Will the current Ebola outbreak wreak havoc on your supply chain? Could hackers successfully breach your security perimeter and steal sensitive information without you even knowing about it? Will geopolitical unrest, notably conflict in the Ukraine and political demonstrations in Hong Kong, complicate dealings with partners in those regions? Could another volcano in Iceland ground air travel from Europe, adding shipping delays? Perhaps some other natural disaster?
Of all the risks that keep company executives up at night, there may be no bigger nightmare than a threat they don’t see coming.
There is a very long list of large firms that have blamed (rightly or not) black swan events for their woes: MF Global, Arthur Andersen, Bear Stearns, Lehman Brothers, AIG, and BP among them. “What you can gather from the length of the list is that black swans are not rare,” says Mark Hale, director of business and operations for CHAPS, a payment processing firm.
A flurry of new regulations and a long list of massive fines against companies for violating bribery laws, money-laundering laws, and other rules have required companies to take a risk-management approach to compliance, devoting the most resources to the potentially most costly risks. But some risk-management experts say that those efforts are stretched too thin and could miss less common but potentially more devastating events or scenarios.
The term “black swan,” coined by author Nassim Nicholas Taleb in his 2001 book “Fooled by Randomness,” became a catch-phrase throughout the financial crisis to describe the perfect storm that sank financial giants like Lehman Brothers. By definition, these are unexpected, unpredictable disasters that can only be picked apart and explained after the fact. These unwanted surprises, once considered rare, are becoming increasingly common.
Back to the Breach
Cyber-security failures are a unique twist on black-swan events. It isn’t that breaches and the theft of customer data by hackers are unheard of—big breaches at Home Depot, Target, and JPMorgan have amplified concerns. The problem is that a company may not even know its security measures failed until that one fateful morning it finds regulators knocking on its door because millions of customer records have been pilfered.
“The threat of outsider attacks by black-hat hackers is not a new phenomenon,” Michael McGovern, managing director and CIO for Brown Brothers Harriman, says. “It has been going on for many years, but a number of things have happened. There is the emergence of state-sponsored hackers. Target is also a great example because it was one of their suppliers that had a breach, so the extended ecosystem is an area that regulators are increasingly focused on. The level of sophistication of hackers and the evolving threat matrix firms have to contend with has created a situation where there is a tremendous need to stay ahead of the frontier and anticipate the next wave of vulnerabilities.”
“The good news is that there are tremendous tools available,” he adds. “But hackers are only getting more sophisticated, so it is a war that has to be fought constantly by investing in talent and the tools.”
The current regulatory environment can both alleviate some risks and exacerbate others. Although the term black swan may not pop up in the Federal Register, regulators are making these unpredictable risks a priority.
The Securities and Exchange Commission, for example, expects to soon finalize Regulation SCI (the acronym stands for “systems, compliance, and integrity”). It would require exchanges and clearinghouses to have comprehensive policies and procedures in place to secure their technology. It requires that systems have adequate capacity, integrity, resiliency, availability, and security, and that they are well-positioned to promptly take appropriate corrective action when problems arise. The rule requires designating individuals or firms to participate in the testing of business continuity and disaster recovery plans at least once annually and to coordinate testing on an industry or sector.
“If you don’t think you are subject to cyber-attack now, that probably means you have been compromised already. That tells us that we have to change our approach from preventative and move to the assumption that something has already happened.”
Mark Hale, Director of Business and Operations, CHAPS
In the wake of Hurricane Sandy, a black-swan weather event that hit New York and New Jersey, the SEC also issued guidance that stressed the need for firms to have response plans, redundancies, and business continuity efforts in place in response to a natural disaster or terrorism attack. Much of that guidance drew from lessons learned following the 9/11 attack on the World Trade Center, the blackest of black-swan events.
Much of the Dodd-Frank Act also focused on big risk events, requiring financial firms to put more protections in place and adequate recovery mechanisms to rebound in tough times. The legislation, for example, requires that banks hold sufficient capital buffers to weather unexpected disasters like a credit market collapse or a run on deposits. Annual stress tests ordered of banks by financial regulators are another tool intended to ensure they can weather any storm, expected or unexpected.
