New RIMS Report Delivers a ‘Wakeup Call’ To Risk Managers

According to the new RIMS report, Enterprise Risk Management’s Wakeup Call: 10 Years After, an increasing number of organizations are at least partially integrating ERM into their frameworks as they prepare for the possibility of another financial crisis or a new threat.

“The evidence shows that risk management has evolved from a promising but somewhat perfunctory exercise into a strategic management competency,” said RIMS Vice President of Strategic Initiatives Carol Fox, who authored the report. “Even so, given increasingly uncertain times, risk management professionals would be unwise to declare victory or become complacent.”

The 10 Years After report highlights a range of perspectives from executives, officers and risk professionals who represent banking, higher education, technology, health care, transportation, and a federal agency. These professionals offer their perspectives on where ERM stands today. In fact, one shared observation is that the factors which contributed to the crisis are resurfacing, but that ERM can help protect against them. As one technology officer noted: “…as soon as people are introduced into the equation, things change and risks are introduced into the process. While financial models and robot investing are agnostic, once you introduce people, their biases come back into play and disrupt the integrity of those models.”

The integration of ERM programs—even partially—has seen a slow-but-steady climb in the past decade. The report cites statistics from recent RIMS surveys, showing that 92% of financial institutions have fully or partially integrated ERM programs since the housing market crisis. Full integration, however, may be the key to protection and value—and this is accordingly the most daunting, long-term task. “At any point in time, changes in an organization itself, given myriad complexities and disruptions, may take focus away from full integration,” Fox said.

The report discusses what the experts and their industries learned from the financial crisis in the way of risk appetite and regulatory systems. By examining recent literature and studies to better understand the risks facing organizations, the report challenges risk professionals to deliver programs that generate value.

It also offers insight as to what organizations should consider as they further integrate programs. Changes in legislation, interest rates and the volatility of cryptocurrencies are on the collective radar as risk professionals look to the future.

“[bitcoin’s] future is unknown, especially given its recent run-up and sudden devaluation,” the technology officer said. “Cryptocurrency could become problematic because of scale—particularly if someone figures out a way to short-sell it much like what occurred with CDOs.”

Enterprise Risk Management’s Wakeup Call: 10 Years After is available to RIMS members only for the first 60 days. After the introductory period, it will become available to the broader risk management community. You can download the report via Risk Knowledge.

Complementary to the report, Risk Management Monitor recently published Compliance in 2018: Q&A with James Reese of the SEC, highlighting how the SEC views organizational risk management.

Compliance in 2018: Q&A with James Reese of the SEC

The Securities and Exchange Commission (SEC) recently named James Reese as the Chief Risk and Strategy Officer for the Office of Compliance Inspections and Examinations (OCIE), which also leads the Office of Risk and Strategy (ORS). These offices assess companies’ and products’ risk to the financial markets and influence the SEC’s rule-making initiatives, among other actions. OCIE conducts the SEC’s National Exam Program (NEP), which was created to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that:

  • improve compliance
  • prevent fraud
  • monitor risk
  • inform policy

Risk Management Monitor reached out to Reese to find out what he has in store for his office and U.S. businesses.

Risk Management Monitor: Your office administers the NEP to businesses to ensure they are operating in compliance with the law and the SEC rules. Can you describe the information you gather and how it is used?

James Reese: During examinations, we may request and review policies and procedures, supervisory processes, trading activity or any other aspect of a registrant’s business. The results of the NEP’s examinations are used by the SEC to inform rule-making initiatives, identify and monitor risks, improve industry practices and pursue misconduct. The NEP maintains a critical presence among market participants by conducting thousands of exams annually. This provides us with timely, accurate, and reliable information to assist the program and SEC in fulfilling its mission.

RMM: You had been OCIE’s acting chief since shortly after its inception. How has the office grown and what is your vision for the next five to 10 years?

JR: Now that we have built synergies across groups, the focus is turning more toward enhancing our risk assessments, providing better support to exam teams, improving our technology and using big data.

Centralizing the staff has led to a more cohesive approach to risk assessment and more opportunities to collaborate and take advantage of cross-discipline problem-solving.

It has also helped us prioritize those areas where we can make the greatest impact on the NEP, allowing not only our office to maximize its limited resources but in turn also allowing us to focus on how we can provide exam teams tools and data to maximize their resources.

