Corporate Counsel Oversight of the Risk Assessment Process

By: Gary Deutsch M.B.A, C.P.A.                                      

AS COUNSEL FOR ONE OR MORE BUSINESSES TYPES (for-profit and/or non-profit), you are often asked to advise on many different types of legal and regulatory compliance issues, but how well prepared is any business to incorporate your advice into its daily routine? At issue is the process a business uses to manage legal risk. Here are some key questions to consider:

• What is the board’s (or owner’s) perspective on risk? Are they risk takers or risk averse?
• What is their tolerance for risk? How much are they prepared to lose if they don’t follow your advice? Have they factored risk tolerance into their annual budget and strategic planning projections?
• Do they establish controls over risks? Do they make sure that those controls are tested periodically to ensure the organization is adequately protected within their risk tolerance?
• How do they communicate the controls that need to be in place? Do they include the controls in policies and procedures? If they do, are the policies and procedures routinely updated to ensure they include the most current controls needed to prevent or detect risks?
• Do they receive routine reports from management indicating that employees responsible for implementing controls are doing so per updated policies and procedures?
• Do they receive periodic risk assessments from management to identify risks inherent in the business as well as the effectiveness of management’s efforts in risk management and actions to mitigate risks when necessary to keep the organization moving toward the board’s plans within their risk tolerance?

The answers to these questions may expose some weaknesses in the risk management process that could lead to increased exposure to losses. Even if the answers do not expose significant risk management process weaknesses, attorneys need to review management’s risk assessments to form their own conclusions about the adequacy of the risk management process. Furthermore, even with a well-functioning risk management process, organizations are exposed to unexpected losses. For instance, significant changes in laws and regulations may be difficult to factor into plans until the structure of the changes have become clear. Risks that rarely occur, like natural disasters, or those occurring unexpectedly, like hacker attacks, cannot easily be included in plans except as contingency or reserve factors. Transferring those types of risks through insurance may be advisable if the transfer is cost-effective.

What Corporate Attorneys Need to Understand about Risk Assessments

Risk assessments evaluate an organization’s inherent risks or the risks that are imbedded in the nature of the business. Here are some examples:

• Hospitals are at risk for violating HIPAA laws, medical billing errors, spreading diseases, and many other risks unique to the medical field.
• Retailers are at risk for massive data breaches, exposing customers to fraud, and theft such as shoplifting.
• Manufacturers are at risk for workplace accidents and OSHA violations.
• Non-profits are at risk for fraud that could lead to tarnished reputations and reduced contributions.
• Financial institutions are at risk for regulatory safety and soundness violations that could lead to onerous controls over operations.

Of course, this list is only a sampling of the types of risk that are unique to (inherent in) various organizations. Understanding risk assessments can help attorneys assess the legal risks that the board (or owner) needs to consider in their planning and risk tolerance determination.

The Risk Assessment Process

Before discussing the risk assessment process, it’s important to understand that even small organizations need to consider the interaction among the various functions, departments, divisions, products, and services that operate within an organization.

This interaction requires an enterprise approach to the risk management process (called enterprise risk management or ERM).

Here’s an example.

ABC Corp. makes widgets. They decide to launch a new widget and outsource the manufacturing process to XYZ LLC. The new widgets start selling well and ABC’s accounts receivable grow accordingly. However, shortly after the new widgets reached customers, there was feedback that the widgets weren’t operating as ABC marketed. After an investigation, it was determined that XYZ LLC had a defect in a component part of the widget. While the investigation was underway, ABC’s accounts payable department paid XYZ under the contract provisions for the new widget. The accounts receivable department, credit department, supply management function, and accounts payable did not communicate with one another, resulting in accounts payable paying an XYZ invoice that should have been withheld pending the results of the investigation. If accounts receivable, credit, or supply management had provided accounts payable with a copy of the manufacturing agreement with XYZ as well as a notification that there was a defect part investigation, accounts payable would have been alerted to the defect part provision, allowing for payment to be withheld pending investigation.

