4 Risk Management Lessons from 2017 (article)
A new White House administration, natural disasters, and sophisticated cyber-attacks affected businesses across the United States in 2017. Reducing your company’s risk exposure is essential to protecting your business, but it can be difficult if you are overlooking your potential areas of vulnerability. Understanding the risk management lessons from major events in 2017 will help you plan to address the risks of tomorrow.
Lesson 1: Monitoring Proposed Policies of the Newly Appointed Trump Administration Can Help Businesses Prepare for Upcoming Changes.
2017 marked the first year of the newly appointed Trump Administration. With a new president and Republicans controlling both chambers of Congress, American business professionals saw proposed changes to taxes, trade and other regulations, and it is expected that those changes will continue through the remaining years of the term. Change may bring opportunities for businesses, but it is also likely to bring risks and could have other effects on operations.
Monitoring proposed changes by political leadership and planning proactively for how new laws, regulations, or policies will affect your company can be the key to minimizing disruption. President Trump aims to decrease regulations, renegotiate trade deals, and scale back federal government funding. Deregulation could reduce or eliminate requirements that have been costly and time-consuming to comply with, but executives will need to evaluate the company's risk tolerance for the risk areas those regulations were designed to mitigate. Many of the areas up for deregulation are likely critical to your operations and profitability, so protecting your company against those risks will remain important even once it is no longer required. Conducting an annual risk assessment can help identify the most pressing current threats to your company so that you can allocate resources to the most appropriate areas.
Lesson 2: You Can’t Predict the Weather, but You Can Prepare for It.
The United States faced major catastrophes in 2017, from hurricanes Harvey and Irma to deadly wildfires in California (the Gatlinburg, Tennessee fires struck only weeks earlier, in late 2016). These events forced thousands of people to evacuate their homes and caused countless business disruptions across the country. Catastrophic events like these are impossible to predict, but most companies do not plan for them until after one occurs and they face a major interruption. Almost 40 percent of small to mid-size businesses do not survive an initial catastrophic event.
In order to handle issues created by emergencies, companies need to proactively develop a set of coordinated plans and procedures that ensure they have the ability to keep employees safe. Plans and procedures should also include how a company plans to continue to meet client needs following an unplanned business disruption. Your primary objective when creating your business continuity strategy is to identify your risks and create an actionable plan. The strategy should account for places, people, procedures, and communications, and the content should be general enough that it can be applied to multiple situations.
Lesson 3: Anyone Can Fall Victim to a Cyber-Attack – Even Companies that Specialize in Stopping Them.
In September, Deloitte, the largest accounting firm in the United States, confirmed that it was the victim of a cyber-attack that had compromised sensitive client data. A cyber-attack on an $18 billion company is newsworthy on its own, but what makes the Deloitte incident a particularly good case study is that a leading cybersecurity consultancy was breached through its own email platform: the attackers reportedly gained access through an administrator account on the firm's email system and used that foothold to reach its network. The Target, Yahoo and Equifax breaches had already shown that companies of any size or industry can be targeted by cyber criminals; the Deloitte breach shows that even the firms hired to stop such attacks are not immune.
Every organization, regardless of size, industry or specialty, can benefit from a proactive, robust cybersecurity strategy. It is impossible to predict exactly how or when a cyber-attack will occur, but that should not discourage management from mapping out a plan for the day it does. Creating and implementing an incident response strategy is a critical component of any cybersecurity program. Including recovery steps for every conceivable scenario will produce a complex document that is impractical when employees need to act quickly, so the key to a strong incident response strategy is not to over-complicate it. Your strategy should account for places, people, procedures and communications, and it should work across multiple situations. Given the nature of the Deloitte attack, two points deserve particular attention. First, privileged accounts on email and other core platforms should be protected with multi-factor authentication; the compromised Deloitte administrator account was reported to have been secured by a single password. Second, incident response strategies should include steps to notify key stakeholders, including affected clients, with details of the attack and updates throughout the remediation timeline.
Lesson 4: Your Company’s Perception in the Marketplace is Determined by the Actions of Every Employee.
In 2017, Uber Technologies Inc., a global transportation company headquartered in San Francisco, made headlines on multiple occasions for allegations of stolen intellectual property, sexual harassment, and data breaches. This type of media attention can have devastating reputational and, ultimately, financial consequences for companies, especially when it involves multiple, differing incidents and accusations. In a survey conducted by cg42, 57 percent of respondents reported a negative or neutral impression of the rideshare service after becoming aware of the scandals.
A company's reputation is determined by the actions of every employee and by the external perception of how it conducts business. Every company that fails to implement proper controls and reporting opens itself up to fraud, corruption schemes, or poor perception. Create company values, codes of conduct, and policies for intellectual property, and communicate them clearly to every employee. Never concentrate too much authority in a single employee; segregate duties so that other employees review day-to-day activities. Consider engaging a third-party Certified Fraud Examiner (CFE) to conduct forensic analysis and look for areas of misconduct. Establish a policy for what happens when fraudulent or unethical activity does occur, and enforce it consistently with every individual regardless of title or tenure.
For More Information
Having a proactive, enterprise-wide risk management strategy that is clearly communicated across your organization is your company’s best defense. If you have any specific questions, comments or concerns about your company’s risk management strategy, please contact a CBIZ Risk & Advisory specialist.
Copyright © 2017, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).