Between sessions, attendees and analysts met to share their thoughts on the conference and brainstorm ways they could better leverage the tool. Customers also connected with fellow users to exchange ideas. These relationships are what make LogicManager more than a software, but rather a partner in achieving excellence.

Above all, what continues to be the most striking part of IMPACT is the willingness with which each customer presents on their successes, challenges, and future goals, while openly sharing the steps others can take to overcome existing obstacles or conquer new initiatives. IMPACT has and always will be a conference by practitioners, for practitioners.

A lot happened during the two-day event, so we broke IMPACT 2018 down into some recurring themes alongside the tips every governance, risk, and compliance professional can use to mature their ERM program.

Steven Minsky, CEO and Founder of LogicManager, continued this theme throughout his opening keynote session. He explored what it meant to build a better tomorrow through risk management. Namely, it’s to prevent distracting mishaps that threaten to derail a company’s mission, whether that be keeping satellites in the sky or making sure every customer’s transaction is safe and secure.

To this end, Steven outlined the steps every risk professional can take to adapt to the see-though economy:

Take a Risk-Based Approach – Integrate all governance areas and activities into one iterative process, including governance, identification, assessment, mitigation, monitoring, and events.

Engage the Business – Reach out to as many departments and levels as you can to collect relevant, accurate information to anticipate and address enterprise risk.

Put it all Together – For any initiative, look at what processes need to be carried out under each step of a risk-based approach and engage the appropriate personnel.

Consolidate Reporting – Turn brick-sized board reports into one-page dashboards by aggregating and filtering information by what your audience is interested in.

Every presenter seemed to be on board with this integral step to taking a risk-based approach. As the name implies, enterprise risk management is a sprawling, company-wide process which should never be limited to one department. It takes a host of subject matter experts and front-line personnel to get an accurate picture of an organization’s risk profile.

So what are some tips the presenters shared on engagement?

Develop a Common Language – Departments talk about risk differently. One person’s “analysis” is another’s “assessment.” It’s important to speak the same risk language in order to engage people in a risk-based approach.

Grab a Cup of Coffee – During a panel on building an effective ERM program, three professionals shared their view on approaching other departments with a cup of coffee and genuine questions about which processes aren’t working. They stressed the importance of not imposing a new system or point of view, but sharing solutions to their individual challenges.

Create a Risk-Aware Culture – In a panel discussion, members of DigitalGlobe and Maxar Technologies discussed the effectiveness of regular, in-person training sessions. In these sessions, employees are encouraged to identify their own risks and have open dialogues about how to assess them.

Demonstrate Success – Regularly present on the success you’ve had with a risk-based approach. Even small wins entice others to join the journey and make improvements of their own with the same method.

Add Capacity to Add Value

Many presentations remarked how much capacity they were able to create with an online system. As the Risk-Based Approach Wheel demonstrates, there’s a lot that goes into a mature risk management process. Getting bogged down in manual processes takes a lot of time away from the value-adding initiatives a company could be pursuing.

Here are the top tips for creating more capacity:

Centralize Information – Create a centralized repository for all risk information. Almost every presentation cited Word documents and spreadsheet systems as prior pain points because of the amount of time they took to update and track down.

Automate Workflows – Shuffling tasks from person to person and manually following up with people takes time. Many of the presenters talked about how they leveraged incident forms and automated workflows to create more capacity for themselves.

Consider Dude’s Law – Christi Woods from Teacher Retirement System of Texas shared Dude’s Law, in which Value = Why / How. In other words, if the “why” of what you’re doing is greater than “how” you’re doing it, you’re adding value. Automated systems decrease the “how” and increase value.

Embrace Change

Every single presenter touched on change at their company. The changes they discussed came in many forms, from organic growth to mergers and acquisitions. This was a poignant theme to explore throughout the conference because ERM is about adapting to change and maintaining repeatable, yet flexible processes.

Stick to Your Guns – The folks from DigitalGlobe had a lot to say about change after being acquired by Maxar. They viewed the merger as an opportunity to speak up for the process they believed in and to be a champion for a risk-based approach across the new enterprise.

Standardize, Standardize, Standardize – In moments of change, everyone needs to be on the same page. Panelists from Cognition Financial, IHS Markit, and Reverse Mortgage Funding advised the audience to centralize information and methodologies. Having a point person to mediate the standardization process is a must.

