursed in full through refundable payroll tax credits.

The ARP provisions do not apply to all COBRA-eligible individuals; eligibility is limited to employees who lost health care benefits due to an involuntary termination or reduction in hours. While the loss of coverage event can be linked to COVID-19, it is not required to be. A loss of coverage event could have occurred as far back as November 1, 2019, since the law requires an employer to offer a continuation of COBRA coverage for 18 months after an involuntary termination (18 months from November 1, 2019 is April 30, 2021). Eligible individuals who opted not to pay for COBRA coverage will be given another opportunity to elect the free coverage.

Employers and COBRA administrators should prepare to distribute new COBRA election and subsidy notices and to make operational changes soon after further guidance is released. Eligible individuals not already on COBRA will need to act quickly after receiving the notice to elect subsidized COBRA coverage. Failing to timely elect COBRA coverage could result in forfeiting this valuable benefit.

It is expected many people will rush to take advantage of this opportunity, which can provide up to six months of health insurance at no cost. However, employers should keep in mind that the subsidy is available only for certain limited situations.

Which employers are eligible for the new subsidy?

Employers subject to federal COBRA provisions or to a state program that provides comparable group health care continuation coverage are not allowed to charge eligible individuals for COBRA coverage during the Subsidy Period. The subsidy applies to workers in every industry, most tax-exempt employers (except churches who are exempt from COBRA) and union, governmental, and Indian tribal government workers. The federal COBRA provisions generally apply to all private-sector group health plans maintained by employers that had at least 20 employees on more than 50% of its typical business days in the previous calendar year. Both full- and part-time employees are counted to determine whether a plan is subject to federal COBRA coverage. Many states have “mini-COBRA” laws that apply to employers who have fewer than 20 employees. The subsidy is mandatory for all employer-sponsored group health plans (i.e., all employers must offer the subsidy, regardless of whether the plan is fully or partially insured, or self-insured).

During the Subsidy Period, generally, the federal government will reimburse COBRA costs to employers by allowing credits against employers' Medicare (not Social Security or income) taxes (but for union plans, the plan would receive the subsidy and for insured, state “mini-COBRA” plans, the insurer would receive the subsidy). Guidance is needed to clarify how the flow of funds for the subsidy would work. The full cost of COBRA continuation coverage (including up to a 2% administrative fee) at any coverage level (e.g., single, “single-plus-one”, or family coverage) for employees and former employees and their spouses and dependents is eligible for the subsidy via the payroll tax credit. The subsidy applies to health, prescription drug, dental and vision plans, but does not apply to health flexible spending accounts (FSAs), health savings accounts (HSAs), or long-term care plans (further guidance is needed to clarify the scope of the subsidy).  

Due to the fact that most individuals who elect COBRA group health care continuation coverage usually pay 100% of those premiums (and in many cases they must also pay up to a 2% administrative fee), the new subsidy via the employment tax credit keeps the free COBRA coverage at zero cost to the employer. While the employment tax credit is taxable income, it will be offset by the employer’s deductible payment of the healthcare premiums.

Impact on eligible individuals

An eligible individual with an existing or new COBRA election will be provided tax-free health care coverage (both the premium and any administrative charge) at no charge for their remaining COBRA period that overlaps with the Subsidy Period.   

The free COBRA provided during the Subsidy Period would be “affordable” coverage under the Affordable Care Act (ACA). But it is not clear how this “affordable” coverage affects an individual who has purchased coverage on the exchange before they had an offer of affordable coverage.

A recipient of the free health care coverage must notify the employer or plan administrator when they become eligible for Medicare or another group health plan—other than coverage under an excepted benefit, an FSA or a qualified small employer health reimbursement arrangement (QSEHRA). Individuals who fail to promptly give this notice could be subject to a $250 fine and other penalties.

Who is eligible?

Generally, individuals are eligible for free COBRA coverage if (1) they are involuntarily terminated or have a reduction in hours that qualifies them for federal or state COBRA coverage and (2) the Subsidy Period overlaps with their COBRA coverage period.

