Software and your Risk Management Culture

The long-term success of your Risk Management uplift programme can depend more on the role you want your software to play than the functions and efficiency it will bring.

Most boards are now putting pressure on senior executives to increase management involvement in risk oversight. Strong risk management practices are becoming an expected best practice. Senior executives are often seen tackling this demand by better integrating risk management into the day-to-day activities of their organisation and attempting to forge some kind of risk management culture.

The culture programmes usually start well by defining what needs to change, by identifying some measures and assigning champions to drive it. However, it is quickly realised that keeping these activities up to the standard required is like spinning plates. All it takes is for one of the champions to leave the firm, or a temporary change in focus by the organisation, and the whole programme quickly grinds to a halt, leaving a legacy of proposals, processes and guidelines.

A common mistake is the failure to identify the expected behaviours when forming the risk management culture and failure to adopt a rigourous enough approach to transform current behaviours to the target behaviours. McKinsey’s “four building blocks of change”, a popular transformation model, stresses the importance of “reinforcing the change with formal mechanisms” and the criticality of deploying systems that support the new behaviours.

Forming the firm’s risk profile and ensuring all your risks are adequately controlled is a complex business for any organisation. Attempting to manage this on spreadsheets generally adds to the burden and is prone to mistakes when compiling data and reporting. To drive a robust risk management culture, you need role-based software that supports the accountabilities and responsibilities of each, provides the crucial oversight, presents a work-flow so everyone is working in the same way and collates the data in a single repository from which to extract the wisdom.

There are many Enterprise Risk Management tools on the market, many are excellent, and most are very expensive. I believe that too many tools are executive facing and focus on the plethora of charts that are available. But, to form a robust risk management culture, licenses costs need to allow everyone to use the software because, until everyone is aligned to the working and behavioural practices, you do not have a culture.

Speak to us for more ideas and solutions: www.RiiSK.com

You are what you eat (and the hidden dangers of password reuse)

When it comes to personal information, if you thought you had already given all there is to give to Facebook, take some time to consider your candid use of nutrition and fitness apps, especially in light of the recent MyFitnessPal data breach. With 150 million usernames, passwords and email addresses stolen, MFP’s owner, Under-Armour, are recommending customers change passwords on other sites where the same or similar login information is reused.

The details you provide about your eating habits and your exercise routines builds a unique digital footprint of your life. There is a serious risk to your well-being should this data find itself in the wrong hands, especially if you link it to a fitness tracking app. US Military personnel using Strava to track their fitness routines were recently found to have accidentally disclosed enough data to locate their secret military base in Afganistan.

The data you provide to these apps reveal both sensitive and personally identifiable information about you – even if your family no longer recognise “the new slim and fit you”. These patterns could be used to further predict when you are away from home for example, dietary needs can reveal medical conditions and indicate other sites you probably use, and possibly with the same account credentials. Eventually, your whole life is reconstructed from your eating habits.

A recent survey by DigitalGuardian revealed that 61% of respondents reused passwords across multiple sites, generally driven by the difficulty to remember them. With 49% saying they only reused passwords for “non-sensitive” accounts, this uncovers a serious emerging risk. It may start by signing up for a free app with little apparent risk but when they become an integral part of your life, with upgrades to premium requiring credit card payment, links to other apps, and increased functionality with new releases, the threat grows rapidly.

Reducing password reuse is a difficult challenge and results from a fundamental weakness of this authentication mechanism. However, the survey does demonstrate a risk-based decision is being made, mainly around the sensitivity of the accounts. Unfortunately, the importance of reviewing risk frequently is often ignored, in this case a) are these accounts still non-sensitive and b) how many times have I reused these credentials?

Speak to us for some more ideas: www.RiiSK.com

GDPR - It’s not about the money

We are all doomed come 25th May 2018. All driven by an incremental change to a regulation we have been conveniently ignoring for 20 years. Most of us are not ready for the enforcement date of GDPR, we will all be fined 4% of our annual revenue and our businesses will collapse.

However, if we look back at the statistics and high-profile events of just last year we see a different story. The Data Protection Authority (DPA) for the UK, the Information Commissioner’s Office (ICO), freely provide statistics on cases they have investigated and the resulting fines. During 2016, 17,000 were concluded of which only 16 resulted in a fine. The maximum fine was £150,000, not the £500,000 ceiling specified by the current regulation. The Data Protection Authority for Italy, the “Garante”, recently handed out a fine of over €5m when the maximum penalty specified by law is €2.4m. And this is before GDPR is enforced!

By the way, the ICO is ramping up capability and statistics show that they have already concluded as many cases in the first half of 2017 as they did in the whole of 2016. So, start thinking of the probability of you being investigated.

That said, the importance of protecting sensitive personal data remains at the forefront of the public’s mind whether a personal concern, as a business’s operational risk or as a moral obligation. An interesting ICO statistic, from a 2016 survey, indicated that less than a quarter of the population trust companies with their data. Trust is the foundation of a sale. Given that most DPAs now provide Data Subjects with an easy online interface to share their grievances, and the publicity that this may attract, are we seeing an emergent risk to business reputation?

