2017 presented a whirlwind of corporate scandals: United Airlines, Wells Fargo, Facebook, Uber, Chipotle, Equifax, WannaCry…the list goes on and on. Many of these companies suffered second and even third scandals when they failed to learn their lesson from the first.
But for every company that’s suffered a failure in risk management, I believe there’s a company that’s looking over these headlines and doing everything they can to prevent a scandal of their own, for there are many lessons to be learned from 2017.
The most important lesson is that these scandals, although seemingly diverse, are far from unique. I’ve written a lot of blogs over the past year that detail how companies have perpetrated failures in risk management. They neglected to adopt the proper systems and processes that would help them prevent scandals from occurring in the first place, and certainly from occurring a second time.
It’s an exciting time for enterprise risk management. A time for progress and immense change. Here are my predictions for risk management in 2018.
In recent blogs, I’ve talked about this idea of the see-through economy. Every day the business world is becoming more transparent as consumers adopt technologies that allow them to share their experiences.
Facebook, Twitter, Instagram, Glassdoor, and Yelp enable customers to record and spread corporate missteps in a matter of seconds. Gone are the days when PR teams could swoop in and make a scandal disappear. Maintaining a good reputation, upholding market share, and retaining customer loyalty are now a matter of being proactive, not reactive.
Take the #metoo movement for example. Sexual harassment has been a pervasive problem at work and beyond for decades. Social media empowered many to speak out against it and effect change. According to a recent Wall Street Journal article, the movement has grabbed investors’ attention, as well.
According to their study, “77% of boards hadn’t talked about sexual harassment, 88% hadn’t implemented a plan of action as a result of recent revelations, and 83% hadn’t evaluated the company’s risks when it came to sexual harassment. Their most commonly cited reason for inaction? A perception that sexual harassment wasn’t a problem at the company.”
The see-through economy has unearthed shocking oversights and practices that companies can no longer cover up. Issues all the way from sexual harassment to corrupt data practices have been unearthed too many times to be considered one-off incidents. Rather, they are systemic issues with specific root causes that can be uncovered, mitigated, and monitored.
Effecting change isn’t about responding to isolated incidents of reprehensible behavior; it’s about recognizing and resolving systemic problems. ERM provides the foundation and processes needed to connect departments and prevent these problems from materializing.
For a deeper dive into this particular prediction, check out this blog: A Shift in GRC: Consumers, Reputation, and Ethics.
For many, risk management has been and will continue to entail responding to the demands of regulators. Under the current administration, regulations on the federal level have slackened.
For example, financial regulators at the SEC, FINRA and the Commodity Futures Trading Commission have imposed a third of the amount of penalties in President Trump’s first six months in office, compared to the first six months of Barack Obama’s 2016 term.
However, I believe slackened federal regulations will only mean increased regulations at the state level.
Take the Equifax data breach as an example. States have taken it upon themselves to sue the credit bureau for putting their citizens’ personal data at risk. Massachusetts has entered into a class-action lawsuit with Equifax, and the penalty for violating Chicago’s consumer fraud ordinance includes a fine of $2,000 to $10,000 for each offense and for each day that a violation continues.
To put it plainly, increased state-level enforcement means increased uncertainty. New compliance regulations, penalties, and laws can arise at any moment from any state. Compliance will no longer be a matter of monitoring changes to one federal regulation, but of monitoring changes coming from multiple, unpredictable angles.
On a more tactical note, the SEC recently issued a proposed rule in response to recommendations in the SEC staff’s Report on Modernization and Simplification of Regulation S-K. The proposed rule would make specific revisions to a group of items in Regulation S-K and is intended to improve disclosures.
Let’s look at their proposed changes to item 503(c): Risk Factors.
Current guidance in Regulation S-K requires disclosure of the most significant risk factors related to a registrant’s business and includes specific examples of factors that a company may consider for such disclosure. Although the current requirement is intended to be principles-based, the inclusion of risk factor examples led certain registrants to disclose generic information.
The proposed rule would eliminate the examples from the risk factor disclosure requirements to encourage registrants to revisit their risk assessment and disclose the risks that are most significant to them.
I believe this is a huge step in the right direction for risk management in 2018. The current risk disclosure process has historically consisted of doing a copy/paste job from other companies, not including input from risk professionals, and not conducting risk assessments.
This proposed change will encourage companies to abandon vagueness in favor of real risk assessments of real risks specific to their industry, and more importantly, to their actual corporate risk profile.
Discover how to adapt to changes like these by downloading our complimentary eBook on risk-based compliance.
This last prediction is also a strong hope I have for risk management in 2018. The sheer volume of corporate scandals topping news headlines should be enough of a wake-up call to Boards, CEOs, and senior management alike in every industry to take risk management seriously.
United lost $1 billion in market value the day after Dr. Dao was dragged from the plane, Chipotle’s stock prices have yet to recover from the E. coli outbreaks of 2015, and Uber is struggling to keep customers on their side of the fence.
Equifax is a particularly poignant example, as its massive data breach reflected poorly not only on Equifax itself, but on every single company that gave its customers’ information to the credit bureau in the first place.
Consumers are outraged, fed up, and will move their money to companies that can prove their trustworthiness when it comes to protecting customer data and customers’ best interests.
If corporations want to be counted among those whom customers, investors, and employees believe in, then they’ll need to seek out and implement strong ERM processes and systems that are capable of breaking down silos, assessing risk objectively, prioritizing resource allocation, and monitoring the effectiveness of controls.
I believe 2018 is going to be another big year for ERM, one of heightened awareness, increased implementation, and, hopefully, less scandal.
Check out this complimentary eBook that describes the 5 timeless characteristics of the best ERM programs.