FAQ
Try to think of a critical business process that does not rely on computers, software, networks or an ecosystem of 3rd party providers. The list is very short if your business has any at all.
Most members of boards of directors bring relevant operational experience and strategic vision to the organizations entrusted to their stewardship. The emerging and constantly evolving threats of new business paradigms require a broad understanding of potentially disruptive operational and cyber risks. Yet most boards struggle to effectively understand the complex interdependencies between operational, reputational, 3rd party and cyber risks that are currently placing their growth and other strategic goals in jeopardy. The “duty of candor” requires that the board inform stakeholders of all information that is important to their evaluation of the performance of the company. That requirement is very difficult to achieve if board members do not feel properly informed about the organization’s capabilities, risk appetite, residual risk beyond the capabilities of current controls, status of outstanding remediation activities or how to interpret the metrics that describe current state and evolving threat trends.
Government and industry regulations acknowledge these threats and related disruptive events but can only provide guidance on the only strategy permitted: self-defense. Consider that for the first time in history, operating a business located in the United States is NOT inherently any safer than operating in any other country, once you establish any connection to the internet or other shared network. The might of our military, the strength of our institutions, our rule of law and most fundamental core values provide virtually no protection for any business that utilizes computers, software, networks or external suppliers to support normal operations. These business enabling tools are under constant attack by highly skilled organizations & individuals that are well organized and very effective at introducing risk into every aspect of your business processes and supply chain.
Risk Neutral advisors have decades of global operational, compliance, risk management and cyber security experience in public & private corporations and government agencies. We provide an objective, independent perspective on a broad spectrum of risks and disruptive events. These insights enhance any organization’s ability to outperform its competitors by demonstrating sound corporate governance and thought leadership on risk and compliance matters. Dedicated advisors provide directors with an independent perspective to support their task of ‘trusting but verifying’ an organization’s operational resilience and ability to minimize the impact of disruptive events. Our shared mission is to effectively evaluate cultural, operational and reputational residual risk. Armed with this information, resources can be allocated and deployed to achieve and maintain acceptable levels of risk.
We are governance, compliance and cyber security certified professionals dedicated to helping senior executives and board members increase their understanding of the risks and financial impact associated with a wide range of potentially disruptive events.
Our strengths lie in explaining, in simple business terms, how operational and cyber security threats can disrupt revenue streams or otherwise impede an organization from achieving its strategic goals. We have successfully assisted a wide range of clients in implementing closed-loop risk reduction programs that protect the organization’s reputation and effectively mitigate financial losses.
Any strategic advisor needs to understand the unique cultural, operational and risk factors that drive your organization in order to provide good counsel. Short-duration, point-in-time professional service engagements can offer some value, but at best they rely on generic best practices or limited sampling as the basis of their analysis and supporting recommendations.
Risk Neutral relies on decades of practical risk management experience, gained in a wide range of industries, in both operations and executive management capacities. Expertise gained in roles ranging from information technology, cyber & physical security, digital forensics, enterprise software management, telecommunications, supply chain management, fraud detection, incident response and operations provides the foundation of the lens through which we identify and quantify the potential risks & financial impact to your organization. It takes time to build this complete perspective, but it is required to make sound and effective recommendations to reduce risk across people, process, technologies and facilities within an organization and across the various environments they operate in.
Financial and reputational penalties are doled out by regulators, partners, clients, financial institutions and bad actors to organizations that lack maturity in their risk management programs and fail to effectively demonstrate organizational resiliency. The demonstration of competence, or lack thereof, has become increasingly public and spreads globally almost instantly via social media and non-stop media coverage.
Regulatory requirements to demonstrate sound governance and risk oversight are increasing from both industry and government agencies. Increasingly, with major breaches and criminal fraud cases, key stakeholders from Congress to investors are asking, “Where was the board’s oversight that allowed a specific event to impact an organization?” Criminal, personal and professional liability have been key issues in many recent high-profile data breach and financial fraud cases (e.g. Equifax, Pilot Flying J).
The overarching goal for every interaction with our advisors is to improve the quality of the decisions being made and enhance the organization’s performance. Increased risk awareness lays the foundation for improving organizational resilience against a broad range of disruptive events.
Mentoring individual directors or members of the organization’s C-Suite provides an effective environment to dive into specific risk scenarios and any potential financial or operational impacts. This approach provides a safe and constructive learning environment to explore topics that might be new or beyond the scope of previous practical experience for any member of the senior leadership team. At the committee level, our advisors provide feedback and support for normally scheduled meetings and any specifically assigned projects. Audit & Risk committees frequently request that we review and provide feedback on specific sections or documents in the board packet. With prior authorization, our advisors can attend specific meetings or provide primers on specific topics to facilitate decision making. Nomination and Governance committees may ask for input related to organizational capabilities, skill set gap assessment, skill set definition or interview support for key new hires within our areas of expertise.
As part of a crisis response team, our advisors may be asked to take on additional responsibilities. Our knowledge of the organization’s operations, capabilities and domain expertise can be leveraged in an advisory capacity as part of event declaration, threat identification & containment or recovery efforts.
