When a major retailer had a security breach, and consumer information was compromised, it created a ripple effect at Stamford-based First County Bank.
First County Bank customers inundated their local branches seeking new debit cards, and many wanted replacements right away. The bank is able to produce about 1,000 new cards a day in-house, but has to contract out for bigger projects, said John Bonora, senior vice president and chief risk officer at the bank, and a 2011 graduate of UConn’s MSFRM program.
After that experience, First County now has a new set of issues and procedures, which it now incorporates into its risk management plans, should a similar event happen again.
“I think the biggest concern for us is the rapid pace of change,” Bonora told a crowd of 150 during the 3rd Annual Connecticut Risk Management Conference on March 20 titled “The Many Faces of Enterprise Risk Management” and sponsored by UConn’s School of Business and School of Law. “We’re a small bank, but the amount of challenges we face are unbelievable.”
Although the conference participants came from different financial, governmental and insurance sectors and had very unique stories to share, their concerns about risk management resonated through the group. As the world changes quickly, panelists from consulting and law firms, to IBM and Starwood Hotels and even the FBI said, they struggle to identify and control risks that may not have existed five or 10 years ago.
Panelist Shawn Dahl, principal of Risk Advisory Services and national leader of enterprise risk management for McGladrey LLP, said a risk-management strategy must be broad enough to capture issues that don’t even seem probable.
Several years ago he was the risk manager for a large corporation that sold wine and spirits, and specialized in Mexican tequila. The company contracted with some 500 farmers to grow agave plants, which take seven years to mature. But after learning that they could make a greater profit by planting corn, most of the farmers ripped out the agave, leaving the company in peril.
“At the time, our brand was the bright, shining star,” Dahl said. “We were experiencing double-digit growth!” After the farmers revolted, the company could only serve a fraction of its customers.
The two stories echoed the opening remarks of Jacob Rosengarten, executive vice president and chief enterprise risk officer at XL Group, who quoted English writer and social critic Charles Dickens:
“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness…,” Rosengarten said. “Charles Dickens may have been the best risk manager on the planet.”
Rosengarten described this as an age of volatility. He noted weaknesses in western economy and institutions, tribal and separatist movements, urbanization and growth of the middle class throughout the world, powerful developing markets and quickly changing technology, among other challenges for risk managers. He advised his colleagues to run to trouble, remember the importance of human traditions and tendencies, include the contrarian in discussions, develop resilience and to get comfortable with discomfort.
Keynote speaker Thomas Sullivan ’00 MBA, the former Connecticut Insurance Commissioner and now associate director at the Federal Reserve, discussed regulatory provisions to help manage risk.
“As the world changes, firms need to change, adapt and improve their ability to identify risks, define and set risk limits and figure out how to best mitigate and highlight these risks to their respective Boards and stakeholders, and, of course, to regulators,” he said to the crowd assembled at the UConn Stamford campus.
“There is no foolproof method to mitigate and eliminate all risks within a firm. This should not be the aim of a risk-management framework, nor is it a regulatory expectation. We in the regulatory community recognize that markets are malleable and certainly not static. Risk can eminate from anywhere. Therefore, risk will always be present for financial services firms. While the future is unpredictable, a good risk-management framework will assist firms in handling what comes next.”
Dipayan Ghosh ’10 ENG, a White House technology policy adviser, said two risk issues have really emerged over the last two years and are considered a high-priority by President Obama and his administration. The first is the prevention of large data breaches like those experienced by Home Depot, Target, Anthem and JP Morgan. The public, he said, has driven the urgency for change.
Secondly, he said, federal officials are concerned about the sweeping nature and breadth of surveillance programs and the collection and storage of personal data by both the public and private sector.
Several of the conference seminars focused on cyber risk, which seemed to be in the forefront of participants’ minds. But the conference also addressed emerging risks, including global economic and societal changes, as well as additional advances in technology that may represent brand new concerns.
Many discussions revolved around identifying a company’s “appetite” for risk and aligning its strategy appropriately. It isn’t just the responsibility of the risk manager to identify weaknesses, but for every employee to feel free to raise a concern, they said.
“You must know your ‘appetite’ for risk and spread that risk culture across your organization,” said Daniel Bley, executive vice president and chief risk officer at Webster Bank. “You must articulate your risk appetite and align it with your strategy. As you identify new opportunities, look to see if it aligns with your risk tolerance.”
Rosengarten said you don’t want a culture where “people walk past a train wreck and say, ‘That’s not my problem.’ If something goes wrong, Rosengarten said, the CEO and the Board of Directors should never be able to say they knew nothing about the risk.
“Once you’ve expressed your risk appetite on paper, do you believe it?” Rosengarten asked the crowd. “Are we prepared for this loss? Am I betting the whole company on a calculation? Always think, ‘If this goes wrong, can we survive?'”
