Channel: Enterprise Risk Management – insBlogs

RMORSA Part 3: Risk Appetite and Tolerance Statement


The third step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) is the implementation of a risk appetite and tolerance statement. This step sets boundaries on how much risk your organization is prepared to accept in pursuit of its strategic objectives.

An organization-wide risk appetite statement provides direction for your organization and is a mandatory part of your assessment. As defined by COSO (one of the risk management standards measured in the RIMS Risk Maturity Model umbrella framework), the risk appetite statement allows organizations to “introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits.” A risk appetite statement should be reflective of your organization’s strategic objectives and serve as a starting point for risk policies and procedures.

Once your organization has documented your risk appetite (and received the board’s approval), the question becomes: How do you measure whether your organization is adhering to it? The answer is to implement risk tolerances.

While risk appetite is a higher-level statement that broadly describes the levels of risk management deems acceptable, risk tolerances set the acceptable variation around a specific measure. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing a tolerance: a measurable threshold that can be monitored.

Why Set Tolerance Levels?

Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the organization will achieve its objectives.

The second step of RMORSA, risk identification and prioritization, outlines a risk assessment process for your organization that provides quantitative language for risk-based decision making. This standardized scale allows you to discuss the resulting assessment indexes to determine a uniform tolerance throughout the organization. It may not be possible to set accurate tolerances until risk intelligence has been collected over a period of time, but eventually you’ll be able to prioritize resources to the risks with the highest variation.

The process of articulating a risk appetite statement and setting tolerances brings your ERM program into alignment. Every day, process owners make operational decisions about risk far from the organization’s risk appetite statement, which is set at a senior executive level. By setting tolerances, process owners are provided benchmarks they can use to measure their performance.

Align with Strategic Goals

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. It is important to remember that risk appetite and tolerance levels are not static. They should be reviewed and reconsidered periodically by senior executives to keep your organization moving in the right direction.

To learn more about implementing risk appetite and tolerance in your business, download our complimentary eBook “5 Steps Towards an Actionable Risk Appetite.”

The post RMORSA Part 3: Risk Appetite and Tolerance Statement appeared first on insBlogs.


Equifax Data Breach: What Businesses Should Be Doing To Protect Themselves


On September 7, big-three credit reporting company Equifax reported that hackers had gained access to the personal information of about 143 million U.S. consumers, and it later reported that as many as 100,000 Canadian consumers were affected as well.

As I watch the Equifax scandal unfold, it becomes clear to me that many are at a loss of what to do, or even how to think about this data breach. The first reaction people have is centered on if they, their friends, or family were personally impacted. Rightfully so.

In addition to the personal reaction, however, I would call on all employers to consider how this breach, and future breaches, could affect their business. Contrary to popular belief, the answer to avoiding the consequences of this breach has little to do with technology. The weakest links right now are people, processes, and procedures. First and foremost, your business is comprised of people, people who have access to sensitive information from bank accounts to what gets published on your website, and whose identities are now at risk of being stolen.

Hackers will always go for the lowest hanging fruit with the most bang for their buck. Finding weaknesses in a corporation’s technology is time consuming. But with the information gained from the Equifax hack, it is now exponentially easier for identity thieves to impersonate those with access to sensitive information and authorize fraudulent actions that could do immense damage to your company, from both a financial and reputational perspective.

The answer to protecting your company from these damages is actually quite simple, and costs little beyond the time to do it. You have to rewrite your processes, or playbooks if you will, for how you protect your employees and how you authenticate sensitive requests, both internally and through your third-party vendors.

Playbook One: How to take care of your employees after the Equifax Breach

The first step is to take care of your employees. Awareness of this data breach and its potential consequences is enough to induce a great deal of anxiety in your employees and noticeably reduce productivity. Ultimately, the only way you can ensure that your business is running smoothly, and that your customers are getting the service they deserve, is to alleviate that anxiety.

The best way to do this is to educate them on what this breach means for them, and what they can do to protect themselves. Direct them to articles outlining the difference between credit monitoring, fraud alerts, and credit freezes. Give them recommendations on which option is best and the next steps to pursuing that option.

Another way to alleviate your employees’ anxiety is to encourage them to get identity restoration support, or better yet, offer it to them through the company. Knowing that even if they are victims of identity theft, they’re covered provides a huge sense of relief.

I have already written this playbook outlining what American consumers should be doing to protect themselves after this breach. Feel free to read the article here.

The benefits of writing this playbook are manifold. Your employees will feel safe and secure enough to focus on their work. Taking demonstrable steps to help your employees protect themselves and their families will also improve company culture and inspire your employees to look out for your best interests in return.

Playbook Two: Change Internal Authentication Procedures

The next step is to change how sensitive requests and actions are authenticated internally. With a flood of SSNs, birthdates, driver's license numbers, addresses, and names now on the market, it is no longer effective or prudent to authorize these actions based on that information.

Banks have gotten better at rewriting this playbook. You may have noticed that in recent years banks have moved away from questions whose answers sit in public records or data-broker files, such as what your first car was, because identity criminals can look those up. A question like your favorite color is not in any public record, but it is also a low-entropy answer that is easy to guess or to learn from social media, so it should be one input among several rather than the sole gate on a sensitive action.

Although most companies have been gearing up for years for digital hacking prevention, fewer resources have gone into employee identity theft vulnerabilities. The truth is, if verbal authentication is based on information breached from Equifax, any impersonated employee can have their accounts manipulated, addresses changed, and passwords reset and sent out, and because that reset happens outside your digital controls, it bypasses two-factor authentication and your other defenses entirely.

Every company in every industry should be reviewing its internal controls and moving to an authorization process that does not rest on information found in the public domain or in breached data sets. Classic security questions such as favorite animal, best friend's name, or first pet's name fall into that category too: the answers often appear on social media or in earlier breaches, so they should not be treated as proof of identity.

For example, if you have sensitive equipment or restricted areas at your facilities, how will you prevent identity thieves from impersonating employees to gain access? How do you know you are not authorizing a breach of your data by an impersonated partner or employee authorizing access for change of password assistance or other activities? Your employees’ information is now likely for sale, and the buyers may not only be interested in direct credit card theft, but business espionage, terrorism, and competitor actions, as well.

Playbook Three: Change Third-Party Authentication Procedures

Once you have rewritten your internal authentication processes, you must make sure that all third-party vendors are dealt with similarly. Today, every company is outsourcing one process or another. The fact is, these vendors are dealing with sensitive information and processes that could have an immense impact on your company. As I often say, you can outsource the process, but you can never outsource the risk.

For example, although most companies process payroll electronically, what is there to prevent a phone call to your payroll provider to make administration changes? What information is used to authenticate payroll distributions if provided verbally? There must be a phone protocol that does not rely on information that can be impersonated.

Every company has different impersonation/identity theft risks, but there are some universal questions each company should ask of themselves:

  • Who are the key control personnel with security clearances and access to sensitive information?
  • What would be the impact if their personal identities were compromised by third parties and used in the workplace against the company?
  • What information do you depend upon to authenticate verbally with your third-party vendors like datacenters that manage your customer’s sensitive data to issue new ID cards, entrance badges or changing personnel records?
  • Have you updated your vendor forms for collecting information and data privacy consents including photographic images?
  • How will you confirm, through due diligence, that your key suppliers have rewritten their own internal control procedures as described above?
  • How will you monitor their compliance with your new policies and procedures?

The Equifax data breach has redefined operational risk and is a point of no return for enterprise risk management, as every corporation will need to develop an ERM program that can help them answer these questions. For more on the business implications of the Equifax data breach, read my blog Equifax Data Breach: The Point of No Return.

Fortunately, if all of your internal authentication processes, and all of those used by your third parties, rely on information that cannot be found in the public domain or in breached data, you have dramatically reduced the risk of suffering the consequences of identity impersonation.
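Playbooks Two and Three reduce to one rule: knowledge that a breach or a public record can supply must never be what authorizes a sensitive change. As an added illustration, and not code from the original post, here is that rule expressed as a verification policy that a helpdesk or a vendor's service desk could apply before acting on a phone or email request. The action names, factor names, required-proof table and sample calls are assumptions made for the example, not anything the post specifies.

```python
"""Verification policy for sensitive requests made by phone or email.

Identifiers exposed in mass breaches (SSN, date of birth, address, driver's
license number) and guessable knowledge-based answers (first car, first pet,
favorite color) may be used to locate a record but never count as proof.
Sensitive actions require possession factors, optionally backed by a second
person's approval. All names and thresholds here are assumed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class Factor(Enum):
    # Knowledge that is public record, was breached, or is easily guessed.
    STATIC_PII = "static_pii"              # SSN, DOB, address, license number
    KBA_GUESSABLE = "kba_guessable"        # first car, first pet, favorite color
    # Possession of something an impersonator on the phone does not have.
    CALLBACK_ON_FILE = "callback_on_file"  # desk hangs up and calls the number on record
    TOTP = "totp"                          # code from the enrolled authenticator app
    HARDWARE_TOKEN = "hardware_token"
    # A second human in the loop.
    MANAGER_APPROVAL = "manager_approval"  # recorded approval from the manager on file


# Only possession factors count as proof; everything else is lookup data.
PROOF_FACTORS = {Factor.CALLBACK_ON_FILE, Factor.TOTP, Factor.HARDWARE_TOKEN}

# Assumed policy table: (number of distinct proof factors required,
# whether a manager approval may stand in for the second one).
# A real table comes out of the risk assessment of each process.
POLICY = {
    "unlock_account":         (1, False),
    "password_reset":         (1, False),
    "change_mailing_address": (1, False),
    "mfa_reset":              (2, True),
    "change_payroll_account": (2, True),
    "issue_building_badge":   (2, True),
}


@dataclass
class Request:
    action: str
    subject: str                                  # employee the request is about
    presented: Set[Factor] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


# Documenting each decision is itself part of the playbook.
AUDIT_LOG: List[str] = []


def verify(req: Request) -> Decision:
    """Decide whether the presented factors satisfy the policy for the action."""
    rule = POLICY.get(req.action)
    if rule is None:
        decision = Decision(False, f"unknown action '{req.action}'")
    else:
        required, manager_can_substitute = rule
        proofs = req.presented & PROOF_FACTORS
        have = len(proofs)
        # Approval only counts alongside at least one possession factor,
        # so a caller with nothing but PII and a forged approval still fails.
        if manager_can_substitute and Factor.MANAGER_APPROVAL in req.presented and have >= 1:
            have += 1
        if have >= required:
            decision = Decision(True, f"{sorted(f.value for f in proofs)} satisfy policy")
        elif not proofs:
            offered = sorted(f.value for f in req.presented)
            decision = Decision(False, f"no possession factor presented, only {offered}")
        else:
            decision = Decision(False, f"need {required} proof factor(s), have {have}")
    AUDIT_LOG.append(f"{req.action} for {req.subject}: "
                     f"{'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})")
    return decision


if __name__ == "__main__":
    # Constructed sample calls, not real requests.
    calls = [
        Request("password_reset", "jdoe", {Factor.STATIC_PII, Factor.KBA_GUESSABLE}),
        Request("password_reset", "jdoe", {Factor.STATIC_PII, Factor.TOTP}),
        Request("change_payroll_account", "jdoe", {Factor.CALLBACK_ON_FILE}),
        Request("change_payroll_account", "jdoe",
                {Factor.CALLBACK_ON_FILE, Factor.MANAGER_APPROVAL}),
        Request("change_payroll_account", "jdoe",
                {Factor.MANAGER_APPROVAL, Factor.STATIC_PII}),
    ]
    for call in calls:
        d = verify(call)
        print("ALLOW" if d.allowed else "DENY ", call.action, "-", d.reason)
```

The weak factors are still accepted so the desk can find the right record, since a caller has to say who they are, but they never move the decision. The callback-to-number-on-file factor is only as good as the record it calls, which is why an address or phone change is itself a guarded action here, and the audit log entries are the documentation that the last of the tips below asks you to keep.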

Tips for rewriting these playbooks

At first glance, rewriting all of your authentication procedures seems a daunting and even impossible task. But in fact, enterprise risk management at its core is designed to achieve this exact goal in a timely and cost-effective manner.

  1. The first step is to perform risk assessments. Every company is different and there’s no cookie-cutter way to prepare for the risks of a data breach or identity impersonation. The best way to rewrite these playbooks in a way that best supports your company is to perform risk assessments. Risk assessments will tell you which personnel, processes, policies, and technology need to be taken care of first.
  2. While you need to take care of all of your employees, it might be overwhelming to do this all at once. Therefore, you may choose to determine which employees are most critical from a security perspective and what the impact would be if they were to be impersonated, and take care of these employees first.
  3. The same goes for your authentication processes. It would be overwhelming to rewrite all process, control, and policy combinations at once, so it’s important to determine the processes and controls that would have the most impact on your company if compromised in order to allocate your time and resources effectively.
  4. Remember to repeat steps 1, 2, and 3 above for your third-party partners and customers. Since there are so many vendors and so many internal and external relationship owners, a risk assessment will quickly identify which vendors are higher risk than others for any process, department or function.
  5. Document the steps you are taking to protect your company. This way, if a breach occurs, you will be able to show regulators that you were aware of the risk and were taking reasonable steps to mitigate it, which puts you in a far stronger position against negligence claims and punitive penalties.

To help get you started, download a copy of our eBook 5 Steps for Better Risk Assessments, or download our free risk assessment template for excel.


A Shift in GRC: Consumers, Reputation, and Ethics


Recently, Forrester Research published “GRC Vision 2017-2022: Customer Demands Escalate As Regulators Falter,” which explores the challenges GRC will inevitably face as it develops and the solution that enterprise risk management provides. We’ve broken this report down to reflect our key takeaway: approaches to enterprise risk management must now consider the company’s consumer base, reputation, and ethical conduct.

Traditionally, approaches to ERM entail responding to published, well-established, and legally binding regulations. As it happens, however, the social and technological climate is changing at a rate that regulators can’t keep up with.

Consider this example: Facebook’s revenue relies largely on selling targeted advertisements, which the company has done without regulation and limited scrutiny for many years. Recently, however, Facebook reported that Russian-linked accounts bought thousands of politically divisive ads during the 2016 campaign that reached 126 million users. By the time Sen. John McCain and other lawmakers could introduce a new “Honest Ads Act” that would hold sites like Facebook and Twitter to the same federal disclosure requirements as ads sold on TV, the damage had already been done.

Shortcomings in good governance such as this are proof that there is a new and better approach to GRC.

Consumers

Even if regulators can’t always keep up with the times, consumers can. We’re in a see-through economy—a dizzyingly fast-paced age of transparency where consumers are empowered to impact a company’s reputation.

What does this mean for risk management? Simply put, it means that risk management is an imperative business process; for, according to Forrester’s report, the consumer is taking matters into her own hands where regulators are falling short.

Reconsider the Facebook example: The Russian scandal was only a catalyst that brought the root of the issue to light—Facebook can allow others to use consumers’ personal data against them. It’s one thing to be shopping for a pair of shoes and notice that your sidebars are filled with Zappos ads; it’s another for our personal data to be used to create divisive messaging that we ourselves do not agree with.

Consumers are realizing that they can’t blindly trust tech giants to use their data harmlessly, and that it’s up to them to demand more explicit privacy and consent policies. In response to customer outrage, as opposed to new regulations, Mark Zuckerberg announced changes in advertising practices that would improve transparency and make clear the sources of political ads run on their site.

Essentially, consumers become the new regulators on the block as they leverage social media to respond to regulatory missteps within seconds of encountering them. This new age of rapid data sharing means that companies have nowhere to hide when their actions rub a customer the wrong way, be it a salty customer service rep or a threatening data breach.

The speed of our see-through economy means that risk managers must anticipate risk before it arises. It’s time for risk management to be proactive, not reactive. Offensive, not defensive.

Reputation

Another symptom of this age’s data sharing habits is the inevitable effect it has on a brand’s reputation. If consumers are quick to share their negative experiences with a company, then patterns of negligence will surface. People can often forgive one faux pas, but they find it harder to forgive pervasive negligence.

Why does reputation matter to an organization? According to Forrester’s report, “Intangible assets — such as intellectual property, goodwill, proprietary ‘know-how,’ user base, customer experience, brand, and reputation — account for 87% of the net worth of the S&P 500.”

Why does reputation matter to risk management? Companies manage risk to achieve their business goals, which either explicitly or implicitly include building and maintaining a good reputation. But reputational risk does not exist in its own silo; it’s a negative impact of any risk event. And if a diminished reputation equals diminished market value, then companies today are more susceptible than ever to risk events that damage market perceptions.

Ethics

There is, of course, a direct connection between consumers and reputation. Ultimately, a company’s reputation is decided and propagated by its customer base. So how does a business ensure that its customer base is endowing it with a reputation that is “good”?

More easily said than done, businesses are tasked with discovering, first, what’s important to their customers, and second, what actions they can take to align their values with those of their customers.

As Forrester’s report states, “Executives skeptical of the need to invest in GRC will cite lack of customer interest in corporate ethics.” Here are a few statistics we found that prove otherwise:

  • 66% of consumers are willing to spend more on a product if it comes from a sustainable brand.
  • 85% of consumers would switch brands to one associated with a cause.
  • 87% of consumers would rather purchase a product with a social or environmental benefit.
  • 81% of millennials expect their favorite companies to make public declarations of their corporate citizenship.

The bottom line is that customers are overwhelmingly concerned with the social, environmental, and overall ethical ramifications of a business’s actions. It’s the new and unique challenge of risk managers to discover risks that may impact a brand’s alignment with its customers’ ethics, and therefore its good reputation.

Where is GRC headed?

ERM has slowly developed over the past 15 years, heeding the consumer’s voice, the business’s reputation and ethical conduct only when scandal manifests. But the rate of social and technological change is too high for risk to be managed retroactively anymore.

In order to comply with the changing climate in which risk abounds, ERM solutions must account for the consumer. How? In the report we’ve been discussing, Forrester shares some recommendations for better risk management, which we agree will lead to a new and better approach to GRC.

  1. Work with marketing peers to understand your customers’ expectations. Consumers are speaking out, and it’s always been the job of marketers to listen. This means that your organization’s marketing department is one of the best resources for the board and risk managers to determine what matters to their customers, and therefore what potential risks could relate to future business conduct.
  2. Create transparency for your business before your customers create it for you. Once again, consumers are talkative, and they have the means to expose any and all wrongdoings before you can even bat an eyelash. Companies are better off building a culture of responsibility into every area of their business, and being vocal about it.
  3. Add reputational risk to all risk assessments so that you can work proactively to mitigate any risks that pose a threat to your company’s hard-earned reputation. Again, reputational risk doesn’t exist in any one silo. Take an enterprise risk management approach to ensure reputational risk is being managed across silos.

Read the full Forrester report here: McClean, Christopher, Nick Hayes, Renee Murphy, and Claire O’Malley. “GRC Vision 2017-2022: Customer Demands Escalate As Regulators Falter.” Forrester Research. 2 February 2017.

Hear how LogicManager has adapted to the see-through economy by providing a better way to GRC.


Uber Hack: A Company in Need of Risk Management Rehab


The hot water in which Uber has been simmering has just reached new thermal heights. Back in October 2016, hackers stole the personal data of 57 million customers and drivers, including names, email addresses, phone numbers, and, in the drivers’ case, driver’s license numbers. Uber finally disclosed the breach this month.

Now, next to the scope and nature of other breaches such as Equifax and Yahoo, the Uber hack may appear to pale in comparison. However, this company represents countless organizations that have perpetrated repeated failures in risk management.

Other examples include Wells Fargo and Chipotle. My first Wells Fargo cross-selling blog foreshadowed their July 2017 data breach and auto loan scandal. Chipotle keeps poisoning its customers with foodborne illnesses, and while two CEOs have stepped down, the outbreaks keep occurring.

Wells Fargo is a bank, Chipotle is a restaurant, and Uber is a ride-hailing company; yet, these seemingly unrelated companies have something in common. They have failed to identify the root cause of their risk, and so have fallen victim to multiple, preventable, failures in risk management. To this we say, time for risk management rehab.

Repeated scandals due to negligence in risk management will continue to produce additional scandals in other business areas that on the surface look different, but are caused by the same failed risk management processes and systems, until they’re addressed.

We can take a look into the Uber hack along with the other missteps Uber has perpetrated and see that there is a common thread between them that not only includes the absence of healthy risk practices, but a lack of senior leadership that recognizes the true value of these practices.

The Uber Hack Was Concealed for Over a Year

The Uber hack occurred in October 2016, but was not disclosed until this month, November 2017. After obtaining the information, hackers approached Uber with a demand for ransom. The company’s CSO and one of his deputies were able to keep the hack under wraps for a time by paying the attackers $100,000.

The problem is that there is a patchwork of state and federal laws that require companies to alert people and government agencies when sensitive data breaches occur. Uber was obligated to report the hack of driver’s license information at least, and failed to do so.

When this breach occurred, Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data.

Uber has earned a reputation for falling short of protecting its customers and drivers since its founding in 2009. The U.S. government had opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes, and theft of intellectual property. And, of course, the company suffered a sexual harassment scandal that surfaced in February 2017.

Good Risk Management Means Good Risk Culture

What we’re seeing at Uber and in their scandals is a common thread of bad risk culture, which is defined as weak governance processes and lack of an effective risk management system. In all of these instances, having an enterprise risk management program in place would have given the company the tools to prevent scandal.

In the case of the Uber hack, an ERM system could have identified and filled any gaps in their cybersecurity policies and procedures. And then, even if a breach did occur, it would have recorded their efforts towards improvement and automatically triggered alerts to relevant parties of the breach’s occurrence. Both measures would have safeguarded them from financial penalties.

However, these systems are only as good as the people who encourage their use. In order to leverage ERM’s full potential, there needs to be pervasive tone-from-the-top support. Joe Sullivan, Uber’s Chief Security Officer at the time, his lawyer Craig Clark, and former CEO Travis Kalanick chose to pay the attackers and stay silent rather than comply with breach-notification requirements.

Companies need to be run by boards and C-suite executives that understand the importance of a healthy risk culture. Part of this culture is recognizing that compliance is more than a check-box exercise. Regulations exist to protect stakeholders of all kinds, from employees to consumers to investors. Uber may have avoided litigation and reputational catastrophe for a year, but the truth ultimately surfaced, as it always will in today’s see-through economy. Now, Uber will suffer not only lofty financial penalties but also consumer outrage, as its users and drivers drift to its competitors.

What Does the Future Hold for Uber Post-Hack?

The Uber hack is the latest scandal the new CEO, Dara Khosrowshahi, has inherited from Kalanick. In an emailed statement, he wrote, “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”

As a part of his goal to change Uber’s ways, Khosrowshahi asked for the resignation of Sullivan and fired Clark. This is an important step in building a new, healthy risk culture. The new CSO, as well as the new CEO, must comprehend the root cause of their issues and perform every effort to imbue their company with a culture that sees risk management as a top priority for keeping their reputation clean and their stakeholders safe.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Only time will tell if Khosrowshahi learns the right lesson and takes this opportunity to enroll his company in risk management rehab.

To learn about the 5 characteristics the best ERM programs have in common, download our free eBook.


How to Use the COSO 2017 Framework Update


This September, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a much-anticipated update to its 2004 “Enterprise Risk Management—Integrated Framework,” a renowned and widely used risk management framework. The new release is formally called “Enterprise Risk Management—Integrating with Strategy and Performance.”

The COSO update comes to meet the rising expectations of risk management, according to Bob Hirth, COSO Chair: “The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting…Our overall goal is to continue to encourage a risk conscious culture.”

The risk landscape has changed drastically and will continue to do so. I often cite the SEC’s Proxy Disclosure Enhancements as a proof point of this change. The rule holds boards explicitly responsible for their company’s risk management programs by requiring them to either adopt an effective ERM program or disclose their risk management shortcomings. Other standards that underscore this transitional landscape are the Yates Memo, the IIA’s International Professional Practices Framework, and SEC Regulation S-K.

Failures in risk management have become all too common, and consumers, in addition to regulators, are taking action. Facebook and Equifax are poignant examples of this. Consumers will start to move their business and loyalty to institutions that can demonstrate effective risk management and governance because they are the only companies who will be able to prove their trustworthiness.

Managing risk has become undeniably complex and more imperative than ever before. However, frameworks like COSO 2017 provide a sense of assurance and a method to re-establish a world without catastrophic corporate scandals.

COSO 2017 Emphasizes Creating Value

The road to this restored confidence is enterprise risk management, which COSO defines:

“Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.”

I couldn’t agree with this definition more. It touches on many attributes of ERM that I’ve long championed: integration across silos and levels, strategy and goal alignment, culture, and performance.

Another framework which I co-authored, the RIMS Risk Maturity Model (RMM), also emphasizes value. In fact, an independent study by Queen’s University, “The Valuation Implications of Enterprise Risk Management Maturity,” based on RMM data found that organizations with mature ERM programs realize a 25% market valuation premium over those in which “silo-based risk activities are dominant.”

Realizing this value, however, is more than a matter of understanding the theories presented by COSO 2017. It’s a matter of taking actionable steps towards aligning with those theories. It’s also a matter of prioritizing these steps, as it is often too big a task to take on all at once. Not all components presented by the COSO update contribute equal business value; those that contribute more value should of course be prioritized.

Below are some of the theoretical goals of the updated Framework that I resonate with most, as well as some helpful resources I’ve published that show you how to implement COSO 2017.

The enhancements are ordered by percent contribution to business value, as determined by “The Valuation Implications of Enterprise Risk Management Maturity” study.

Identifying Risks Across Departments

As put forth by the Framework, “Organizations that integrate enterprise risk management throughout the entity can realize many benefits including…increasing positive outcomes and advantage while reducing negative surprises: Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.”

While I wholly agree with this sentiment, I would also add that there is a crucial difference between risk outcome and root cause, as this distinction is vital to effective risk identification. All organizations must not only understand the distinction between risk outcome and root cause, but actively identify root cause instead of outcome. A fundamental problem in risk management is the identification of risk symptoms, not root-cause risks, which allows the initial problem to persist.

The Queen’s University study revealed that, statistically, an effective root-cause discipline and consistent uncovering of risks combine for 31% of ERM’s total valuation impact.

Related resource: 5 Steps for Better Risk Assessments

Using ERM to Enhance Performance

The COSO update emphasizes the correlation between risk management and enhanced business performance:

“Every entity has a mission, vision, and core values that define what it is trying to achieve and how it wants to conduct business. Some organizations are skeptical about truly embracing their corporate credos. But mission, vision, and core values have been demonstrated to matter—and they matter most when it comes to managing risk and remaining resilient during periods of change.”

COSO’s acknowledgment of performance as being intimately related to enterprise risk management is a key step forward for the industry. To go beyond a mere understanding of this principle, and to achieve its implementation, organizations must measure their board risk oversight by collecting internal metrics, uncovering trends, and using that data to execute strategy.

Performance Management, one of the seven attributes defined by the RIMS Risk Maturity Model, accounts for 23% of the market valuation premium.

Related resource: Meaningful Metrics: Using ERM to Inform Strategy

Integrating ERM Throughout the Organization

“Enterprise Risk Management—Integrating with Strategy and Performance” clarifies the “importance of enterprise risk management in strategic planning and embedding it throughout an organization—because risk influences and aligns strategy and performance across all departments and functions.”

The Framework itself is a set of principles organized into five interrelated components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting.

I’ve always believed that organizations should not operate as a collection of independent silos. Instead, risk management should extend across all business areas and ultimately align with the corporation’s strategic objectives.

  • First, there is the principle of cascading: risks, regulations, and objectives should trickle down to the most appropriate hierarchical level so that all managers can align their activities with high-level goals.
  • Then there’s the principle of aggregation: organizations must be able to aggregate front-line concerns and escalate them to the appropriate level.
  • Finally, the principle of linkages: the reason ERM is so important, and so much more effective than siloed risk management, is that it identifies previously unknown links between departments.

This RMM attribute, ERM Process Management, is generally defined as “Integration into business processes to support the reduction of uncertainty and promote exploitation of opportunities.” It accounts for 20% of the total valuation impact brought by mature enterprise risk management.

Related resource: How to Integrate Governance Areas

Building a Healthy Risk Culture

The new COSO update clearly emphasizes the board’s risk oversight responsibility, a point many organizations need to improve upon. Boards need to foster the development of a risk-aware environment.

Too often, however, organizations emphasize aspects such as risk appetite too early and do not focus enough on areas that can be easily measured. Risk appetites, while useful, contribute less than 1% of the valuation premium, according to the RMM. Risk tolerance at the process activity level, however, is where the value is most gained because of its ability to be measurable and promote accountability.

The Queen’s University study determined that “the most important aspects of ERM from a valuation perspective relate to embedding discipline throughout the organization.” This attribute has an individual value contribution of 17%.

Related resource: 5 Steps Towards an Actionable Risk Appetite

What COSO Means for the Future of ERM

The new Framework also considers how businesses will have to adapt to keep up with the ever-increasing uncertainty in the business world. Regulations will keep changing, data will keep growing, and accountability will continue to increase.

Specifically, COSO 2017 references dealing with the proliferation of data, advising “advanced analytics and data visualization tools will evolve and be very helpful in understanding risk and its impact.” The Framework also mentions artificial intelligence and automations, stating “it is important for enterprise risk management practices to consider the impact of these and future technologies, and leverage their capabilities.”

I believe this future has already arrived. Instilling a sense of certainty and simplicity enterprise-wide is more than a one-person, one-team, or one-department job. Achieving a truly integrated approach to ERM and drastically enhancing performance already demands a powerful software solution.

Related resource: 7 Ways to Build the Business Case for ERM Software

The post How to Use the COSO 2017 Framework Update appeared first on insBlogs.

4 Predictions for Risk Management in 2018


2017 presented a whirlwind of corporate scandals: United Airlines, Wells Fargo, Facebook, Uber, Chipotle, Equifax, WannaCry…the list goes on and on. Many of these companies suffered second and even third scandals when they failed to learn their lesson from the first.

But for every company that’s suffered a failure in risk management, I believe there’s a company that’s looking over these headlines and doing everything they can to prevent a scandal of their own, for there are many lessons to be learned from 2017.

The most important lesson is that these scandals, although seemingly diverse, are far from unique. I’ve written a lot of blogs over the past year that detail how companies have perpetrated failures in risk management. They neglected to adopt the proper systems and processes that would help them prevent scandals from occurring in the first place, and certainly from occurring a second time.

It’s an exciting time for enterprise risk management. A time for progress and immense change. Here are my predictions for risk management in 2018.

1. The See-Through Economy Will Spur the Need for Risk Management in 2018

In recent blogs, I’ve talked about this idea of the see-through economy. Every day the business world is becoming more transparent as consumers adopt technologies that allow them to share their experiences.

Facebook, Twitter, Instagram, Glassdoor, and Yelp enable customers to record and spread corporate missteps in a matter of seconds. Gone are the days when PR teams could swoop in and make a scandal disappear. Maintaining a good reputation, upholding market share, and retaining customer loyalty is now a matter of being proactive, not reactive.

Take the #metoo movement for example. Sexual harassment has been a pervasive problem at work and beyond for decades. Social media empowered many to speak out against it and effect change. According to a recent Wall Street Journal article, the movement has grabbed investors’ attention, as well.

According to their study, “77% of boards hadn’t talked about sexual harassment, 88% hadn’t implemented a plan of action as a result of recent revelations, and 83% hadn’t evaluated the company’s risks when it came to sexual harassment. Their most commonly cited reason for inaction? A perception that sexual harassment wasn’t a problem at the company.”

The see-through economy has unearthed shocking oversights and practices that companies can no longer cover up. Issues all the way from sexual harassment to corrupt data practices have been unearthed too many times to be considered one-off incidents. Rather, they are systemic issues with specific root causes that can be uncovered, mitigated, and monitored.

Effecting change isn’t about responding to isolated incidents of reprehensible behavior; it’s about recognizing and resolving systemic problems. ERM provides the foundation and processes needed to connect departments and prevent these problems from materializing.

For a deeper dive into this particular prediction, check out this blog: A Shift in GRC: Consumers, Reputation, and Ethics.

2. While Federal Regulations Dip, State Regulations Will Spike

For many, risk management has been and will continue to entail responding to the demands of regulators. Under the current administration, regulations on the federal level have slackened.

For example, financial regulators at the SEC, FINRA and the Commodity Futures Trading Commission have imposed a third of the amount of penalties in President Trump’s first six months in office, compared to the first six months of Barack Obama’s 2016 term.

However, I believe slackened federal regulations will only mean increased regulations at the state level.

Take the Equifax data breach as an example. States have taken it upon themselves to sue the credit bureau for putting their citizens’ personal data at risk. Massachusetts has entered into a class-action lawsuit with Equifax, and the penalty for violating Chicago’s consumer fraud ordinance includes a fine of $2,000 to $10,000 for each offense and for each day that a violation continues.

To put it plainly, increased state-level enforcement means increased uncertainty. New compliance regulations, penalties, and laws can arise at any moment from any state. Compliance will no longer be a matter of monitoring changes to one federal regulation, but for changes coming from multiple, unpredictable angles.

Managing this change will take more than compliance software. It will require integrated risk management software that can keep up with the sheer volume of changes.

Check out my article on FEI Daily to learn how to overcome uncertainty with risk management in 2018, or download this free GDPR eBook to learn about the biggest data privacy regulation in history.

3. Risk Disclosures Will Become More Meaningful

On a more tactical note, the SEC recently issued a proposed rule in response to recommendations in the SEC staff’s Report on Modernization and Simplification of Regulation S-K. The proposed rule would make specific revisions to a group of items in Regulation S-K and is intended to improve disclosures.

Let’s look at their proposed changes to item 503(c): Risk Factors.

Current guidance in Regulation S-K requires disclosure of the most significant risk factors related to a registrant’s business and includes specific examples of factors that a company may consider for such disclosure. Although the current requirement is intended to be principles-based, the inclusion of risk factor examples led certain registrants to disclose generic information.

The proposed rule would eliminate the examples from the risk factor disclosure requirements to encourage registrants to revisit their risk assessment and disclose the risks that are most significant to them.

I believe this is a huge step in the right direction for risk management in 2018. The current risk disclosure process has historically consisted of doing a copy/paste job from other companies, not including input from risk professionals, and not conducting risk assessments.

This proposed change will encourage companies to abandon vagueness in favor of real risk assessments of real risks specific to their industry, and more importantly, to their actual corporate risk profile.

Discover how to adapt to changes like these by downloading our complimentary eBook on risk-based compliance.

4. Boards Will Take a More Hands-On Approach to ERM

This last prediction is also a strong hope I have for risk management in 2018. The sheer volume of corporate scandals topping news headlines should be enough of a wake-up call to Boards, CEOs, and senior management alike in every industry to take risk management seriously.


United lost $1 billion in market value the day after Dr. Dao was dragged from the plane, Chipotle’s stock prices have yet to recover from the E. coli outbreaks of 2015, and Uber is struggling to keep customers on their side of the fence.

Equifax is a particularly poignant example, as their massive data breach not only reflected poorly on them, but on every single company that gave away their customers’ information to the credit bureau in the first place.

Consumers are outraged, fed up, and will move their money elsewhere, to companies that can prove their trustworthiness in regard to protecting their data and their best interests.

If corporations want to be counted among those whom customers, investors, and employees believe in, then they’ll need to seek out and implement strong ERM processes and systems that are capable of breaking down silos, assessing risk objectively, prioritizing resource allocation, and monitoring the effectiveness of controls.

I believe 2018 is going to be another big year for ERM, one of heightened awareness, increased implementation, and, hopefully, less scandal.

Check out this complimentary eBook that describes the 5 timeless characteristics of the best ERM programs.

The post 4 Predictions for Risk Management in 2018 appeared first on insBlogs.

Risk Management and Budget Planning: The Key to Good Forecasting


Here we are. February 2018. For many, February is a trying month. How well are those New Year’s resolutions holding up? Have the early-morning January gym visits started to fade? Are salads getting old? Personal goals aside, here’s one thing we hope won’t decline: the excitement over your freshly finished 2018 budget.

The new year tends to bring about an intense wave of optimism for what we can accomplish in the next 12 months. Too often, however, this optimism gets stomped on by the surprises of everyday life.

Your car broke down, you say? You can’t make it to the gym today, you say? Oh well, there’s always tomorrow. And then, hello 2019, when did you get here?

So it goes with budget planning. As hard-working, driven professionals, we can’t wait to forecast the year to come. New markets, new customers, new challenges are ours for the taking! Then it’s hello June and somehow, we’re not feeling quite so optimistic…

This year, let’s collectively vow to avoid that disenchantment. Risk management is the key to good forecasting. Just like any new process or policy being introduced at your company, budgets are essentially change documents. And what do we say about change? It carries risk.

It’s time to connect risk management to budget planning.

Risk Management and Budget Planning

Think about expecting a package. You picked out the perfect gift for a friend who’s only in town for one night and it’s projected to arrive on X day. If it arrives late, you won’t have the chance to give it to your friend. Or what if you chose to go out of town beforehand, and the package arrives early? It could be swiped off your porch if you’re not there to receive it!

The point is, there are risks associated with predictions of all kinds. A budget is a prediction that carries immense consequences for a business.

Under-budgeting can create corporate shortfalls and unexpected cuts. While over-budgeting might sound like a good thing, it means capital has gone uninvested. In either scenario, the company has missed out on a competitive advantage. A company with better forecasting will have the advantages of higher market value and the creation of value-adding products and services.

These risks can be avoided. The only question is, are risk managers at your organization involved in the budget planning and review process?

Connect Risk Management and Budget Planning

The ultimate goal when integrating risk management into budget planning is to understand the assumptions your budget is based on. Here are some steps you can take to come to that understanding:

  1. Identify the major line items of your budget and the personnel who contributed to them

Risk assessing an entire budget may seem like a daunting task, but the best course of action when addressing the risks of any new process is to break it into pieces and tackle those with the highest potential impact.

Fortunately, a budget is already broken down nicely into line items. Now all that’s left to do is use risk assessments to determine which items are most critical.

A risk assessment with a common scoring criterion will help you compare and prioritize line items by which ones would have the highest impact on your company’s objectives.

Then, find out why line items are what they are. Who contributed to these numbers, how did they arrive at this number, and who is responsible for executing the objective on time and on budget? Is this number based on historical performance? Is it based on new laws, regulations, or operational changes?

You probably won’t know the assumptions that led to every line item you’re interested in. The only way to get the information you need is to engage key personnel associated with each estimate. The beauty of enterprise risk management is that it’s cross-functional in nature and can help you bridge the gaps between departments to get accurate data.

  2. Ask key personnel to provide insight on major line items

Let’s use an example here. There are two different budgets. One pertains to expanding an existing product or service your company has performed for the past 20 years. Another pertains to a new product for an existing segment of your customer base.

The line items for the 20-year-old product or service may be historically based, but perhaps miss the complexities related to the expansion.

And what about the other budget—the brand new product? What assumptions were made in this case?

What you’re after here is whether or not all the risks have been identified and how confident the team is in the assumptions they’ve made.

A great way to obtain this insight is to have these personnel perform risk assessments that ultimately answer questions like these:

  • What are the potential risks that could interfere with the accuracy of this estimation?
  • What is the likelihood of these risks materializing?
  • What would the impact on the company be if they did materialize?

  3. Engage subject matter experts to adjust low-confidence line items

Get more information. It’s a hackneyed phrase, but it couldn’t be a more worthwhile venture. Let’s use another example. A major line item in everyone’s budget is taxes. This will also be, in most cases, a very low-confidence line item, since the tax bill recently underwent a major overhaul.

The new tax bill is large, complex, and at this point, not very well understood. The big headline is that corporations will benefit from a huge tax cut. But the devil is in the details. No company is safe making that assumption. Companies need to understand how the tax bill will affect them specifically.

The way to get more information, no matter what the line item pertains to, is to engage subject matter experts within and outside your company. Determine the questions you need answered to up the confidence level of critical line items and find the people who can give you the answers.

  4. Mitigate the risks in your budgeting

Once you’ve collected all the information you can on critical line items, assessed the risks, and are as confident in your forecasting as you can be, you can continue to drastically improve the company budget with mitigation activities for each of the risks identified.

For instance, if a line item has a high risk score, you can ward against potential fallout. You can also have contingency plans in place far in advance of a risk event occurring.

You may even conclude, based on the risk assessment, that the budget needs to be adjusted to account for the risk-reward tradeoff you’ve uncovered. This is particularly important when looking at line items based on low confidence assumptions.

Overall, assessing and documenting the risks in budgeting will put every professional involved at ease. Months down the road, no one wants to be put in a position of scrambling to justify their forecasting after it’s gone south.

  5. Continuously monitor risks and efficacy of controls

After you’ve taken steps 1 through 4, don’t stop there! A budget is a living document, constantly affected by changes within the company, fluctuations in the market, or even natural disaster.

To ensure your budgeting is on the money, you’ll need to implement a system for looking out for changes to the risks you’ve identified, and for collecting metrics to prove the effectiveness of the controls you’ve implemented.

Tying risk management to budget planning has many benefits. Acting on these 5 steps will help you solidify a more accurate forecast, be more agile and responsive to changes in the months to come, and enable you to have a better relationship with your managers and peers, ensuring a favorable experience at performance review time!

Request a free LogicManager demo to learn how our ERM software can help you achieve forecasting with 95% confidence.

The post Risk Management and Budget Planning: The Key to Good Forecasting appeared first on insBlogs.

Widespread Negligence Uncovered Following Oxfam Scandal: Steps to Improving Company Awareness and Prevention


Oxfam, one of the UK’s biggest charities, was exposed this month to have had 87 claims of sexual exploitation and abuse involving its workers in the year ending April 2017, a 36% increase on the previous year.

In light of the ongoing Oxfam scandal, the Charity Commission, the UK’s charity regulator, has launched an investigation of 179 British charities and agencies. So far, they have uncovered new claims alleging that more than 120 workers have been accused of sexual abuse in the past year across 26 UK charities and groups.

Charity organizations have a track record of failing to prosecute sex offenders and pass along sex offender claims to future employers, most likely in order to avoid scandal. For example, Mr. van Hauwermeiren, the head of the mission for Oxfam in Haiti in 2011, was allowed to quietly resign, rather than being fired, after multiple claims of sexual misconduct. As a result of Oxfam’s inaction, Mr. van Hauwermeiren was allowed to keep switching aid organizations from Liberia to Chad, to Haiti, to Bangladesh as accusations surfaced.

While sexual harassment is a deeply emotional issue that extends far beyond the workplace, examples such as that of Mr. van Hauwermeiren and countless others prove the need for better governance programs and infrastructure within corporations.

According to a study published by the Wall Street Journal, “77% of boards hadn’t talked about sexual harassment, 88% hadn’t implemented a plan of action as a result of recent revelations, and 83% hadn’t evaluated the company’s risks when it came to sexual harassment. Their most commonly cited reason for inaction? A perception that sexual harassment wasn’t a problem at the company.”

I believe that while these issues give rise to larger social debates, there are also steps that companies can take to do their part to improve the awareness and mitigation of incidents related to sexual harassment and misconduct.


Steps Aid, Healthcare, and Charitable Organizations Should Adopt


1. Holistic Incident Management: Organizations need risk management programs that empower all employees and volunteers to report policy violations and suspicious behavior online, either by name or anonymously. Often, those on the front lines know what’s happening but have no consistent method to detail the nature of the issues they observe. They also can’t escalate incidents to the right levels of the organization for independent investigation across facilities, departments, and geographies.

2. Connect Incidents to Risk Assessments: Tying risk assessments to incident reports across business functions and departments in an accessible and actionable manner will provide objective criteria to help uncover patterns and identify weaknesses that allow misdeeds to perpetuate. Organizations will then understand how to shift resources to enable prevention.

3. Effective Risk Mitigation Strategies: Use risk assessments to identify the gaps between policy and activity to accurately prioritize risk mitigation efforts based on that feedback. For example, connecting employee profiles to incident investigations ensures claims and allegations against employees become part of their employee records. This process will help stop predators from simply being passed around to new areas or other organizations to repeat their offenses.

4. Report to Oversight Committees: Management should provide transparency into how incidents and investigations are managed. This gives the board an accurate view of key risks across the organization, and the ability to measure the performance of mitigation strategies over time. Management also needs to monitor the frequency and severity of incidents tied to policies and procedures to determine the effectiveness of existing controls.

With effective risk management, everyone has a voice to identify ineffective policies and gaps in activities both internally and across relationships with partners and vendors. This is how improvement becomes a part of everyone’s job description. By enacting these steps, employees will be empowered to guide their organizations towards achieving higher performance and protecting their colleagues, customers, and communities.


Reputational Risk of Scandal in a See-Through Economy


The Oxfam scandal has had a huge immediate financial impact on the organization. 7,000 individual donors have cancelled regular donations to the charity, and institutional donors like the British government have officially suspended £31.7 million in funding until Oxfam can demonstrate it can meet the “high standards” expected.

This is the new consequence of what I call the see-through economy: a fast-paced age of transparency where consumers, investors, and sponsors are empowered to impact an organization’s reputation. While sexual harassment in the workplace has been a longstanding issue, the #MeToo movement was able to catch fire with the advent of social media. In the aftermath of the Oxfam scandal, we can see how social media has globalized both the proliferation of scandals and the escalation of consumer and stakeholder expectations.

I believe scandals are always preventable because they’re known years in advance by employees. Because consumers and investors now have a voice, scandals can no longer be silenced. Quietly hiding the truth for fear of scandal is no longer an option.

Investors, sponsors, and consumers around the world are speaking up, and companies can no longer effectively manage reputational risk after the fact through PR; they must take a proactive approach to ensuring reputational risk does not materialize in the first place by enacting the steps I’ve outlined above.

The benefits of taking a risk management approach to issues of sexual misconduct are threefold:

  • Effectively raise awareness of the issue within the organization
  • Take part in preventing such incidents from occurring in the workplace
  • Maintain support to carry out the organization’s mission

This article was originally posted on LogicManager.com

The post Widespread Negligence Uncovered Following Oxfam Scandal: Steps to Improving Company Awareness and Prevention appeared first on insBlogs.


2018 GRC Market Report Emphasizes New Risk Trends: Reputation, Regulations, and Innovation


The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q1 2018 evaluates and ranks the 14 most significant GRC platforms available, and LogicManager has been named a Leader! But beyond measuring the current offering, strategy, and market presence of GRC providers, the report also dives into the current risk climate.

As the report states, “Managing risk is more important than it’s ever been.” In support of this statement, the report points to three growing trends in the corporate world: reputation, regulatory fines, and disruptive business models.

We’ll explore these trends shortly, but I believe the single most pervasive trend that encapsulates all three of these is that of the see-through economy. The increasing adoption of social media and advanced technologies has granted consumers and investors multiple platforms to express their expectations of the companies they choose to do business with.

With these platforms centrally contained in one easily accessible device, consumers are empowered to record and disseminate any message they want, from a good customer experience, to a horrible one. The bottom line is the general public has the power to monumentally impact a company’s reputation.

What does this mean for businesses?

It means they need better governance, heightened oversight, and advanced risk management infrastructures in order to stay ahead of this omnibus trend pervading the business world.

Corporate Reputations at Risk in Today’s See-Through Economy

The first trend the 2018 GRC market report points to is the increasing importance of a corporation’s reputation. The report reads, “Corporate reputations are at risk. The hit to their reputation after a mishap, and the ensuing loss of customers and other stakeholders, damaged companies more than any other category of loss.”

I have often gone to great lengths to bring attention to the reputational consequences of a scandal. United Airlines reached a settlement with Dr. Dao, the man they dragged off one of their flights. But the amount paid in this settlement is likely nothing compared to the reputational damage the airline incurred.

The see-through economy has a specific connection to this scandal. With 66,000 passengers involuntarily bumped from United flights in 2016 alone, it would be naïve to assume this is the first time this situation escalated to conflict. In truth, this was the first incident caught on tape, or rather, caught on smartphone.

United’s market value plummeted by $1 billion the following day, proving that reputation is a huge concern for shareholders. And while their value has slowly risen since the incident, there is no denying that customers and competing airlines have taken note of this mishap and are expecting better.

The benefit of GRC platforms in regard to this trend is their ability to integrate and account for reputational risk across silos.

Regulatory Fines Are Climbing Higher and Higher

The second trend the 2018 GRC market report addresses is increasing regulatory fines. The report states, “With the uncertain regulatory landscape, managing compliance is becoming a challenge for most risk managers.”

I have also used the word “uncertain” to describe the current regulatory environment. As I saw the presidential administration decentralize regulations, I predicted states would take it upon themselves to enforce new regulations. In early February, the Wall Street Journal published this headline: “States Look at Establishing Their Own Health Insurance Mandates: Congressional repeal of Obamacare’s individual mandates leaves a number of lawmakers examining replacement measures.” The same pattern of new state regulations has occurred on topics like corporate pollution in June 2017, net neutrality rules in March 2018, and cyber violations in September 2017.

The see-through economy has a connection to this trend, as well. Compliance is more than a check-box exercise. It’s a reflection of the company’s ability to meet the needs, demands, and rights of its consumers. States will jump as quickly as they can to impose new regulations that fade from federal view, in the name of protecting their consumers, who have made their expectations clear through digital open forums.

This uncertainty, that is, the uncertainty of new regulations coming from multiple angles, necessitates the adoption of GRC platforms with robust change management capabilities.

Innovation Is the Root Cause of New Risk

The third trend the GRC market report explores is innovation. It claims, “Disruptive business models are introducing new risks.”

Many of the scandals I’ve taken the time to study and write about in 2017 involve companies that fell victim to material risks inherent in their own innovative business models.

Chipotle is a poignant example of this trend. Since the fall of 2015, the fast-food chain has been the source of multiple outbreaks of foodborne illness across the U.S. While the restaurant has pointed the finger at sick employees and earnestly insisted that these incidents were isolated, it’s clear they did not assess the risks associated with their latest innovation: fresh, locally sourced ingredients.

With a decentralized business model, they now have 1,000 or so points of food sourcing and contamination whereas typical centralized systems have a fraction of that.

GRC platforms help organizations assess the risk of innovation, centralize or decentralize controls as needed, and implement monitoring at the activity level.

The see-through economy is deeply ingrained in this trend, as well. When a myriad of voices ring out to cry foul on one company, the systemic nature of a problem is revealed. The repeated offenses by Chipotle and many other innovative companies have been called out by millions of consumers with the hope that the “it’s a one-time thing” excuse will no longer be an option.

The Future of GRC Adoption

As with any problem, there may be a tendency to look at these trends and feel like the cards are stacked against corporations these days. But while the business world has become increasingly transparent and uncertain, there is an entire industry that has taken heed of these trends and is developing platforms to help companies overcome them and even use them to their advantage.

It’s all about improving bottom-line performance and goal achievement. I believe the trends outlined in this GRC market report will continue to grow until GRC platforms are ubiquitous across industries of all shapes and sizes, which, if you ask me, is an extremely hopeful message. Corporations, industry analysts, and even COSO are finally agreeing with what we’ve been saying since 2006: ERM/GRC helps organizations achieve better business performance.

With the proper oversight and infrastructure, companies can act with integrity, serve their customers well, and carry out their missions successfully.

Read The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q1 2018 here!

This article was originally posted on LogicManager.com

The post 2018 GRC Market Report Emphasizes New Risk Trends: Reputation, Regulations, and Innovation appeared first on insBlogs.

The State of Risk Management in 2018: Infographic


In today’s see-through economy, it’s crucial that organizations have the right people, processes, and procedures in place to successfully adapt to their ever-changing surroundings.

There’s been a shift in GRC, and organizations can’t properly prepare for the future without understanding the current state of risk management and where it’s headed.

We surveyed hundreds of governance, risk, and compliance professionals across industries to learn more about the state of risk management in 2018. We asked them to evaluate their vulnerabilities, challenges in connecting governance functions, goals for program improvements, and their senior leadership’s understanding of risk management best practices.

The results of the survey indicate that while the majority of participants have senior leadership that aims to connect risk management across silos within the next two years, less than half think their senior leadership actually understands this integration will prevent risk events.

We’ve already seen a whirlwind of highly publicized scandals in 2018, such as Facebook’s mishandling of its user data, which have damaged the reputations of several well-known organizations. The truth is, these scandals could have been prevented, and good reputations could have been saved. Now, these organizations are picking up the pieces and struggling to overcome the consequences of their failures in risk management. Without an effective enterprise risk management program, organizations are unable to protect their employees, customers, and investors.

The results of this survey indicate that risk managers need to involve all areas of the business in their risk management efforts. Integrating governance functions is a challenge many risk organizations face, and the answer can’t solely come from senior leadership. Risk management should be integrated across all departments, including everyone from the front-lines to the board of directors. This is achieved through good governance and an effective, efficient risk management program.


Hudson’s Bay Data Breach Confirms the Need for Enterprise Risk Management in the Retail Industry


On Sunday April 1, Retail group Hudson’s Bay disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks Fifth Avenue and Lord & Taylor stores in North America.

As many as 5 million cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year.

Customers, investors, and regulators learned of this breach not through any press release issued by the company itself, but through news of the data available for sale online. This is a poignant proof point for the power of the see-through economy, an age of transparency where news travels far and wide at an incredibly fast pace. Hudson’s Bay couldn’t keep up, and the company’s shares fell more than 6% when the market opened Monday morning.

Data Breaches Are a Risk Management Issue

To make their systems more secure, retailers have been switching to a new form of payment called EMV (Europay, Mastercard and Visa), which uses a computer chip in the card to authenticate transactions.

Although Hudson’s Bay said their stores had EMV systems installed by February 2017, hackers were still able to obtain mass amounts of data, which confirms that security is more of a risk management issue than a technology issue.

Gemini Advisory, a New York-based security firm, said the data appears to have been stolen using software that was implanted into the cash register systems at the stores, which siphoned card numbers until last month. Although it’s unclear exactly how the malware was installed in the stores’ checkout systems, Gemini said it was most likely through phishing emails sent to Hudson’s Bay employees.

Employees often go through training or attend yearly seminars that teach them about phishing and ways to recognize a suspicious email. However, this alone is not enough to protect your company. Studies show that only 20% of employees adhere to established policies they’ve been trained on. Companies need to implement enterprise risk management systems to identify the risks that could materialize if a policy isn’t followed, develop effective mitigation strategies for those risks, and monitor the results.

More and more, the world is recognizing the connection between risk management and cybersecurity. The General Data Protection Regulation (GDPR) is a new European standard and strict privacy mandate with worldwide enforcement, including fines of up to 4% of annual global revenue or €20 million, whichever is greater. As of May 2018, when this regulation comes into effect, I believe it will be a game changer for all data privacy issues and move corporations to rely more heavily on their enterprise risk management programs.

Tactical Tips to Improve Your Business and Personal Risk Management Program

Scandals like the Hudson’s Bay data breach are 100% preventable. Vulnerabilities are known to front-line employees within the organization for more than 6 months, and often for years, prior to the scandal, but not to the right level of management or the adjacent business area that can solve the problem. An ERM program supported by ERM software enables employees, as subject matter experts, to identify and escalate the risks they see, bridging issues across business silos and up through layers of management.

How many risk assessments use a common standard in your organization? The total number of risk assessments of some kind already being done is typically 40% of the total number of worldwide employees. If your organization is tracking fewer than this number, it means there is a gap that needs to be addressed. If these risk assessments are not standardized or do not use a common platform, that is the cause of the gap.

The solution is typically not about creating more assessments, but rather about identifying what ad hoc assessments are already taking place, standardizing them, and improving their quality. If they can all be brought to a common denominator through standardization with a risk register and quantified using standardized evaluation criteria, they can be compared across business silos and linked together to identify the true cause of issues. The other key contribution of an ERM system is the ability to link existing controls to these risks, which carry the risk score, so that monitoring of controls can be prioritized.

Robotic process automation within ERM systems can then trigger follow-up or escalation tasks, provide transparency across workflows as tasks are moved along from one person to another, and provide reporting and monitoring to generate automated reminders for follow-up tasks.

From the description of the breach, this is what was missing from Hudson’s Bay’s risk management program to prevent the password reuse and phishing-based identity impersonation that allowed the malware to get inside the organization and remain undetected for so long.

Studies show that patching habits can be divided into quarters: 25 percent of people patch within the first week; 25 percent patch within the first month; 25 percent patch after the first month; and 25 percent never apply the patch. The longer the wait, the greater the risk.

Steps to protect against phishing with built-in robotic process automation:

  1. Risk-assess patches, updates, and applications to prioritize monitoring of security policy and patch/update deployment. ERM will provide transparency on which system patches failed and their priority, so that they get followed up on.
  2. Operationalize security policy with business logic that goes beyond password expiration and complexity to include password reuse, identity theft prevention, and access rights in compliance with policies.
  3. Assess and monitor the effectiveness of web filters to block malicious websites.

Personally, get educated on what you can do in the midst of identity theft. Although the company released a statement that “those affected will not be liable for fraudulent charges,” this is only true if customers take the required steps to monitor and dispute charges within the time limits allowed. Customers typically are not protected for identity theft and other consequential damages.

Review your credit card statements carefully each month. You only have protection if you dispute the fraudulent charge within 60 days. You must send a dispute letter within 60 days of the first statement that contained the mistake to the address for billing inquiries. Then the creditor must do an investigation and resolve it within two billing cycles or 90 days, whichever comes first.



Wells Fargo’s Failures in Risk Management Cost $1 Billion Settlement


Wells Fargo has suffered the consequences of repeat scandals since 2016. This week, the bank agreed to a $1 billion settlement with federal regulators who have cited their lack of effective risk management practices as the root cause of their woes.

This settlement with the Consumer Financial Protection Bureau and the Office of the Comptroller of the Currency is another blow to Wells Fargo in a long line of many.

Let’s look at a timeline of Wells Fargo’s risk management scandals:

This timeline makes good on a prediction I made after the bank’s original cross-selling scandal. In an interview with business journalist L.A. Winokur regarding the Wells Fargo cross-selling scandal, I predicted: “Once the dust of this scandal settles, perhaps in two or three years, Wells Fargo will remain vulnerable in other areas of its operations to risk management failures.”

I immediately recognized the cross-selling scandal as a failure in risk management back in 2016. Now, regulators and the general public are beginning to demand more of Wells Fargo, not just from their sales department, but from the enterprise as a whole.

I’ve studied scandals for about 13 years now, and no matter what industry, product, or service the company is involved in, three things tie all scandals together:

  1. Scandals are known by personnel, typically at the front line supervisory level, at least 6-12 months in advance.
  2. Scandals are failures in risk management and are therefore 100% preventable.
  3. Companies who do not recognize scandals as failures in risk management tend to suffer subsequent scandals in other departments.

These three common characteristics have been seen in recent scandals like Equifax, Chipotle, Uber, and of course, Wells Fargo. Let’s take a deeper look at the Wells Fargo scandals leading up to this settlement to see how they signaled a need for better enterprise risk management.


How Are Wells Fargo’s Risk Management Scandals Related?

When news of the Wells Fargo cross-selling scandal broke, many people cited a poor sales culture as the root cause. In the blog I wrote about this scandal, I pointed to the fact that the employees who were tasked with reaching certain sales goals were the same employees who were issuing new accounts and cards. With proper risk assessments and oversight, management would have identified the risk of employees meeting their sales goals improperly, and they would have mitigated this risk by implementing separation of duties and access rights.

After an in-depth investigation into the scandal, the CFPB and the OCC alleged the bank “failed to establish an enterprise-wide sales practices oversight program to prevent and detect unsafe or unsound sales practices, or mitigate the risks resulting from such sales practices.”

While these regulators point to a failure in risk management in their allegations, the scope is too narrow. For organizations to truly protect themselves from the punitive damages and reputational consequences of scandals, they need to implement risk management and oversight practices across the enterprise, not just within select departments.

I predicted that Wells Fargo would fall victim to subsequent scandals because they focused too narrowly on their sales department without considering similar vulnerabilities in other areas of their business.

My prediction first came to fruition when the bank leaked the PII of 50,000 accounts, and again when Wells Fargo admitted to charging their auto-loan customers for insurance they didn’t need. Both of these scandals are strikingly similar to the bank’s original cross-selling scandal. To avoid the repeat scandals and headlines they’ve found themselves at the center of, Wells Fargo needed to establish a robust enterprise risk management program and infrastructure, complete with risk assessments that extend across departments and levels.

Under the Wells Fargo settlement, which is the largest ever imposed by the consumer bureau, Wells Fargo will reimburse harmed consumers and make improvements to its risk management and compliance programs. The string of punitive actions in addition to this latest settlement should be a warning to all risk managers, C-suite executives, and companies alike: scandals are failures in risk management, wrongdoings are preventable, and upper management will be held accountable for their failure to oversee operational activities.

This is a message I and LogicManager have expounded for many years. Now, 18 months after Wells Fargo first topped news headlines, my prediction from September 20, 2016 has been accepted by two federal regulators, and all major press will report that the Wells Fargo scandal is now officially labeled a failure in risk management.


The Wells Fargo Risk Management Settlement Is a Result of the See-Through Economy

Why are regulators acting now and labeling Wells Fargo’s scandals failures in risk management? It comes back to my idea of the see-through economy: an age of transparency in which consumers, investors, and regulators can impact a company’s reputation. Today, new technology like social media and real-time, online news outlets leaves companies with nowhere to hide when they fall short of expectations.

The see-through economy is accelerating the need for risk management, especially as scandals continue to wreak havoc on market valuation:

Proactive, enterprise-wide risk management programs and infrastructure are the only way companies can avoid the lessons-not-learned by these organizations and meet the rising demands and expectations of consumers, investors, and regulators.



The See-Through Economy: New Technology and Risk Management


Year over year, scandals like Wells Fargo, Equifax, Chipotle and so many others have dominated news headlines as they wreak havoc on consumers, investors, and awaken industry and government regulators. What is driving this trend?

Consumers have entrusted corporations with increasing involvement and influence in their lives through the decades. In 2014, for example, the Supreme Court ruled that corporations have some of the same rights and responsibilities as natural persons. In other words, corporations were granted a form of citizenship.

In many cases, this power has been wielded responsibly. However, some corporations are not acting like good citizens and have negatively impacted their communities and stakeholders.

We know that corporate misbehavior is nothing new, and that corporations may not be acting worse than they have in the past. What has changed is the technology that uncovers and disseminates their actions and inactions.

Every year, technology that allows us to share and acquire new knowledge advances. Newspapers have entered the digital age, while social media platforms like Facebook, Twitter, Glassdoor, and Yelp have enabled the public to share their opinions instantaneously. A simple Google search on a company keeps that scandal history visible for years.

New technologies such as these have left companies with nowhere to hide, which is why I’ve labeled this trend the see-through economy. We’re living in an age of transparency where the public is empowered to impact a company’s reputation. Now that PR departments can no longer control an organization’s image, the impact of their wrongdoings is amplified in three ways:

  1. Consumers can easily set their expectations, voice when they aren’t met, and move their business to companies that do meet their expectations.
  2. Investors can seamlessly connect scandals to corporate negligence and a company’s inability to retain customer loyalty, which has spawned many class-action lawsuits.
  3. Regulators are more attuned to what rights are being neglected and impose sanctions to ensure they are met in the future.

The see-through economy makes risk management more important than ever. To demonstrate this point, the LogicManager team created this infographic:

Independent research firms like Forrester and Gartner have started to grasp the connection between technology and risk management, that connection being reputational risk. Employee performance goals are increasingly being tied to their ability to manage risks in their areas, and senior leadership and Boards of Directors can now measure the 25% market premium incentive accrued to companies that can demonstrate their risk management competence.

Organizations need a way to integrate and account for reputational risk across departments and levels of an organization. Implementing enterprise risk management programs with the right infrastructure is the most effective way for corporations to protect consumers, investors, communities, and themselves.



Wells Fargo Ad Campaign Misses the Mark: Overcoming Failure with Better Risk Management


This week, Wells Fargo launched a new ad campaign called Re-Established. The goal is to gain back customer trust after their repeat failures in risk management. It won’t work.

I’ve talked a lot about the see-through economy, and one of its major characteristics is its fast pace. Consumers and investors are constantly inundated with opinions, reviews, news, and updates at a pace that quickly outruns any ad campaign.

At this point, Wells Fargo is in too deep for a superficial ad campaign to be an effective approach to recovery, and if they don’t fix their issues at the root-cause level, the see-through economy will rear its head once again to expose their wrongdoings.

The public has already demonstrated a strong, skeptical response to the Wells Fargo ad campaign. One viewer felt the ad came across as “really insincere and inauthentic.” The fact is, PR has become entirely ineffectual. The world moves too fast for reactive measures to be a surefire way to get a company out of the spotlight and its stock price back up.

Simply put, reaction is out, prevention is in.

Wells Fargo needs to dig deeper and fundamentally improve its risk management program. They need to listen to the regulators who have explicitly cited their lack of risk management, and with whom they recently settled for $1 billion.

One of the Wells Fargo ads lists what’s new: “Building a better bank,” “Putting service first,” “Upgrading our banking features,” and “Increasing community impact.” Vague statements like these sound all well and good, but the time has come when the public needs proof Wells Fargo can be trusted again.

We can’t be sure what Wells Fargo has in store to “Re-Establish” themselves, but we can be sure of what they should have in store. In this article, I’ll provide a step-by-step guide every company can use to improve their risk management program.


1. Engage process and risk owners on the front lines through standardized, recurring risk assessments

While the see-through economy has presented a real challenge for companies to stay ahead of risk, the see-through economy can also be leveraged to a company’s advantage.

Organizations should consider front-line employees as the eyes and ears of risk. They can provide expert insight into what’s really going on at the company and what risks the business faces every day. A great way to leverage employees’ insight is to engage them in risk assessments where they can identify and assess operational risk.

It’s paramount that these assessments are standardized with a set numerical scale and evaluation criteria, so the information can be compared across departments and levels and then prioritized. Not every initiative to mitigate risk can be rolled out at once, which makes prioritization key.


2. Create relationships between risks, controls, departments, processes, and people.

Of course, it’s not enough to know what the company’s risks are; risk managers need to know their root cause in order to develop effective mitigation activities.

LogicManager uses taxonomy technology to help customers connect the dots between risks and other facets of the business. Risk managers can make connections between a risk and a particular department, a specific control, or a certain procedure.

The benefits of this approach are numerous. First, sharing information across levels and departments cuts down on duplicate efforts, allowing more time for strategic decision making. Second, making these connections reveals gaps and prevents oversights symptomatic of a siloed approach. Third, revealing the relationships between risks and other areas of the business provides insight into the level of impact a risk can have if it manifests, which helps prioritize improvement initiatives.


3. Integrate incident management into the risk management program

Many companies have an incident management process that empowers employees to speak up about adverse events, from customer complaints to internal fraud. However, not every company goes the extra mile to connect incident management with risk management.

In step 2 of this process, the company has developed a system to create relationships between risks and other aspects of the business. Organizations can again leverage this same system to drastically enhance their incident management program. When an incident is reported, it should be specified which department, people, and processes it’s associated with. Over time, these relationships will reveal trends that can then be remediated.

Incident management is another great way to leverage the see-through economy that exists within every company and make each front-line employee a process improvement specialist.


4. Present aggregated information and all gaps to leadership on a recurring basis to drive strategic decision making

Steps 1-3 of this process are designed to help risk managers standardize and prioritize risk information collected throughout the enterprise. With standardized risk assessments and a taxonomy system in place, risk managers are in an excellent position to aggregate risk information collected throughout the enterprise and present it to senior leadership in an organized, prioritized fashion.

C-suite executives and the board are most concerned with strategic objectives. Therefore, risk managers can and should organize risk information in a way that speaks towards how certain risks are impacting the company’s ability to achieve certain goals. This is a great approach to get executive buy-in and allocate resources most effectively.

Enterprise risk management software can help risk managers generate accurate and dynamic reports that can stay at a high level or drill down deeper into specific risks, departments, and initiatives.


5. Work with the audit team to implement proper monitoring activities to ensure controls are working effectively over time

Equally important to implementing a risk management program is monitoring it. Risk managers can work with the internal audit team to develop monitoring activities and collect metrics to determine how effective the controls are.

As a company’s risk management program matures, risk managers will be able to demonstrate its success to the board and senior leadership with quantitatively measurable metrics. Monitoring also helps risk managers determine how to evolve the program alongside the evolution of the company. As a business grows in size or capabilities, controls that were once effective may fall out of use and need to be reconfigured.

Maintaining a pulse on a risk management program is the best way to keep the company on the up and up and prevent it from falling into old habits of ineffectual risk management practices.

The Wells Fargo ad campaign will not be enough to help them recover from the failures they’ve perpetrated over the years. The only way forward for Wells Fargo is to fix their risk management program and advertise how their risk management program is protecting customers and investors.

These are steps that every company that has found themselves in hot water over risk management failures can follow to improve themselves, regain consumer and investor trust, and achieve success.



Why Cybersecurity Risk Is a Top Priority: Facts and Figures


Chief risk officers and heads of operational risk responded to a survey held by Risk.net and identified their top risk concerns. Their number one concern was IT disruption, while their second highest concern was data compromise. Why is cybersecurity risk on everyone’s mind?

For one thing, technology is an inescapable reality of every business. Even the smallest of mom-and-pop shops have an electronic system to make credit card transactions, while larger corporations rely on immense data centers to safeguard thousands to millions of personal records. As technology continues to permeate the business world, cybersecurity risk will continue to creep toward the top of the list.

But what are the risks associated with cybersecurity and what impact do they have on the average business?

There are of course cybersecurity risks like system downtime, human error, and other business continuity concerns that can cause a costly domino effect on other parts of the business. There is also the risk of regulatory non-compliance which can result in lofty financial damages. But what about the less tangible effects of IT disruption and data compromise, such as reputational damage?

According to a study by PwC, 60% of consumers hold the companies who collect their data wholly responsible for its protection. 87% of consumers say they will take their business elsewhere if they don’t believe a company is handling their data responsibly. These statistics show that the public’s expectation for data protection is extremely high. Therefore, there is a large potential for reputational fallout.

Advances in technology have not only increased cybersecurity risks, but have connected consumers, investors, and regulators – the three constituents that stand to greatly impact a business. Consumers have leveraged social media and fast-paced news outlets to make their expectations clear. Investors can now be immediate witnesses to consumer outrage when expectations are not met, which in turn affects their investment behavior. Regulators and law makers, while not as quick to react to scandal, are also on the watch and are ready to ramp up any means necessary to protect their citizens’ rights.

The following infographic provides more facts and figures on the current state of cybersecurity risk:

Although the facts and figures surrounding cybersecurity risk are daunting, there is good news. We believe 100% of cyber attacks are entirely preventable with an effective cybersecurity risk management program and infrastructure.

Here are some steps your company can take to get ahead of cybersecurity risk:

  1. Ensure off-site backups are up to date

Backing up data with off-site servers is widely considered a best practice. Every organization and industry must determine the optimal frequency and scope of data backups, which depends on the type of information being handled.

Studies have shown that anywhere from 10-15% of critical organizational data – scheduled for backups – is not actually backed up due to preventable, operational errors. Without backup verification, ransomware attacks can have an enormous impact on business continuity.

  2. Implement Windows patches and virus scan software updates as they’re released

Employees around the world are using computers that simply need to be updated. Your security team likely assesses and approves patches and updates on a regular basis. However, are implementations regularly verified? As many as 30% of patches fail to deploy. Without governance (in this case, regular reviews of actual patch deployment), you might have an inaccurate understanding of which vulnerabilities are covered.

  1. Manage passwords and access rights

Most organizations have internal password policies, but not an efficient way to operationalize them. Automated governance tasks – such as monitoring the percentage of employees maintaining access rights policies – is an essential to staying ahead of cybersecurity risk.

Without regular monitoring, the evolution of employee roles and organizational structure can lead to unnecessarily high risk exposure. The technology to accomplish this step exists at most every organization. Usually, the missing component is effective governance in the form of recurring risk assessments and control monitoring.
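As an added example (not from the article or from LogicManager), the verification that all three steps call for can be made concrete as a small governance check: compare what was scheduled or approved with what actually happened. Every record, dataset name, patch identifier and role policy below is constructed sample data; in practice they would come from the backup catalog, the patch management system and the identity directory.

```python
"""Governance checks for backups, patch deployment and access rights.

Added example with constructed data; not code from the original article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2018, 8, 1, 9, 0)  # constructed "current time" for the run


# --- Step 1: scheduled backups vs. backups that demonstrably completed -------
@dataclass
class BackupJob:
    dataset: str
    frequency_hours: int              # how often a backup is scheduled
    last_success: Optional[datetime]  # None = the job has never completed
    verified: bool                    # a restore test or checksum check passed


BACKUP_JOBS = [  # constructed catalog entries
    BackupJob("finance-db", 24, NOW - timedelta(hours=6), True),
    BackupJob("crm", 24, NOW - timedelta(hours=50), True),     # missed a cycle
    BackupJob("file-share", 24, NOW - timedelta(hours=2), False),  # not verified
    BackupJob("hr-records", 24, None, False),                  # never ran
]


def backup_gaps(jobs, now=NOW):
    """Map each dataset that is not demonstrably backed up to the reason."""
    gaps = {}
    for job in jobs:
        if job.last_success is None:
            gaps[job.dataset] = "never completed"
        elif now - job.last_success > timedelta(hours=job.frequency_hours):
            gaps[job.dataset] = "overdue"
        elif not job.verified:
            gaps[job.dataset] = "unverified"
    return gaps


def backup_gap_rate(jobs, now=NOW):
    """Share of scheduled datasets that are overdue, unverified or never ran."""
    return len(backup_gaps(jobs, now)) / len(jobs)


# --- Step 2: patches approved by the security team vs. patches installed ----
APPROVED_PATCHES = {"KB-A", "KB-B", "KB-C"}  # constructed patch identifiers
INSTALLED = {  # constructed per-host inventory from the patch system
    "ws-01": {"KB-A", "KB-B", "KB-C"},
    "ws-02": {"KB-A"},                 # KB-B and KB-C failed to deploy
    "ws-03": {"KB-A", "KB-B", "KB-C"},
    "srv-01": {"KB-A", "KB-C"},        # KB-B failed to deploy
}


def patch_deployment_report(approved, installed):
    """Return (missing patches per host, share of expected deployments that failed)."""
    missing = {host: sorted(approved - have)
               for host, have in installed.items() if approved - have}
    expected = len(approved) * len(installed)
    failed = sum(len(m) for m in missing.values())
    return missing, failed / expected


# --- Step 3: rights actually granted vs. what the role policy allows --------
ROLE_POLICY = {  # constructed least-privilege policy per role
    "analyst": {"read-reports"},
    "finance": {"read-reports", "approve-payments"},
    "it-admin": {"read-reports", "server-admin"},
}
ACCOUNTS = [  # (user, current role, rights granted) - constructed directory export
    ("alice", "finance", {"read-reports", "approve-payments"}),
    ("bob", "analyst", {"read-reports", "approve-payments"}),  # role changed, right never revoked
    ("carol", "it-admin", {"read-reports", "server-admin"}),
    ("dave", "analyst", {"read-reports"}),
]


def access_review(policy, accounts):
    """Return (excess rights per user, share of accounts within policy)."""
    excess = {}
    for user, role, rights in accounts:
        extra = rights - policy[role]
        if extra:
            excess[user] = sorted(extra)
    return excess, 1 - len(excess) / len(accounts)


if __name__ == "__main__":
    print("backup gaps:", backup_gaps(BACKUP_JOBS), backup_gap_rate(BACKUP_JOBS))
    print("patch report:", patch_deployment_report(APPROVED_PATCHES, INSTALLED))
    print("access review:", access_review(ROLE_POLICY, ACCOUNTS))
```

The three rates are the kind of control-monitoring metrics the article argues governance should report on recurringly, rather than the approval records alone.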

Taking these simple steps will put your company at a huge advantage. It’s often the case that hackers aren’t trying to spend inordinate amounts of time and energy to break into a secure system; they’re looking for the lowest hanging fruit. When it comes to cybersecurity, you don’t have to outrun the bear.

While cybersecurity is and will continue to be top of mind for companies and consumers alike, risk managers should take comfort in the fact that there is a solution. Better yet, the solution doesn’t entail huge investments in technology; rather, all it requires is good governance and a proactive mindset.

This article was originally posted on LogicManager.com

The post Why Cybersecurity Risk Is a Top Priority: Facts and Figures appeared first on insBlogs.


Harley-Davidson Moves Manufacturing In Response to Trade War: Was it the Right Call?


Back in March, President Trump’s administration threatened to impose steep tariffs on imported goods from some of America’s biggest trading partners. In the following months, the administration set a 25% import tax on steel and 10% on aluminum. Just as I predicted, these decisions are impacting the supply chains of American businesses, forcing them to consider the effects this kind of tumult could have on their business.

In my first blog post on the subject, I detailed a few direct and indirect consequences of a trade war caused by these tariffs. I wrote, “Indirect impact: Production and price changes will require sourcing changes. Sudden shifts that affect supply chains may impact quality and availability since some companies may encounter issues when scrambling to reduce production in some places and ramp it up in others. Operational risk assessments will help identify areas where change can have a positive or negative impact.”

Last week, Harley-Davidson, an iconic American brand, landed in the news after announcing that it would move some manufacturing to Europe to avoid the EU’s retaliatory tariffs.


Why did Harley-Davidson Move Manufacturing Facilities?

First, the European Union became a target of some American-imposed tariffs, which affected $7.4 billion in European products. Then, the EU hit back with $3.2 billion in tariffs on US products ranging from orange juice to motorcycles.

Harley-Davidson, a leading distributor of motorcycles, said it stood to lose as much as $100 million a year after the European bloc raised its 6% tariffs on motorcycles to 31%.

The company crunched the numbers and saw these tariffs would add an extra $2,200 to the export cost of each motorcycle. In a statement, Harley-Davidson adamantly refused to pass the cost onto their consumers: “The tremendous cost increase, if passed onto its dealers and retail customers, would have an immediate and lasting detrimental impact to its business in the region.”

Europe is the company’s second-largest market behind the United States, with European consumers purchasing nearly 40,000 Harleys in 2017, compared with the 148,000 bought in the United States.

Evidently, Harley-Davidson saw Europe as too promising a market to risk disturbing its customer base. Instead of raising costs to the consumer, the company decided to move some of its manufacturing to Europe in order to circumvent the added cost of tariffs.

Did Harley-Davidson Make the Right Call by Moving Manufacturing Abroad?

Looking at the facts and figures above, avoiding the tariffs by moving some facilities overseas might seem like a logical business decision. However, Harley-Davidson’s stock dropped 2.6% after they announced the move. When stocks drop, it’s a telltale sign that something went wrong, that either the decision itself or the execution of the decision went awry.

While I wasn’t in Harley-Davidson’s boardroom, experience tells me there’s a large chance the company didn’t identify and assess the reputational risks of moving its manufacturing facilities by administering a risk assessment out to its front lines.

For many companies, certainly those as large as Harley-Davidson, supply chains are vast and complicated webs. It’s understandable that no one person can foresee every consequence a trade war or a response to a trade war could have throughout a company’s supply chain. The human mind can only think one or two steps ahead, aside from great chess players. Risk assessments transform companies into the greatest chess players by anticipating risk before it manifests.

Up until this year, all bikes had been manufactured in the US with domestically sourced materials. Recently, however, Harley-Davidson decided to import a few of the materials for one of its new bikes. Announcements of newly imposed tariffs on these materials, therefore, did not bode well for this new facet of its business model. It seems to me that Harley rushed into the decision to adopt international manufacturing processes, which introduced not only new quality control risks but severe reputational risks as well.

After the move was announced, a common sentiment was disseminated via Twitter and other social media: Harley-Davidson is an iconic American brand. For many, it logically follows that a move outside of the US greatly contradicts and disrupts the company’s brand.

Historically, consumers and investors are intensely perturbed when iconic brands disrupt what they’ve come to know and love. Take Coke for example. In 1985, Coca-Cola was losing market share to other soft drinks like Pepsi. In an attempt to compete, the company introduced New Coke. Despite acceptance by some Coke drinkers, many more resented the change in formula and branding. As it happened, many of the dissatisfied drinkers were Southerners, who considered Coca-Cola a fundamental part of their regional identity and were not shy about making their dissatisfaction known.

Of course, companies will always keep evolving, as any company who does not innovate will get left behind. However, it’s imperative for companies to ask themselves what they risk by innovating. No one was upset by the introduction of Cherry Coke, or the advent of Harley’s Softail Cruisers. It’s when companies contradict, as opposed to build upon, their brand that they find themselves in hot water.

The beauty of enterprise risk management is it’s foundationally built on risk assessments that reach across departments and levels to account for all types of risks. In Harley-Davidson’s case, and in all those cases that land in the news, they failed to identify and address the root cause risk: the reputational risk of moving beyond the US.

Risk assessments could have helped Harley-Davidson anticipate this kind of backlash and resulting loss in market value. Risk assessments help companies ask the right kinds of questions: Who is our customer base? What do they believe in? What will this move mean to them? How will it affect their opinion of us? How large will the impact be?

The last question is key. In a complex supply chain, risk is abundant. On the one hand there are reputational and quality control risks from sudden shifts in suppliers, facilities, and employee base. On the other hand there are the risks of incurring too many losses from rising tariffs. All of these risks exist, but none of them are equal because they stand to impact the company differently. Risk assessments uncover the potential impact of each risk and assist the company in making the best decision for its unique situation.

From an outside perspective, I can’t say what a risk assessment would have revealed for them in terms of whether to move or not. However, I can say with confidence that had Harley-Davidson administered a comprehensive, enterprise-wide risk assessment out to and including its suppliers, it would have considered the reputational risk of its actions. The company could have mitigated this risk accordingly and avoided a 2.6% drop in its market value.

This article was originally posted on LogicManager.com.

The post Harley-Davidson Moves Manufacturing In Response to Trade War: Was it the Right Call? appeared first on insBlogs.

MSU Creates New Office of Enterprise Risk Management in Response to Nassar Scandal


Michigan State University has employed a new Chief Compliance Officer in response to the Larry Nassar scandal. By creating an Office of Enterprise Risk Management within the university, MSU is getting on the right track.

Earlier this year, former MSU doctor and USA gymnastics coach Larry Nassar was charged with sexually assaulting 332 students. Shortly after this story broke, Michigan State was embroiled in two other sexual harassment scandals and has since struggled to escape the spotlight.

MSU’s belated and prolonged response to these incidents left many wondering whether the university would be able to regain the trust of their students, faculty, and staff. Recently, however, an MSU board member called for a new office at the school: the Office of Enterprise Risk Management, Ethics, and Compliance.

Nicholas Wittner, an MSU alumnus, is the university’s new Chief Compliance Officer, tasked with creating the new office. In a statement he said, “I’m a Spartan. My wife is a Spartan. I’m embarrassed (by the university’s response to the sexual assault scandal involving Larry Nassar). I’m heartbroken (for the survivors). We can’t have anything like that happen again. I will do everything in my authority to make sure it never happens again.”

Wittner has a clear sense of mission at his troubled alma mater, as every Compliance Officer and Risk Manager should. As he put it, “I am here to ensure compliance. I’m not here to protect Michigan State’s brand.” Indeed, as much as reputational risk should be accounted for, Wittner understands that risk management is first and foremost a means to creating a better tomorrow, to doing what’s right.

What Is Nicholas Wittner’s Role?

President John Engler describes Wittner’s new role as Chief Compliance Officer as a person to check up on those doing the checking across campus.

He’ll be working with existing compliance officers across the university, and with schools and departments who don’t have compliance officers in place, to make sure regulations are followed.

Wittner is also intensely interested in getting every department and level of the university on the same page. As he says, “There needs to be an office that brings together all the reports and compliance efforts.” He believes that although there are many differences, especially in regulations, between the athletics department and the science department, for example, there is something that binds them.

While Wittner did not explicitly define this “something,” I understand him to mean that every part of a school should be committed to and joined by a common mission to protect the student body, above all.

To this end, he’ll be looking at how MSU can develop one consistent code of ethics that every branch of the university can adopt, which plays into his notion that compliance is only half of his job; it’s about creating a culture. He says, “After a university spends $500 million (in settlements), it needs to stand back and say, ‘What lessons have we learned?’”

Compliance with external and internal codes of conduct is of course an important lesson to learn. However, I would hope that Wittner and other future members of the inchoate Office of ERM will come to realize that compliance is only a small part of a robust risk management program.

A successful program requires a balance between enforcement of known compliance issues and prevention of new issues through university-wide risk assessments and mitigation and monitoring activities. Without this balance, MSU could fall into the trap so many have fallen into, that is, creating a fix for a known problem without anticipating what’s ahead.

Is an Office of ERM, Ethics, and Compliance What MSU Needs?

There are, unfortunately, too many scandals to accept these days. For each one, after the dust settles, it’s easy for me to see which companies have made it out of the woods and those who haven’t. Companies who believe their issues were one-off, inevitable incidents and therefore treat them as such, do not make it out of the woods. See Wells Fargo, Uber, Chipotle, etc…

But companies who take a moment to step back and understand the true root cause of their problems have a far greater chance of preventing future scandals. In MSU’s case, some could look at this scandal and conclude that the university needs to do a better job of hiring. But while background checks and thorough vetting processes may reduce the risk of scandal, every company runs the risk of hiring someone who will commit these offenses for the first time. The true scandal MSU is guilty of is letting the harassment continue by not implementing a system to escalate and remediate these incidents.

MSU itself has realized that a huge part of the issue with the Nassar scandal was that multiple people knew about the complaints, but their reports never made it to the school’s board. Wittner’s position will help mitigate this issue, as he reports directly to the board and is coming from a background of enough experience to know what the board needs to understand.

In addition to Wittner’s new role, the university’s new Office of ERM, Ethics, and Compliance signals a step towards integrated communication and a uniform risk culture. Wittner believes the new office will create consistency across the campus and get rid of silos that could allow various departments to sweep issues under the rug, as happened previously.

Wittner’s appointment and MSU’s Office of ERM are of course in their infancy, but the identification of root-cause risk and the implementation of enterprise risk management practices are always steps in the right direction. From here, it will be incredibly important for MSU to grow its enterprise risk management program beyond compliance to gain overarching foresight into new risks and mitigation tactics.

I look at MSU’s efforts as a proof point that risk management in education can be the means to a better tomorrow, where a better tomorrow is defined as one in which parents can send their children to school feeling confident they’re safe and cared for.

This article was originally posted on LogicManager.com

The post MSU Creates New Office of Enterprise Risk Management in Response to Nassar Scandal appeared first on insBlogs.

Do Insurance Companies Really Need Risk Management?


Risk management in the insurance business is a bit of a head scratcher. On the one hand, insurance companies are selling what many people consider to be a risk mitigation. On the other hand, insurance companies themselves face a variety of risks they need to mitigate.

Let’s briefly consider a misconception about insurance as it pertains to risk management. Too often, people think insurance is a sufficient, catch-all control activity. But while insurance is a perfect way to protect a business from many risk scenarios, there are other scenarios insurance just can’t cover. Oftentimes, insurance does not cover the core competency of a business.

Insurance companies can “self-insure” or purchase coverage from a reinsurer, but this doesn’t ensure all of the company’s risk is accounted for. One of an insurance company’s core competencies is providing customer service to those who need to submit a claim. If customers consistently have poor customer service experiences, they’re likely to share their stories on social media and tarnish the company’s reputation, and the company will fall behind the competition.

How Can Insurance Companies Benefit from Risk Management?

According to a recent study by the National Association of Insurance Commissioners (NAIC), core risks in the insurance business include “underwriting, credit, market, operational, liquidity risks, etc.” Given this wide variety of concerns, there is a tremendous opportunity for risk management in insurance companies to make a positive impact.

To return to the customer service example above, let’s look at how enterprise risk management could help. Risk management involves identifying, assessing, and mitigating risk. The beauty of a well-implemented risk management program is it’s built on a foundation of standardized risk assessments to help companies prioritize their risk based on its potential impact. Naturally, this process will surface risks that will impact the business’s core competencies.

For an insurance company, customer service would inevitably come to the forefront of a risk assessment. To address this risk, the insurance company could take steps to integrate incident management and risk management. Most companies have a way to track incidents like customer complaints, but many do not have a way of categorizing, prioritizing, and escalating incidents across teams. Risk management in the insurance business helps centralize and identify trends in the customer feedback. From there, insurance companies can implement controls to address those trends, such as hiring more customer service reps to resolve long wait times or implementing call-screenings to identify less-than-helpful interactions.

Improving customer service is only one example of how insurance companies can leverage risk management. A fully integrated enterprise risk management program can help insurance companies develop proactive mitigation activities to protect the core of their business.

Risk Management in Insurance Companies Ensures Compliance

Insurance companies operate under the increased scrutiny of an ever-changing regulatory environment. Risk managers are expected to fully understand how changes at the federal and state level impact their organizations, as well as meet customer expectations for substantial coverage with fair requirement and claims processes.

The NAIC’s expanded Own Risk and Solvency Assessment (ORSA) requirement is just one example of a changing regulation designed to accommodate regulator and consumer expectations. ORSA is defined as “an internal process undertaken by an insurer or insurance group to assess the adequacy of its risk management.”

ORSA goes beyond the SEC disclosure requirements that have universal applicability. It requires firms to “analyze all reasonably foreseeable and relevant material risks…that could have an impact on an insurer’s ability to meet its policyholder obligations.”

The minimum threshold for an ORSA program requires yearly analysis of all material risks. Companies must prove risk assessments have been undertaken at the organizational level where the risk activity takes place, not just at the senior management level. Organizations ensure this occurs by setting a “tone from the top.”

To determine how well your organization’s risk management program meets regulatory and consumer demands, including ORSA requirements, take the complimentary RIMS Risk Maturity Model. Recommended by the NAIC and Institute of Internal Auditors, the RIMS Risk Maturity Model benchmarks the strength of your risk management program and enables you to identify areas that need the most improvement.

ORSA compliance alone can be a major risk management challenge without a connected ERM solution and risk management information system that consolidates information. When any manager can evaluate risks in his or her own sphere of responsibility, however, it’s very easy to “roll” assessments up to the next level. Reporting, whether for annual ORSA assessments or a board meeting, becomes a simple matter of presenting information that already exists in the system.

The insurance industry will likely face a changing federal regulatory landscape in the years ahead. Multiple regulatory influences at the state, federal and international levels continue to present significant challenges for the industry; the effect of Dodd-Frank on insurance companies remains uncertain; and how to classify insurance companies as systemically important financial institutions (SIFIs) still requires clarification. This is only a short list of items creating uncertainty in the insurance industry. Risk management enables insurance companies to succeed among this uncertainty by anticipating and addressing a wide variety of change before risk materializes.

This post was originally published on LogicManager.com

The post Do Insurance Companies Really Need Risk Management? appeared first on insBlogs.

GDPR Readiness: How Do You Stack Up?


The GDPR is the strictest set of data protection rules any nation has published, featuring some of the most severe penalties connected to data privacy seen yet. Now that the compliance deadline has passed, we started to wonder about GDPR readiness. How are companies stacking up to the new regulation?

We compiled a host of GDPR statistics to answer that exact question, alongside some quick facts about what this new regulation is asking of international companies. 92% of US-based multi-national companies view GDPR compliance as their top security priority for the next year, but only 30% of companies will be compliant within a year of the May 25th deadline.

Check out the following GDPR statistics to see how your organization’s GDPR readiness stacks up.

Companies are, quite understandably, anxious to ensure that they do not fall out of compliance with new data privacy laws. That’s why you see some companies willing to spend as much as $10 million on GDPR readiness.

We believe companies should be spending far less. The truth is, achieving compliance involves no new work. At some level, somewhere within the business, organizations already know what data they’re collecting and what they’re using it for – which is a huge part of complying with the GDPR. It’s just a matter of surfacing this information and ensuring corresponding policies, controls, and monitoring activities are in place.

Enterprise risk management is built on a foundation of organization-wide risk assessments. When you administer risk assessments to employees on the front-lines, you might be surprised by the wealth of information they have to offer about the company’s data practices. Remember, IT can’t know everything; oftentimes, the information you need lies with Finance or Sales.

After you’ve collected information about your organization’s data practices and how they stack up to GDPR readiness, you can start building and improving your data privacy systems. ERM can assist you with many of the GDPR’s requirements; it’s just a matter of choosing the right ERM software.

When choosing software, use this checklist to decide whether it’s a good investment for GDPR readiness:

  • Audit: Software can help you gain a clear understanding of where all of your data resides and bring this together into a single view
  • Capture: Platform can help standardize your consent forms and capture the ensuing data in a compliant fashion
  • Process: Framework can ensure sensitive information is properly encrypted
  • Monitor: Dashboards can assist with monitoring your progress and set up automated alerts so you can act quickly if there are issues
  • Customize: Software can be customized and configured to meet your company’s unique needs

With enough research, you’re sure to find an ERM platform that checks off all of these boxes and empowers you to achieve GDPR compliance without spending $10 million!

This infographic was originally posted on LogicManager.com

The post GDPR Readiness: How Do You Stack Up? appeared first on insBlogs.

Chipotle’s Outbreak is Their Worst Risk Management Failure Yet: What Can They Do?


Since 2015, Chipotle has suffered multiple scandals of food-borne illness. The latest Chipotle outbreak has left more than 700 people ill. What does the Mexican grill have yet to learn?

In my last blog, “Hey, Chipotle, Can You Say Risk Management Rehab?” I took a look at the company’s timeline, and more specifically asked the question as to whether changing their CEO structure twice in less than two years was really the answer to their spicy woes.

This latest Chipotle outbreak, which has been ongoing since July 26 at a location in Powell, OH, is proof enough that the chain hasn’t uncovered the root cause of its repeated scandals.

Why Are People Still Getting Sick?

These outbreaks are likely to continue until Chipotle implements a robust enterprise risk management program. Let’s understand why:

CEO Steven Ells has commented multiple times on the recurring outbreaks with determination to make Chipotle “the safest restaurant to eat at.” So why can’t the restaurant get back on its feet?

I believe Chipotle has not realized this is a systemic risk management issue, as opposed to a smattering of one-off incidents to be addressed separately as if they have no commonality. This is a classic whack-a-mole problem: each time a risk issue is “whacked,” it only pops up again somewhere else.

To be sure, there has never been more than one outbreak at any one location. This is because, as soon as an outbreak occurs, the organization becomes hyper-focused on the incident.

For instance, after an outbreak in Sterling, VA in 2017, Ells cited a sick employee as the cause and announced the location’s employees would undergo “relentless training” on the company’s policies. Hyper-attention on one incident such as this is the wrong approach, as it only provides a band-aid solution, evidenced by the fact that hundreds of people are still falling ill.

The root cause of Chipotle’s outbreaks is not fallible sick policies or undercooked food; it’s ineffective risk management.

The 2015 Chipotle outbreaks occurred shortly after the restaurant launched an innovation to include locally sourced food in their recipes. A civil lawsuit filed in January 2016 alleged that the chain’s food-borne illness outbreaks were at least partially caused by the company’s decision to shift the process of prepping produce from central commissary kitchens to individual locations, which added about 1,000 points of food sourcing and contamination.

Innovation is great, but when risk assessments and mitigations are left out of the process, oversights and scandals are bound to occur. When new processes are created, or new policies are instituted, there needs to be a system in place to uncover the risks of new implementations, along with back-up plans in case these new processes fall short of excellence.

What Steps Can Chipotle Take to Stop the Outbreaks?

Whether the Chipotle outbreaks stem from incorrectly prepared ingredients, employees working while sick, or disparate food quality assurance practices, preventing future scandals means ensuring a common policy is followed across all locations.

All organizations, including Chipotle, can implement a risk-based approach to policy management and enterprise risk management by:

  1. Identifying the stakeholders of a policy
  2. Assessing the root-cause risks by engaging employees and contractors closest to the risks that threaten adherence to the policy across the organization
  3. Addressing those risks with appropriate, centralized controls
  4. Monitoring the effectiveness of those controls at each location with regularly-occurring tests and centralized reporting
  5. Implementing proactive incident and complaint management for employees, customers, and vendors to report deviations from the policy either anonymously or by name
  6. Repeating assessments regularly to proactively identify new emerging risks

With these steps, Chipotle can turn their attention away from band-aid, temporary fixes and focus on long-term, sustainable root-cause solutions. The customer-business relationship requires a lot of trust, as restaurants have a responsibility to their customers to protect them from harm. By implementing enterprise risk management across their locations, Chipotle will ensure a better tomorrow for their customers.

This article was originally posted on LogicManager.com

The post Chipotle’s Outbreak is Their Worst Risk Management Failure Yet: What Can They Do? appeared first on insBlogs.