Ultimately, our office’s goals are wide-ranging and include:

  • identifying risks to investors, particularly retail investors, and the markets
  • assisting the home and regional offices in identifying exam candidates
  • developing technology tools and quantitative approaches that exam teams can use to, for example, identify potentially problematic practices at firms and more quickly analyze trading activity
  • monitoring and examining some of the largest financial firms to understand the various market and their operational risks

RMM: What risks are you closely monitoring (or are most influential)?

JR: Since 2013, OCIE has annually published its examination priorities, which generally reflect certain practices, products and services that OCIE believes may present a heightened risk to investors and/or the integrity of the financial markets. In 2018, as in prior years, we have prioritized matters of importance to retail investors, including seniors and those saving for retirement. This translates to pursuing examinations of firms that provide products and services directly to retail investors and focusing on the disclosure and sales practices associated with higher risk products.

We are also focusing on risks to market infrastructure, cybersecurity as well as firms’ anti-money laundering requirements.

RMM: How has a risk manager’s role (and/or its importance) changed since you began at the SEC in 1999?

JR: I have seen more firms identify individuals to either serve as a chief risk officer or build out their risk management function. As SEC Chairman Jay Clayton noted in his recent remarks at the Equity Market Structure Symposium: “One of the few certainties of trading markets is that they continually evolve. New technologies spur new market mechanisms, which, in turn, lead to new trading practices.”

Risk managers face an increasingly difficult task of identifying and triaging these changes, and also having to be proactive. Trying to look around corners, identify emerging issues and spot trends before they metastasize within an organization is the cornerstone of any good risk organization and ORS spends a great deal of time on those activities, as well.

Are You Prepared for GDPR?

If your work involves personal data, you probably already know the European Union’s (EU) General Data Protection Regulation (GDPR) enforcement date is May 25.

While penalties for noncompliance can be stiff, the sky may not be falling just yet.

GDPR focuses on personal data originating from the EU, which reaches well beyond the EU’s borders into organizations around the world that collect, process, use and store that data. As a regulation focused on data protection and privacy, GDPR’s impact may extend far outside the EU. For example, there are signs that Latin American countries may be considering a regulation that mirrors GDPR. With the recent Facebook/Cambridge Analytica data privacy fallout, several pieces of privacy-related legislation in the U.S. are currently being considered by federal lawmakers.

Privacy is a risk-based problem. Organizations should assess which risks exist and determine their risk tolerance. With data privacy, these risks are typically financial (such as fines and lawsuits) and reputational (bad press and negative perceptions).

GDPR also introduces a newer risk into the risk landscape – one related to activist groups potentially using GDPR as a springboard to flood a target organization with data subject requests.

Why GDPR matters and to whom it applies
GDPR applies to personal data originating from the EU. GDPR gives individuals (aka “data subjects”) control and ownership over their personal data. This includes personally identifiable information (PII), IP addresses, biometric data, social identity, along with health, economic, cultural and genetic data. There are two reasons this has gotten so much attention:

  • The GDPR represents the EU’s most sweeping changes to privacy regulations in decades. It requires organizations to be transparent about which data is collected and how it will be used. All data collected must have a purpose and be kept accurate and up to date. Individuals (aka data subjects) now have the power to access their data, fix errors, restrict usage, move data and demand that their data be deleted.
  • The penalties for noncompliance are unprecedented. The law sets out penalties of up to four percent of global revenue or €20 million, whichever is greater. It is not clear at this point how and when these fines will be applied or if they are even enforceable outside the EU. However, the significant size of the potential fines and potential risk of noncompliance captured the attention of organizations around the world.

Large data-driven organizations have been working toward GDPR compliance since the regulation was passed in 2016. A significant number of organizations may not be ready, however. In fact, a flash poll conducted by Baker Tilly during a recent GDPR webinar revealed that 90% of attendees do not have the necessary controls in place to be GDPR-compliant.

