In the modern world, everything is connected and risk is the common link.
Emerging technologies and new commerce models have transformed how businesses operate. Uber, AirBnB, Lyft, and Peapod are among the companies that have upended traditional business models. Customers can get a ride, book a hotel, and order groceries with just the push of a button. But with this convenience comes plenty of risk, says Steven Minsky, CEO of LogicManager, a provider of risk management platforms and mentoring services. The rise of peer-to-peer networks, for example, puts businesses directly in contact with the consumer, but also amplifies traditional risks and adds new threats to the mix.
We spoke to Minsky following IMPACT 2016, LogicManager’s customer conference, held this year in Boston. Among the topics discussed at the event were the risks inherent with emerging technologies and the evolving sharing economy. How can companies balance innovation with risk mitigation? The concerns encompass third-party risk management, performance integration, cyber-security, and risk reporting to the board.
A backdrop to these challenges is a shift in how compliance is viewed. New updates from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and International Organization for Standardization—including ISO 19600 and COSO’s upcoming ERM update—emphasize a risk-based approach to compliance. In a broader view, the organizational understanding of the relationship between risk and compliance is changing.
Minsky offers the radical technology behind self-driving cars to underscore the butterfly effect that incubates risk for even traditional businesses. Consider auto insurance companies as an example.
“They have a fixed base of costs and with a reduced number of accidents they are going to have lower premiums,” Minsky says. “They are really investment companies, so that means they will have less money to invest. They must innovate to generate more revenue, somehow and somewhere.” The latter approach is where problems manifest. “Those new products are not going to have a history by definition,” he says. “They don’t have 30 years of risk data.”
These and other emerging issues must be approached as a risk management problem, not necessarily as a compliance problem, according to Minsky. “Companies need to reframe the conversation to accept that innovation brings risk, so how do they look at this through a risk management lens rather than focusing on regulatory barriers,” he says.
LogicManager’s website sums matters up succinctly: “In our 21st century business environment, everything is connected, and risk is the common link. Misconceptions about the role of risk management, and how to accomplish it effectively, have resulted in countless organizations falling victim to preventable disasters. Preventable, that is, if only those companies had established an effective ERM program.”
Illustrations of potentially preventable disasters were hardly in short supply throughout 2016. Looking back at the year that was may help understand the changing risk and compliance roadmap going forward. Minsky details a handful of corporate brouhahas to make his point.
Problems haunting Chipotle actually began in 2015, but continued to hurt the restaurant chain throughout the past year. A quick recap: In August 2015, 243 customers in California reported norovirus illnesses after eating at the restaurant; in December, another 143 customers reported food poisoning from a Boston-area location; E. coli-related sickness was later identified in 11 states.
The reputational damage has dragged down the company’s financials ever since. The company has thus far settled with nearly 100 plaintiffs. In-store sales are down, and the stock price dropped 22 percent throughout 2016.
In many ways, Chipotle’s troubles were a side effect of good intentions and customer-pleasing innovation. The chain prided itself—and marketed accordingly—on a dedication to using fresh, locally sourced ingredients. The problem: Food safety management becomes far more difficult as the supply chain is decentralized.
The company failed to implement the risk management necessary to support its innovations, Minsky explains. A properly focused enterprise risk management solution might not have stopped the flow of tainted food, but standardized employee health protocols, testing, and preparation guidelines might have helped. At the very least, Chipotle would have been able to use its ERM software’s reporting capabilities to evidence its risk program and verify control activities, possibly avoiding regulatory penalties and ongoing reputational harm in the process.
“Chipotle is not a story about lack of compliance. It is actually a story of innovation and not looking at the risks that go along with innovation,” Minsky says. “What they did was a great innovation. Having a central distribution center, however, means you have one point of vendor management and food preparation oversight. When you move it to a thousand restaurants with local sourcing, you have a thousand points of food preparation oversight.” Proper food preparation and vendor due diligence are not great mysteries to explore. “The question is how you do it at 1,000 different places. That is a governance problem.”
The mother of all regulatory scandals in 2016 was Wells Fargo. Government investigations uncovered the widespread practice of opening unauthorized customer accounts and credit cards, a practice blamed (correctly or not) on harsh sales quotas. The damage thus far: $185 million in fines, the loss of municipal business in some states, the resignation of its CEO, and the firing of 5,300 employees.
To fully appreciate the bank’s risk management woes requires a time trip back to 2009, when the Securities and Exchange Commission approved rules “to enhance the information provided to shareholders so they are better able to evaluate the leadership of public companies.” In the following annual reporting and proxy season, those rules enhanced corporate disclosure regarding risk, compensation, and corporate governance matters.
Specifically, the SEC required disclosures in proxy and information statements about the relationship of a company's compensation policies and practices to risk management. It also required board-level accountability for enterprise risk management. Boards were required to disclose how their organizations identify risk and set risk tolerances.
Further back, in 2007, regulators released the Sarbanes-Oxley Audit Standard, which holds management accountable for the risk of misstated company financials. “The SEC disclosure rule is similar in the sense that it uses materiality, not specific risks, as a measure of what needs to be mitigated,” Minsky wrote in a recent blog post. “It differs, however, in the sense that it applies to all risks, not only financial concerns, and does not take into account an organization’s size. In other words, everyone should be concerned with ERM compliance. This leads to a fork in the road; organizations need to either adopt an effective risk management program or bite the bullet and disclose their ineffectiveness.”
The following is from a LogicManager blog post on what CEO Steven Minsky sees as missing in the new, forthcoming COSO ERM Framework.
While the framework is an important step forward for the industry and provides a more accurate reflection of the current risk environment, its biggest shortcoming is that it is not actionable enough. Improvement can be achieved by:
Providing more specific, quantifiable recommendations that can lead organizations to the concepts discussed throughout.
Providing a hierarchical prioritization, by percent contribution to business value, of risk management principles.
In order for organizations to use the framework to guide their own processes and lead to a measurable benefit, the framework needs to be more quantifiable. For example, rather than simply explaining the importance of a risk-based culture, the update should provide advice about how to achieve that culture.
An independent, peer-reviewed report, “The Valuation Implications of Enterprise Risk Management Maturity,” proved that organizations with mature ERM programs realize up to a 25 percent market valuation premium over those that don’t. This study, based on industry data collected by the RIMS Risk Maturity Model, outlines seven basic attributes of effective enterprise risk management. It then measures how much each attribute contributes to the 25 percent market valuation premium discussed above.
In my opinion, the following recommendations would make Enterprise Risk Management – Aligning Strategy and Performance more measurable and in line with statistically proven business processes. They are ordered from largest to smallest contribution to business value. For more details about each recommendation, please visit the full document on COSO’s feedback page:
The update needs to stress the crucial difference between risk outcome and root cause, as this distinction is vital to effective risk identification.
The “performance” attribute should be expanded so the update provides more support for internal initiatives, rather than emphasizing external elements.
The update should contain more actionable components regarding the integration of ERM into everyday activities.
The emphasis on engaging front-line management across all business areas should be quantified.
The framework should be substantiated with references/citations to established precedents: the SEC’s Proxy Disclosure Enhancement and the Yates Memo, for example. This would help educate management about the consequences of not effectively monitoring their risk management activities.
As for Wells Fargo’s travails, Minsky has a variety of questions.
How could activities on this scale go unnoticed by management for 5 years? “‘Not knowing’ isn’t a valid excuse,” he wrote recently. “It’s negligence.”
Why was there no compensation oversight for employee sales quotas and incentives?
Where were the risk assessments on these processes? What about internal audits of both the risk management process and governance oversight?
When Wells Fargo designed its sales incentive program, why didn’t risk assessments reveal how unrealistic those sales goals were?
Were there mitigation activities to protect against customer account manipulation? If so, where were the risk monitoring activities that would have picked up on the appearance of two million accounts over a five-year period?
Wells Fargo, in his assessment, offers yet another lesson that boards and senior management are responsible for the risk management effectiveness of their companies, no matter how vociferously they claim ignorance when problems are uncovered. A company can try to defend itself by claiming that rogue employees evaded internal controls. The argument falls apart, however, when robust controls are missing in action and board and executive oversight is lacking.
“This wasn’t about mean, old Wells Fargo putting up high sales targets,” Minsky says. “That’s a smokescreen. When you are talking about 1.5 million unauthorized accounts, it is a failure of risk management, a failure in assessing the separation of duties, and a failure in assessing what those practices are and the effectiveness of the mitigation activities. It is a failure in risk management which is monitoring the controls against the risk.”
In December 2016, fast food giant Wendy’s was served with the latest in a series of class-action and shareholder lawsuits over a data breach that compromised payment security at more than 1,000 franchises. The problem was ultimately traced to point of sale systems at those restaurants.
The interesting twist on a traditional cyber-attack was Wendy’s post-breach mea culpa. The corporation tried to distance itself from the breaches by showing that no company-owned stores were affected.
“This isn’t just a story of failed cyber-security. It’s also a story of failed vendor and third-party management,” Minsky says. “There’s a reason no company-owned stores suffered a breach, while more than 1,000 franchised locations were affected. Wendy’s maintained its own cyber-security processes. What it failed to do was ensure that all locations maintained the same standards.”
Cyber-security is not necessarily about compliance, Minsky argues, “there are no laws in the world that are going to keep people safe. In fact, all the technologies to be safe pretty much exist. It is really a human problem.”
The majority of breaches occur because of weak, reused passwords and poor governance over password management. “It doesn’t really matter which technologies you use, there are still human beings with passwords,” he says. “Governance solves that problem very effectively for very little money, but people are still viewing it as a technology problem and spending millions—sometimes tens and hundreds of millions of dollars—on infrastructure and technology. Wendy’s had franchises with weak passwords, then they went out and bought tens of millions of dollars of new point-of-sale equipment. It didn’t do anything because there was still a governance issue with passwords.”
The solution isn’t limited to technology. It is answering the question of how to take a policy and operationalize it, making it real for the employees.
The solution should not rest on the shoulders of the IT department and in-house security experts. “They can’t do it by themselves,” Minsky says. “[The rise of] Software as a service (SaaS) means that IT may not even know what is being used in the corporation. It used to be—and all the policies are still written this way—that IT knows everything and monitors everything. But in this day and age, 50 to 70 percent of the technology in some cases is no longer in house. How can IT even know what’s going on?”
The solution is to break down and bridge corporate silos. For example, incorporate the finance department into the security process because they know, definitively, what services they are buying, what the assets are, and what departments they are allocated to. “That’s what they do,” he says. “They pay for things and allocate them. They know the SaaS and devices in use. Because IT isn’t connected to finance, they might not even dream of going to them, not realizing they have a beautiful asset list, even if it is for a different purpose.”
Armed with an asset list from finance, combined with the IT department’s list of passwords, a company can begin to put governance to work with reminders and tasks for the process owners. ERM and GRC (governance, risk management, and compliance) systems can push tasks out to each of the process owners: “Here are the devices, applications, and services your group is using; here is the list of employees who are mapped to them.” Should they have that access? Have they followed all the policies? When they change roles, do they still need access?
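The reconciliation described in the two paragraphs above, as an added example that is not LogicManager's or Wendy's code: finance's list of what is being paid for is joined against IT's mapping of accounts to applications, and the gaps become review tasks for each process owner. The three input lists, the owner names, and the role data are constructed sample data; in practice they would be exports from the finance, identity, and HR systems.

```python
"""Reconcile finance's list of paid-for assets with IT's account-to-application
mapping and turn the gaps into review tasks for each process owner.

Added example, not LogicManager's code. All three input lists are constructed
sample data; real inputs would be exports from the finance, IT, and HR systems."""

# Finance's view (constructed): every service being paid for and the department it is allocated to.
FINANCE_ASSETS = [
    {"asset": "crm-saas", "owner": "sales"},
    {"asset": "payroll-saas", "owner": "hr"},
    {"asset": "design-tool", "owner": "marketing"},  # bought on a card; IT has never heard of it
]

# IT's view (constructed): which account is mapped to which application, and the role it was granted under.
IT_ACCESS = [
    {"user": "alice", "asset": "crm-saas", "granted_role": "sales"},
    {"user": "bob", "asset": "crm-saas", "granted_role": "sales"},
    {"user": "carol", "asset": "payroll-saas", "granted_role": "hr"},
    {"user": "dave", "asset": "legacy-app", "granted_role": "it"},  # nobody in finance is paying for this
]

# HR's view (constructed): the role each person holds today. Bob moved from sales to support.
CURRENT_ROLES = {"alice": "sales", "bob": "support", "carol": "hr", "dave": "it"}


def reconcile(finance_assets, it_access, current_roles):
    """Return (findings, tasks).

    findings: assets finance pays for that IT does not manage ("shadow_it"),
              assets IT manages that finance is not paying for ("unbudgeted"),
              and accounts whose holder's role changed since access was granted.
    tasks:    process owner -> list of review questions to push out to that owner.
    """
    finance_by_asset = {a["asset"]: a for a in finance_assets}
    it_assets = {row["asset"] for row in it_access}

    findings = {
        "shadow_it": sorted(set(finance_by_asset) - it_assets),
        "unbudgeted": sorted(it_assets - set(finance_by_asset)),
        "role_changed": [],
    }
    tasks = {}

    for row in it_access:
        user, asset, granted = row["user"], row["asset"], row["granted_role"]
        # The owner is whoever finance allocated the asset to; unbudgeted assets have no owner yet.
        owner = finance_by_asset.get(asset, {}).get("owner", "unassigned")
        now = current_roles.get(user)
        if now != granted:
            # Access was granted for a role the person no longer holds: the owner must re-certify it.
            findings["role_changed"].append((user, asset, granted, now))
            tasks.setdefault(owner, []).append(
                f"{user} was granted {asset} as {granted} but is now {now}: is access still needed?")
        else:
            tasks.setdefault(owner, []).append(
                f"Confirm {user} still needs {asset} and has followed its usage policy")

    for asset in findings["shadow_it"]:
        # Paid for but unmanaged: the owning department has to say who uses it and how it is secured.
        owner = finance_by_asset[asset]["owner"]
        tasks.setdefault(owner, []).append(
            f"Finance pays for {asset} but IT has no account mapping: who uses it and how is it secured?")

    return findings, tasks


if __name__ == "__main__":
    findings, tasks = reconcile(FINANCE_ASSETS, IT_ACCESS, CURRENT_ROLES)
    for category, items in findings.items():
        print(category, items)
    for owner, questions in sorted(tasks.items()):
        print(f"\nTasks for {owner}:")
        for q in questions:
            print("  -", q)
```

The two set differences are the point: an asset only finance knows about is the SaaS IT "may not even know" exists, and an asset only IT knows about has no budget owner to answer for it. Role drift is caught by comparing the role recorded at grant time with the current one, which is the "when they change roles" question from the text turned into a check.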
Log-in walls can streamline the use of passwords and, by keeping employees from having to constantly update individual passwords—creating weak ones out of the necessity to remember them—stronger passwords will be the result.
“If you recognize it not as a technology problem to spend money on, but a governance problem to organize your people, that’s when you actually solve the problem for pennies on the dollar,” Minsky says. “Yes, there can be a compliance problem; but lack of compliance is in itself a governance problem.”