The new COBRA premium assistance is not available to the following individuals:

  • Employees who are terminated for gross misconduct.
  • Employees who voluntarily terminated their employment or who retired.
  • Individuals who are eligible for COBRA due to other reasons, like divorce, death, or loss of dependency status.
  • Individuals who are eligible for other group health care coverage (such as from a new employer) or Medicare.
  • Individuals who are beyond their normal COBRA coverage period connected to the original qualifying event (i.e., the employee’s involuntary termination or reduction in hours that caused a loss of group health plan coverage).
  • Domestic partners who are not federal income tax dependents of the employee.

What’s the coverage?

Generally, the COBRA coverage will be the same as the coverage elected just prior to the involuntary termination or reduction in hours. However, employers can (but are not required to) allow individuals who are eligible for premium assistance to change their coverage provided it does not result in an increased premium cost. Further guidance is needed regarding the scope of who can change to a lower cost health plan as a result of the new law.

Eligible individuals who lost health care coverage after October 31, 2019 but do not have COBRA coverage on April 1, 2021 due to nonelection or lapse of payment will have a new, 60-day opportunity to elect COBRA coverage. If timely elected, the COBRA covered period will begin on the date of the individual’s qualifying event, but it appears that no payment is due for months prior to April 2021 and no claims can be filed prior to April 1, 2021. For the months remaining in the COBRA period that coincide with April 1 through September 30, 2021, the employee makes no payment but will have claims paid in accordance with the plan’s provisions. To have continued coverage after September 30, 2021, the employee must make the payments required under the plan. If the individual finds this unaffordable, they can simply drop the coverage.

What notices are needed?

The federal government is expected to issue model required notices addressing the existence of the subsidy, the availability of the 60-day election period and advance notice of when the Subsidy Period will be ending. In the meantime, employers should prepare for the following new notice requirements.

  • Group health plans must modify their COBRA election notices for individuals who become eligible for federal or state COBRA during the Subsidy Period to notify them of the premium assistance (and, if applicable, the option to enroll in a lower priced plan).
  • By May 31, 2021, individuals who previously rejected (or terminated) COBRA coverage and to whom a new election period must be offered, must be notified of their new election period and the availability of the premium assistance. This essentially creates a special COBRA enrollment period for such individuals.
  • Between August 17 and September 15, 2021, group health plans must provide a notice to individuals receiving the premium assistance stating that the subsidy will expire on September 30, 2021, and that they may be eligible for COBRA coverage without the subsidy. But if the subsidy would end earlier for any individual, the plan must provide a notice that the subsidy is expiring no earlier than 45 days and no later than 15 days before the subsidy expiration date.

It is not clear how these required notices must be delivered (sending paper mail to former employees may be needed).

How does the subsidy work?

Individuals who are eligible for COBRA premium assistance do not receive a payment from the federal government, group health plan, employer, or insurer. Rather, their COBRA costs are waived during the Subsidy Period.

Employers that sponsor a fully insured plan would continue paying the full premium to the insurer for the assistance eligible participants. Employers that sponsor a self-insured plan would pay the claims incurred by the assistance eligible participants. In both cases, the employer would receive no payment from the eligible individual during the Subsidy Period but would instead recover its COBRA costs (102% of the COBRA premium) for the assistance-eligible individuals by claiming a refundable federal tax credit against the employer’s Medicare taxes.

The COBRA subsidy is prospective only and cannot begin before April 1, 2021.

Although the law does not require employers to pay for any COBRA coverage, some employers pay for some or all of COBRA coverage (for example, as part of a severance package). Such employers can cease those contributions during the Subsidy Period and the federal government will provide the subsidy for 6 months. And although the subsidy is tax-free to employees, employers who take the COBRA premium tax credit must increase their gross income by the amount of such credit for the taxable year which includes the last day of any calendar quarter with respect to which such credit is allowed.
 
