Category Archives: Reputation Risk

Игроки всегда ценят удобный и стабильный доступ к играм. Для этого идеально подходит зеркало Вавады, которое позволяет обходить любые ограничения, обеспечивая доступ ко всем бонусам и слотам.

Emerging Market Risk: Leaders, Laggards and Rules for Avoiding Loss

Posted on by

world map

When the developed world’s economies ground to a halt during the Great Recession of 2009, large, Western-based multinational companies turned their growth-hungry eyes toward developing markets. The slow recovery that followed the recession in the U.S. and Europe did little to change this trend. In fact, according to the United Nations Conference on Trade and Development (UNCTAD), foreign direct investment in emerging markets reached a new high in 2013 of $759 billion (the most recent year for which data is available). This represented more than half the world’s estimated $1.46 trillion total outward investment flows for that year. Given this intense interest in doing business in emerging markets, FTI Consulting, a global professional services firm, conducted a survey in November and December 2014 on the character of the risks businesses face in these markets and how they attempt to mitigate them.

FTI surveyed 150 companies with revenues of more than $1 billion and business interests in developing economies, as well as interviews with 32 executives focused on compliance and risk management from those companies. Our results indicated an enormous difference between leaders (defined as companies whose self-reported losses as a percentage of revenues was in the lowest quartile, averaging 0.2%) and laggards (those in the highest quartile, with a loss rate averaging 2.2% of revenues), not only in the ways they managed overseas risk, but how they thought about it.

Quantifying Risk: The Numbers

According to our survey, 83% of multinational companies have suffered significant losses in emerging markets since 2010, with an average cost per company over that time of $1.38 billion, and the average loss per year $260 million, or 0.7% of revenues.

In virtually all loss-making incidents (99%), our respondents reported that the issue was either a matter of a regulatory violation, bribery or fraud, or reputational damage. In incidents with the highest losses, two or three of these types of risk converged: 60% of reported incidents involved more than one type, 35% involved two, and 25% were perfect storms that involved all three.

Regulatory issues are the most frequent cause of loss (either due to the difficulty of keeping up with ever-changing regulations or lax or inattentive corporate compliance policies), but legal and criminal issues (engaging in fraud or paying bribes) lead to the most expensive incidents. The most frequently cited consequences of getting caught were noted as reputational harm (67%), loss of revenues (56%), and prosecution (44%). In all cases, reputational issues invariably make matters worse.

These are serious issues, and some companies respond with equal seriousness. Some do not.

Leaders vs. Laggards: The Three Greatest Ways They Differ

According to our survey, there are enormous differences in the ways companies that have suffered the lowest rate of loss in emerging economies and companies that have experienced the highest approach risk mitigation in the three major categories. (See Figure 2.) From these differences, we have derived three rules that leaders follow to best mitigate overseas risk.

Rule 1: Walk Away From Countries Where Compliance is Impossible

Our leading companies believe it is more important to avoid doing business in jurisdictions where compliance may not be possible than do laggards by a ratio of more than 5:1. In other words, our leaders are willing to walk away, even when environments are hyped and offer the potential for quick profits. Globalized companies often overestimate their ability to estimate and analyze overseas risk accurately.

For instance, it is extraordinarily difficult to stay compliant with Brazil’s tax laws. According to Renato Niemeyer, Chief of Tax Legislation in Roraima State, each of Brazil’s 27 states has its own tax regulations “and the rules change all the time.” Neimeyer said this has led some companies to postpone paying taxes as the penalties for late payment are relatively low. However, when a company does pay the penalties, “corrupt officials will solicit the organization for bribes in order to lessen the penalties,” Neimeyer said. This, of course, is the proverbial slippery slope that can lead to both bribery and fraud prosecution and concomitant reputational damage – the perfect storm.

Latin America is also growing increasingly green in its politics, and environmental regulations are becoming problematic, especially in the energy, mining and construction sectors. Chevron vs. Ecuador, the nasty, ongoing, eight-year trial over liability concerning alleged environment damage, is an example of how damaging running afoul of environmental regulations can be.

