In a Changing World, Questions For the CRO

Before the financial crisis in 2008-2009, many businesses didn’t think of risk as something to be proactively managed. After the crisis, however, that paradigm shifted. Companies began perceiving risk management as a way to protect both their reputations and their stakeholders.

Today, risk management is not just recommended, it is considered crucial to successful operations and is required by federal and state law. The SEC’s Proxy Disclosure Enhancements, enacted in 2010, mandate that organizations provide information regarding board leadership structure and the company’s risk management practices. Company leadership is required to have a direct role in risk oversight, and any risk management ineffectiveness must be disclosed.

The CRO’s role

Volatility in the current business environment—a confluence of factors including transfers of power, the world economy and individual markets—is nothing new. Political transitions have always been accompanied by new agendas and shifting regulations, economies have always experienced bull and bear markets, and the evolution of technology constantly changes our processes.

Even so, recent events like Brexit, the uncertainty of a new administration’s regulatory initiatives, and thousands of annual data breaches have contributed to an unprecedented atmosphere of fear and doubt. To navigate this environment, the chief risk officer needs to adopt a proactive risk management approach. Enterprise-wide risk assessments grant the visibility and insight needed to present an accurate picture of the company’s greatest risks. This visibility is what the board needs to safely recognize opportunity for innovation and expansion into new markets.

To grow a business safely—by innovating and adding to products/services and expanding into new markets—risk professionals should not focus on identifying risk by individual country. This approach naturally leads to a prioritization of “large-dollar” countries, which aren’t necessarily correlated with greater risk. Countries that contribute a small percentage of overall revenue can still cause major, systemic risk management failures and scandals.

A better approach is to look at risk across certain regions; how might expanding the business into Europe, for example, create new challenges for senior management? Are there sufficient controls in place to mitigate the risks that have been identified?

When regional risks are aggregated to create a holistic picture, it becomes possible for the board to make sure expansion efforts are aligned with strategic goals.

Three processes that require ERM

Risk management is an objective process, and best practices, such as pushing risk assessments down to front-line process owners who are closest to operational risk, should be adhered to regardless of the current state of the international business arena.

While today’s political climate has generated a significant amount of media strife, it’s important not to let emotion influence decision-making. By providing the host organization with a standardized framework and centralized data location, enterprise risk management enables managers to apply the same basic approach across departments and levels.

This is particularly important when an organization expands internationally, which involves compliance with new sets of regulations and staying competitive. Performing due diligence on an ad hoc basis is neither effective nor sustainable. Instead, the process should follow the same best-practice process as domestic risk management efforts:

  1. Identify and assess. Make risk assessments a standard part of every budget, project or initiative. This involves front-line risk assessments from subject matter experts, revealing key risks and processes/departments likely to be affected by those risks. For example, financial scrutiny is no longer a concern just for banks. Increased attempts to fight terrorism mean transactions of all kinds are becoming subject to more review. Anti-bribery and anti-corruption processes estimate and quantify both vulnerability and liability.
  2. Mitigate key risks. Connect mitigation activities to the resources they depend on and the processes they’re associated with. ERM creates transparency into this information, eliminating inefficiency associated with updating/tracking risks managed by another department. Control evaluation is the most expensive part of operations. Use risk management to prioritize this work and reduce expenses and liability.
  3. Monitor the effectiveness of controls with tests, metrics, and incident collection for risks and controls alike. This ensures performance standards are maintained as operations and the business environment evolve. Evidence of an effective control environment prevents penalties and lawsuits for negligence. The bar for negligence is getting lower; technology is pulling the curtain back not only internally but (through social media and news) to the public as well.

Lastly, the CRO role is increasingly accountable for failures in managing risk along with other senior leaders and boards—look no further than Wells Fargo.

Disruptive Technologies Present Opportunities for Risk Managers, Study Finds

PHILADELPHIA–Disruptive technologies are used more and more by businesses, but those organizations appear to be unprepared. What’s more, companies seem to lack understanding of the technologies and many are not conducting risk assessments, according to the 14th annual Excellence in Risk Management report, released at the RIMS conference here.

The study found an apparent lack of awareness among risk professionals of their company’s use of existing and emerging technologies, including the Internet of Things (IoT), telematics, sensors, smart buildings, and robotics and their associated risks. When presented with 13 common disruptive technologies, 24% of respondents said their organizations are not currently using or planning to use any of them. This is surprising, as other studies have found that more than 90% of companies are either using or evaluating IoT technology or wearable technologies and that companies in the United States invested $230 billion on IoT in 2016.

Another finding was that despite the impact disruptive technology can have on an organization’s business strategy, model, and risk profile, 60% of respondents said they do not conduct risk assessments around disruptive technologies.

