Emerging risks are colliding with emerging technology.

Adapting to the increasing speed and complexity of risk was a common theme throughout the Compliance Week West conference earlier this month in Palo Alto, Calif. While evolving technology was touted as part of the solution, it was also discussed as having the potential to create new problems.

Norman Marks is vice president of internal audit for SAP, and the company's “evangelist” for risk management, compliance, and the “value of information.” He said the way companies approach risk must evolve and no longer be thought of as “insurance.” The value of risk management is that managing uncertainty can both create and protect value.

Marks bolstered his case by citing an Ernst & Young study that sought to measure the value of sound risk management. Organizations with mature risk-management functions enjoyed a 28 percent improvement in shareholder value over the long term when compared to those that are further behind on the risk-management curve.

“Risk management is about performance and results,” he said. “You are thinking about what could happen, preparing for it, and taking advantage of it.”

The key is to view risk management as a constant, ongoing need, not merely something intended as a quarterly update to boards and top-level executives. Marks described it as “managing risk at the speed of business.” He explained that making decisions based on information that could be a month or two old is a recipe for disaster in today's fast-paced business environment.

“Risk velocity” means that an incident halfway around the world can result in a board member being asked to field questions in a matter of minutes, he said. A London banker recently told him that his operation requires constant data monitoring and systems that can respond in nanoseconds.

Technology is increasingly vital to the cause, Marks said. It enables financial institutions to monitor billions of transactions each day for red flags of fraud and money laundering (up to 300,000 times faster than just a year ago, he noted). Social media monitoring can alert an organization to reputational risks and internal personnel issues, for example. Although still in its infancy, “Big Data” holds great promise for assessing all manner of risks.

Technology can update risk assessments, monitor implementation of action plans, evaluate compliance and ethics programs, and improve monitoring and communication of risks across the organization.

SAP's internal risk-management function is deploying mobile risk analytics, for example. Linked to its enterprise risk management system, the mobile app will “enable every manager to see and dive into the risks they own,” embedding risk management into daily management, said Marks.

Colin Campbell, senior vice president of GRC product management for SAI Global Compliance, emphasized that there “is not one piece of technology that is going to do that for everybody.” Solutions will require a collection of different software and platforms.

New Risks, Too

New technology does create new risks, however.

Kathryn McCarthy, chief legal counsel for EMQ FamiliesFirst, California's largest children's behavioral health program, cites social media as a growing issue for her organization. Not only are its clients minors—which means strict privacy regulations apply—but roughly one-third of its workforce is under the age of 30, presenting the additional challenge of “educating a generation not accustomed to the consequences of posting something.”

“It takes a lot of time for a company to build an ethical reputation and it only takes a few seconds to undo it,” lamented Jeremy Wilson, senior manager of the ethics and corporate policy program for Cisco Services.


Wilson said that Cisco, like many other companies, has also faced the challenges of employees seeking a “bring-your-own-device” workplace: the ability to use their personal laptops, tablets, and smartphones for company business.

Cisco has, in part, addressed BYOD in how it engages employees with its code of conduct. The code has evolved over time from a Word document to a PDF file to a Website. Now, it has its own online portal where policies are explained in eBooks and videos.

“If people can't access it, that's a big problem,” Wilson said of the need for this change. “They will come back and say, ‘I tried to look at the policy, but I was on my tablet and couldn't access it.’”

An internal discussion forum helps foster risk awareness among all employees and clarify policy. A current events item about the Dodd-Frank Act, for example, may be used to reinforce the fact that employees have the option to report issues to regulators if they choose to go beyond a company protocol or hotline.

Cisco has also created an in-house disclosure tool, a simple application used, for example, when an employee or their spouse starts a business, or takes on outside work with a contractor or vendor. Managers and the ethics office still review this information, all of which is archived, but the majority of scenarios are allowed or disallowed nearly instantly after answering a few questions. It has been expanded to matters involving gifts or entertainment and whether a given situation is acceptable within company policy.

[Figure: Risk Assessment Lifecycle, a chart from the CW West Emerging Risks and Trends presentation. Source: CW West.]

Wilson said initial concerns that people might not want to disclose to a tool were proven wrong. Instead, many of those who wanted to make disclosures were intimidated by the idea of doing so in-person (only 14 percent preferred talking to someone, a survey found). In response, Cisco created an anonymous Web form, e-mail aliases, and a case management tool that allows images, audio, and video to be uploaded as needed.

The deluge of data and constant insight into potential risks raises the question of how much boards need to—or want to—know, and when.

Marks cautioned against bombarding top executives and boards with the minutiae of potential risks. Information needs to be boiled down to an “elevator pitch of what really counts” so they can be agile and make decisions quickly.

“You have to do a lot of interpretation for them,” he said. “Only tell them what they need to know, because then they can do something about it. Don't tell them something just because it is interesting. Tell them if there is anything they need to worry about or that they need to do. Sometimes we feel the need to give too much information.”

McCarthy's filter is “knowing what keeps the CEO up at night.” Among the items on that list are potential violations of the Health Insurance Portability and Accountability Act, pending litigation, and any incident that threatens to hit the media.

There's no hard-and-fast rule or check-the-box approach to escalating an issue, she said; “you need to use critical thinking skills to decide what gets communicated up to the C-suite.”

“We are a very large company, and there is no way you can look under every rock,” Wilson said. “At the same time you have to come up with a prioritization model. Boards don't always want to discuss what action they should take; they will ask what actions you are already taking.”