When successful companies do attempt to do business in countries where it is difficult to comply with regulations, they invest time and energy into helping host countries develop more rational regulatory frameworks. Our leaders consider this kind engagement more important than do laggards by a ratio of almost 3:1.

Rule 2:  Keep to the Straight and Narrow

In most developed markets, it is understood that paying bribes to win or facilitate business is bad business and, if there were any doubt, the U.S. Foreign Corrupt Practices Act (FCPA) and U.

buy bactroban online shadidanin.com/wp-content/uploads/2023/10/jpg/bactroban.html no prescription pharmacy

K. Bribery Act remove them. But in many developing economies bribery is just how business gets done. In China, facilitation payments are customary to keep projects on target. The long-established Chinese custom of giving gifts to customers violates both the FCPA and U.K. Bribery Act. For our leading companies, the first rule for avoiding getting caught in the coils of bribery and corruption is to “conduct continuous dialogue with local staff on compliance issues.” Leaders rate that more important than do laggards by a ratio of nearly 7:1.

It is very difficult for local managers to resist making a facilitation payment when that’s the only way to get a pallet off a loading dock, or a critical part to a factory. That’s why companies that avoid getting in trouble make significant investments in internal communication and compliance training. They also go the extra mile when conducting due diligence on potential local partners and suppliers that may not have the same commitment to hewing to the straight and narrow as do their own organizations.

buy norvasc online shadidanin.com/wp-content/uploads/2023/10/jpg/norvasc.html no prescription pharmacy

Companies sometimes forget that the contractors their local managers hire, and the subcontractors the contractors hire, also need to be vetted and watched. Ted Unton, a former director of global financial compliance at Bemis Company, a U.S. global manufacturer, said his company has hired private investigators to look into partner companies and even partner executives.

Rule 3: Walking the Compliance Talk

Our respondents said that reputational damage – of the sort famously experienced by Walmart (accused of bribery in Mexico) and McDonald’s (accused of using tainted meat in China) – most often leads to loss of revenues, followed by exclusion from markets and even expropriation of assets. In our research, we found the greatest difference between how leaders and laggards approach mitigating reputational risk was how the regarded maintaining a good reputation over the long term. Leaders rate it more important than do laggards by an impressive ratio of 10:1.

This variance is mind-boggling when one considers that those companies that do not rate the importance of maintaining a good reputation highly have, by definition, suffered far greater losses than those that do.

Maintaining that good reputation is difficult as local populations are prone to regard multinational corporations as bad actors, and rich exploiters of resources and people – a belief often reinforced all-too willingly by the local press. It requires action and investment. One former president of an energy company operating in Bangladesh (who requested anonymity) told us his company, which had purchased land for a 40-mile pipeline, set up offices to help displaced farmers find jobs.

By demonstrating its concern for the community and by conveying that the company was involved for the long-term, planned protests were averted. (Indeed, many of the farmers were hired by the company and their living standards improved.) According to the former president, the company became seen as a benefactor, not a despoiler, and he believes that reputation will improve the company’s future business prospects.

Notably, laggards believe that running “preemptive publicity campaigns to counteract negative reactions” is a fine strategy. Leaders do not. That spread is one of the largest differences we’ve found.

Do It Right or Don’t Do It at All

As we’ve seen, multinational companies have suffered significant and severe losses in emerging markets. And the difference in the loss-rate as a percentage of revenue – 2.2% for the laggards; 0.2% for the leaders – is certainly wide. Developing risk management competence in the three major categories of risk defined by our survey not only helps to stem these losses, but builds a strong foundation for future profits.

It is bad to be a laggard. What’s more, it is unnecessary.

New Approaches Needed for Effective Data Risk Management

Posted on by

virus

Over time, the role of corporate legal departments has expanded to address the increasing risks in corporations—from increasing involvement in implementing corporate policies to leading employee training on procedures for managing electronic communications, social media, and bring your own device (BYOD) policies. This shift, however, is not enough to meet the challenges posed by an increasing range of risks proliferating within global organizations. Legal and compliance groups must also take the lead in finding new ways to leverage the power inherent in their data and address the challenges posed by massive data stores, information and network security challenges, as well as regulatory compliance requirements.