Everyone has a lot of work to do, it seems, and the advised risk-based approach provides the value and the focus needed. As someone who has had the responsibility of protecting personal information in a Swiss Bank, under the threat of a prison term, I can tell you, the road to acceptable risk is long.

Swiss GDPR with Jail time

Switzerland is widely recognised for its Banking Secrecy and, while these laws may be the cornerstone for wealth management for some of the richest people in the world, they have been widely criticised across Europe and the US for the lack of fiscal transparency.

Under continued pressure from foreign entities to revise these laws, it is worth noting that these are based on the fundamental rights of Swiss citizens through Article 13 of the Swiss Constitution:

• Everyone has the right to respect for his private and family life, his home, his correspondence and relations established by post and telecommunications.
• Everyone has the right to be protected against the misuse of data concerning him.

It is also worth noting that the US has no such fundamental protection for its citizens in its Constitution and the UK doesn’t even have a Constitution. It may surprise you to learn that among the few countries protecting a citizen’s right to privacy in a Constitution is China.

However, with the advent of the EU GDPR, Switzerland have realised that the current data privacy laws are not sufficient for today’s data-centric world. In December 2016, the Federal Department of Justice and Police announced a revision with an objective to be in-line with the EU Directives 2016/679 and 680 (1). This will further promote the easy exchange of data between Switzerland and the rest of the EU. No target date has been provided for the completion of the project.

At first glance the sanctions may seem rather paltry at a maximum fine of CHF 500’000 (EUR 440,000). However, it is worth reminding your board that, due to the intricacies of Swiss law, transgressors are at risk of personal criminal prosecution and this may include a prison term. There is further concern for companies processing personal data as Swiss law also dictates that the burden of proof will remain on the Data Controller.

As someone who has had the responsibility of protecting personal information in a Swiss Bank, under the threat of a prison term, I can tell you, the road to acceptable risk is long.

"Only those who will risk going too far can possibly find out how far one can go." – T. S. Eliot

You don't have to look too far to find a list of great quotes about taking risk. These quotes are tossed around at all sorts of business seminars, self-improvement experiences and coaching events. We enjoy them, we use them to motivate ourselves and to push ourselves outside of our comfort zone.

Our awareness of risk often starts with a dare when we are young - we look at the challenge, we sniff the glory, we make a brief assessment of the potential bodily harm and then we jump. Risk permeates everything we do and later in life we learn that assessing risk in pursuit of opportunity is fundamental to a good business strategy and many firms go to great lengths to assess that risk before making the leap. They document the risks, how far they are willing to go, and how to detect when it's all about to go wrong. And they communicate the mission, the performance targets and how the whole organisation can contribute to the success of the firm.

Now, firms seem to have mastered the performance measurement of staff but what about the risks? Considering the many studies about how performance and risk are intrinsically linked, are we seeing the cascade of responsibilities for risk in the same way as the mission is cascaded down across the organisation? Recently, I heard an organisational head say "I don't own the risk, risks should be owned by the risk management team". Is that a good recipe for an integrated risk culture?

We believe that, to ensure continuous assessment of risk, we need to be mindful of the strategic risks, aware of how the actions within our organisational unit affects those risks, and have visibility on how those risks are constantly changing. How will we know “how far one can go” if we don't know how far is "too far"?

Do I always need to Fix my issues?

The text books tell us we have 4 T’s when it comes to Risk Control - Transfer, Terminate, Treat, Tolerate.

Transfer: Usually involves some form of Insurance. I understand well the concept of Insurance, and of course there are times when this is the right action. But I can count on one hand the number of times when ‘Transfer’ was an appropriate action. Years ago, ‘outsourcing’ was seen as a way to transfer the risk, but I think we have all seen the folly of that view, and understand that the ‘impact’ still stays with us even after outsourcing and that we, as Risk Managers, must extend the reach of our Risk assessments to encompass our offshored, outsourced or cloud suppliers.

Terminating: Eliminating an inherently risky process, or one which the ‘treatment’ of the risk is not cost effective. Whilst a very attractive approach, its one which is often overlooked. A holistic view of risk.

Treating: Changing (or controlling) a process to reduce the likelihood of a risk occurring. One can argue that it is also possible to control the impact of the risk. Whilst this is certainly true, I see, too often, optimistic predictions of the reduction of the impact of a risk.

Tolerating: Usually means we have decided to take no action. This may be because of a cost-effective calculation, or the risks are deemed too low to warrant action (implicitly or explicitly that the risk is within appetite). Tolerating often employs some sort of Risk Acceptance or Risk Waiver. I would encourage the use of both within an organisation. All too often we have seen Risks being ‘dropped’ because they don’t warrant Risk Acceptance before a formal Risk Committee. No-one wants to take a trivial risk to the Risk Committee. So why not have a two-tier risk tolerance. A Risk Owner can accept alone, or perhaps with a Risk Manager a lower risk with a simple waiver, leaving more impactful risks to be escalated to the Risk Committee. It is important to continue to monitor these risks until the next review. A change in the risk may warrant a change in approach.