Vendor Risks: Preventing Recalls with ERM

In 2016 alone, there have been dozens of recalls, by food companies, car manufacturers, and vitamin producers, among others. Not only do these recalls greatly impact a company’s bottom line, they can also affect the health and safety of consumers. With this in mind, what can organizations—both within the food industry and otherwise—do to improve their chances of uncovering suppliers operating in subpar conditions? How can they mitigate the risk of recalls?

Customers of CRF Frozen Foods, for example, a full-line, individually quick frozen processing plant that packages fruits and vegetables for a variety of customers, recently had big problems when it was linked to a widespread listeria outbreak. Contaminated foods affected big-name distributors like Trader Joe’s, Costco and Safeway, and some customers fell ill as a result.

Even though a series of sanitation concerns and other facility issues at CRF had been exposed by regulators as early as 2014, the factory was allowed to continue operating and its customers weren’t notified.

Red flags raised by regulators aren’t always seen by the companies they’re most relevant to, however.

The fact that these outbreaks occurred seems to demonstrate that customers’ vendor management practices either failed or simply weren’t robust enough to detect issues. It all comes down to effective enterprise risk management (ERM). ERM provides the tools and framework that allow any organization to standardize processes and effectively mitigate vendor risk.

An ERM approach is characterized by standard criteria, interdepartmental communication, and automatic alerts and notifications. It keeps everyone in the organization on the same page and ensures assessment results are always understandable and accessible. This eliminates redundancy in the risk management process. As a result, you can quickly and easily determine the last time your organization evaluated a supplier. Something as simple as a notification that regulators have published new requirements might save your organization from acquiring infected or defective products.

There are three general stages that apply to any successful risk management effort:

  1. Identify specific risks, followed by assessment and evaluation
  2. Implement tailored mitigation activities to address those risks
  3. Monitor those mitigations to ensure long-term effectiveness

The first step serves as the foundation for steps two and three. Without a proper understanding of what risks your organization faces, it is impossible to prioritize and mitigate them. Across multiple business departments, or within supply chains, it is especially difficult to identify and account for every variable.

To keep up with vendors’ fluctuating conditions, teams need to systematically identify and assess risks, catching them as they crop up. Preventing assessments from becoming obsolete is the key to keeping a pulse on everything that may affect the business, therefore avoiding unwanted surprises.

Risk assessments also help determine the best way to allocate limited resources. Minimizing vendor-related risks needn’t be burdensome, however. It should be a streamlined process that, by enabling you to avoid harmful incidents, improves operational efficiency. Once your risk assessments reveal the areas of highest priority, you can determine exactly how to mitigate those concerns.

The Freedom of Information Act can be extremely helpful when it comes to your third-party risk management efforts. It grants all companies the right to ask vendors for specific information about plant processes, worker training, sanitation practices, and maintenance. Suppliers are required to be forthcoming with all information (when asked), and teams need to take advantage of this opportunity. It is an important part of the risk management equation and will help you understand your risks before disruptions occur.

Performing vendor risk assessments—in the form of inspections, questionnaires, and service level agreements—generates an enormous amount of data and information. This information is useful for mitigating risk, but only if it is up to date, consistent and distributed to the appropriate individuals. The Freedom of Information Act provides an opportunity to evaluate suppliers with robust risk assessments, and ERM provides the means to capitalize on that opportunity. Ad-hoc assessments of current and prospective vendors, without standardized processes, will only get your team so far.

Steps to Effective ERM

Capitalizing on your vendor assessment rights is only part of the equation. Without an appropriate means of processing, distributing, and making data actionable, you’re back at square one. To make sense of important data, follow these steps:

  1. Create a taxonomy: define relationships between risks, requirements, goals, resources and processes. If each area of the business uses its own system for identifying and classifying risk, the resulting information is subjective and unusable by other departments. There is also significant information overlap—and therefore waste. Use your existing information to create a standard for data collection with minimal work.
  2. Streamline with the standardized risk assessments identified in step one. Risk assessments can be conducted in many different formats and qualities. Use resources already in place and streamline the results using the standard from step one. The most effective way to collect risk data is by identifying the root cause, or why an incident occurred. Homing in on the root cause provides useful information about what triggers loss and your organization’s vulnerabilities. When you link a specific root cause to a specific business process, designing and implementing mitigations is simpler and more effective.
  3. Connect mitigation activities to each of the key risks in these processes. A risk taxonomy gives you a more holistic understanding of all the moving parts in your organization. This makes it easier to design mitigation activities.
  4. Connect incidents, complaints and metrics (for each business process) to mitigation activities. Typically, companies already dedicate many resources to monitoring business performance, collecting information about incidents, complaints and metrics. These processes are often inefficient and ineffective. Simply connecting them to mitigation activities, however, identifies the reason such incidents happen. You can then take straightforward corrective actions, meeting top priorities and allocating resources with forward-looking measures. Risk management, after all, is not about minimizing fallout after an incident, but preventing such an incident from happening in the first place.

To make this entire process effective, management must work to develop an enterprise-wide risk culture. ERM is not just an executive-level process, but should be pushed all the way to frontline managers, where everyday decisions are made and the risks are known—but resources are often absent.

Approach your vendor risk assessments as you would any other risk assessment—they should be recurring and standardized. Perform them regularly and evaluate the results with the same scale and criteria with which you evaluate all other risks. Finally, automate information collection and review so that reporting reveals cross-silo dependencies before these risks turn into scandals. The result will be increased vendor security and the prevention of surprises, at a fraction of the cost.

Mastering IT Risk Assessment

The foundation of your organization’s defense against cyber theft is a mastery of IT risk assessment. It is an essential part of any information security program, and in fact, is mandated by regulatory frameworks such as SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA and FISMA.

Compliance with those frameworks means that your organization not only has to complete an IT risk assessment but it must also assess and address the risks by implementing security controls.

In the event of a breach, an effective IT risk management plan—which details exactly what your IT department is going to do and how they’re going to do it—together with the implementation of critical security controls, has the potential to save your organization millions of dollars in direct response costs, legal fees, regulatory fines, and the cost of rebuilding a damaged corporate reputation.

Evaluating the potential compliance, operational and reputational risks to your organization and then ranking their importance and likelihood is not easy. Even more challenging is developing and then implementing the IT risk management plan. If your IT department is undergoing an IT risk assessment now or strengthening its cybersecurity strategy, look to qualified industry professionals and innovative technologies to help you master the process and stay compliant.

Here are six tips to keep in mind:

1. Get professional help. Hire an independent third-party auditor and/or attorney. Your IT hosting provider may even provide compliance and auditing services. These consultants can provide a comprehensive risk analysis, audit assistance and privacy and security guidance, including identifying potential risks, exposures and liabilities.

2. Use private cloud technology to protect sensitive data. Moving all or part of your infrastructure to a professionally managed, compliant private cloud offers benefits that drive business value. Your organization’s data and apps are hosted by experts in an environment that is independently audited for the specific regulatory compliance that you need, which is a big help in passing your own audit. Also, your IT department is freed up to focus on strategic projects without bearing the burden of solving compliant hosting complexities, hassling with maintenance and support, managing staff allocations, and providing expensive training.

3. Invest in annual IT risk assessments. Be sure to work with an unbiased, fully independent auditing team, which typically includes certified engineers and compliance experts. Comprehensive risk assessments pinpoint the many risks faced by your organization and address network security vulnerabilities. They are designed to give you the education, expertise, support and protection that you need to plan your security strategy, pass your audits and maintain a continuously-compliant IT environment.

4. Schedule frequent penetration testing and vulnerability scans. These uncover critical IT vulnerabilities and show how well you are protecting your network and data. Ask your auditors, compliance experts or compliant hosting provider to perform monthly or quarterly tests, help you to establish critical processes (such as data encryption and hardened authentication), and develop a clear understanding of how to avoid IT compliance disasters. Get a full report on external, internal and web application testing as well as strategies for remediation.

5. Ensure application security. A good auditor or compliance team can help secure the design, development and deployment of your web-facing applications by thoroughly assessing any vulnerabilities and addressing design flaws or security gaps that impact compliance. Managing and remediating risks now saves time and money later.

6. Educate employees about security. Frequent security awareness trainings and daily reminders throughout the workplace will help reduce violations. Your auditor or compliance team should customize a workplace awareness program for your business. Ensure that the training is situational and fully engaging.