A thorough understanding of key business processes is required to have any chance of effectively understanding a potential threat and its associated negative impact. As part of this organization-specific continuous learning and feedback process, each board member will gain a deeper understanding of core business operations as well as become more risk and disruptive event aware. The improved perspective on contributing risk elements will allow each board member to more effectively apply their own expertise and insights to decisions impacting the organizations they are entrusted to protect.
There are tangible, competitive advantages for market leaders that embrace and demonstrate a culture of effective risk management. Suppliers and insurers are very interested in understanding a business partner’s demonstrable position related to the establishment of an acceptable risk appetite, regulatory compliance status, adopted risk treatment framework, data protection efforts, 3rd party management & key cyber security initiatives. Demonstrating a commitment to protecting key assets as part of a trusted ecosystem of suppliers and service providers is a differentiator for most organizations.
Being transparent about efforts to reduce strategic risks using mature, well thought out and robust business processes will be rewarded in the marketplace. Business partners, clients, regulators and investors are increasingly interested in an organization’s reputation for being mindful and executing successfully to mitigate strategic, operational & cyber risks. Brand equity is closely tied to a sense of ‘trust’ that an organization demonstrates by good stewardship of trade secrets, client information, intellectual property and other forms of sensitive data required to run their business.
Return on Investment for many risk reduction activities, including those that address potentially very disruptive events, can be difficult to quantitatively calculate. Consider: where would an organization’s CFO record the approximated cost of something that doesn’t happen, or the savings associated with the cost avoidance from serious damage as a result of operational controls that work as designed? Consider all the insurance that most people carry as working professionals… life, health, auto, liability, D&O, indemnification, etc.
We know most of the events they are designed to help mitigate against probably will NOT happen during a given policy period. Despite this, most of us will still happily buy them without any tangible benefit or measurable ROI year after year. We know if something bad happens, these policies will likely help mitigate the financial and potential reputational impact of an unfortunate event. The same logic applies to investments to improve the cultural, operational and security posture of any given business. Every organization should assume that bad actors will do everything simultaneously to disrupt its business. The engagements with Risk Neutral’s advisors are designed to improve the risk treatment of potentially disruptive events to minimize the potential impact so that it remains within an organization’s stated risk appetite.
Transference of risk via insurance or to ‘trusted business partners’ is commonplace for many core business functions. Unfortunately, in many scenarios, you cannot easily transfer the responsibility of the duty of care to another organization, if at all. Standards such as the Payment Card Industry – Data Security Standard (PCI-DSS) are a great example of how precise these arrangements must be and how elusive they can be to initially achieve, much less maintain over time. The ecosystem of software, hardware, network and cloud providers for your organization, as well as your supply chain, is very difficult to trust with a high degree of confidence without a highly disciplined and well thought out risk oversight program.
Cyber and similar insurance policies reward well run, cyber-savvy organizations with lower premiums. These insurers’ due diligence reviews of an organization’s security posture and resilience capability are increasingly thorough and become more mature every year. Insurers are prepared to pay when appropriate, but will likely be one of many teams on-site after a security incident to verify that stated policies, processes and procedures were properly followed prior to any payment distribution.
Regulators are also starting to weigh in on this concept of transferring risk to other parties. Some regulators are trying to send a clear message that if your organization does NOT handle risks appropriately, it will impact your bottom line. Some regulators have gone so far as to say that the fines and penalties must be paid directly by the organization and CANNOT be paid by a 3rd party insurer.
- Prepare for bad things to happen
- Be transparent with key stakeholders on your capabilities
- Come clean when you have an incident
- Prevent insider trading when a non-public event could negatively impact stock price/shareholder value.
Individuals qualified to sit on the board of directors are smart, politically astute and likely will be referred by someone currently affiliated with your organization. Simple search engine results, public filings and dedicated websites such as Glassdoor.com can provide a perspective on how effective an organization is at managing a wide range of risks.
Potential board members will be very mindful when evaluating whether or not to join your organization’s board. How it impacts their reputation or increases their risk personally and professionally will be a serious consideration. Director & Officer (D&O) insurance is very common, but even the best policy cannot eliminate the stress associated with being individually named as a party in a class action lawsuit, which has unfortunately become very common for board members.
Some board members may have extensive expertise or operational experience in specific areas that the organization may find valuable. Joining a board may take some potential candidates into new areas of responsibility. They may now be asked to oversee risks that go beyond their previously assigned responsibilities or professional experience. Having a solid new board member on-boarding program and dedicated external advisors that can help educate them on areas of new responsibility may be the difference between landing a top director candidate or not.
Areas such as emerging risk and cyber security are frequently cited as critical gaps during board skills & capability assessments. Being able to make the entire board more risk, technology and cyber security savvy will only be a growing requirement for most organizations and industries for the foreseeable future.
There are risks and costs to action. But they are far less than the long-range risks of comfortable inaction.
We cannot change what we are not aware of, and once we are aware, we cannot help but change.
Over time, there is only one alternative to risk management, and that is crisis management, and crisis management is much more costly, time consuming and embarrassing.
The pace of change is so great; there is always something else going on. What that says to me is that you have to have strategic vision and peripheral vision. Strategic vision is the ability to look ahead and peripheral vision is the ability to look around, and both are important.
You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.
Prepare for the unknown by studying how others in the past have coped with the unforeseeable and the unpredictable.
All events in your life are neutral until you label them. Nothing has meaning until you give it meaning.