Categories
Daily Compliance News

October 29, 2022 the World Series Edition

In today’s edition of Daily Compliance News:

  • Credit Suisse names new CCO. (WSJ)
  • Removing sanctions against Tornado Cash. (WSJ)
  • A crisis in curling. (NPR)
  • Astros return to World Series. (WSJ)

Categories
Greetings and Felicitations

Great Structures Week V: The Tacoma Narrows Bridge Failure and Preventing Failure in Your Compliance Program

Welcome to Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but that influence our profession. In this special series, I consider how many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this concluding episode 5, I consider the Tacoma Narrows Bridge failure and preventing failure in your compliance program. Highlights include:

  • Why and how did the Tacoma Narrows Bridge fail?
  • What are the key lessons it provides to compliance professionals?
  • Why are 3rd parties still the greatest risk to any compliance program?
  • What steps can you take to manage third parties most effectively?
  • Why is continuous monitoring key to managing risk?

Resources

“Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.

Categories
Compliance Into the Weeds

Internal Controls Lessons from Cyber Failures in Wisconsin

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we take a deep dive into recently detected failures in the state of Wisconsin regarding cyber security risks around election integrity. Highlights include:

  • The risks that were uncovered.
  • What is a material risk?
  • Why Multi-Factor Authentication is an important cyber security control.
  • What are the consequences of a single point of failure?
  • How and when should you redefine a hazard?
  • What does CISA say about MFA?

Resources

Matt’s post on Radical Compliance

Categories
Daily Compliance News

May 3, 2022 the Fat Leonard Trial to Resume Edition

In today’s edition of Daily Compliance News:

  • Fat Leonard Trial to resume. (KPBS)
  • Tensions at Google over AI and ethics. (NYT)
  • EU hits Apple on antitrust concerns. (WaPo)
  • Do banks lack basic risk management controls? (Reuters)

Categories
Innovation in Compliance

A Behavioral Approach to Risk Management with Vera Cherepanova

Tom Fox welcomes back Vera Cherepanova on this episode of the Innovation in Compliance Podcast. Vera is an ethics advocate, consultant, author and speaker. She joins Tom to talk about behavioral risks, the steps behavioral scientists take to analyze risk, and strategies from financial institutions that other industries can use.

Behavioral Risk in The Banking Sector
Behavioral risk is more or less the same across every industry. What is specific to the financial industry, however, and to banking in particular, is that the individuals work with money. This creates higher risk, as the outcomes can be more immediately seen and felt by the customers.

The Regulator’s Role
“The regulator has a very limited role in mandating culture because no regulator can mandate what kind of a culture an organization needs to have,” Vera begins. The regulator can mandate that a culture be in place, but what that corporate culture turns out to be in reality will not be up to them. Speaking specifically of the UK and the Netherlands, Vera explains that the regulators in these countries have played a largely educational role in the business community. She gives Tom a few examples of the events the regulators have run in these countries.

Assessing Behavioural Risk
Tom asks Vera to talk about some of the practical steps behavioral scientists take when analyzing behavioral risk. Vera cautions that the first thing to understand when applying behavioral science is that interventions don’t always work. The first thing scientists do is assess risk using a method called ethnography: they want to understand what is really happening inside organizational teams. They focus on subcultures, and then compare what they find against what is written in policies and regulations. Holistic cultural assessments aren’t done, as behavioral scientists concentrate on specific teams. Surveys are only used to categorize the data the scientists have collected and to generalize some of their observations.

Strategies To Emulate
The methods financial institutions use to conduct audits are accessible to any industry. Looking at behavioral risk on top of a risk management framework is one concept that can be emulated across industries, as is the use of subculture audits. These skills will be adapted for each industry, but Vera remarks that the basic concepts will be the same across the board.

Resources
Vera Cherepanova | LinkedIn
Studio Etica
European Banks Are Behavioral Risk Pioneers. No, Really

Categories
Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar

Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessments. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.

The New Normal
The new hybrid work environment is here to stay. More companies are going back to the office, but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage the risk around virtual collaboration and communication technologies in a remote work environment. They will need to make sure that all employees are connected in a secure way. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that ensure employees aren’t working in the vicinity of these devices, and making sure that company devices lock at set intervals, will go a long way in mitigating the risk posed by working in this environment.

Keeping a Communications Focus
Employees have to act as stewards and maintain and adhere to company policies surrounding risk and compliance. Tom asks Ishan how he keeps a communications focus in his organization in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they’re actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Communicating the right ways to work with your clients and employees is also something that companies need to be thinking about. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies, so that the compliance department can have access to that information if it’s required. Make sure that the data is integrated and that all of that dialogue is time-stamped so it can be captured together.