What to do today
Preparing for GDPR compliance is a matter of preparing for privacy in general. Whoever you are and wherever you are in the world, consider these steps in your compliance journey:

  1. Identify potential data and systems affected by GDPR: Put a process in place to understand what data you collect and why. Know where it is coming from and where it is stored. You will want to know where you have “data pools” with GDPR relevance and you’ll want to know the scope. Is it one record or one million? Where are the gaps in compliance?
  2. Understand existing data privacy controls: Review your existing data protection controls and assess GDPR compliance. Do you have written security protocols in place? What is your risk exposure? Depending on the type of organization you represent, you may actually be closer to compliance than you think. For example, organizations compliant with NIST, ISO, HIPAA, PCI DSS, Privacy Shield or other frameworks, may be well on the way to GDPR compliance.
  3. Lead from the top and educate: The news cycle is now dominated by the questionable use of personal information and it appears the shift to a data subject-centered environment may very well be here to stay. This issue goes beyond risk management and IT. Marketing, legal, government affairs, HR and communications are just a few of the functional areas touched by privacy issues. They all need to be as committed to data protection as the chief privacy officer.
  4. Be clear about how you will deal with data-subject requests: Once you have a clear picture of the data you possess, it is essential to design, implement and document your processes to correct, transfer and delete that data if required, or to be able to provide a valid, legal reason for retaining the data.
  5. Determine whether you need a data privacy officer: The GDPR requires that a data privacy officer (DPO) be appointed in most situations. Proactive organizations should consider the organization’s position and strategy. Is privacy an essential piece of the business model (as it is for a bank) or the brand (as it is for Apple)?
    The answer may well influence whether or not you define a new area of leadership and accountability.

Looking ahead
There is a shift taking place. People used to accept (or not know) that their online data and personal information were being tracked and used by others. Many people seemed to think this was simply the price of being online. Now, people are questioning how their data is being used and governments are starting to listen. GDPR is the likely first step toward far more widespread change.

This is not about solving every single detail today. Most experts believe that a well-documented plan and clear effort to comply with the GDPR will make conversations with supervisory authorities significantly easier. Do the homework ahead of time, know your landscape, get your systems in place, be transparent and be ready to pivot when necessary. Do that, and you will be miles (or kilometers) ahead of everyone else next time a new law or regulation goes into effect.

Reputational Crisis Forces Cambridge Analytica’s Closure

Most of us are aware of the recent scandal involving Facebook and political consulting firm Cambridge Analytica, wherein the latter company obtained data from up to 87 million Facebook users and, in turn, built profiles of individual voters and their political preferences to best target advertising and sway voter sentiment. This information was used to enable Donald Trump’s campaign in the 2016 presidential election.

Right around that time it was reported that the Cambridge Analytica board of directors suspended CEO Alexander Nix. This action was taken after a whistleblower claimed Nix set up a “fake office” in Cambridge to present a more academic side to the company, and made comments to undercover reporters that “do not represent the values or operations of the firm and his suspension reflects the seriousness with which we view this violation.”

A feature about the scandal in Risk Management’s current issue explains why the incident was not a data breach and how companies can learn from this and comply with EU’s General Data Protection Regulation (GDPR) in time for its May 25 implementation.

In the aftermath of the scandal and Cambridge Analytica’s concession that it will not be able to recover from its reputational crisis—although the company’s leadership maintains that it acted ethically—the UK-based firm and its affiliates announced on May 2 that it will be “ceasing all operations.” Excerpts from its statement are below:

Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations and, despite the Company’s efforts to correct the record, has been vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.    

Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by [Queen’s Counsel Julian Malins] report, the siege of media coverage has driven away virtually all of the Company’s customers and suppliers. As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.

This once again demonstrates how attacks in the court of public opinion can cripple a business.

Despite a fast reaction and being exonerated by a credible authority, no amount of crisis management and communication could make up for the actions of Cambridge Analytica’s leadership. It also seems that the company had not considered a business continuity plan for a reputation crisis of this magnitude.

Last year, Steel City Re CEO Nir Kossovsky wrote for Risk Management Monitor about reputational risk—reflecting on it and warning of the consequences to an organization. When public anger rises, he said, “more blame is being cast upon recognizable targets, such as CEOs.”

And while Facebook CEO Mark Zuckerberg seems to have dodged the bullets fired his way during a Congressional hearing last month (did you #deletefacebook?), Cambridge Analytica’s leadership knew that, based on its actions and the cavalcade of accusations, neither their clients nor the public would ever “like” them again.