Failings of Traditional Strategies

In the past, organizations used straightforward, people-intensive methods to search for and remediate risk. For example, organizations instituted policies training, hoping that it would be sufficient to corral employee use of electronic communications, BYOD, and social media. Some may have formed working groups or intradepartmental committees designed to consider the implications of data privacy or information security for their businesses. Others rely on basic technology, such as keyword searches, that trigger electronic alerts when they find a hit in a document.

While these tools are still important to demonstrate compliance, they are insufficient alone to monitor for risk.

buy estrace online www.biop.cz/slimbox/css/gif/estrace.html no prescription pharmacy

Older technology falls short when it comes to handling unstructured data, such as e-mail. For example, discerning employees will be too cautious to use triggering keywords such as “donations” or “bribes” when referring to illicit activity. Keywords are also notoriously inaccurate: if over-inclusive, they may yield a stockpile of irrelevant information, while under-inclusive keywords could omit critical documents from discovery.

Trends Drive New Risk Management Approaches

Three recent trends—escalations in data volumes, increasing threats to data privacy and security, and heightened regulatory scrutiny—highlight the need for more intensive means to investigate risk in organizations.

1-Burgeoning Data Stores

With today’s hyperfocus on information, risk follows data. The more data sources organizations have, and the more locations for storage of data, the greater the legal exposure.

Email is perhaps the most insidious source of risk, as hackers may look to exploit unwitting employees who may open spoofed e-mails containing malware or viruses designed to attack the corporate network. Along with e-mail, employees also have more ways than ever to share confidential corporate data such as trade secrets with outsiders. Newer forms of unstructured data, such as social media and instant messaging, allow people to disperse troubling information even more rapidly than before.

As more organizations look for low-cost storage for their data reserves, they have turned to the cloud—yet another source of potential risk to data privacy. Cloud providers may be susceptible to the same hacker schemes as employees. Moreover, depending on the terms of their service-level agreements, they could employ lax security protocols, lack disaster-recovery plans, share data with other clients, or transfer data to third parties, all without notifying the data owner. Furthermore, depending on the location of the cloud storage, it may trigger the application of international laws that protect data privacy and prevent the processing or transfer of a corporation’s data.

2-Data Privacy and Security

Traditional approaches to risk management are poorly equipped to meet the demands imposed by today’s data privacy and security regulations, particularly when it comes to the need to protect personally identifiable information, protected health information, nonpublic information, trade secrets, and privileged data.

This is especially true for global organizations, which are likely to have information cross international borders and trigger other nations’ data privacy schemes. Many nations have adopted restrictive schemes designed to protect their citizens’ personal information, such as the European Union’s Data Protection Directive, which controls when and how organizations can collect, process, store, alter, retrieve, and transmit this personal data. Many nations in the Asia-Pacific region have also created data privacy regimes, including China, which has blocking statutes that forbid the cross-border transfer of documents that contain “state secrets” as well as confidential commercial information.

Domestically, organizations must worry about laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extends the Health Insurance Portability and Accountability Act (HIPAA) to a covered entity’s third-party business associates. Under HIPAA’s Security Rule, organizations and their business associates must take reasonable measures to safeguard protected health information.

buy tamiflu online www.biop.cz/slimbox/css/gif/tamiflu.html no prescription pharmacy

Organizations must vigilantly monitor their data to ensure there are no gaps in security that would violate these rules.

3-Regulatory Enforcement

The nation’s regulatory framework is becoming more complex almost by the day. Regulations that supplement laws such as the Foreign Corrupt Practices Act (FCPA) and the International Traffic in Arms Regulations (ITAR) have generated new areas of vulnerability, particularly when it comes to third-party relationships.

For example, the current administration has taken the position that no FCPA infraction is too small to prosecute. Organizations that fail to take proactive measures to search for, disclose, and remediate misconduct are likely to face substantial penalties if a regulatory agency discovers misconduct. Traditional tools, such as internal audits, are not up to the task of detecting the malfeasance of internal fraudsters, who may mask their corrupt behavior with code words or other innuendo that make it difficult to discover using keywords. Unless more advanced tools are used, an organization’s best defense against fraud might be reliance on tipsters.