Creating Effective Cybersecurity
“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. In order to mitigate cybersecurity risk, consistent training of your employees is necessary. Cybersecurity needs to be built into the culture of your organization, and it is a way for you to do your jobs in a timely and efficient manner. Compliance professionals should stay on top of what’s happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you’re adapting your policies to the new norm.

Third-Party Risk
Tom posits that third-party risk extends beyond company-to-company relationships to the entire scope of your communication. Third-party risk is your suppliers, your partners, and your customers. Companies need to think about where their data is held and where it’s going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority to enforce change. It is also a two-way street: as a company, you are also a custodian of information, and you have to understand your minimum baselines, the security controls that are nonstarters for you, and what risks you’re willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership in that conversation and process.

What’s Next
Buying technology that will be sustainable going forward is one of the best ways to respond to the cybersecurity risks of the coming years. Privacy is also a big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience.

Resources
Ishan Girdhar | LinkedIn | Twitter
Privva

Categories
Compliance Into the Weeds

What is Risk?

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. This week Matt and Tom take a deep dive into different types of risk, including cybersecurity and anti-corruption, to lead a broader discussion about the nature of risk, risk management and the future of compliance. Some of the issues we consider are:

  • What is risk?
  • What are the roles of the CISO and CCO for risk management?
  • Who owns risk?
  • What does a BOD want to see around risk management?
  • What does this mean for compliance officers?

Resources
Matt’s blog post on Radical Compliance:
The Cracks in Third Party Risk Management

Categories
Daily Compliance News

April 9, 2021 the Risk Management Failure edition

In today’s edition of Daily Compliance News:

  • CC startup hires former CFPB rep for GC/CCO role? (WSJ)
  • Why did risk management fail so spectacularly at Credit Suisse? (WSJ)
  • Is GA.’s new voter suppression law based on corruption? (MSNBC)
  • Norberg leaving SEC Office of the Whistleblower. (WSJ)

Categories
Innovation in Compliance

Dealing with Bumps in the Night with James Green


Director of Advisory Services at SAI Global, James Green, is this week’s guest on the Innovation In Compliance podcast. James’ role involves helping clients manage atypical risk concerns or situations, including business continuity, vendor risk, pandemics, workplace violence, and active shooters. He chats with Tom Fox about his company’s 360° view of risk management and how to survive risks that you never saw coming.

Compliance vs Operational Risk Management
James gives his perspective on the difference between compliance and operational risk management. Compliance, he says, is ensuring that you’re adhering to your own standards, policies, and regulatory requirements. Operational risk management, on the other hand, is mitigating any risk to the company, no matter where it originates. Hurricane Harvey is a classic example of checking all the compliance and risk management boxes but failing to mitigate the actual risk. Tom comments that compliance and risk management are much closer than merely complementary: a combined approach helps a business create a more robust strategy for overall risk management.

360° View of Risk Management
SAI Global advocates a 360° view of risk management; risk and compliance need to be seen holistically. “We believe a company needs to be assessing risk in totality wherever it comes from,” James says. “And it doesn’t matter where it comes from, because the goal is to increase your organization’s resilience, right. That is really the goal of all of our collective functions, is that when there’s a bump in the night, we can manage through it successfully, legally, ethically, to the satisfaction of our stakeholders.”

When Things Go Bump In The Night
Tom comments on SAI Global’s real-time risk management approach. He asks James how it allows an organization to be more agile and responsive to market conditions as they come up. James responds that while compliance and risk professionals are great at mitigating issues that just happened, they also need to be aware that there will always be unknown and unanticipated issues. “…The problem is in our world, there’s always an unknown that’s coming up. Right now we’re living through COVID-19 which was unknown to a lot of us,” James points out. “There’s always something that’s gonna happen. There’s always another bump in the night. So you can’t be planning based on what happened in the past. You need to be agile. You need to be nimble.” He gives tips on how to determine whether a risk is strategically acceptable, and on the role risk management should play in the corporation.

COVID-19 and Supply Chain
They originally saw COVID-19 as a supply chain issue, James says, and started advising their clients about it in January. It became much more than that, he remarks. “Supply chain really needs to be embedded in your risk model… because it can damage what your suppliers and vendors do, it can damage your brand to your customers.” He shares useful COVID-19 resources that his company has made freely available to the public.

Resources
SAIGlobal.com
COVID-19 Resources
James Green on LinkedIn | Twitter

Categories
Daily Compliance News

Daily Compliance News: May 4, 2019, the Enter Slow, Exit Fast edition

In today’s edition of Daily Compliance News: