About Steven Minsky

Steven Minsky is CEO of LogicManager and co-author of the RIMS Risk Maturity Model for Enterprise Risk Management.

In a Changing World, Questions For the CRO

Before the financial crisis in 2008-2009, many businesses didn’t think of risk as something to be proactively managed. After the crisis, however, that paradigm shifted. Companies began perceiving risk management as a way to protect both their reputations and their stakeholders.

Today, risk management is not just recommended, it is considered crucial to successful operations and is required by federal and state law. The SEC’s Proxy Disclosure Enhancements, enacted in 2010, mandate that organizations provide information regarding board leadership structure and the company’s risk management practices. Company leadership is required to have a direct role in risk oversight, and any risk management ineffectiveness must be disclosed.

The CRO’s role

Volatility in the current business environment—a confluence of factors including transfers of power, the world economy and individual markets—is nothing new. Political transitions have always been accompanied by new agendas and shifting regulations, economies have always experienced bull and bear markets, and the evolution of technology constantly changes our processes.

Even so, recent events like Brexit, the uncertainty of a new administration’s regulatory initiatives, and thousands of annual data breaches have contributed to an unprecedented atmosphere of fear and doubt. To navigate this environment, the chief risk officer needs to adopt a proactive risk management approach. Enterprise-wide risk assessments grant the visibility and insight needed to present an accurate picture of the company’s greatest risks. This visibility is what the board needs to safely recognize opportunity for innovation and expansion into new markets.

To grow a business safely—by innovating and adding to products/services and expanding into new markets—risk professionals should not focus on identifying risk by individual country. This approach naturally leads to a prioritization of “large-dollar” countries, which aren’t necessarily correlated with greater risk. Countries that contribute a small percentage of overall revenue can still cause major, systemic risk management failures and scandals.

A better approach is to look at risk across certain regions; how might expanding the business into Europe, for example, create new challenges for senior management? Are there sufficient controls in place to mitigate the risks that have been identified?

When regional risks are aggregated to create a holistic picture, it becomes possible for the board to make sure expansion efforts are aligned with strategic goals.

Three processes that require ERM

Risk management is an objective process, and best practices, such as pushing risk assessments down to front-line process owners who are closest to operational risk, should be adhered to regardless of the current state of the international business arena.

While today’s political climate has generated a significant amount of media strife, it’s important not to let emotion influence decision-making. By providing the host organization with a standardized framework and centralized data location, enterprise risk management enables managers to apply the same basic approach across departments and levels.

This is particularly important when an organization expands internationally, which involves compliance with new sets of regulations and staying competitive. Performing due diligence on an ad hoc basis is neither effective nor sustainable. Instead, the process should follow the same best-practice process as domestic risk management efforts:

  1. Identify and assess. Make risk assessments a standard part of every budget, project or initiative. This involves front-line risk assessments from subject matter experts, revealing key risks and processes/departments likely to be affected by those risks. For example, financial scrutiny is no longer a concern just for banks. Increased attempts to fight terrorism mean transactions of all kinds are becoming subject to more review. Anti-bribery and anti-corruption processes estimate and quantify both vulnerability and liability.
  2. Mitigate key risks. Connect mitigation activities to the resources they depend on and the processes they’re associated with. ERM creates transparency into this information, eliminating inefficiency associated with updating/tracking risks managed by another department. Control evaluation is the most expensive part of operations. Use risk management to prioritize this work and reduce expenses and liability.
  3. Monitor the effectiveness of controls with tests, metrics, and incident collection for risks and controls alike. This ensures performance standards are maintained as operations and the business environment evolve. Evidence of an effective control environment prevents penalties and lawsuits for negligence. The bar for negligence is getting lower; technology is pulling the curtain back not only internally but (through social media and news) to the public as well.

Lastly, the CRO role is increasingly accountable for failures in managing risk along with other senior leaders and boards—look no further than Wells Fargo.

Key Steps to a Robust Risk Management Program

rm-monitoring
Our business environment is constantly changing—technologies improve, regulations are modified, competition increases, and demand evolves. Effective risk management grants an ability to adapt to these changes.

Recent headline events, including the Volkswagen emissions deception, the Wells Fargo scandal, and the penalty paid by Dwolla to the Consumer Financial Protection Bureau (CFPB), illuminate powerful motivators for strong risk management programs. Key to a robust program is preventing stressful, and possibly catastrophic, surprises.