Also, under a “no double dipping” rule, employers cannot take the COBRA premium tax credit for any amount which is taken into account as qualified wages for the employee retention credit (ERC) under the Coronavirus Aid, Relief, and Economic Security Act (CARES) and Consolidated Appropriations Act, 2021 (CAA), or as qualified health plan expenses for the Families First Coronavirus Response Act (FFCRA), as amended by CAA and ARP. Likewise, amounts attributable to the COBRA premium tax credit would not be eligible payroll costs under the Paycheck Protection Program (PPP).

Guidance from the Internal Revenue Service (IRS) is needed to clarify how exactly employers would claim the tax credit, but it appears that employers would claim the credit on their quarterly IRS Form 941 or in advance on IRS Form 7200 if the actual or estimated amount of the credit exceeds the employer's Medicare taxes for any calendar quarter. Further guidance is also needed regarding the mechanics of the subsidy for employers that have insured state COBRA coverage, since under Section 9501(b) of the ARP the tax credits reimbursements would go to the insurer, not the employer.

Other considerations

For past COVID-19 relief tax credits, such as the ERC and FFCRA, IRS guidance allowed employers to dip into withheld income and Social Security taxes as a source of claiming those refundable tax credits. But the IRS has not yet authorized such actions for the ARP COBRA subsidy tax credit. Social Security taxes may not be available as a source for the new COBRA tax credits, since the ARP was enacted under budget reconciliation rules which prohibit any changes to Social Security.

Employers are not allowed to voluntarily expand the group of people who are eligible for the special COBRA premium subsidy, because the federal government is paying the full COBRA premium for the designated class of assistance-eligible individuals.

We expect the IRS to issue FAQs on the new COBRA Medicare tax credits, similar to the FAQs that the IRS issued on the ERC and FFCRA payroll tax credits.

This new COBRA subsidy may be economically more valuable than using qualified health care expenses for the ERC, because ERC nets 70% on the dollar whereas the COBRA subsidy is 102% (premium plus administrative charge).

What should employers do now?

Employers should immediately identify all employees who lost group health plan coverage after October 31, 2019 due to an involuntary termination or reduction in hours, without regard to their COBRA elections, because such event would have entitled the individual to 18 months of COBRA coverage (i.e., through April 30, 2021). Guidance is needed on whether notices must be given to individuals in this group that declined COBRA due to eligibility in another employer’s plan or Medicare. Employers will need to notify individuals who have an unexpired COBRA period that premium assistance is available, and they have a right to reconsider their original COBRA election.  

Employers will also need to review and perhaps modify any existing, automatic processes that might otherwise terminate COBRA coverage when premiums are not received during the Subsidy Period.

Year-end reporting on health benefits should also be reviewed to ensure these increased COBRA participants receive the appropriate Form 1095-B or C for 2021.

Employers should develop a procedure to identify COBRA recipients who are eligible for the premium assistance and those who do not qualify (for example, employers will need to distinguish a voluntary quit from an involuntary termination of employment and whether the employee was fired for gross misconduct). For premium-assistance eligible individuals, employers must refund within 60 days any premiums paid during the Subsidy Period. Not all COBRA participants will qualify for the subsidy, so the plan administrator will still need to handle some premium payments from non-eligible individuals.

Vendor outreach

Many employers use outside service providers for their COBRA administration, so employers should reach out to their vendors as soon as possible to coordinate their response to the ARP changes to current COBRA rules, especially the special election period for certain assistance-eligible individuals.

Keep in mind that, separate from the ARP COBRA subsidy, many employees (and their family members) may currently have extended COBRA election rights due to COVID-19 deadline extensions. For example, ERISA Disaster Relief Notice 2021-1 issued on February 26, 2021, announced an individualized one-year deadline extension for COBRA elections, which begins on the date the clock for the particular deadline would have started running (i.e., the one-year extension is applied on a rolling basis to each deadline for each affected individual). But individuals electing retroactive COBRA coverage under those extended deadlines will generally have to pay the full COBRA premiums for such periods. Guidance is needed on how the deadline extension coordinates with the new COBRA subsidy.