Engage Early and Often – With innovation comes risk. When a new process is being created, you want people to automatically think what its risks are. Engaging as many people as you can, as often as you can, in the risk management process is the best way to keep them risk-aware.

What’s on the Horizon?

Each customer presentation ended with a look towards the future. What did they want to improve on? How were they going to get there?

LogicManager had a few goals of our own to share.

Say Hello to Horizon – The LogicManager team introduced LogicManager Horizon, the latest version of our software. Why Horizon? Because we believe risk managers are the harbingers of a better tomorrow, and we want to provide them a new line of sight to what’s possible.

Keeping Engagement at the Forefront – LogicManager Horizon prioritizes solutions that will impact the most end-users. We’ve already deployed our newly designed incident webforms to increase engagement across organizations.

What’s Next – Redesigned home screen. Mobile accessibility. Improved infrastructure. This is just some of what LogicManager users can expect from LogicManager Horizon. What lies beyond Horizon? To close the event, CEO Steven Minsky discussed the role artificial intelligence will play in the risk management industry. We’re encouraging our customers to provide feedback on what kinds of technology will provide them more intelligent insights faster.

That’s a Wrap!

As always, the customers were the stars of IMPACT 2018. We loved seeing those who believe in LogicManager every year and how much they’ve grown their ERM programs. We can’t get enough of the customer-to-customer interactions as they share their success, learn from each other, and grow their skill sets.

We can’t wait to see everyone back at IMPACT 2019!

This article was originally published on LogicManager.com

Last Friday, Marriott disclosed that the data of about 500 million guests had been exposed as a result of a hack that dates all the way back to 2014.

In 2014, hackers exploited the reservation system of Starwood Hotels and Resorts, which was acquired by Marriott in 2016. The breach exposed user data that not only included names, phone numbers, email addresses, passport numbers, and dates of birth, but even access to some encrypted credit card data.

As a result of this breach, Marriott may be one of the first organizations to feel the full force of the EU’s General Data Protection Regulation penalties. Implications of GDPR can lead to new unprecedented levels of financial penalties and liability for Marriott executives. Marriott acquired Starwood back in 2016, but did not find out about the 2014 breach until several months following the 2016 merger. Companies are required by GDPR to alert government authorities within 72 hours of a known breach. Given that Marriott did not disclose this breach until last week, Marriott could face fines of up to 4 percent of their global revenue. Given the shift of Starwood ownership, the investigation into the violation will take time, and may not be finalized until later in 2019.

Separately, the first of what is expected to be many class-action lawsuits against Marriott have already been filed on behalf of customers affected by the breach. On top of that, Marriott’s security is also facing probes from the New York Attorney General’s office.

Reputation risk is also a major factor for both customers and investors. For Marriott, the length of time it took to discover a series of breaches that date back to nearly 4 years ago, coupled with its post-breach reaction, is a considerable impediment to its efforts to regain user and investor trust after a series of privacy and security scandals.

Today the economy is strong and your business is doing well. But are you prepared for when this strength turns to weakness? Enterprise risk management has been proven to help companies survive a recession.

While there is much debate over whether a recession is looming or not, the fact is, you need to be prepared. Whether in 2019, 2020, or 2021, it’s not a question of “if,” it’s a question of “when” a recession will occur, as history has proven that fluctuations in the economy are both inevitable and normal.

What I would like to help organizations understand is that preparing for a recession has everything to do with enterprise risk management. Any good business prepares for changes within and outside of their environment. A recession is just like any other change, and the consequences of not having a recession strategy in place could be grave.

I will outline some of the ways in which having an effective ERM program in place can help you survive a recession and even gain a competitive edge.

Can ERM Really Help My Business Prepare for a Recession?

To start, I’d like to share a success story with you. When I started LogicManager in 2005, everything was going up economy-wise, and it was an incredibly difficult time to get people to realize they needed risk management when business was booming.

Our first customers were early adopters of ERM and understood that only risk management provided a mechanism to adapt to market changes, implement strategic initiatives, and gain internal operational efficiencies. All of those customers not only survived the great recession but thrived in their business, a feat which they attributed to ERM and the use of LogicManager.

For instance, a small, regional corporate credit union used LogicManager’s ERM platform to assess third-party risk. Prior to adopting LogicManager, they considered their riskiest vendors to be the ones they spent the most money on. With LogicManager, they risk assessed each vendor based on their business impact using multiple criteria.