When Plains All American Pipeline failed to detect corrosion in its pipeline, for example, the result was a 3,000-barrel oil spill and millions of dollars in fines. The corrosion had run under the radar because the company did not delegate sufficient inspection resources and did not maintain proper procedures and systems for preventing problems from escalating into emergencies. Risk management best practices, however, could have standardized these procedures throughout the organization and prevented the disaster from occurring.

Complying with regulators like the SEC and CFPB
Dwolla, a small, private e-commerce and online payment company, was found by the CFPB to be guilty of risk management negligence for inadequate data security practices. The catch is that Dwolla did not suffer a data breach and none of its customers were compromised. The CFPB fined Dwolla $100,000 as part of its increased focus on companies’ existing prevention strategies. Regulators are no longer simply pursuing organizations that have suffered risk management incidents; organizations need to take proactive approaches rather than simply hope to get by.

Improving productivity and encouraging innovation
An independent, peer-reviewed report, “The Valuation Implications of Enterprise Risk Management Maturity,” published in The Journal of Risk and Insurance, proved that organizations with mature ERM programs (as defined by the RIMS Risk Maturity Model) can achieve a 25% firm valuation premium over those without. Risk management does not have to be a burdensome addition to daily responsibilities—and if it is executed properly, it won’t. It simplifies daily operations by increasing transparency and allowing more resources to be devoted to value-add activities, like product development and customer services.

Checklist for evaluating your risk management efforts

A better question than “does my organization perform risk management?” is “how effectively does my organization identify and mitigate risks?” The following checklist outlines characteristics common to effective risk management programs. Your organization should prioritize development in these areas.

  1. Effective risk management governance

Boards, through their risk oversight role, are accountable for a risk’s material impact, whether the cause is at the executive level or on the front lines. The SEC considers “not knowing about a material risk” negligence, which carries the same penalties as fraud.

  • The board must monitor the effectiveness of the organization’s risk management process, ensuring it reaches all levels and business areas.
  • Internal auditors must independently confirm the board is informed on all material risks.
  • All material risks must be disclosed to shareholders, along with evidence that they are effectively mitigated.
  1. Performance management and goal management
  • Divide corporate objectives into business-unit contributions.
  • Identify business processes contributing to a goal within each business unit.
  • Cascade goals to all front-line managers within contributing processes.
  • Aggregate goal assessments and determine links between contributing business processes.
  1. Consistent risk identification and prioritization

Risk assessments must address more than high-level concerns. Effective assessments drill into risk events, uncovering the root cause, or problem “driving” the risk. Repeatable risk assessments are based on common numerical scales and scoring criteria across departments.

  1. Actionable risk tolerances

Risk appetite is a high-level statement that serves as a guide for strategic decisions. In order to be actionable, it should be accompanied by its quantitative cousin, risk tolerance. Risk tolerance is an effective monitoring technique for key performance goals and risk metrics.

  1. Centralized risk monitoring and control activities

Risk managers need to do more than design processes to identify risks and appropriate responses. A critical third component—monitoring—is the verification of a control’s effectiveness over the risk. A few key things to keep in mind to make monitoring effective:

  • Adjust risk assessments over time (spend less time on risks with decreasing indexes).
  • Reduce testing by identifying areas that can share controls (increase organizational efficiency).
  • Link risks and activities to determine which processes need to be monitored (prioritize activities/initiatives).
  • Monitor business metrics (discover concerning trends before they affect the organization).
  1. Forward-looking risk and goal reporting and communication

In order to continue funding their organizations’ risk management programs, boards need evidence that those programs are working. Risk managers should ask two basic questions before reporting to the board:

  • How might identified risks affect the board’s strategic objectives and key concerns?
  • Which metrics or trends most validate the program’s effectiveness?

These items are just a starting point for an analysis of your organization’s program. For a more in-depth blueprint and “state of ERM” report, take the RIMS Risk Maturity Model (RMM), a free best-practice assessment tool that scores risk management programs and generates an immediate report of your organization’s risk maturity.