An assessment of payment risks focused solely on the accounts payable department may have identified the weakness noted in this example after the payment had been made to XYZ. However, an ERM risk assessment may have identified the lack of communications among the accounts receivable department, credit department, supply management function, and accounts payable as a control weakness that if corrected could have prevented the payment to XYZ.

Sample ERM Risk Assessment Questionnaire

This sample ERM risk assessment questionnaire for outsourced vendor contracts may have helped identify the payment issue discussed above. This assessment is not a legal review—it is a review of operational and security-related provisions to ensure that the organization’s interests are continuing to be protected.

When evaluating ABC’s outsourcing arrangement with XYZ, the following operational and technology contract issues should be considered:

• Does ABC’s internal auditor have the right to periodically review vendor activities? This review should identify the areas of risk and the levels of risk to be reviewed and recommend and perform audit procedures as needed that may require the vendor’s cooperation.
• Does the contract provide for ABC’s right to perform updates to due diligence to ensure that the vendor has a sufficient number of qualified staff members to perform the contracted work?
• Does ABC have the right to receive timely notice from the vendor of any key staffing changes?
• Does the contract adequately define the expectations and responsibilities for both parties based on the current operating environment?
• Are the scope, frequency, and cost of work to be performed by the vendor subject to change as necessary to protect the operations and security of ABC?
• Does the contract provide for the opportunity to reset responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and the board about the status of contract work?
• Does the contract establish the protocol for changing the terms of the service contract, especially for expansion of work if significant issues are found, and stipulations for default and termination of the contract?
• Does the contract state that any information pertaining to ABC must be kept confidential?
• Does the contract specify the reports and the related documents needed to evaluate the performance of contractual obligations?
• Does the contract specify the period that vendors must maintain the reports and documents?
• Does the contract state that outsourced services provided by the vendor may be subject to regulatory review and that examiners will be granted full and timely access to the appropriate reports and related documents prepared by the outsourcing vendor?
• Does the contract state that reports are the property of ABC, that ABC will be provided with any copies of the related documents it deems necessary, and that employees authorized by ABC will have reasonable and timely access to the documents prepared by the vendor?
• Does the contract prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence?
• Does the contract state that the vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of an employee or a member of management of the institution, and will comply with professional and regulatory independence guidance?

This risk assessment together with a policy stating that all affected parties within ABC must be notified of outsourced contract provisions, changes to contracts, and violations of terms, if any, could have prevented the payment issue in this example. The discussion below will focus on an overview of the ERM risk assessments process.

Conducting ERM Risk Assessments

The Committee of Sponsoring Organizations (COSO) issued the "Enterprise Risk Management - Integrated Framework" in 2004 to assist organizations worldwide with principles-based guidance for designing and implementing effective enterprise wide approaches to risk management or enterprise risk management (ERM) as this process is appropriately named.

COSO defines its ERM framework as "a process, effected by an organization’s board of directors, management, and other personnel, which is applied in strategy setting and across the enterprise. The goal of ERM is to provide reasonable assurance regarding the achievement of organizational objectives by identifying events that may affect the organization and managing risk to be within the organization’s risk appetite."

The COSO framework provides guidance in the following general areas:

• Definitions for essential ERM components
• Key ERM principles and concepts
• Ideas for developing a common language to communicate ERM risks
• A development path for ERM

COSO’s ERM guidance moves beyond theory to explain how ERM integration into processes can help to balance risks and rewards. Consider the following risk assessment issues—does the institution’s ERM approach:

• Align risk appetite and strategy
• Identify and manage cross-enterprise risks
• Provide integrated response to multiple risks
• Link growth, risk, and return
• Seize opportunities
• Ration capital based on risk appetite
• Enhance risk-response decisions
• Minimize operational surprises and losses

The traditional non-ERM approach to conducting risk assessments is to have the organization’s financial function carry them out on a monthly, quarterly, or yearly basis. During the process, errors are detected and corrected and people are considered the primary source of risk. Operational plans focus on short-term risks.