As a financial institution, their assessment revealed that investment advisory services like Standard & Poors were the highest risk vendors because their advice determined where the credit union invested most of their capital. Realizing the connection between bad advice and bad investments, they set up a framework to risk assess investment recommendations.

With a new system for identifying risk in place, they were able to take a closer look at subprime mortgages and mortgage-backed securities. Ultimately, their risk-based due diligence showed that, contrary to S&P guidance of AAA ratings, these securities did not have a sufficient risk-reward tradeoff. Thus, the credit union stopped investing in them all together.

This was a particularly difficult decision to make since all their peer institutions were investing heavily in these financial instruments. They needed evidence to present to their committees and board why they should not be doing the same. ERM provided them this evidence.

ERM helped this credit union make good decisions in this case, identify new opportunities and guide their execution, and survive the recession. As a result, they rose from a regional company, to one of the largest corporate credit unions in the United States.

Even a $1 trillion company cannot hide in the See-Through Economy. After a fourteen-year-old boy discovered a serious bug in Apple’s group FaceTime feature, his mother e-mailed, faxed, and tweeted the report to Apple. However, it wasn’t until after her tweet went viral that the bug was disabled. How could Apple have responded more efficiently and avoided this reputational risk?

Most Apple users are familiar with FaceTime, Apple’s video chatting software. The feature had recently been upgraded, so that users could loop multiple people into a group FaceTime. However, the feature has been disabled as a result of a major glitch discovered a few weeks ago by fourteen-year-old Grant Thompson. The serious privacy flaw could force a user’s device to pick-up an incoming group FaceTime even if they declined the call. The bug even enabled access to the recipient’s camera if they interacted with their device’s hardware.

Upon discovering the significant security and privacy flaw, Thompson’s mother immediately e-mailed a bug report and video to Apple on their support site. She also called and tweeted at CEO Tim Cook and even faxed a letter using her law firm’s letterhead. Despite her efforts, after several weeks the incident report had still not been processed. Thompson didn’t hear back from Apple until after national media outlets broke the news about the FaceTime glitch and traced the report back to her original tweets. Ms. Thompson’s tweet on the other hand, was escalated to the public, instantly. This is an example of the See-Through Economy at work, which encapsulates the shift towards transparency and accountability brought on by social media and technology. Before Apple could formally acknowledge the issue, the public had been made well-aware that their privacy was at risk.

Companies can no longer effectively manage reputational risk after the fact, so they must take a proactive risk-based approach to ensure the risk does not occur in the first place. Customer-facing incident management software is essential to handling corporate mishaps. With connected incident management tools, organizations can immediately resolve issues through an efficient workflow that directs the incident to the appropriate parties.

Difficulties  in the reporting process prevented the issue from being resolved sooner. Although the tech giant has a bug reporting channel, it is available only to designated specialists in the tech or security field. Given there was no public-facing channel for users to report security and privacy issues, Ms. Thompson used traditional methods including calling their support line, faxing, and tweeting. Unfortunately, the support line she reached was for traditional product support, which was not prepared for escalating security and privacy issues. Once her tweet went viral, Apple’s social media team was able to escalate the issue to the appropriate people; however, the bug publicly demonstrated Apple’s slow response and lack of escalation process.

Apple is not the only corporation who has struggled with implementing customer-facing incident management. As a result of the change in “Know Your Customer” laws, it has been a challenge for financial institutions to execute anti-money laundering regulations properly. Citibank recently rolled out a compliance program designed to protect customers and the company from illegal financial activity. However, what was initially designed as a program intended to catch terrorists has left multiple innocent customers with frozen bank accounts and zero notice. Without a customer-facing website to escalate issues, the remediation process is time-consuming with significant barriers to reach the appropriate employees.

Citibank is not unlike other banks, financial institutions, and most companies. While many have internal whistle-blower hotlines to report misdeeds, very few companies have reporting channels accessible to customers. Surprisingly, many financial institutions even require physical mail as a part of their complaint reporting process. These channels primarily serve as a means for customers to feel “their voices have been heard”. Often times, financial institutions do not have the management processes to identify and filter risk, fraud and misdeed reported from outside the organization. As a result, the resolution process is ineffective and complaints are typically aggregated over time serving no real purpose over than for process improvement.

