Tag Archives: Risk Management

Want to scan your crypto wallet for risks? Check: AML check BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money. You may not be aware of a risky transaction and at any moment, even can increase your AML rating into the red zone.

Online Exclusive: How to Protect Yourself on Social Media

Posted on by

Add Friend on Social Media

In the October issue of Risk Management, social media and eDiscovery expert Adam Cohen chatted with me about the biggest corporate risks in sites like Facebook and Twitter, and outlined some best practices for developing and enforcing a social media policy. But behind every account sits one major risk that’s hard to control: a person.

Not all of Cohen’s advice could make the magazine, so here are some of his extra tips for how to mitigate the risks of personal social media – both to protect your company and to protect yourself.

What should employees know about their personal social media accounts?

All employees need to recognize one thing: they shouldn’t have any expectation of privacy in information that they post on social media. Even if they think they’re limiting information to a select group of friends, this stuff can all be disclosed in litigation and there are many cases where courts have required so-called non-public social media information to be disclosed. It’s fairly routine at this point.

Many employers – certainly all the major companies – have specific social media policies that give very particular and clear direction to employees on what they can and can’t do when it comes to company information on social media. That extends beyond just corporate social media and includes anything they’re doing on social media that could impact the company. And many employers are going to take the position that they have the right to monitor employees’ social media.

How can employees protect themselves?

buy lipitor online orthomich.com/img/blog/jpg/lipitor.html no prescription pharmacy

One of the key things employees need to do to protect themselves is only disclose information they would be comfortable disclosing to the entire world and they should not to go anywhere near business information. Being safe on this front may include publishing a disclaimer that an individual is not representing the views of the company. What else can they do? Follow the employer’s social media policy to the letter and, any time they have a question about whether one of their social media posts may be affected by the policy, they should ask. Most policies will provide a resource for questions, whether it’s a general counsel or a compliance officer or immediate supervisor.

Those are probably the main things: not having an expectation of privacy on social media and treating everything you post like it’s private, and following the policy to the letter and getting clarity and permission on anything that you think could be a violation of the policy.

As we’ve used social media more, do you think employees are using social media any more wisely?

I think it’s still too early to say that there are any improvements there. Litigation that involves social media as a factor in one form or another is just exploding. There is no information that would suggest in any way that employees have increasing awareness of this and are taking that into account when they go on social media.

What is the first thing you look for when trying to evaluate a social media account for potential liability or wrongdoing by an employee?

The first thing I would look for is the nexus between the social media and business information. Personal social media may be a concern from the perspective of the employee being seen as representing the company, even if it’s just sullying the reputation of the company – and that’s especially true the higher-ranking the employee is – but the first thing to look for is whether the employee discussing matters within the scope of their employment. And that’s difficult to monitor – the social media world is a big world, especially for a company with a lot of employees.

So then general personal misuse is relatively benign to you?

The other stuff is not benign at all. An employee who behaves in an inappropriate way on social media or is violating intellectual property rights, copyright or trademark of some other company – or, say, badmouthing a competitor – well, that’s not benign. If they’re engaged in criminal activity on social media or they’re defaming someone, that’s certainly not benign because they work for a company and that can impact the image of the company or lead to serious repercussions. That only gets more serious if you’re a prominent or higher-ranking executive.

buy arimidex online orthomich.com/img/blog/jpg/arimidex.html no prescription pharmacy

Is it benign? No, but you can’t control that.

Although, I should note, the National Labor Relations Board has said that employees have to be permitted to discuss their working conditions with other employees and that the employer can’t really control that, and if the social media policy purports to prohibit that discussion, the policy is not valid.

What is the most useful evidence in building a case against an employee?

Well, it depends on the kind of case, but social media has now been used as evidence in hundreds of cases. The most devastating use of it so far has probably been in the personal injury arena.

buy advair rotahaler online orthomich.com/img/blog/jpg/advair-rotahaler.html no prescription pharmacy

Plaintiffs have made claims of disability and emotional distress and the defendant has been able to obtain discovery or has retrieved public social media that completely contradicts those claims – for example, a video of the complainant surfing. There are a lot of cases like that and that’s just an example of really devastating use of social media.

Who do you friend at work?

Well, you don’t friend subordinates – that’s a no-no. You can get yourself into all kinds of trouble there with people making claims about what kind of a relationship you have with them. You don’t friend people at work whom you don’t know – just as you don’t in your personal life. You shouldn’t assume that, just because this person works with you, they’re the kind of person with whom you want to be associated. You also don’t want to friend somebody who you don’t want to have access to your social media. If you have privacy concerns, you want to maintain the upper limits of your reasonable expectation of privacy, so don’t friend people you’re afraid might use that access against you in an invasion of privacy.

California Town Must Improve Risk Management or Lose Insurance Coverage

Posted on by

Insured City

One southern California town has officially been warned that their insurance will be cut off if city officials do not adopt risk management policies.

Irwindale’s insurer, the California Joint Powers Insurance Authority, issued a performance improvement plan on August 28 and said city liability and workers compensation insurance will be terminated if it does not adopt the measures. Allegations of corruption have cast a pall over the police department and local government, and the city has been forced into almost $2 million in settlement payouts over the past five years, according to the Pasadena Star News.

“They’re on notice that they need to improve their risk management practices within the city’s operations, specifically in the police department, to maintain their insurance coverage with our agency,” JPIA’s risk management program manager Bob May told the paper.

Irwindale has been mired in controversy over the past few years.

Of 24 police officers, three are on paid administrative leave and the department is conducting 14 internal affairs investigations. A local woman recently filed a $20 million lawsuit against the city, alleging that an officer sexually assaulted her during a traffic stop. Police Lt. Mario Camacho has been accused of retaliation by an officer under his command and of sexual harassment by a female cadet. Four city officials are charged with of misappropriation of public funds, embezzlement and conflict of interest resulting from a series of lavish trips to New York City that utilized over $200,000 of public funds.

Under the guidelines from JPIA, the city must hire a permanent human resources manager and council members must complete training on council relations and cooperation. If they do not complete the improvement plan, they risk losing coverage and will have to go to the open market or self-insure.

In September 2011, the JPIA issued a similar warning to the city of La Puente, Calif. As part of the “healthy members program” criteria, which outlines what members should do to stay within risk management guidelines, Insurance Journal reported that the town’s performance improvement plan required that La Puente “hire a permanent city manager, give notice of any harassment and retaliation complaints, and send council members to etiquette classes to learn how to get along.” The city recently completed the program and remains insured.

buy tamiflu online https://silvermancare.com/wp-content/uploads/2023/10/jpg/tamiflu.html no prescription pharmacy

So far, the only town to be officially cut off by the California Joint Powers Insurance Authority is Maywood. The city was dropped in 2010 and the lack of insurance forced the local government to lay off almost all of its employees and disband the police department.

RMORSA Part 2: Risk Identification and Prioritization

Posted on by

The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, Risk Culture and Governance, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk based decision making.

The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can’t answer the inevitable question; what are you going to do about it?

Take a Root-Cause Approach

The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise.  For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.

The key to this root cause approach is a common risk library, or Taxonomy, that orients the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as health and safety is expressing its concern with the company’s regulatory environment.

By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.

Use a Single Set of Criteria

When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. Chances are, the answer will be very few.

To combat the lack of financial awareness, qualitative criteria is essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.

Tell a Story to Your Board and Executive Leadership

The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.

Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.

For more information on risk assessment best practices, download LogicManager’s complementary guide, “5 Steps for Better Risk Assessments.”

RMORSA: Risk Culture and Governance

Posted on by

The National Association of Insurance Commissioners adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) requires insurance organizations to take a broader approach to risk management. As U.S. insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it’s important for them to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with International Association of Insurance Supervisors’ (IAIS) Core Principle 16 – Enterprise Risk Management – and much of the ORSA requirements can be fulfilled with the adoption of an ERM framework that addresses:

• Risk culture and governance

• Risk identification and prioritization

• Risk appetite and tolerances

• Risk management and controls

• Risk reporting and communication

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes.

As defined by the NAIC, risk culture and governance defines roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a 2010 SEC mandate requiring corporate boards to document their role overseeing enterprise risk. This rule extends the board’s role in risk oversight from C-level risks, activities and decisions to now having accountability at the business process level. Boards are explicitly given a choice between either having effective risk management, or disclosing their ineffectiveness to the public. Doing neither is considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as a hub for risk management. Risk responsibility has always been the responsibility of process owners, and ORSA is now mandating better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a chief risk officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “risk responsibility” and take the same action they would for other lofty strategic initiatives—that is to say, they take no action at all.

To engage process owners in a risk culture, each business area must take ownership for a subset of the enterprise risks.

online pharmacy singulair with best prices today in the USA

Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of permeating an enterprise-wide risk culture, while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by the Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment.

online pharmacy spiriva with best prices today in the USA

And finally, internal audit ensures adherence to the proper policies and regulatory standards.

Risk culture and governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above.

online pharmacy elavil with best prices today in the USA

For more information on engaging process owners, implementing a standardized risk assessment process, and reporting this information to the board, download LogicManager’s complimentary eBook, Presenting Risk Management to the Board.