Following the ERM performance approach, risk assessments are continuous and performed by management of the various organization functions. ERM stresses that everyone controls and achieves the organization’s strategic plan and controls are focused on all risks, not just a risk selected in isolation. Errors are prevented and processes are the primary source of risk, not people.

The strategic plan focuses on long-term risk. Therefore, a wellfunctioning ERM program will provide for the systematic internal assessment of risks based on the following criteria:

• Place limited reliance on third-party risk assessments.
• Identify and plan for contingent risks.
• Create incentive for organizational units to minimize contingent risks.
• Use multiple risk management tools and metrics.
• Develop flexible and adaptive risk models.
• Aggregate net and gross loss exposures in addition to plans for expected (routine) losses.
• Implement credible stress testing that is actionable.

The ERM program should also provide for open communications among organizational units, risk management staff, senior management, and board members, as well as corporate counsel, to enhance enterprise level decision-making about major risks and to react faster to emerging issues.

However, look for signs that the ERM program is not working. Here are some signs to consider:

• Increasing risk concentrations are not disclosed in reports to management and the board.
• Organizational units use different risk models that do not produce consistent results.
• There is a lack of buy-in that risk issues and assessments should be shared.
• Risk models are rarely updated to reflect evolving risks.
• The mindset that someone else will be performing the risk analysis and assessment.
• Contingent risks and unintended consequences of risks are not identified.

To ensure that the organization’s ERM program is functioning as intended, ask management and the board the following questions:

• Are risk-and-capital concepts used to quantify risk/return tradeoffs, in dollars where possible?
• Does the ERM program quantify the destructive power of correlated risk factors across the enterprise?
• Are operational risk ERM resources directed toward big risks?
• Is out of the box thinking used on ERM to see all business risks and interactions?
• Is ERM information embedded in business metrics (risk-adjusted pricing/performance)?

Although ERM may sound like a risk management approach that is best suited to large organizations, keep in mind that smaller organizations may be practicing ERM without a formal ERM program. In smaller organizations, owners, the board, and management may be the same people or certainly a small group who can recognize risks more easily due to the small size of the organization. Corporate counsel can also help by providing an objective combined legal and business perspective on risks that the others may not recognize as they are immersed in daily activities.

Core Risk Assessment Components

There are two core components of ERM risk assessments. The components should be designed to answer the following questions:

• What is the organization’s inherent level of risk?
• How well is risk being managed within the organization?

Below is a brief overview of each of these components.

Inherent Risk Assessment

Inherent risk is defined as the possible damage to earnings, capital, or reputation because of an organization’s involvement in a certain line of business. This risk exists in each line of business, regardless of the level of management control in place. For example, credit risk associated with attracting new business is typically higher than the risk of extending additional credit to existing customers. When a risk is inherent, the frequency with which a risk event occurs and results in a loss, and the extent of exposure to such losses, can be managed. The risk frequency and severity of exposure can be directly managed through the processes the organization uses to identify, measure, monitor, and control risk. The inherent risk assessment is intended to identify those risks that are specific to a line of business. The management of risk assessment discussed in the next section is designed to evaluate the processes the organization uses to identify, measure, monitor, and control risk.

The inherent risk assessment is divided into three main sections: historic, predictive, and impact. The first section, historic, is intended to assess past loss experience within the industry as well as the organization’s actual historical loss experience. Since the past is often a poor guide to what might happen in the future, the predictive part of the assessment is intended to assess the potential for future adverse events in each risk category. The impact section addresses the expected result from significant adverse events.

Exhibit A includes sample assessment standards and a rating system to measure inherent risk. In this exhibit, a rating of 9 indicates that there is a strong likelihood of an adverse impact on earnings, capital, or reputation, but only if management controls are not in place or functioning properly. Since effective management controls can mitigate risks, the assessment should evaluate the organization’s total inherent risk exposure separately from the assessment of current management policies and processes in place to control the risk as discussed in the following section.

It is important to assign a score for each category of risk. Any categories that are not applicable should be scored zero. Also, comment on reasons for assigning any score of 7 to 9 since those risks will need to be evaluated for risk mitigation controls.

