We’ve all heard what executives say after their companies suffer a significant failure: they assure us they are now taking action to prevent such occurrences in the future.
Target recently announced that it would enhance protection of customer data. It appointed its first chief information security officer and said it is establishing a protocol for responding to online security threats and will provide employees with training on data security.
Wells Fargo said it had implemented significant changes to its mortgage servicing operations to correct problems that surfaced during the financial crisis and would fully comply with regulators’ expectations in the coming months.
Anthem’s CEO said, “[O]ur strategy is to create an improved customer experience as a distinguishing characteristic of Anthem.” This news followed a breach in which hackers stole Social Security numbers and other personal information; Anthem reportedly had not deployed multi-factor authentication widely, had not employed sufficient monitoring technology, and had not encrypted its sensitive databases. (Encryption of stored data, it should be said, would not by itself have stopped an attacker who had already obtained valid credentials to query those databases; the absence of multi-factor authentication and monitoring matters at least as much.)
And BP, a few years ago in dealing with the aftermath of its Deepwater Horizon offshore oil rig explosion—and following then-CEO Tony Hayward’s attempt at apologizing for the loss of human and marine life and environmental destruction, which PR experts called a “public relations catastrophe”—issued an online apology that included the statement, “We are putting in place measures to help ensure it does not happen again.”
We see such announcements also with government and other organizations. The Internal Revenue Service, for instance, recently said it was stepping up efforts to prevent a repeat of past occurrences where taxpayer personal information and refunds were stolen—saying it will now install a more rigorous authentication process and bolster efforts to identify patterns of fraud.
With some exceptions, these statements (and similar ones from many other organizations) sound pretty good. The message is that they’ve learned from past mistakes and will make things better going forward.
Underneath the words are troubling issues. The overriding open question: Why didn’t these organizations act when they first encountered signs of problems with their processes and protocols? Target said its security monitoring alerted staff to suspicious activity when the hackers first breached its network, but the alert went unheeded, allowing the subsequent huge data breach to occur. Wells Fargo confronted its issues in conjunction with the financial crisis way back in 2007-2008, but evidently didn’t do enough. Anthem’s new CIO said the company had been discussing encrypting sensitive databases and otherwise improving IT security, but had not yet done so. BP already had had other oil-related disasters, and it certainly was aware of the risks in deepwater drilling (for more on this, see my August 2010 column).
In the case of the IRS, we can look to the words of Frank Abagnale Jr., now a “security expert” whose earlier life as a con man was detailed in the book and movie “Catch Me if You Can.” He said the IRS (and other government agencies) had been “easy targets” because they had been so slow to adopt sophisticated security protections, and that there’s no reason they “shouldn’t have that technology in place.”
Further troubling is how much time can pass before a company takes needed action. After facing the mortgage-related problems of the 2007-2008 time frame, Wells Fargo, along with HSBC and other major banks, finally entered into a consent order with the government in 2011, which was amended in 2013. Why, then, was it reported last month that Wells Fargo still hadn’t implemented 15 of the 98 agreed changes, and HSBC had failed to act on 45 of the 98? After all the fines and penalties imposed on the banks and the related reputational damage following the crisis, these two banks are now being barred from acquiring any new mortgage servicing rights from other banks.
Certainly these organizations spend huge sums on managing risks to their IT systems and compliance processes, and cost-benefit decisions always must be made. But there are some basics about risk management that need to be remembered.
Risk management can be relatively simple, or it can be extremely complex, involving sophisticated probability models, scenario analyses, and other techniques. Some risk management experts put potential risk events into such categories as “known knowns,” “known unknowns,” and “unknown unknowns,” based on whether the events are already recognized as possibilities, sometimes also factoring in the likelihood of occurrence and the expected impact if they do occur.
In the context of the above-mentioned events, I find it better to use a simpler categorization of risk events. (The term “risk events” is used here to mean bad things that could happen to an organization. We’ll leave for another time such matters as the opportunity side of risk, as well as what is sometimes called “resilience,” which PwC defines as an organization’s capacity to anticipate and react to change not only to survive, but also to evolve and enable management to take on higher levels of risk.)
As for identifying what can go wrong, we can simplify potential risk events as:
Something that already has happened to your company in the past, and might happen again;
What has happened to a competitor or other organization that could happen to your company;
An event that has not yet occurred, but could affect your company if it did.
The first two categories include a vast array of risk events, such as a competitor bringing a better product to market, supply chain disruption by natural or other disasters, key personnel lured away or otherwise unavailable, legal or regulatory compliance failures, hackers entering sensitive databases, oil spills, faulty products, and so forth; the list goes on and on. Such events need to be on a company’s radar screen, with appropriate analyses of likelihood, impact, and velocity.
The third category is more difficult to deal with, inasmuch as such events have not yet occurred. One example is the possibility of one or more airplanes crashing into an office tower, destroying human lives and property on a massive scale. Few if any people considered that risk until the horrifying Sept. 11 attacks. Yes, such events can be conceptualized, but with no precedent to draw on, estimating their likelihood and potential impact is far harder, which makes them much more difficult to identify, assess, and manage.
But the types of events listed at the outset of this column that damaged those organizations—break-ins to sensitive IT systems, oil drilling explosions, and major legal/regulatory compliance failures—had already occurred in the past. And worse yet, such past events either affected these very organizations, or at the least such events damaged their peers while they witnessed it. These organizations already knew they were vulnerable to such risk events, yet not enough was done to prevent significant losses and reputational damage.
Keeping It Simple
Certainly large, complex financial institutions need to use sophisticated risk management techniques to deal with the likes of credit, market, and related risks. But for most companies, even many multinationals, risk management doesn’t have to be akin to rocket science. Companies know full well what has already damaged their own organizations, and what has adversely affected their peers and others. They need to be sure effective risk management processes are in place to identify what could go wrong (as well as opportunities to seize); assess the likelihood, impact and, if desired, velocity of each; and take appropriate actions to bring the risks to manageable levels. Supporting information and communication systems need to be in place, with direct management involvement and oversight to ensure risk is appropriately factored into decision-making processes.
As noted, you need to consider costs and benefits; it’s impractical (if not impossible) to deal with every potential risk event. But when a company allows the same things that damaged it in past years to damage it again, one wonders whether an appropriate balance has been struck. Managing relevant risks is an essential part of management’s responsibility, and doing it well, or not, can be the difference between corporate success and failure.