Categories
Innovation in Compliance

A Behavioral Approach to Risk Management with Vera Cherepanova


 
Tom Fox welcomes back Vera Cherepanova on this episode of the Innovation in Compliance Podcast. Vera is an ethics advocate, consultant, author and speaker. She joins Tom to talk about behavioral risks, the steps behavioral scientists take to analyze risk, and strategies from financial institutions that other industries can use.
 

 
Behavioral Risk in The Banking Sector
Behavioral risk looks more or less the same across every industry. What is specific to the financial industry, and to banking in particular, is that the individuals handle money. This raises the stakes, because the outcomes of poor behavior are seen and felt by customers more immediately.
 
The Regulator’s Role
“The regulator has a very limited role in mandating culture because no regulator can mandate what kind of a culture an organization needs to have,” Vera begins. A regulator can set expectations about culture on paper, but what that corporate culture turns out to be in reality is not up to the regulator. Speaking specifically of the UK and the Netherlands, Vera explains that the regulators there have played a largely educational role in the financial industry. She gives Tom a few examples of the events the regulators have run in those jurisdictions.
 
Assessing Behavioural Risk
Tom asks Vera to walk through some of the practical steps behavioral scientists take when analyzing behavioral risk. Vera cautions that the first thing to understand when applying behavioral science is that interventions don’t always work. In practice, the scientists start by assessing risk using ethnography: they want to understand what is really happening inside organizational teams. They focus on subcultures, and then compare what they observe against what is written in policies and regulations. Behavioral scientists concentrate on specific teams rather than conducting holistic, organization-wide cultural assessments. Surveys are used only to categorize the data the scientists have already collected and to generalize some of their observations.
 
Strategies To Emulate
The methods financial institutions use to conduct these audits are accessible to any industry. Layering behavioral risk on top of an existing risk management framework is one concept that can be emulated across industries, as is the use of subculture audits. The techniques will need to be adapted to each industry, but Vera remarks that the basic concepts are the same across the board.
 
Resources
Vera Cherepanova | LinkedIn 
Studio Etica
European Banks Are Behavioral Risk Pioneers. No, Really
 
 

Categories
Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar


 
Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessment. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.  
 

 
The New Normal
The new hybrid work environment is here to stay. More companies are going back to the office, but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage the risk around the virtual collaboration and communication technologies used in a remote work environment, and to make sure that all employees are connected securely. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that keep employees from working in the vicinity of these devices, and making sure that devices lock at set intervals, will go a long way toward mitigating the risk posed by working in this environment.
 
Keeping a Communications Focus
Employees have to act as stewards of company policies surrounding risk and compliance, and adhere to them. Tom asks Ishan how he keeps a communications focus in his organization in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they are actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Companies also need to think about how they communicate the right ways of working to clients and employees. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies, so that the compliance department can access that information if it is required. Make sure that the data is integrated and that all of that dialogue is time-stamped, so it can be captured together.
 
Creating Effective Cybersecurity
“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. Mitigating that risk requires consistent training of your employees. Cybersecurity needs to be built into the culture of your organization, so that working securely becomes part of doing the job in a timely and efficient way. Compliance professionals should stay on top of what is happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you are adapting your policies to the new norm.
 
Third-Party Risk
Tom posits that third-party risk goes beyond company-to-company relationships; it is actually the entire scope of your communication. Third-party risk covers your suppliers, your partners, and your customers. Companies need to think about where their data is held and where it is going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority to enforce change. It is also a two-way street: as a company, you are also a custodian of information, and you have to understand your minimum baselines, the security controls that are nonstarters for you, and the risks you are willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership in that conversation and process.
 
What’s Next
Buying technology that will remain sustainable going forward is one of the best ways to prepare for the cybersecurity risks of the coming years. Privacy is another big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience.
 
Resources
Ishan Girdhar | LinkedIn | Twitter
Privva
 

Categories
Compliance Into the Weeds

What is Risk?


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. This week Matt and Tom take a deep dive into different types of risk, including cybersecurity and anti-corruption, to lead a broader discussion about the nature of risk, risk management and the future of compliance. Some of the issues we consider are:

  • What is risk?
  • What are the roles of the CISO and CCO for risk management?
  • Who owns risk?
  • What does a BOD want to see around risk management?
  • What does this mean for compliance officers?