Employers may recall that in February 2009, under the American Recovery and Reinvestment Act of 2009 (ARRA), the federal government subsidized 65% of COBRA premiums for certain individuals who were terminated or laid off between September 1, 2008 and March 31, 2010 due to the financial crisis linked to the bursting of the home mortgage lending bubble. The ARRA subsidy was extended through May 31, 2010, so perhaps with Democrats currently controlling both Congress and the White House, the ARP COBRA subsidy may be extended beyond September 30, 2021. Also, the ARRA may be a model for how the flow of funds will work for the ARP premium tax credits for insured state COBRA coverage.

If you have specific questions about your situation, please contact our Employee Benefits consulting team. We’re here to help. 

Related Services

Accounting and Assurance

Related Professionals

Principals

  • William Enck
    Principal
    Financial Services, Insurance Agencies
    T 207.541.2300

BerryDunn experts and consultants

Are you spending enough time on your paid time off plan?
Many questions arise regarding paid time off (PTO) plans and the constructive receipt of income, which can cause payroll complications for employers and phantom income inclusion for employees. In order to avoid being subject to penalties for not withholding income and payroll taxes and having employees be subject to tax on cash they have not received, certain steps need be followed if an employer wants to properly allow employees to cash-out PTO.

What the IRS is looking for.
The Internal Revenue Service (IRS) has issued a number of Private Letter Rulings (PLRs) that examine earned time cash-out programs. While such rulings don’t serve as precedent, it appears the IRS has come up with the following factors that it deems important in order to avoid constructive receipt in a PTO cash-out situation:

  1. Employees must make a written election before the end of December in the year prior to the year they will be earning and receiving the accrued earned time to be cashed-out.  This is an election to receive a cash payout of the earned time to be accrued in the following year.
  2. The election must be irrevocable.
  3. The payout can only happen once the employee has actually earned and accrued the earned time in the following year. Payouts are generally once or twice per year, but may happen more frequently.

The IRS appears to generally require that the earned time being paid out be substantially less than the accrued earned time owed to the employee. This is to ensure that the earned time program remains a bona fide sick or vacation pay plan and not a plan of deferred compensation. This particular requirement can get tricky and may be different in each employer’s case.

Why does it matter?
The danger of failing to follow IRS guidelines regarding earned time cash-outs is that the IRS could claim that the employees offered a choice to cash-out are in constructive receipt of their accrued earned time balances regardless of their choice. This would result in immediate taxation of all accrued amounts to the employees, even if they hadn’t received the cash. The employer would also be subject to penalties for not properly withholding federal and state taxes.

It is important to review your PTO plan to be sure there are no issues regarding constructive receipt and to make sure your payroll systems are correctly reporting income.

The IRS issued proposed regulations under Code Section 457 in June of 2016 regarding, in part, non-qualified deferred compensation plans of not-for-profit (NFP) organizations. Those regulations contain guidance regarding the cash-out of sick and vacation time and the possibility that certain cash-out provisions may create a plan of deferred compensation and not a bona fide sick leave or vacation leave plan. As noted above, such a determination would be disastrous as all amounts accrued would become immediately taxable. NFP organizations and their advisors should keep a close eye on the proposed Section 457 regulations to see how they develop in final form. Once the regulations are finalized, NFP organizations may need to make changes to their cash-out provisions.

Please note that the above information is general in nature and is not meant to provide guidance on any particular case. If you have any questions about your PTO plan, please contact Bill Enck.

Article
Paid time off plans: IRS guidelines and why they matter

When it comes to offering non-qualified deferred compensation to executives of not-for-profit organizations, there aren’t many options. Your organization must follow the rules and related guidance outlined in Internal Revenue Code Sections 457 and 409A. There are two types of non-qualified deferred compensation plans: Eligible (457(b) plans) and ineligible (457(f) plans)

  • 457(b) plans operate very similarly to 403(b) or 401(k) plans and have an annual benefit limit.
  • 457(f) plans have no annual benefit limit but the participants must include the benefits in taxable income when the substantial risk of forfeiture lapses.

Changes are on the table
And that's largely a good thing.The proposed regulations provide guidance in several key areas used to determine whether a substantial risk of forfeiture exists or not. For the most part, the proposed guidance is welcome news and provides an employer with more flexibility than originally expected.

Earlier this year, the IRS issued proposed regulations which describe just what constitutes a substantial risk of forfeiture under an ineligible 457(f) plan and what types of benefits are not considered to be ineligible 457(f) plans. Because of the tax implications to the executive, this is important for your organization to understand and communicate.

What the proposed regulations cover:

  1. Non-compete agreements
  2. Rolling risks of forfeiture (e.g., rolling vesting schedules)
  3. Determining the present value of accrued benefits
  4. Plans that are not considered 457(f) plans, including bona fide severance pay plans

In each of these areas, the proposed regulations provide employers with specific rules to follow in order to design and operate a plan, whether it's an existing plan or one adopted before or after the rules are finalized. Current plans will not have grandfathered status. 

What you need to do
For existing deferred compensation arrangements or employment contracts that provide for severance pay for deferred compensation arrangements,you must:

  • Take inventory of the types of benefits you provide (e.g., severance pay, 457(b), 457(f) plans)
  • Review plan provisions and determine the changes you need to make in order for them to be in compliance with the guidelines. 
  • Make the appropriate changes to the plan or employment contract provisions before the final regulations are effective.
  • The final regulations generally will not be effective until 90 days after they've been published. You may rely on them in the interim.

If you have questions or concerns
We've helped many not-for-profit organizations design and develop executive compensation packages, including deferred compensation plans. Our Benefits Compensation experts are well versed in the rules that apply to deferred compensation and severance pay plans and can help guide you through the process to:

  1. Create a plan that meets the needs of your executive and your organization
  2. Determine if any changes must be made to the benefits you’re currently offering

Contact Bill Enck if you have questions or need help.

Article
Do you sponsor a 457(f) plan? If so, keep reading!

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board that can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time. Even if it’s temporary. 

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

  • Who is taking over what responsibilities? 
  • How and what will be communicated to your company and stakeholders? 
  • How and what will be communicated to the market? 
  • How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media changed the game in terms of speed and access to information to the public and transparency when it comes to corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Crisis averted: Why you need a CEO succession plan today

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

  • Financial risk management, including planning and record-keeping
  • Management of compliance and regulatory requirements
  • Creating and monitoring reliable control systems
  • Debt and equity financing
  • Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Three reasons to consider hiring an interim CFO

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including managment, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?

RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organizations’ overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

Read our next cybersecurity playbook article, Tapping your internal capacity for better results: Cybersecurity playbook for management #3, here.

Article
Selecting and implementing a maturity model: Cybersecurity playbook for management #2

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG
: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG
: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between processed-based and capability-based models?
RG
: Processed-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG
: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG
: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG
: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG
: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

You can read our next chapter, Selecting and implementing a maturity model: Cybersecurity playbook for management #2here.

Article
Maturity modeling: Cybersecurity playbook for management #1

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways  you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

  1. First, for a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.
     
  2. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
    • External factors, such as GDP growth, unemployment rates, and housing prices
    • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted
       
  3. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.
     
  4. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

    Step Two: Adjustments to Historical Loss Rates

    The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area.  Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

    The approach for these loans is the same as in the previous step. However:

    These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

    Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

    To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

    Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

    Other resources
    For more information on CECL, check out our other blogs:

    CECL: Where to Start
    CECL: Bank and Branch Acquisitions
    CECL: Reasonable and Supportable

    To sign up to receive notification of our next CECL update, click here.

    • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
    • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
    • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
    • In substep (e), you would apply those rates to loans in that geographic area.
    • How to break down the portfolio
    • Which conditions to analyze
    • How to analyze the conditions for correlation with historical loss periods
    • Which resulting loss factors to apply to which loans
Article
CECL implementation: So, you've developed reasonable and supportable forecasts — now what?