Management of Risk Assessment

Organizations profit by taking measured risks. However, they can lose money or even fail by not managing those risks. Effective risk management means integrating several elements, including strategy, organization, policies and procedures, process and controls, measurement/monitoring, technology, and reporting.

Management of risk can significantly reduce volatility and the potential damage to earnings, capital, or reputation. Management cannot, however, eliminate risk, especially when an organization assumes levels of inherent risk associated with their line of business.

In the preceding section, we discussed the need to assess an organization’s inherent risks. The second core risk assessment component is to evaluate the quality of the management of those inherent risks.

Exhibit B includes sample assessment standards and a rating system for the management of risk assessment. A rating of 9 indicates that there is a strong likelihood of an adverse impact on earnings, capital, or reputation, but only if current management controls are not in place or functioning properly. Accordingly, as with the inherent risk assessment, evaluate the organization’s total risk exposure separately from the management policies and processes that are currently in place to control the risk.

It is important to assign a rating for each category of risk. Also, comment on reasons for assigning a grade of 7 to 9 since those risks will need to be evaluated for risk mitigation controls.

Corporate Counsel’s Role in Risk Assessment Compliance

Corporate counsel can have a significant impact on compliance with the board’s objectives through oversight of the ERM risk assessment process in the following manner:

• Communicate the legal implications of business (for-profit and nonprofit) risk issues to risk managers to assist them in preparing ERM risk assessments.
• Provide effective guidance to the board and management on how to implement and enforce strong corporate governance to protect shareholders, stakeholders, members, and donors.
• Review policies and procedures (which include risk management controls) to ensure the documents are properly vetted from a legal perspective.
• Assist with quantifying risks through an understanding of regulatory fines, costs of litigation, and other related costs.
• Provide routine risk management guidance to risk managers throughout the organization based on the results of court cases.

To accomplish these and other related roles, counsel must participate as an advisor to the risk management team that creates and implements the periodic ERM risk assessments. Counsel should:

• Review all risk assessment questionnaires to ensure they incorporate legal guidance and risk trends.
• Monitor the results of risk assessments to evaluate the potential implications for meeting the board’s strategic objectives within their risk tolerance.
• Provide guidance to the board on risk trends and ranking risk priorities.

Counsel’s oversight role should be objective as well as a routine part of the oversight process, which traditionally includes the internal and external audit functions as well as other oversight positions such as the chief risk officer. In addition, the board should allow counsel to work directly with the oversight functions and human resource and regulatory compliance managers to assist with evaluating risks inherent in the organization and the effectiveness of management in managing those risks.

Identifying Trending Risks

Corporate counsel can assist the board and management in identifying trending risks that should be considered in ERM risk assessments. Below are some examples of the types of risks that counsel might consider.

Invasion of Privacy

A hacker accesses ABC, Inc.’s account information through a financial institution’s website and sells the information to a third party. ABC sues the institution, alleging that it was negligent in safeguarding the account information and that ABC suffered economic loss as a result of the account breach.

Loss or Damage to Electronic Customer Data

ABC, Inc. applies for a loan on an institution’s website. A loan officer sends an e-mail to ABC concerning the status of the application. ABC later alleges that the e-mail contained a virus that deleted all financial records from one of ABC’s servers. ABC demands that the institution compensate them for the cost of reconstructing the data and for losses suffered when ABC could not access data to file tax returns on time.

Denial, Impairment, or Interruption of Service

A hacker institutes a denial of service attack on ABC, Inc.’s website, shutting down the site for more than 24 hours. During that time, a customer attempts to access his account to pay an outstanding invoice. Because ABC’s website is down, the payment is deemed late before the customer can complete the electronic payment. The customer alleges that the delay caused by the denial of service caused a loss of service from ABC that resulted in a loss of business for which ABC is responsible.

Unauthorized Access to a Customer Account

A hacker accesses ABC, Inc.’s account through their financial institution’s website and uses personal information in the account records to obtain credit cards in ABC’s name. When the credit card issuers attempt to hold ABC liable for the unpaid charges, ABC sues their financial institution for failing to safeguard their confidential information.