But the flurry of new regulations and record-breaking fines may open companies up to new risk. Because companies devote a limited amount of resources to risk assessment and mitigation, some will consider merely shuttering any business line that could cause trouble. It is a fear activists had when the SEC implemented its Conflict Minerals Rule, for example. “Certain companies are getting out of certain business lines because they say it doesn’t make sense anymore because of the risk compared to revenues,” Luc Vantomme, chief risk officer for Euroclear, a firm that specializes in settlements for securities transactions, says.
Another response is to prioritize risks, rather than deal with them holistically. An example is how banks respond to the potential for money laundering in trade finance, the practice of financial institutions underwriting cargo shipments, says Hugh Jones, president and CEO of Accuity. These shipments, through falsified records, can be used for money laundering. “Currently in trade finance we don’t see a lot of fines, so we don’t see a lot of banks rushing into the trade finance arena with new investments to even investigate whether there is fraud going on,” Jones says.
Given the unpredictable nature of black swan events, and the temptation to de-emphasize under-the-radar risks, how should compliance and risk officers respond? To start with, a company’s enterprise risk management system can indeed assess all risk factors, big and small, Alison Clew, global leader of AML sanctions and compliance for Deloitte, says.
Buttoning Down Business Continuity
The following is from a Securities and Exchange Commission advisory on business continuity plans for investment advisers.
Hurricane Sandy caused significant and wide-ranging damage across the northeast coast of the United States on Oct. 28 and Oct. 29, 2012, which led to the closure of the equities and options markets. The storm prompted the SEC’s National Examination Program to review the business continuity and disaster recovery plans of approximately 40 advisers in the impacted areas to assess their compliance with applicable laws, rules, and regulations relating to business continuity plans (BCPs).
• Advisers generally adopted and maintained written BCPs. The degree of specificity of the advisers’ written BCPs varied; some had also developed specific BCPs for Hurricane Sandy just prior to the storm’s arrival.
• Advisers also generally distributed their BCPs widely within their businesses and operations. In some cases, employees were required to sign that they have received the plan annually, along with the
• Some advisers’ compliance personnel worked collaboratively with the advisers’ various business lines to develop the BCPs and sought to achieve redundancy in key services and operations.
• Some advisers required all business units to identify contingency scenarios that would affect operations and derive multiple solutions to help ensure the advisers could meet their fiduciary duty to clients.
• Some advisers formed special committees to plan, develop, test and, if necessary, execute the advisers’ BCP.
• Some advisers adopted BCPs that did not adequately address and anticipate widespread events. These advisers generally experienced more interruptions in their key business operations and inconsistent communications with clients and employees. For example, some advisers did not have adequate plans addressing situations where key personnel, such as portfolio managers, were unable to work from home or other remote locations.
“If you do a risk assessment, you are evaluating all kinds of inherent risks and you have to be super creative and challenge yourself about what the inherent risks are,” she says. “You are also constantly challenging your controls evaluation. The control side is where you have to push the envelope.”
“I truly believe that if you treat your risk assessment as a living and breathing tool and you bring that external knowledge into your controls assessment, you have a better chance of prioritizing even small things,” she adds.
Ditch the Rear-View Mirror
Another suggestion is to look forward, not backward. How an event unfolded in the past may not mirror the threat you eventually face. “History is not always a good guide,” Vantomme says. “Many firms have been building their systems looking backward to what has happened before to try to predict what the future is. We need to learn not to do that.”
McGovern suggests table-top exercises and role play, bringing together a variety of in-house expertise to brainstorm imaginative threats they might face. “The collective expertise can help expand each other’s thinking about what is in the realm of the possible in terms of a black swan event and then from there developing plans,” he says, adding that suppliers and partners may be part of this process.
Companies shouldn’t be afraid to reach out to others in their sector, or collaborate with those outside their industry, suggests Hale. “You should be prepared to learn from other organizations that do this sort of stuff very well,” he says. “For banks, secrecy and data protection is in their DNA. The nuclear industry, however, understands the extreme effect of black swan events and it is a regular practice for their IT and risk teams to get together and share everything so they can have collaboratively reduced risk thresholds.”
“You have to go through failure to understand what success might look like,” Hale adds. “I see really smart organizations take in people who have had failures under their belt. Nobody is better prepared to prevent something from happening than somebody who has already experienced the pain.”