Wells Fargo: What Should Have Happened

wells-fargo

When Wells Fargo fired 5,300 employees in September for inappropriate sales practices, then-CEO John Stumpf approached the scandal with an outdated playbook. In response to the $185 million in fines levied by regulators, he first denied any knowledge of the illegitimate accounts. Attempting to mitigate press fallout by distancing the company from a group of “bad eggs” acting independently is not the answer, however. Even if Stumpf had maintained this assertion of innocence, changes in the risk environment over the past few years demand a proactive approach.

Rather than simply deflecting responsibility in these situations, executives must be able to accomplish two things:

• Provide historical evidence of due diligence and risk management (if such a program was actually used)
• Demonstrate how the company is adjusting its policies and/or implementing new policies to ensure a similar incident doesn’t happen in the future

In 2010, the SEC’s Proxy Disclosure Enhancement (rule 33-9089) explicitly made boards of directors responsible for assessing and disclosing risk management effectiveness to shareholders. It mandates the use of risk monitoring systems to demonstrate that existing controls (mitigation activities) are effective. Under this rule, “not knowing” about an activity performed by employees is considered negligence. This is a crucial development; negligence carries the same penalty as fraud, but it does not require proof of intent. The Yates Memo (2015) gave the SEC ruling more “teeth” by requiring organizations to provide the Department of Justice with all the facts related to responsible individuals.

As a result, many companies have suffered significant penalties and frequently criminal charges, even though their executives were allegedly unaware of illicit activities. Consider the emissions scandal at Volkswagen and fines paid (to the SEC) by global health science company Nordion Inc. In both instances, deceptions were perpetrated by individuals below the executive level, but senior management’s inability to detect/prevent the incidents came back to bite them.

How to Prevent Risk Management Failures at Your Organization

John Stumpf’s approach should have started with an admission of Wells Fargo’s failure in risk management processes across the enterprise, followed by evidence that a more effective, formal enterprise risk management process is being implemented. For example, risk assessments must cascade from senior management down to the front lines and across all business silos. This ensures that the personnel most familiar with operational risks (and how to mitigate them) can keep the board informed.

In other words, instead of simply apologizing and attempting to provide restitution, Stumpf should have demonstrated that Wells Fargo is taking proactive risk management measures to protect its many stakeholders. It is the company’s duty to ensure that something like this never happens again.

The scandal is predictably following the same track as have previous failures in risk management: it starts with regulatory penalties, then leads to punitive damages, class action lawsuits, and finally, criminal charges and individual liability, depending on the particular case. The key to this pattern is the absence of adequate risk management, which means negligence under the new enterprise risk management laws, regulations and mandates passed since 2010.

The good news is that avoiding serious, long-term consequences is possible if proper actions are taken. For example, by providing a historical record of risk management practices, Morgan Stanley avoided regulatory penalties when an employee evaded existing internal controls. Other corporations that can provide evidence of an effective risk management program (risk assessments, internal controls that address risks, monitoring activities over these internal controls, and an electronic due-diligence trail) are largely exempt from punitive damages, class-action lawsuits, and possible jail time.

When implemented proactively, effective risk management systems have and will continue to prevent scandals, regulatory fines, litigation and imprisonment. For a more in-depth analysis of the Wells Fargo scandal, read the LogicManager blog post “The Walls Fargo Scandal is a Failure in Risk Management.”

Vendor Risks: Preventing Recalls with ERM

Recall
In 2016 alone, there have been dozens of recalls, by food companies, car manufacturers, and vitamin producers, among others. Not only do these recalls greatly impact a company’s bottom line, they can also affect the health and safety of consumers. With this in mind, what can organizations—both within the food industry and otherwise—do to improve their chances of uncovering suppliers operating in subpar conditions? How can they mitigate the risk of recalls?

Customers of CRF Frozen Foods, for example, a full-line, individually quick frozen processing plant that packages fruits and vegetables for a variety of customers, recently had big problems when it was linked to a widespread listeria outbreak. Contaminated foods affected big-name distributors like Trader Joe’s, Costco and Safeway, and some customers fell ill as a result.

Even though a series of sanitation concerns and other facility issues at CRF had been exposed by regulators as early as 2014, the factory was allowed to continue operating and its customers weren’t notified.

Red flags raised by regulators aren’t always seen by the companies they’re most relevant to, however. The fact that these outbreaks occurred seems to demonstrate that customers’ vendor management practices either failed or simply weren’t robust enough to detect issues. It all comes down to effective enterprise risk management (ERM). ERM provides the tools and framework that allow any organization to standardize processes and effectively mitigate vendor risk.