“Today’s disruptive technologies will soon be — and in many cases already are — the norm for doing business,” said Brian Elowe, Marsh’s U.S. client executive leader and co-author of the report said in a statement. “Such lack of understanding and attention being paid to the risks is alarming. Organizations cannot fully realize the rewards of using today’s innovative technology if the risks are not fully understood and managed.” According to the study:

Organizations generally, and risk management professionals in particular, need to adopt a more proactive approach to educate themselves about disruptive technologies — what is already in use, what is on the horizon, and what are the risks and rewards. Forward-leaning executives are able to properly identify, assess, and diagnose disruptive technology risks and their impact on business models and strategies.

This lack of clarity presents opportunity for risk professionals. In fact, previous Excellence reports have indicated that C-suite executives and boards of directors want to know what risks loom ahead for their organizations and increasingly rely on risk professionals to provide that insight.

“As organizations adapt to innovative technologies, risk professionals have the opportunity to lead the way in developing risk management capabilities and bringing insights to bear on business strategy decisions,” said Carol Fox, vice president of strategic initiatives for RIMS and co-author of the report. “As a first step, risk professionals are advised to proactively educate themselves about disruptive technologies, including what is already in use at their organizations, what technologies may be on the horizon, and the respective risks and rewards of using such technology.”

One thing companies can do to manage risks associated with disruptive technologies is facilitate discussions through cross-functional committees—yet fewer companies, only 48%, said they have one, a drop from 52% last year and 62% five years ago.

Whether discussed in weekly, monthly, or quarterly organization-wide committee meetings, emerging risks — including disruptive technologies — need to be examined regularly to anticipate and manage the acceleration of business model changes. When risk is siloed, too often the tendency can be toward an insurance-focused approach to risk transfer rather than an enterprise approach that may lead to pursuing untapped opportunities.

The Excellence survey, Ready or Not, Disruption is Here, is based on more than 700 responses to an online survey and a series of focus groups with leading risk executives in January and February 2017.

Findings from the survey were released today at the RIMS 2017 Annual Conference & Exhibition. Copies of the survey are available on www.marsh.com<http://www.marsh.com> and www.rims.org<http://www.rims.org>.

Protecting Employees in the Face of International Risks

Increasing globalization and the growing world market presents employees with opportunities to travel and experience new countries and cultures. With travel comes risk, however. In the event of an unforeseen incident, it is an organization’s top priority to ensure its employees are safe and out of harm’s way.

By following proactive travel risk management strategies, employers can help ensure not only the safety of their employees abroad, but also the success of their businesses while avoiding major financial, legal and reputation costs. When developing travel policies, companies must consider the health, safety and security risks that their employees could encounter.

Security Risks
The frightening unknowns of crises such as sudden earthquakes or airport terror attacks can cause distress and chaos. It is the duty of a company’s human resources department to ensure employees are safe and secure, as being unprepared for such events could have dire consequences. For the best outcome, companies should proactively develop travel risk management plans before disaster strikes. Consider these guidelines for your company’s travel emergency plans:

  • Share information. Ensure employees are educated on how to avoid security risks in their destinations and share corresponding safety advice.
  • Develop a communication plan. Decide how employees should contact HR and/or other crisis response team members and vice versa in the event of an emergency.
  • Give employees information about who to contact if they’re in an emergency scenario. Create staffing patterns or third party resources that can accommodate after-hours calls.
  • Consider rearranging travel plans if there’s a high security risk. Use technologies, such as video conferencing, to keep business rolling as usual if employees need to conduct in-person meetings in destinations where it may be temporarily unsafe to travel.
  • Encourage employees to enroll in the Smart Traveler Enrollment Program (STEP). The app provides updated travel warnings and alerts via email. It can also help the nearest U.S. embassy or consulate locate individuals in the event of a disaster.

Health Risks
Recent disease outbreaks in several countries have caused concern among business and leisure travelers alike. If organizations have plans for employees to travel to areas experiencing widespread illness, consider exercising flexibility. If a disease epidemic is dominating news headlines, there is a good chance employees will be concerned about going to a destination that’s affected. In these cases, advise alternative options such as video calls or contacting local partners to help out. On the other hand, if employees elect to travel to the location, it is the employer’s job to ensure they have the knowledge and resources they need to have a safe and successful trip. To help protect the health of a traveling employee, HR professionals should:

  • Research and understand destination-specific health risks and share this information with employees. Education is essential to preventing life-threatening situations.
  • Ask employees to fill out personal medical information Forms. An employee should bring a copy on the trip and also leave copies with trusted friends or family. In the event of a medical emergency, the trustees will be able to obtain important personal medical details from the document, such as insurance coverage, current or past medical conditions and emergency contact information.
  • Remind employees to carry prescription paperwork. This can prevent issues at airport security and can be useful should a new or similar prescription be necessary locally.
  • Confirm that employees are covered by health insurance that is accepted overseas. This will help avoid monstrous fees later on.