Loss of Business Opportunity

ABC, Inc. wires funds online from their corporate account at Bank A to their payroll account at Bank B. The funds are not transferred due to a systems malfunction at Bank A. When ABC’s payroll processor cannot verify that ABC has sufficient funds on deposit to pay employees through direct deposit, ABC is late paying its employees. ABC sues Bank A, alleging that their business was adversely impacted when their employees were not paid on time.

Libel, Slander, and Defamation, or Other Actionable Oral or Written Disparagement

ABC states on its website that its product is superior to competitor products. A customer sues ABC after he purchases a product from them, alleging that he could have obtained a better product from a competing vendor. Although ABC obtains dismissal of the complaint, significant defense costs are incurred.

Infringement of Copyright, Misappropriation of Ideas, or Plagiarism

ABC, Inc. obtains a report from a consultant concerning issues facing ABC’s market to support their claims of superior service. In preparing the report, the consultant copies extensively from another report, written by the consultant’s former partner. ABC places the report on its website for informational purposes, along with other information ABC provides to attract new customers. The consultant’s former partner sues ABC, alleging that ABC plagiarized his work.

Infringement of Trademark, Trade Name, or Service Mark

ABC, Inc.’s marketing department develops several slogans and phrases to emphasize the quality of their new service. ABC includes these slogans on the home page of its website. However, the marketing department neglects to seek the advice of an intellectual property attorney as to whether any of the slogans are already in use by other companies. A national corporation, which has registered two of the slogans as service marks, sues ABC.

Extortion

ABC, Inc. terminates an employee who feels he has been unjustly treated. In retaliation, he threatens to disseminate confidential information over the Internet unless a year’s salary is wired to a specified account within 24 hours.

Ransomware

Ransomware is malware that restricts access to an infected computer system until the user pays a ransom to the malware operators to remove the restriction. For instance, ransomware might systematically encrypt files on ABC, Inc.’s server hard drives. The drives become difficult or impossible to decrypt without paying the ransom for the encryption key.

Payment Systems

ABC Inc.’s financial institution incurs credit risk in different forms, depending on the type of transaction and the institution’s role in the transaction. Here are examples:

ACH Credit Entries

For ACH credit entries, the Originating Depository Financial Institution (ODFI) incurs credit risk upon initiating the entries until ABC funds the account at settlement. The Receiving Depository Financial Institution (RDFI) incurs credit risk if it grants ABC funds availability prior to settlement of the credit entry.

ACH Debit Entries

For ACH debit entries, the ODFI incurs credit risk from the time it grants ABC funds availability until the ACH debit can no longer be returned by the RDFI. ODFIs generally charge back a returned ACH debit to the originator. But the ODFI may suffer a loss if, for example, the originator’s account has insufficient funds or has been closed. The RDFI’s credit risk from a debit entry arises if it allows the debit to post and overdraw its customer’s account.

Institutions implement credit-risk controls that:

• Establish underwriting standards
• Require analysis of originators’ creditworthiness–and–
• Set appropriate credit exposure limits

Institutions with more complex ACH programs or institutions that do not mitigate credit risk through holdbacks or reserve accounts have more expansive credit-risk management systems. These credit risk issues can adversely impact ABC’s ability to maintain its banking relationships.

Human Resources

The risk assessment of Human Resources (HR) functions requires input from leaders in all disciplines within the organization. Leaders in marketing, sales, operations, finance, etc.—all should be asked for their opinions, ideas, and thoughts on risk areas such as:

• Hiring and selection
• Training and development
• Productivity
• Organizational planning
• Reward and recognition
• Administration

It may be helpful to have an HR expert participate or provide leadership in the process, but it would be a mistake to hand off assessment of the HR functions to one or two HR staff people when the assessment questions and considerations require input from many disciplines within the organization.

Data Theft Risk Mitigation Example

The risks described above would require an assessment of their potential impact on the organization (ABC, Inc. in the examples). In addition, the assessment should identify and prioritize risks and provide for risk mitigation controls where necessary. Since this type of risk assessment is focused on specific risks, it is less comprehensive than the organization-wide ERM risk assessments previously described.