A similar approach is required to ensure compliance with ITAR. This law imposes stiff penalties, including millions in fines, against U.S. organizations that export “defense articles” without government authorization. “Articles” is defined so broadly that it covers technical, defense-related data in documents, blueprints, drawings, photographs, plans, or instructions. The Directorate of Defense Trade Controls, the U.S. agency that enforces ITAR, is likely to take a more lenient approach with companies that have implemented a rigorous compliance program and that voluntarily disclose and remediate any failures.

Data-Driven Tools

Risk professionals now have a number of advanced analytics tools at their disposal to counteract the additional risks that lurk in emerging forms of data. Linguistic analysis techniques can identify instances where employees use seemingly innocuous words or phrases to engage in subterfuge. Concept clustering is a tool that isolates subtle patterns within documents that seem dissimilar to the untrained—or undigitized—eye. These conceptual search tools can identify patterns in documents, based on keywords or chunks of text, and flag the documents that refer to items that might fall within ITAR’s purview. Data visualization tools can analyze relationships and look for troubling connections that might violate the FCPA, such as links between employees, vendors, and foreign officials. In addition, anomaly detection tools can scan records for irregularities, such as unusual recurring payments.

Counsel, risk and compliance professionals can also apply tools such as technology-assisted review (TAR) to prioritize documents for review based on the likelihood that they contain material of concern. Using TAR, experienced legal counsel code a seed set of documents for relevancy to the issue at hand. Once done, they feed these documents into a computer that is programmed to uncover the logical reasoning behind the lawyers’ coding decisions. Sophisticated algorithms then apply that logic across an entire document population.

buy cytotec online www.biop.cz/slimbox/css/gif/cytotec.html no prescription pharmacy

The process is iterative, so that ultimately the computer’s logic closely mirrors the lawyers’ coding decisions. Organizations can use TAR to limit the population of documents for review, thus expediting the data mining process.

Navigating Data Breach Regulatory Requirements

Posted on by

Data breach

Amidst the gridlock on Capitol Hill and in State Houses across the country on many policy priorities, there seems to be one issue related to corporate governance that brings both parties together. In response to a tidal wave of security incidents, both policymakers and regulators are passing and debating new rules regulating how companies must respond to a data breach.

Along with managing internal expectations from the rest of the C-suite and board on how a data breach needs to be handled, risk managers now face a continually shifting regulatory landscape. It is essential that risk managers are up to speed on the latest policy developments and understand how they will influence how a company responds to an incident. In a policy white paper released by Experian, we found the following to be some of the most significant trends changing the regulatory landscape.

State Laws and Regulator Expectations 

Today, when a data breach occurs, risk management professionals need to take into account 49 different laws and regulations across states, the District of Columbia and Puerto Rico. The nuances between each law require careful review, especially for businesses that operates in multiple locations.

buy lariam online greendalept.com/wp-content/uploads/2023/10/lariam.html no prescription pharmacy

Further complicating matters, many states are actively making updates to their laws:

  • Oregon recently signed a law requiring that notification of a data breach be provided to the state attorney general if a company experiences a breach that affects more than 250 consumers.
  • Connecticut added a requirement that companies provide credit monitoring for at least 12 months to impacted parties, as well as provide notice of a breach within 90 days of the incident’s discovery.
  • Rhode Island now requires consumer notice no later than 45 days after breach discovery and expanded the definition of personal information to include email addresses combined with passwords.
  • Illinois is considering legislation that would move the definition of personal information to include marketing data.

State attorneys general are also increasingly scrutinizing how companies respond to a data breach, and are often vocal if they think a company is not taking the proper steps to protect affected constituents. In addition to conducting more official investigations, state attorneys general are leveraging the power of the press to make their point.

Congress Looking to Reach Consensus

The current complexity caused by evolving state laws could soon become a non-issue if Congress is able to pass a comprehensive federal data breach notification bill. Lawmakers have made passing a national federal data breach and data security standard a priority in the current Congressional session. One bill, the Data Security and Breach Notification Act of 2015, has already been passed by the House Energy and Commerce Committee and could make its way to a full vote. In the Senate, there are also a number of competing pieces of data breach legislation being debated that are fighting for support.

