Santa’s Impact on Business and Finance

Just as Santa Claus brings gifts down chimneys, his name alone also carries the stigma of risks that transcend all industries. Indeed, thanks to the logistics of his job we better understand the risks of reindeer-led aviation. But perhaps more importantly, Kris Kringle’s presence has long influenced finance and business.

Mentioning him on Wall Street this year may trigger an underlying wealth management risk. The annual “Santa Claus Rally” marks an uptick in the stock market and a 1.4% average return of the S&P 500 index from the last five trading days of the year through the first two of January. This phenomenon can be attributed to people spending and investing a bit extra – possibly from holiday bonuses – leading to a generally happy mood on and off trading room floors.

Since 1950, the market has declined only 15 times during the Santa Claus Rally period. But due to the uncertainty surrounding the tax reform plan making its way through Congress, that 1-in-4.4 chance of downturn is on the minds of cynical investors. As reported recently by Investopedia, “Some bears think that, if Congress fails to make appreciable progress on tax reform before their holiday recess, Scrooge or Krampus will elbow Santa aside, and send the markets downward at year-end.”

And similar to the way Punxsutawney Phil seeing his shadow on Groundhog Day can predict six more weeks of winter, Santa skipping stock exchanges’ chimneys may indicate a frosty new year. According to The Stock Trader’s Almanac, some of the more recent holiday seasons without a rally included the last two, as well as in late 2007 and early 2008 leading up to the financial crisis, and just before the dotcom bubble burst in the 1999-2000 holiday period.

Santa’s influence isn’t just relegated to stock speculation and short-term investments, however. Some executives and employees may emulate his work ethic without realizing it. All eyes turn to him in good times and especially during the bad. He’s trying to meet year-end quotas while keeping a workforce happy and focused. Plus, Santa has the burden of trans-meridian travel with frequent stops over a 24-hour period, which is sure to cause jet lag. Sound familiar?

While one all-nighter might not have major long-term effects, regular ones could lead to shift work disorder, which has been linked to chronic diseases and illnesses. Anyone known to “Santa Claus it” too frequently may accumulate a large “sleep debt” over time. According to the Sleep Foundation, “if you work at night, you’re also going against your biological clock, which is naturally cueing you to become less alert and encouraging you to sleep during the nighttime hours.”

This can lead to seasonal “presenteeism,” an issue Risk Management magazine recently explored, detailing pain management in the workforce. Presenteeism occurs when a worker inhabits a space at their job, but “is unable to focus and perform as expected” and can be an even greater drag on productivity than absenteeism. The condition is indiscriminate – it can affect interns and CEOs – and may cause someone to “miss out not only on the income, but also the sense of meaning, purposefulness and belonging that can be gained from a job. Initial distress may lead to chronic anxiety and even depression.”

Identify these risks now, so that the mention of Santa Claus doesn’t put a humbug in your eggnog this holiday season.

What Organizations Need to Know about Risk Culture Audits

Today’s risks require more proactive oversight by boards of directors on the issue of risk management. Transitioning to this approach is easier said than done, however. The trouble is that many organizations are weighed down by antiquated risk management frameworks that prevent them from being proactive. Even today, how financial services and other industries address risk is deeply ingrained in organizations’ character, requiring a broader change which extends beyond simply implementing new risk management frameworks.

Overcoming this hurdle is easier said than done. In fact, businesses across the capital markets are primed for a risk culture rewiring.

What’s in a risk culture audit?
A risk culture audit is a critical first step in reinventing risk management because it helps identify challenges in behavior and reorients how companies think about today’s increasingly complex risk landscape.

Here are the key focus areas in any risk culture audit:

Organization Vision and Values: Evaluating leadership and established communications by senior leaders relative to risk and compliance.

Risk Management: Evaluating the maturity of risk frameworks, defining clear roles and responsibilities, and implementing education and training programs designed to empower individuals to include risk management in their decision-making consistently across the organization.

People Management: Understanding how risk management is introduced early in the onboarding process on the front end and back end, as well as directly into incentive compensation programs.

Risk culture audit lessons learned
I recently led OCC (Options Clearing Corporation) through one of these trailblazing exercises, leading me to my new mantra of “identify, escalate and debate.”

Rather than promote a reactive risk culture in which specific risk incidents derail teams from business-as-usual, we’re adopting a risk-focused culture that enables our teams to escalate an event immediately, assess its impact quickly, and debate its resolution broadly.

While every financial institution has unique considerations in its risk management framework, OCC’s risk culture audit revealed some key hurdles that are commonplace across financial services firms.

The first challenge is developing a risk management framework that boards and management can easily implement for risk oversight. This framework can be difficult to pin down because it must be formal, objective, and metrics-driven—and ultimately must map back to a risk appetite and process that team leaders can follow.

The second challenge is developing an action plan to help team leaders manage the shift toward a proactive risk culture. To effect change, team leaders need to be able to demonstrate that the new approach reduces risk or manages new risks within the firm’s risk appetite. Oftentimes, this means replacing human judgment with transparent rules and objective criteria.

Finally, the third challenge is shifting employees toward adopting a risk-based mindset at the individual level. A successfully retooled risk culture ultimately comes down to the people. Doing this successfully requires firms to reinforce the new risk culture at every turn, such as linking positive risk culture behaviors to performance rewards. At OCC, we are working on this third piece of the puzzle by identifying “risk champions” across the business and training them on the techniques needed to evaluate risk.

At the end of the day, financial institutions’ risk cultures must support risk management models that ensure market confidence does not erode, that issues are addressed, and that business continues as planned. I have concluded the best way for organizations to do this is to use a risk culture audit to identify opportunities that will help them transition to a strong risk-oriented business model. This enables them to comprehensively evaluate and understand the risk posed to their business, put mitigating controls in place, and enable an environment where risk can be discussed openly across the firm.

If companies can re-orient their risk culture to be more forward-thinking, they will put themselves in the best possible position to address today’s ever-evolving and complex risk environment.

Companies Must Evolve to Keep Up With Hackers

If you ask a CFO if their company’s current cybersecurity strategy is working, it’s very likely that they do not know. While at first they may think it is, because the company’s bank accounts are untouched, an adversary could be lurking in their network and collecting critical data to later hold for ransom—threatening to destroy it if the money isn’t paid. The truth is that many organizations are lacking effective risk management that ensures the integrity and availability of their most essential data.

Corporate America needs to take the power back and stop hackers before they compromise networks and exfiltrate data for criminal uses, or simply threaten to destroy it for financial gain. To shift the power back in their favor, they must safeguard data, implement an effective risk management program, and invest in risk reduction activities. Organizations need to assess the maturity of their cybersecurity efforts, determine if they have any pre-existing conditions, and focus on risk reduction efforts that truly protect their data, while ensuring the ability to deliver products and services.

The fastest way to check for pre-existing conditions is by doing a compromise assessment to identify any current suspicious activity within their network. From there, they can determine what exactly needs to be done to reduce their organization’s cyber risk and develop a risk management plan that outlines clear steps for protecting their most critical assets.

To develop a cybersecurity risk management plan, executives need to first define the company’s “crown jewels”—the things that if compromised, would cause the most damage or inhibit the ability to deliver products or services that generate revenue. For instance, for a bank, this could be access to funds by their individual or business customers, or banking information that could be used for fraudulent purposes. Once an organization knows what it’s protecting, the executives can then create a security roadmap that ensures the secure delivery of products or services.

The security roadmap should start with a business impact assessment that identifies those crown jewels that are needed for delivery of essential services or producing products. These can include the data itself, technical architecture or systems used by their customers to transact business. Once these have been identified, a prioritized risk reduction plan needs to be developed and tracked by the company’s leadership. Every facet of risk should be considered, from legal risk, to the consequences of a data breach, or inability to deliver services resulting from an intrusion or denial-of-service attack.

While security assessments and roadmaps are essential for defining an organization’s adequate cyber defenses, one of the biggest mistakes we see businesses make is being reactive when it comes to their defenses—relying on traditional technologies that only identify known threats and leverage Indicators of Compromise (IoCs). This method does not capture new exploits fast enough, nor versions of malware or other obfuscation techniques that are introduced by sophisticated adversaries. A great example is the sheer speed at which WannaCry ransomware spread to organizations of all sizes across the globe. Adversaries are capitalizing on this reactive security shortcoming by taking advantage of this window of opportunity to compromise data or networks.

Instead, organizations must take a proactive approach that focuses on indicators of attack (IoAs) that identify adversary behavior indicating malicious activity, such as code execution or lateral movement. IoAs can alert businesses to adversary activity before any damage is done. To effectively make use of this data, businesses also need to leverage threat intelligence for deeper insights into these IoAs.
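To make the difference concrete, here is a small added example (not from the original article or any vendor's product) that runs a hash-based IoC check and two simple behavioral IoA rules over the same constructed process events. The event fields, process names, hashes and rules are all assumptions chosen for illustration.

```python
# Added example. All events and hashes below are constructed, not real IoCs.
KNOWN_BAD_SHA256 = {"a" * 64}  # placeholder for a feed of known-threat hashes
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

EVENTS = [
    # Known sample: its hash is already on the IoC list.
    {"id": 1, "host": "ws-01", "parent": "explorer.exe", "image": "invoice.exe",
     "sha256": "a" * 64, "remote_target": None},
    # Hash never seen before, but a document app launching an interpreter.
    {"id": 2, "host": "ws-02", "parent": "winword.exe", "image": "powershell.exe",
     "sha256": "b" * 64, "remote_target": None},
    # The interpreter then starts a process aimed at another host.
    {"id": 3, "host": "ws-02", "parent": "powershell.exe", "image": "sc.exe",
     "sha256": "c" * 64, "remote_target": "fs-01"},
    # Ordinary activity: a user opening a document.
    {"id": 4, "host": "ws-03", "parent": "explorer.exe", "image": "winword.exe",
     "sha256": "d" * 64, "remote_target": None},
]

def ioc_hits(events, bad_hashes=KNOWN_BAD_SHA256):
    """Reactive check: flag only files whose hash is already known bad."""
    return [e["id"] for e in events if e["sha256"] in bad_hashes]

def ioa_hits(events):
    """Behavioral check: flag what the process did, whatever its hash."""
    hits = []
    for e in events:
        if e["parent"] in DOC_APPS and e["image"] in INTERPRETERS:
            hits.append((e["id"], e["host"], "code execution"))
        elif e["parent"] in INTERPRETERS and e["remote_target"] not in (None, e["host"]):
            hits.append((e["id"], e["host"], "lateral movement"))
    return hits

def hosts_to_escalate(events):
    """Hosts showing both behaviors are the ones to investigate first."""
    seen = {}
    for _, host, behavior in ioa_hits(events):
        seen.setdefault(host, set()).add(behavior)
    return sorted(h for h, b in seen.items()
                  if b == {"code execution", "lateral movement"})

if __name__ == "__main__":
    print("IoC matches:", ioc_hits(EVENTS))
    print("IoA matches:", ioa_hits(EVENTS))
    print("Escalate:", hosts_to_escalate(EVENTS))
```

The hash list catches only the sample it already knows, while the behavioral rules flag the two events on ws-02 whose hashes appear on no list and leave the ordinary document open alone.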

Threat intelligence provides a crucial layer of information on adversary motives, tactics, techniques and procedures. For instance, a bank could look at a threat and see if this particular adversary typically targets the financial services industry, which regions they operate in and the motive behind their attacks.

Going one step further, organizations should leverage technology that enables threat intelligence to be shared rapidly and can protect numerous customers at once. At the end of the day, effective security requires a community effort. Corporate America needs to come together and truly leverage the power of crowdsourced intelligence—to keep from becoming victims of the next big attack.

From a lack of risk management plans, to reliance on reactive security measures, there are a number of areas where companies are falling short of having an adequate cyber defense. By putting the necessary plans in place to secure the integrity of their critical data, taking a proactive approach to cyber threats and working together across industries and businesses, corporate America can collectively build a stronger cyber defense.

Second Quarter Sees 1% Rise in Commercial Lines Rates

Closer attention to underwriting and losses has led to premium increases averaging 1% in the second quarter of 2017, continuing an upward trend this year. The transportation sector, most notably auto-related exposures, is seeing the highest increases, up to 4%, according to a report released today by MarketScout.

“We now have two consecutive quarters of composite rate premium increases. Insurers are adjusting pricing as they should, based upon losses incurred, expense loads and targeted returns on equity,” Richard Kerr, CEO and Founder of MarketScout said in a statement.

By account size, small to medium-size organizations saw the highest premium increases. Small accounts (under $25,000 premium) increased from up 1% to up 2%, medium accounts ($25,001 – $250,000) went from flat to plus 1%, large accounts ($250,001 – $1 million) were unchanged and jumbo accounts (more than $1 million) were down 1% compared to a drop of 2% the prior quarter.

By coverage class, commercial property and inland marine adjusted from down 1% in the first quarter, to up 1% in the second quarter. Commercial auto rates rose from up 3% to up 4%. EPLI also went from up 1% to up 2%. Fiduciary adjusted downward to flat or no increase compared to up 1% in the prior quarter. All other coverage classifications were unchanged from the previous quarter, according to the report.

By industry class, public entity rates moderated from up 1% to flat. Transportation risks experienced slightly lower rate increases with second quarter rates up 4% compared to 5% first quarter.