Below is an example of a risk assessment that is focused on a specific risk. This risk topic is data theft technology risks. When evaluating how to protect against technology risks, it is important to identify the ways that an organization can be attacked. Attacks take many forms, from breaking into a computer room and stealing data files to a trusted employee who gets around controls because of their trusted position. A summary follows of the typical ways that hackers and thieves carry out their attacks and typical risk mitigation control procedures that may prevent the attacker from succeeding.

Posing as a Customer

Risks

• A thief uses an assumed or stolen identity to pose as a customer of ABC, Inc. and attempts to open an account with ABC.
• A thief uses a stolen credit card number from ABC to illegally purchase goods and services from ABC.

Procedures

Implement, update, and manage:

• Customer identification procedures
• User signup procedures
• Transaction limitation procedures
• Dollar limits per transaction
• Credit lines access limits
• Cash management user approval criteria
• Wire limitations
• ACH origination limits
• Transaction settlement procedures

Using Technology to Launch an Attack

Risks

• A thief attempts to break through Internet security measures to illegally gain access to ABC’s online banking services.
• A thief attempts to steal data from ABC’s customer databases, using hacker tools over the Internet.

Procedures

Install, update, and manage:

• Network perimeter controls (firewalls and intruder detection)
• Data integrity controls (encryption)
• Virus prevention management
• Software patch management

Taking Advantage of a Trusted Employee Position

Risks

• An ABC employee uses his or her knowledge of network security weaknesses to access systems and steal customer data.
• An employee does not enforce security controls and allows another person to steal customer data.

Procedures

Manage and monitor:

• Human access controls (passwords)
• System overload and capacity management
• Backup and recovery procedures (protection from unexpected shutdowns)

Identifying Industry-Specific Inherent Risks

In addition to identifying risk trends as discussed above, counsel can assist the board and risk managers with identifying industry-specific risks. These risks are the inherent risks that were discussed earlier in this article. Below are some examples of the risks inherent in a sampling of industries. Counsel should work with the board of each organization they represent to understand, monitor, and evaluate through ERM risk assessments the risks inherent in those industries.

Banking

Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all activities in which success depends on counterparty, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet.

Risk assessments should consider both the quantity of credit risk and the quality of credit risk management. Quantity of credit risk is derived from the absolute amount of credit exposure and the quality of that exposure. How much credit exposure a bank has is a function of:

• The level of loans and other credit/credit-equivalent exposures relative to total assets and capital–and–
• The extent to which earnings are dependent on loan or other credit/credit-equivalent income sources

Quality of credit risk management involves the adequacy of controls over the process of originating, funding, and overseeing loans until they are paid according to the loan agreement.

All else being equal, banks that have higher loans-to-assets and loans-to-equity ratios and that depend heavily on the revenues from credit activities will have a higher quantity of credit risk. The quality of exposure is a function of the risk of default and risk of loss in assets and exposures comprising the credit exposure. However, the risk of default and loss is not always apparent from currently identified problem assets. It also includes the potential default and loss that will be affected by factors such as bank risk selection and underwriting practices; portfolio composition; concentrations; portfolio performance; and global, national, and local economic and business conditions.

To determine the quantity of credit risk, risk assessments must consider an array of quantitative and qualitative risk indicators. These indicators can be leading (rapid growth), lagging (high pastdue levels), static (greater/less X%), relative (exceeds peer/historical norms), or dynamic (trend or change in portfolio mix). Many of these indicators are readily available from call report and Uniform Bank Performance Report information. Other indicators, such as a bank’s risk tolerance or underwriting practices, are more subjective.

It is important to note that banks can exhibit an increasing or high level of credit risk even though many, or all, traditional lagging indicators or asset quality indicators are low. Although a qualitative indicator may have the opposite effect on credit risk that a quantitative indicator has (the one may mitigate the other’s effect), the indicators can also work together (the one may add to the other’s effect). While each type of measure can provide valuable insights about risk when viewed individually, they become much more powerful for assessing the quantity of risk when viewed together.