With effective enterprise risk management in place, customer responses for a variety of issues can follow a clear and cost-effective path to resolution. Customer-facing incident management offers customers easily-accessible channels to escalate their incident reports. In the See-Through economy, risk transcends every industry. Regardless of what the incident is, be it a major software bug or innocent customers’ bank accounts being inadvertently frozen, incident management and reporting are essential components of effective risk management.

Without effective incident management tools, incident reporting can be a large source of liability. Having a disconnected reporting process is not only a disservice to the customers, but can negatively impact the company as well with exposure for negligence.

With the help of an enterprise risk management system, you can stay ahead of the curve in the event of an incident. With incident reporting software, you can give customers an outlet to easily submit issues that are immediately forwarded through a remediation workflow. While social media will still be at customers’ finger tips, you can ensure they are satisfied with a seamless and efficient resolution process. Incident management software will also give you a better understanding of why, when, and where incidents are happening, so you can prevent them from recurring in the future. Implementing the following pointers will help to improve your incident management program, so you can avoid ending up like the aforementioned companies.

• Front-line reporting: Empower customers and employees to submit incidents in customized forms that collect all the information your organization will need to engage the appropriate business units  in the resolution process.

• Automate Workflows: Design a workflow for each incident to get it routed to the right people across business silos to resolve it efficiently and cost-effectively.

• Centralize Incidents: With all departments in one system, they can easily communicate with one another about issues that arise and work towards a solution.

• Generate Reports: With all of your incident information in one place, you’ll be able to uncover trends within your data. Then, implement controls to prevent future incidents.

This article was originally published on LogicManager.com

For the first time, reputation risk, organizational culture, and cybersecurity have all landed among the top five risks in the energy industry. How can energy companies tackle all of these risks without wasting time and money on additional resources?

This year at my IRMI Energy Risk and Insurance Conference session, I showed attendees how they could tackle all three of these top-priority risks with enterprise risk management.

The key is adopting a truly integrated approach to risk management. The truth is, energy companies already collect much of the information they need to build a mature risk management program. More often than not, however, organizations fail to engage all departments and levels of the organization to share this information cross-functionally and to the right levels to make decisions.

During my session at 2019 IRMI ERIC, I walked attendees through, step-by-step, how their organizations can implement a risk-based approach to build a risk culture and cybersecurity program that mitigates reputational risks before they occur.

Whether you made it to this year’s conference or not, I wanted to share some of my takeaways from the session, as well as some tools I presented to facilitated a risk-based approach.

According to the report “Executive Perspectives on Top Risks 2019”, energy and utility companies rated organizational risk to have a ‘significant impact’ on operations in response to the following statement: “Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of strategic objectives.”

Interestingly enough, when asked about reputational risk such as social media, energy and utility companies responded with a ‘potential impact’ rating. What every company must realize is that in a See-Through Economy, social media is directly tied to reputational risk, which is in turn tied to the achievement of strategic objectives, and often related to cyber risk.

Deepwater Horizon Drilling Unit on Fire, Wikipedia

To drive home the importance of these emerging risks, I revisited some of the biggest scandals in the energy industry, such as the Merrimack Valley Gas Explosion, the PG&E electric fires, and of course, the Plains All American Pipeline Spill. Each of these mishaps carried immense reputational risk, and more importantly, were 100% preventable because they stemmed from severe negligence.

So how can you prevent negligence and corporate mishaps in the energy industry?

It all starts with having the right tools. At IRMI ERIC, I presented two physical tools attendees could use every day to facilitate a risk-based approach.

First, I showed them LogicManager’s Risk-Based Approach Wheel, which gives great visual insight into the activities performed during an end-to-end, iterative ERM process. You can download the Wheel here.

I also introduced them to another one of my favorite tools – the Risk-Based Translator. Often times, organizations have a lot of trouble communicating about risk because each department has their own secret lingo of sorts. Download the Translator here to see how you can create a common language across departments.

Cybersecurity vulnerabilities are an increasing concern for every company in every industry. Year over year, data breaches increase by 75%. Why are they becoming more prevalent, and how can you protect your business?

Before you can protect your company from a data breach, you have to understand why they’re occurring. So let’s look at some statistics:

• 81% of hacking-related breaches leveraged either stolen and/or weak passwords
• 70% of employees reuse passwords at work
• Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified
• 59% of companies experienced a data breach caused by a third party

These stats start to give us an idea of the true root cause of cybersecurity risk. Yes, there are bad actors involved, but data breaches also have everything to do with governance.