Potential Costs for the Business
The costs of not following these strategies can be far-reaching. Your employees’ health and safety is always of utmost importance. However, there are also some continuity issues to consider.

At the most basic level, a health or safety issue that affects a traveling employee will likely cause a loss in productivity and, therefore, an impact to your organization’s bottom line. Companies could furthermore face cancellation fees, lost deposits, unused inventory or lost sales. Additionally, medical bills, medical evacuations and security evacuations can pose huge financial burdens on both employees and the company.

Furthermore, an organization that doesn’t adequately prepare for potential risks and therefore compromises an employee’s safety can lose loyalty quickly. If employees know their colleagues were put in risky situations, they will likely lose trust in their companies—which could cause engagement (and business results) to decline.

Adding to the strain of a disillusioned workforce, legal disputes could arise. An injured worker seeking remedies could bring an injury claim against their employer. The cost a company could face when it comes to duty of care disputes depends on the complexity of the case, the length of time and whether it reaches a full trial. Businesses should be prepared for the possibility of facing court cases by following key risk management strategies before being pulled through lengthy and costly litigation processes.

There are also reputation costs to consider. One of the most damaging scenarios may be that the company’s failure to fulfill their duty of care obligation leads to media headlines resulting in serious brand damage. In this case, the news can mar the company’s reputation, causing stakeholders to pull away and resulting in devastating loss in revenue.

Above all, employees are the backbone of an organization, and their safety and security should be the top priority for every business. Devising a sound risk management plan for travelling employees is crucial for ensuring the safety of employees as well as the longevity of your business.

Firestorm Over Forced Removal Proves Costly for United

United Airlines stock tumbled nearly 4% in early trading Tuesday morning before recovering late in the day as the company continued to deal with fallout after video surfaced showing a passenger being forcibly dragged from a United flight at Chicago’s O’Hare International Airport. United shares were down by as much as 6% in premarket trading Tuesday morning, according to MarketWatch.

Shocked viewers responded with universal outrage Monday to a video appearing to show a 69-year old man being brutally dragged off his flight by three uniformed officers from the Chicago Department of Aviation, one of which has since been placed on leave. The man’s face was bloodied and he appeared disheveled as officers dragged him along the narrow aisle of the plane.

“The incident on United flight 3411 was not in accordance with our standard operating procedure and the actions of the aviation security officer are obviously not condoned by the Department,” the agency said in a statement. “That officer has been placed on leave effective today pending a thorough review of the situation.”

Compounding the Airline’s misery was a letter sent to employees Monday night by United’s CEO, Oscar Munoz, saying that he supported the actions of the flight’s crew in removing the passenger, who Munoz accused of being “disruptive and belligerent.” Munoz later apologized directly to the passenger but his public sentiment was judged disingenuous in the wake of the leaked employee memo.

The passenger was removed from the flight to make room for four United employees, although it was initially reported that the passenger was removed from the flight to Louisville due to overbooking—a standard industry practice of selling more seats on any given flight than are actually available to shield the airline from lost revenue from no-shows. Although the flight was not technically overbooked, United followed the policy in order to seat the four employees.

In 2016, the 12 largest U.S. airlines bumped slightly more than 40,600 of 659.7 million passengers, for a rate of 0.62 per 10,000 passengers, down from 0.73 per 10,000 in 2015, according to the Bureau of Transportation Statistics, Bloomberg reported.

In this case, the airline requested that four passengers relinquish their seats to United employees. According to reports, the airline first offered passengers $400 in addition to hotel and flight vouchers, and then raised the cash component to $800. When there were no takers, the airline chose four passengers to be removed. Approached by the flight’s crew, the man declined to give up his seat, asserting that he is a doctor and needed to see patients Monday morning.

The incident also sparked an international outrage across China, where it was the top item trending on Sina Weibo, as it was reported the removed passenger was Asian. The BBC reported that a passenger seated next to the doctor said the doctor was originally from Vietnam, where there was also widespread negative reaction. The hashtag #UnitedForcesPassengerOffPlane had more than 270 million views and an online petition, “Chinese Lives Matter,” which has some 38,000 signatures and calls for a U.S. investigation into the case, according to Bloomberg.

Reputational damage can be potentially costly as a company may have to deal with expenses related to managing a crises, such as public relations and advertising, as well as any loss to the company’s stock market value. The incident is the second in as many weeks to envelop United, which previously suffered scorn in the court of public opinion after barring two nonrevenue passengers from boarding a flight based on a dress code violation.

United’s largest shareholder is Warren Buffet, whose 9% stake in the airline, worth roughly $2 billion, was down some $90 million when United’s stock was at its lowest point on Tuesday.