An ERM approach is characterized by standard criteria, interdepartmental communication, and automatic alerts and notifications. It keeps everyone in the organization on the same page and ensures assessment results are always understandable and accessible. This eliminates redundancy in the risk management process. As a result, you can quickly and easily determine the last time your organization evaluated a supplier. Something as simple as a notification that regulators have published new requirements might save your organization from acquiring infected or defective products.

There are three general stages that apply to any successful risk management effort:

  1. Identify specific risks, followed by assessment and evaluation
  2. Implement tailored mitigation activities to address those risks
  3. Monitor those mitigations to ensure long-term effectiveness

The first step serves as the foundation for steps two and three. Without a proper understanding of what risks your organization faces, it is impossible to prioritize and mitigate them. Especially across multiple business departments or within supply chains—it is quite difficult to identify and account for every variable.

To keep up with vendors’ fluctuating conditions, teams need to systematically identify and assess risks, catching them as they crop up. Preventing assessments from becoming obsolete is the key to keeping a pulse on everything that may affect the business, therefore avoiding unwanted surprises.

Risk assessments also help determine the best way to allocate limited resources. Minimizing vendor-related risks needn’t be burdensome, however. It should be a streamlined process that, by enabling you to avoid harmful incidents, improves operational efficiency. Once your risk assessments reveal the areas of highest priority, you can determine exactly how to mitigate those concerns.

The Freedom of Information Act can be extremely helpful when it comes to your third-party risk management efforts. It grants all companies the right to ask vendors for specific information about plant processes, worker training, sanitation practices, and maintenance. Suppliers are required to be forthcoming with all information (when asked), and teams need to take advantage of this opportunity. It is an important part of the risk management equation and will help you understand your risks before disruptions occur.

Performing vendor risk assessments—in the form of inspections, questionnaires, and service level agreements—generates an enormous amount of data and information. This information is useful for mitigating risk, but only if it is up to date, consistent and distributed to the appropriate individuals. The Freedom of Information Act provides an opportunity to evaluate suppliers with robust risk assessments, and ERM provides the means to capitalize on that opportunity. Ad-hoc assessments of current and prospective vendors, without standardized processes, will only get your team so far.

Steps to Effective ERM

Capitalizing on your vendor assessment rights is only part of the equation. Without an appropriate means of processing, distributing, and making data actionable, you’re back at square one. To make sense of important data, follow these steps:

  1. Create a taxonomy: define relationships between risks, requirements, goals, resources and processes. If each area of the business uses its own system for identifying and classifying risk, the resulting information is subjective and unusable by other departments. There is also significant information overlap—and therefore waste. Use your existing information to create a standard for data collection with minimal work.
  1. Streamline with the standardized risk assessments identified in step one. Risk assessments can be conducted in many different formats and qualities. Use resources already in place and streamline the results using the standard from step one. The most effective way to collect risk data is by identifying the root cause, or why an incident occurred. Honing in on the root cause provides useful information about what triggers loss and your organization’s vulnerabilities. When you link a specific root cause to a specific business process, designing and implementing mitigations is simpler and more effective.
  1. Connect mitigation activities to each of the key risks in these processes. A risk taxonomy gives you a more holistic understanding of all the moving parts in your organization. This makes it easier to design mitigation activities.
  1. Connect incidents, complaints and metrics (for each business process) to mitigation activities. Typically, companies already dedicate many resources to monitoring business performance, collecting information about incidents, complaints and metrics. These processes are often inefficient and ineffective. Simply connecting them to mitigation activities, however, identifies the reason such incidents happen. You can then take straightforward corrective actions, meeting top priorities and allocating resources with forward-looking measures. Risk management, after all, is not about minimizing fallout after an incident, but preventing such an incident from happening in the first place.

To make this entire process effective, management must work to develop an enterprise-wide risk culture. ERM is not just an executive-level process, but should be pushed all the way to frontline managers, where everyday decisions are made and the risks are known—but resources are often absent.

Approach your vendor risk assessments as you would any other risk assessment—they should be reoccurring and standardized. Perform them regularly and evaluate the results with the same scale and criteria with which you evaluate all other risks. Finally, automate information collection and review so that reporting reveals cross-silo dependencies before these risks turn into scandals. The result will be increased vendor security and the prevention of surprises, at a fraction of the cost.