What you need to know to stay current in risk management
It’s Thursday August 2nd and our latest edition of the Feagin Company Weekly Risk Report: What you need to know to stay current in risk management.
Governance – Lack of Safe Harbors leaving Directors and Officers at Sea
I’ve lost count the number of times Directors and Officers (D&O) have expressed concern about evaluating their risk management capabilities. Let’s get something straight, most D&O’s want robust capabilities. Yes, some are “check the box” zombies. While the SEC, other regulators, Congress, and governments across the globe expect organizations to conduct excellence in risk management, they are unwilling to provide protections to D&O’s to identify, document, and fix issues…openly exposing these individuals to personal liabilities. In many cases, D&O’s are threatened with class action lawsuits regarding risk practices. It’s easy to be a Monday-morning quarterback, critical of a company’s risk management (see most risk management case studies). BTW, and I digress, if the people writing these case studies are so smart, why weren’t they talking about these risks before they happened? If institutional investors want better and more open risk management and if regulators are serious about transparency and improvement, then Safe Harbors must be established. Kudos to the organizations taking the risk to improve.
Emerging Risk – BlackmailWare will increase, Frameware coming?
Our “blackmailware” warning last week garnered a lot of attention across the globe and we were working a case within hours of releasing last week’s report. What’s next? “Frameware?” Emerging Artificial Intelligence is making it possible to create video in your image, complete with your mannerisms. It looks real. Plug cyber gaps now. Worth viewing: Ted talk by Supasorn Suwajanakorn on fake videos. Case closed.
Cyber Risk – 10 “low hanging” protections every organization should have in place to reduce exposure
- Document and enforce an Information Systems Governance policy
- Complete an inventory of authorized and unauthorized devices with network access and keep it current
- Complete an inventory of authorized and unauthorized software used by the organization and keep it current
- Ensure you have secure configurations for hardware and software on mobile devices, laptops, workstations, servers, firewalls, routers, switches, etc.
- Minimize and control the use of administrative privileges
- Install email and web-browser protections
- Install malware defenses
- Ensure you have a Disaster/Data Recovery capability
- Use very strong passwords
- Encrypt all information
This is not meant to be an exhaustive list of things you should or can do. The protections on this list are easy to do and you should do them at work and at home. OK, maybe at home you can forego the Information Governance Policy, but if you don’t do the other 9, you’ve been warned.
Board Members have two primary priorities when it comes to risk management: 1) oversight and assurance that risk management policies and processes are in place and working, and 2) that the right risks are being managed. Under no circumstances should a Director ever own or manage a risk! Think D&O liability. Test capabilities by having an independent, non-advocate assessment completed. Many 3rd party assessments are biased towards selling other services so beware. You should not only receive a thorough diagnostic, but also detailed excellence plans on how to achieve the right level for your organization…detailed enough that improvements can be accomplished by your organization internally. Oh, and the evidence backing up conclusions should be included; it’s usually missing or unclear.
Consider Annual Board Activities around risk management. The agenda should include: basic ERM awareness training on company policies, industry best practices and current trends, pertinent legal case studies, emerging relevant risks, review of the risk profile, and special deep-dives on topics like cyber risk. I usually complete this inside of one to two hours. Not a huge time and budget commitment to help organizations improve and protect their interests. Board members don’t need a dissertation…just the salient points.
According to the National Association of Corporate Directors (NACD) “2018 Governance Outlook: Projections on Emerging Board Matters,” Directors rated the following 5 areas as their most important opportunities for improving board performance (Board Priorities, page 5)
- Board Contribution to Strategy
- Board Oversight of Risk Management
- Board Operations
- Board Culture
- CEO Succession Planning
GEO-Political – Oil price shock possible?
There’s war in Yemen; sanctions are being reimposed on Iran following President Trump ripping up the 2015 Nuclear Accord and President Hassan Rouhani is having a tantrum. He’s threatening to close the Straight of Hormuz, not new. Related, Saudi Arabia has ordered its oil tankers to stop sailing through the Bab Al Mandeb Strait off the coast of Yemen after two tankers were attacked by Houthi rebels linked to Iran. President Rouhani may seek to disrupt oil; however, my bet is on the USN 5th Fleet and President Trump hedging with greater US oil output and releasing of reserves. If you’re worried President Trump my take a “scorched earth” approach with Iran, look to Russia as their hedge. Iran is a “hook in Russia’s jaw” and a key component in Russia’s USA destabilization strategy. President Putin’s goal: restore the Soviet era “motherland.” See last week’s Baltic States piece.
- “You are welcome” is the proper reply to “thank you,” NOT “no problem”
- Apple, Inc. hits $1 trillion market cap
- “password,” “letmein,” “Iloveyou,” movie characters and soccer teams among most common passwords being used…seriously folks??? IT, hello…is there anybody in there?
- Rising interest rates, wage push inflation, and oil hikes could be a not so perfect storm for growth…add trade war and it may get real ugly (retailers, Christmas, get it?)
- IBM is doing great things with its i2 intelligence analysis software used by Deliver Fund – Join Deliver Fund’s fight.
- TSA’s “Quiet Skies” program is no longer quiet…some argue overreach. Congress should look into it; trust but verify…no more James Clappers please.
- More pressure being applied to China through tariffs. Get ready for the long-game. China has plenty of arrows in her quiver.
- Companies could face disruption due to increased cyber risks in their supply chain. Develop cyber control expectations for vendors and codify them into your vendor contracts; then verify compliance.
- Medical device implants at risk of “hacking” due to BlueTooth and other built-in monitoring and reprogramming capabilities. Could be life-threatening for patients.
- LogicGate raised $7.5 million in a Series A round as it pursues GRC workflow automation.
- Improving Risk Identification
- Supply Chain risk management
- Survey results (punted from this week’s edition)