Health Care Workers

Every health care worker can influence the risks related to the health, safety, and welfare of patients. Health care workers are defined as everyone that works within a health care facility.

A risk assessment within a health care facility should provide for a thorough evaluation of the workplace to identify anything that may cause harm to patients. The assessment should consider how probable and severe the risk is and determine what measures should be taken to prevent or control the harm from occurring.

Here is a sample outline of the typical risk assessment:

• Identify hazards to patient health.
• Decide what patients are at risk and how the risk might arise.
• Conduct and evaluate the seriousness of the risks identified.
• Document assessment findings.
• Propose action steps to improve patient safety.
• Identify who will be responsible for implementing revised policies, procedures, and personnel training.
• As risks are identified, update the risk assessment and take corrective action.

The outcome of the risk assessment should be to create awareness of hazards and risks, identify who may be at risk, and determine if existing control measures are adequate or if alternative controls should be implemented. Ideally, controls will be designed to prevent injuries or illnesses based on a prioritization of the seriousness of health hazards.

Health care facilities have a legal obligation to limit unprotected exposures to pathogens, the transmission of infections associated with procedures, and the transmission of infections associated with use of medical equipment, devices, and supplies. Risk assessments should address the adequacy of control measures to manage the facility’s obligations to safely care for patients.

Retailers

Retailers are exposed to many risks due to the need to provide customers with direct physical and online access to their products and services. One access point that has resulted in losses for many retailers is incidents in which a skimming device is physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals, etc.).

Some of the risk assessment issues to consider are:

• Does the retailer design (or buy) tamper-resistant terminals?
• Do they use tamper-evident controls?
• Do they have cameras to watch for tampering?
• Are consumers encouraged to protect their PINs?
• Are consumers encouraged to let the retailer know if something looks out of the ordinary at an ATM, payment terminal, or gas pump?

The objective for risk mitigation controls is to make it harder for criminals to carry out their plans or to detect the heist more quickly if prevention isn’t possible.

Cybersecurity Insurance

Cybersecurity has become a significant risk issue for all organizations. Hackers can attack from throughout the world and mostly remain undetected. These criminals are well funded and can attack for profit or to achieve political objectives. Often the risk implications of successful attacks can be debilitating and can result in reputational damage. There is also the potential for significant costs related to remediating these attacks, which is why the insurance industry has created cybersecurity insurance policies.

Since there is presently little actuarial basis for underwriting these policies, actual underwriting requires a due diligence investigation into an organization’s internal risk management practices and external business dependencies, including vulnerabilities related to the organization’s suppliers, sub-suppliers, and vendors. In addition, the underwriter’s risk analysis considers threats arising from insiders, inadequate physical security, and international travel. Underwriting also evaluates how consistently the organization has adopted, implemented, and enforced an engaged cybersecurity culture that works toward risk prevention and prompt detection if prevention fails.

The results from the insurer’s underwriting provide an objective look at the organization’s enterprise risk including potential highpriority vulnerabilities. Once the insurance is in place, the insurer will conduct periodic risk assessments to gain insight into evolving cybersecurity risks.

Even if the organization decides not to purchase cybersecurity insurance, the insight gained from participating in the underwriting process may uncover invaluable cyber risk insight based on the insurer’s exposure to multiple industries.

Gary M. Deutsch, CPA, MBA, CMA, CBA, CIA, has worked extensively with financial institutions in audit, lending, financial, and operational areas. He has served in senior positions for regional banks as VP of Finance, Real Estate Loan Officer, and Senior Audit Manager. Mr. Deutsch served as a consultant to financial institutions in strategic planning, profit improvement, financial management, and merger- and acquisition-related studies while working at KPMG. Mr. Deutsch is the President of BRT Publications LLC, a professional authoring company serving the financial industry. He has written numerous financial industry books and guides, including Risk Assessments for Financial Institutions, a LexisNexis/Sheshunoff publication.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Corporate Counsel > Compliance Risk Assessment and Governance > Compliance Programs and Risk Assessment > Articles > Risk Assessment

Related Content