This is not the first time Congress has attempted to pass a comprehensive bill.

buy sinequan online greendalept.com/wp-content/uploads/2023/10/sinequan.html no prescription pharmacy

Several bills were previously introduced and passed by House and Senate committees, but were unable to make it any further in the process due both to lack of support and not being high on the priority list. However, while reaching consensus may not come easy, there is pressure today on federal lawmakers to pass a bill, which is driving more action in the space.

Lending to the cause, President Obama is also a vocal advocate for a national uniform breach notification standard. He explicitly referenced the need for comprehensive legislation during his latest State of the Union Address, and gave a speech to the FTC in January 2015 that outlined his version of a draft data security bill – the Personal Data Notification and Protection Act. In addition to data breach law, recent high profile security incidents also led Obama to encourage Congress to pass legislation that regulates and supports voluntary sharing of cyber threat information between companies and the government. With attention and support from the executive branch on cyber security, it is much more likely we will see progress on the topic from Congress.

Staying Informed and Prepared

The reality is that data breaches pose a risk that will always need to be addressed, and until the U.S. passes comprehensive data breach notification legislation, the responsibility falls to risk managers and relevant colleagues to track policy changes. This is why it is important to enlist outside experts such as legal counsel familiar with the evolving regulatory landscape. Understanding the landscape is not enough, however. Companies must ensure that any new rules or regulatory agency expectations are accounted for and updated in data breach response plans. As a best practice, companies should review plans at least twice a year.

More information on data breach legislation and resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.

Gauging the Impact of Reputational Risk

Posted on by

The following article is part of a continuing blog series that will explore ideas, concepts, discussions, arguments and applications associated with the field of enterprise and strategic risk management.

online pharmacy nolvadex with best prices today in the USA

In my previous article, I made the point that the public discussion of reputational risk lacks a set of common standards or definitions. This lack of consistency allows organizations to interpret or define the concept of reputational risk in very different ways. For some, reputation is beginning to be viewed as something like the “risk of risks” in the same way people are starting to discuss the concept of the “internet of things.” I questioned whether reputation or brand is actually a risk or a residual event stemming from other extenuating risk domains or actions.

Upon further reflection and discussions with academics and risk professionals who are thinking carefully about this issue, I would go further now to suggest that reputation or brand risk involves perceived or real human behaviors that are, to some extent, measured against societal, economic or moral standards. The adherence or deviation from established standards generates the basis for the risk, and the variability from the standard influences the duration of the outcome.

The bigger question is: What impact does reputational risk have on economic performance when possibly mitigated by the existence of a robust enterprise or strategic risk management methodology? Is the data available to see the “correlates” between a reputational risk event that trigger or influence operational key process indicators like EBIT, ROA, ROE and share price (public or private)?

What we do know from the Aon 2015 Global Risk Management Survey is that business leaders are concerned about reputational risk in general and the possible linkages with other hazard and operational risks within their organizations.

The respondents to the survey said that they worried that a reputational risk event would significantly impact financial performance.

reprisk1If reputation/brand risk was identified as a precipitating event, the respondents identified regulatory change, increasing competition, talent retention, cash flow/liquidity and share price volatility as “follow on” risk consequences. In effect, reputation/brand risk might constitute a “gateway” risk, where other related “follow on” risk consequences are triggered and serve to increase the overall volatility/impact of the reputation event.

Another way to view the data is to see what events could trigger a reputation event.

reprisk2In this case, the survey respondents identified nine non-correlated risks that could precipitate a reputation/brand event. Here social media plays an important role.

online pharmacy champix with best prices today in the USA

The speed by which information, accurate or not, is transmitted, consumed and iterated across the nine risk categories may have a material impact on the basis and duration of the reputation/brand event. There is also an error component associated with social media.

online pharmacy periactin with best prices today in the USA

How many times have we witnessed an initial media report of a brand damaging event that turns out to be prematurely reported and the facts distorted, only to be corrected in a later reporting cycle?

Next up: Fat vs. thin tail distributions.