Resources
Matt’s blog post on Radical Compliance:
The Cracks in Third Party Risk Management

Categories
Daily Compliance News

April 9, 2021 the Risk Management Failure edition


In today’s edition of Daily Compliance News:

  • CC start-up hires former CFPB rep for GC/CCO role? (WSJ)
  • Why did risk management fail so spectacularly at Credit Suisse? (WSJ)
  • Is GA’s new voter suppression law based on corruption? (MSNBC)
  • Norberg leaving SEC Office of the Whistleblower. (WSJ)
Categories
Innovation in Compliance

Dealing with Bumps in the Night with James Green


Director of Advisory Services at SAI Global, James Green, is this week’s guest on the Innovation In Compliance podcast. James’ role involves helping clients manage atypical risk concerns or situations, including business continuity, vendor risk, pandemics, workplace violence, and active shooters. He chats with Tom Fox about his company’s 360° view of risk management and how to survive the risks you never saw coming.

 
Compliance vs Operational Risk Management
James gives his perspective on the difference between compliance and operational risk management. Compliance, he says, is ensuring that you are adhering to your own standards, policies, and regulatory requirements. Operational risk management, on the other hand, is mitigating any risk to the company, no matter where it originates. Hurricane Harvey is a classic example of checking all the compliance and risk management boxes but failing to mitigate the actual risk. Tom comments that compliance and risk management are much closer than merely complementary: a combined approach helps a business create a more robust strategy for overall risk management.
360° View of Risk Management
SAI Global advocates a 360° view of risk management; risk and compliance need to be seen holistically. “We believe a company needs to be assessing risk in totality wherever it comes from,” James says. “And it doesn’t matter where it comes from, because the goal is to increase your organization’s resilience, right. That is really the goal of all of our collective functions, is that when there’s a bump in the night, we can manage through it successfully, legally, ethically, to the satisfaction of our stakeholders.”
When Things Go Bump In The Night
Tom comments on SAI Global’s real-time risk management approach and asks James how it allows an organization to be more agile and responsive to market conditions as they arise. James responds that while compliance and risk professionals are great at mitigating issues that have just happened, they also need to be aware that there will always be unknown and unanticipated issues. “…The problem is in our world, there’s always an unknown that’s coming up. Right now we’re living through COVID-19 which was unknown to a lot of us,” James points out. “There’s always something that’s gonna happen. There’s always another bump in the night. So you can’t be planning based on what happened in the past. You need to be agile. You need to be nimble.” He gives tips on how to determine whether a risk is strategically acceptable, and on the role risk management should play in the corporation.
COVID-19 and Supply Chain
SAI Global originally saw COVID-19 as a supply chain issue, James says, and started advising clients about it in January. It became much more than that, he remarks. “Supply chain really needs to be embedded in your risk model… because it can damage what your suppliers and vendors do, it can damage your brand to your customers.” He shares useful COVID-19 resources that his company has made freely available to the public.
Resources
SAIGlobal.com
COVID-19 Resources
James Green on LinkedIn | Twitter

Categories
Daily Compliance News

Daily Compliance News: May 4, 2019, the Enter Slow, Exit Fast edition

In today’s edition of Daily Compliance News:

Categories
Popcorn and Compliance

Popcorn and Compliance: Captain Marvel

In this podcast series, recovering screenwriter (and Mr. Monitor) Jay Rosen and I indulge our passion for the movies by looking at them through the lens of compliance. Jay is a contemporary movie fan and I am more of a classic movie maven, so we present a well-rounded view of movie fandom. If you want to indulge your love for the movies with two guys who are passionate about Hollywood and get some ideas for your compliance program, this is the podcast series for you. For this week’s offering, we look at the Marvel-universe hero, Captain Marvel.

Some of the highlights include:

  • What is the backstory for Nick Fury and Phil Coulson?
  • How and why did internet trolls try to sabotage the film?
  • What was the response of Rotten Tomatoes?
  • How were eggs used to great effect?
  • The special effects and battle scenes were great.
  • Who was honored in different scenes in the movie?
  • Jay gives the movie not only a full bucket of popcorn but a second bucket as well. Tom joins with an overflow bucket of popcorn.

The Compliance takeaways:

  1. Understand where you come from; know your business inside and out.
  2. Nick Fury recognized a new risk. Do you have a trip system for new risks in your organization? Do you have a seat at that table?
  3. How and why did Nick Fury lose his eye? How do you assess known strategies for unknown risks?
  4. Get out of the corporate office and into the field to meet your employees.
  5. Take action, when needed, to change the balance.
  6. As a CCO you may have to take a stand.
Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 344 – Virginia Suveiu

Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program and the Contract Management Certificate Program. She has published articles on various business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum. Every corporation and compliance practitioner faces a wide variety of risks. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risk. We consider whether there is one process or approach to take to the over-arching concept of risk management, or whether the approach needs to be fine-tuned by each organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including the program benefits and who should attend. We explore her approach to teaching risk management, and some of her current initiatives on the study and teaching of risk. In this episode, I discuss with Virginia Suveiu the theories of risk and the process of risk management.