Realizing the connection between good governance and cybersecurity is in itself a huge benefit to an organization. Not only do data breaches hold financial and intellectual property concerns, they also have the potential to impact a company’s reputation.

Because of the See-Through Economy, consumers are more aware of data breaches than ever before, they’ve cried out for better protection, and regulators have taken steps towards providing it for them. More opportunities to be hit with regulatory lawsuits mean more chances for a company’s brand to suffer.

The good news is, the leading causes of cyber breaches – weak passwords, ransomware, and third parties – can be entirely mitigated with good governance.

For another, many organizations react by conducting employee training. Training increases awareness but is proven ineffective at changing behavior.

Reducing the risk of a cyber attack is no different from reducing any risk; it begins with identification. Specifically, root-cause risk identification, as we’ve started to do with the bullets above.

If 81% of hacking-related data breaches leveraged weak passwords, then expensive point-of-sale solutions or artificial intelligence won’t work.

Additionally, trained employees rarely make an effort to change weak/reused passwords, and the problem lingers. In fact, a survey by LastPass of LogMeIn, a password management tool, found that although 91% of the employees claim to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway.

Moreover, if over half of data breaches that occur stem from third-parties, what good will more training with employees or more expensive point solutions do?

Chances are, you already have many solid security policies and advanced technology in place. The next step is to implement good governance over them to make sure they’re actually protecting your company.

So how is good governance achieved?

Good governance doesn’t happen overnight. It takes a village. A huge misperception people have is that cybersecurity is the IT department’s responsibility. But actually, every department plays a key role. The first step to good governance, then, is realizing what piece of the puzzle each department holds. Consider the following:

• IT Security – Does not have the complete asset list, meaning it cannot identify all login practices or monitor password quality or access rights
• Finance – Knows assets and process owner allocation, but has no method/system for sharing that information with the right parties
• Third-Party Management – Has no system for managing authorized assets or sharing information or enforcement of controls
• Legal – Has authority, but lacks any control implementation or monitoring
• HR – Has no way of notifying application administrators of user entitlement changes
• Audit – Has access to an entitlement policy, but doesn’t have a user access list mapped to specific assets

The problems detailed above persist as long as departments are unable to communicate effectively. The information they need does exist; it’s a simple matter of finding out how to access and coordinate that information.

The banking industry is perceived as the most advanced in their understanding and implementation of risk management. Although banks have indeed made huge progress in risk management, two areas all banks can improve is the structure used in conducting their assessments to enable actionable and insightful strategic reporting.

I’ve found that the understanding and implementation of risk management is driven not by industry or size of institution, but rather by its people: boards, executives, their teams and front-line managers keeping their organizations on track to achieve their goals and preventing missteps and scandals in the fast-paced age of the See-Through Economy.

In an effort to give these two groups some insight into how they can accomplish this, I presented at two conferences for risk managers in the financial industry on new best practices and emerging trends. At the American Banking Association’s 2019 Risk Management Conference in Austin, TX, I presented on how attendees could get more out of cross-functional risk assessments. A short day later, I dove into effective board reporting at the Risk Management Association’s GCOR XIII Conference in Cambridge, MA.

In this blog, I’ll recap some of the highlights of these two important, intimately related topics. I’ll also pass along the tools I showed to each session’s attendees to give you a head start on implementing these tips for risk management in the banking industry.

What’s the challenge? Today, there’s a lot to protect your bank from – data breaches, reputational damage, non-compliance, a recession, and so much more. So the challenge, in a word, is complexity.

To paint a small picture of this complexity, think about the main regulatory body your bank has to align with and how many different risk categories they define. What I’ve seen time and time again is banks trying to put together different risk assessments to match up with all these different categories – the FFIEC’s 6 risk categories, the OCC’s 9 risk categories, etc.

The problem with this approach is if you take one of these categories, say Reputation Risk, and try to ask someone in IT to fill out a risk assessment on this category, they won’t know where to begin. They can only speak to what they know, and most IT professionals haven’t made the connection between what they know and reputation risk.

A better approach is to attract as many as you can with honey. The honey in this case is cross-functional risk assessments.

With cross-functional risk assessments, you’ll be able to gather, re-aggregate, and report on all the information you need to protect your business from a myriad of risks.

First, my presentation is summarized in our eBook “5 Steps for Better Risk Assessments: A Special Edition for the Financial Industry,” so feel free to download a free copy for an in-depth recap.