Trip report: Risk Summit highlights digital transformation and a tech start-up called PwC

On 27 and 28 March 2019, at PwC’s Risk Summit in Boston, PwC senior leaders and consultants in the risk assurance and consulting practices shared with their clients and over three dozen industry analysts their vision of how digital technologies are transforming both risk management and business performance.


Time to put technology at the forefront of your GRC strategy

Having just finished analyzing the data and writing the report on the triennial OCEG GRC technology strategy survey, I stepped into the family room to see that my wife was watching a recent episode of Amazon’s Grand Tour — the season 3 Mo’town Funk episode. Jeremy Clarkson was test driving this fantastic new McLaren Senna. 


Adding another piece to the puzzle of its GRC strategy, SAI Global is buying BWise from Nasdaq

Key takeaways

1 – The acquisition of BWise gives SAI Global a much needed boost to its competitiveness in the financial services sector

2 – SAI Global needs to assure BWise and Compliance 360 customers of its viability and ongoing support for both GRC solutions


3 critical success factors for strategic risk management and 5 questions corporate directors should ask

The announcement from PG&E that the California utility will file for bankruptcy reminded me of a question posed a few years ago by the head of GM’s risk committee: “How do we manage strategic risks?”

Key takeaways —

  1. People can and do die from poor strategic risk management
  2. Due to blind spots in the risk vision of executives and directors, risks can emerge that unbalance corporate strategies and create existential events
  3. The critical success factors for strategic risk management include encouraging and rewarding risk awareness, creating goodwill with stakeholders, and building a strategic risk response plan

NASA’s ARIA team produced this map of damage to Paradise, California, from the Camp Fire, the deadliest wildfire in the state’s history. Image credit: NASA/JPL-Caltech


Gatwick: attack of the drones

Authors – French Caldwell and Richard Stiennon

Key takeaways –

  1. Air transportation infrastructure is particularly vulnerable to non-lethal attacks by drones
  2. Regulatory controls alone will not stop drone attacks
  3. Attacks like the one at Gatwick this week are a serious reputational blow to the drone industry and to the rapidly growing drone control software and analytics vendor ecology

When to treat family and friends like acquaintances

Key takeaway

Third-party risk management is not just for suppliers, IT vendors and service providers. In many cases, subsidiaries or other organizations within your enterprise, and even well-known business customers, should be brought into the third-party management program.


The problems at Deutsche Bank and Danske Bank reminded me of an inquiry I had with a CISO at a large high-tech equipment manufacturer. We were discussing best practices in third-party risk management. I asked him what types of companies he was monitoring and he told me they were subsidiaries. He was putting these subsidiaries through the same hoops as he would any other third-party vendor, classifying them into three risk categories, doing deep dives and continuous monitoring on the higher-risk ones, and documenting certification and accreditation on all of them.

The Financial Times today recounted Deutsche’s current regulatory rows: money laundering by a former subsidiary, Regula, that it had acquired in the British Virgin Islands, and Deutsche’s role as a correspondent bank processing over €160 billion in suspicious payments for Danske Bank Estonia. And of course Danske Bank Estonia was a subsidiary acquired by Danske.

Because they were “in the family,” it is apparent that Regula and Danske Bank Estonia did not get enough scrutiny from their parents. Had they been treated as high-risk third parties, the risks and the lack of effective controls to prevent money laundering might have been discovered earlier, avoiding the heavy supervisory presence and regulatory investigations that the parents now enjoy.

Also, Danske Estonia’s use of Deutsche Bank instead of its own parent to transfer money out of Estonia could have helped to bypass parental scrutiny.  Should Deutsche have raised a red flag — like a neighbor who lets the neighbor kid smoke pot in her backyard?  Deutsche didn’t raise a red flag, instead stating they weren’t the ones responsible for validating the source of the funds — that was Danske’s problem. 

Yet, now it’s all come back on Deutsche, and the lesson learned for the rest of us — when a lot of money is on the line, treat your family and your friends as acquaintances.

Recommendations

1 — Bring high-risk subsidiaries into your third-party risk management program

2 — High-risk customers should also be included in your third-party risk management program







Smart mobs in Paris: let them be social

Key takeaways:

1 – With modern social technologies, political movements can coalesce in days, maybe hours

2 – The weak political center and struggling traditional political parties in France provide an opening for the emergence of more political movements enabled through social technologies

3 – Government leaders should be prepared with strategies to predict, engage, monitor, and respond to rapidly emerging political movements

Over the last three weeks, protests in France that were triggered by a new fuel tax and rising fuel costs have grown through social media to become a national movement. Watching the yellow vest protesters break out into a violent mob in Paris, and the police response with tear gas and water cannons, reminded me of other protests over the last two decades that have been organized through social technologies. The very first was the Battle of Seattle, where protest organizers used text messaging and online bulletin boards – but that required months and weeks of preliminary planning. As we observe in France, with modern social technologies, political movements can coalesce in a few days, maybe a few hours.

Text me — killing Doha

The anti-WTO protests in Seattle in 1999 are the earliest documented application of social technologies in street-level activism. In Seattle, protesters networking through cell phones and updates to websites were able to outmaneuver police and shut down a round of trade talks. The round of WTO talks that had led up to Seattle ended inconclusively with no agreement on the major issue of breaking down trade barriers between rich and poor nations. The subsequent Doha round of talks, which began in 2001 and was scheduled to complete in 2005, picked up on the same theme of breaking down trade barriers between rich and poor countries. However, ten years after the original deadline the Doha round was still not complete – the smart mob had killed it.

The Arab Spring — not quite social

With the advent of smartphones, social media combined with mobile technology, and Twitter was often identified as an enabling technology for street protesters in the 2011 Arab Spring protests. Credible research has shown, however, that during the Arab Spring protests most street activism preceded social media activity rather than followed it – indicating that most people were tweeting and posting about the events they were seeing on television, rather than using social technologies to organize the protests.

Social technologies help political movements, but leadership still matters

Seattle in 1999 remains the benchmark for organization and execution of street activism using social technologies. The yellow jackets in France have yet to demonstrate a similarly high degree of organization, and the protests could peter out. However, there is a political vacuum in France, with both right and left mainstream political parties having been marginalized in the last elections, raising the specter of a weak center represented by President Macron and his “La République En Marche” party facing a population that has shown that it can self-organize through online and mobile technologies.

So far, Macron’s government has been ill-prepared to deal with a national political movement that appeared in a fortnight. In Macron’s favor is that the yellow vests have shown no cohesive national leadership; yet, that is also a problem for Macron since there is no legitimate movement leadership to engage.

Recommendations

Many government leaders treat social media as another public relations channel, like print and broadcast media. Instead, they should be looking at social and mobile data as a rich source of insights. Government leaders can use social media analytics to predict, manage, engage and respond to rapidly emerging political movements, as follows:

1 — stress test proposed major initiatives and identify key indicators that can predict the range of societal reactions

2 – identify the people who are the primary influencers and engage appropriately and constructively with them as the indicators warrant

3 — monitor the indicators before and after the initiative is launched, and

4 — if people take to the streets, analyze the mobile and social data to guide the deployment of and response by law enforcement in ways that prevent or limit violence

5 – while mining and analyzing social and mobile data, ensure that policy and procedures to protect individual and group rights of assembly, petition, free speech, and privacy are followed