Quantifying Supply Chain Risk

Today, more businesses around the world depend on efficient and resilient global supply chains to drive performance and achieve ongoing success. By quantifying where and how value is generated along the supply chain and overlaying the array of risks that might cause the most significant disruptions, risk managers will help their businesses determine how to deploy mitigation resources in ways that deliver the most return in strengthening the resiliency of their supply chains. At the same time, they will gain the insights needed to make critical decisions on risk transfer and insurance solutions to protect their companies against the financial consequences of potential disruptions.

As businesses evaluate their supply chain risk and develop strategies for managing it, they might consider using a quantification framework, which can be adapted to any traditional or emerging risk.

  • Begin with a “bricks and mortar” risk assessment. Start with the traditional property business interruption risk, focusing first on exposures related to your company’s owned physical plants and facilities as well as those of critical trading partners.
  • Understand and analyze your global business model, as well as any changes that have been implemented to create efficiencies or as a result of mergers, acquisitions or divestitures. Determine exactly how and where value is created and use this information to identify and assess potential vulnerabilities.
  • Distinguish between volume and value. You may have significant trade volume in dollar terms with one partner that can be easily replaced, while the dollar volume of trade with a supplier of a critical raw material, component or ingredient may be small but difficult and costly to replace. In this case, the supplier with the least spend could be the one that has the most impact if disrupted.
  • Tie financial impacts to risk of disruption. This will enable your company to establish priorities and allocate resources in dealing with potential exposures.
  • Beginning with your most significant potential exposures, understand what mitigation options are available and compare them to what you already have in place.
  • Quantify your worst-case exposures in terms of maximum foreseeable losses.
  • Know your company’s ability to respond to events and threats, especially those that might affect the most critical elements of your supply chain. Identify specific emerging risks that are likely to have the greatest potential financial consequences, such as: cyber network interruption; political and expropriation risk; infectious disease and pandemic; product liability and recall, as well as other potential exposures.
  • In evaluating various supply chain exposures, leverage findings from the traditional business interruption study conducted earlier in the process. This can help determine how other risks might affect specific operations and individual trading partners and, in turn, cause disruptions along the supply chain. Remember, all business interruption risk resides on your company’s P&L and within your unique business model, regardless of cause.
  • Revisit your business continuity, incident response and crisis management plans in the context of the wider range of potential risks confronting your supply chain and individual trading partners.
  • Quantify worst-case financial exposures. This will give you the ability to pinpoint how and where to allocate resources to mitigate exposures as well as to set priorities with respect to your risk transfer decisions, including coverages purchased, limits and optimal program structure.

Reputational Risk Draws Increased Board Awareness, But Not Action

In its fifth annual board of directors survey, “Concerns About Risks Confronting Boards,” EisnerAmper surveyed directors serving on the boards of more than 250 publicly traded, private, not-for-profit, and private equity-owned companies to find out what is being discussed in American boardrooms and, in turn, what those boards are accomplishing as a result.

According to the report, reputation remains the top concern across a range of industries:

(Chart: Most Important Risks)

“The financial cost and damage to reputation from a cyber/privacy breach is growing exponentially,” said Nancy Brady, EisnerAmper’s director of IT risk services. “Directors have recognized the increasing risk companies face related to cyber/data security. Now they need to roll up their sleeves and, with the companies, address these risks.”

While reputational risk remained the top concern of respondents, the survey found that companies are not necessarily translating awareness into action. In fact, only 31% said they were concerned about crisis management.

“There were a surprising amount—close to a quarter of respondents—who had no plans, and others just informally ‘doing their best.’ This lack of formality to address the most significant risk identified existed across all organizations,” the report said.

“When plans existed, they included both everyday operations—such as to keep a positive reputation and reduce the risk—and strategies to address a crisis affecting reputation.”

Despite the minimal plans in place, the directors surveyed seem to hold themselves and other company executives primarily responsible for the response to a reputational crisis. When asked who is responsible for executing such a plan, they reported:

(Chart: Responding to reputational risk crises)

Respondents also showed improving confidence in the performance of the board, committees, external auditors and accounting departments.

(Chart: How well is the board addressing risks)