The year has turned once again. The coming months may bring some changes and some things may stay the same. Depending on your philosophical inclination, change can be a good thing, or change may be something to dread. However, one thing is guaranteed to remain consistent, and in fact its creative forces are stronger and more determined than ever: fraud, in all its forms.

Just this morning I received a personal email from a work account of a trusted friend. But something was off about it; the language in the email was strange and I was being directed to open a Google document. I didn’t follow the link, but I was concerned about my friend, so I sent him an email (separate from the one sent to me). Turns out, the email was sent fraudulently. In this case, as in millions of others like it, language can provide an important alert: “Kindly review and revert it back to me.” No one I know writes like that, no one with any sense of idioms anyway. That was the first hint.

There is a constant barrage of fraud attempts, online, via snail mail, brute force attempts, false charities, phishing, spear phishing (my new favorite), all of which are becoming more and more difficult to identify. And they each want what is yours: your money, your financial information – your identity. How many emails have been sent from the Prince of a small, wealthy nation saying there is a large deposit waiting for you? Have you ever had a call from someone claiming to represent the local police asking for donations? Most (if not all) legitimate fundraising for police-related matters is never conducted by telephone. Asking for their tax identification number (TIN) usually brings the conversation to a rapid close.

Since there are so many forces intent on doing bad things, does it mean you have to look over your shoulder all the time? Yes, yes it does. It’s just a fact of life. But it doesn’t have to be so bad, as long as you’re vigilant and aware, and you pay attention.

Some of the items on the list below may seem mundane, and you may have read them before, but these simple steps help reduce the risk of fraud.

  • Do not EVER write your passwords on a Post-it note and keep it at your desk.
  • An IT professional should never ask for any of your passwords. If you are asked for a password, question it, twice. Be aware of this situation.
  • Be creative with your passwords: use upper- and lower-case letters, numbers and special characters. Change passwords on a regular basis.
  • If you have access to sensitive data at your workplace, especially if you have administrator rights – never leave your laptop unattended. On a desktop or a laptop, be sure to close any portals to workplace data when you are done and be certain all applications and portals are closed at the end of the day.
  • Monitor your personal financial information on a regular basis: bank accounts, credit cards, etc. You can do this by creating secure, online accounts. Although this is a detective control, if you monitor daily, you will identify a problem immediately.
  • Be wary of everything that enters your email inbox. Don’t click links if you don’t know the person sending – and even if you DO know the sender, pay attention to language and special requests: verify first!
  • Use common sense – always.



Risk Assessing and “The Beautiful Game”

Risks come to fruition quickly. Situations arise then escalate in no time at all. Suddenly your school or organization is fodder for headlines. Nothing will eliminate risk entirely; in order to move forward successfully risks must be properly identified, evaluated and mitigated.

In sports, there are few better examples of risk/reward, risk awareness and risk mitigation than the game of soccer. To the unappreciative eye, soccer is a low-scoring bore. To those of us who grew up playing and continued playing into adulthood, soccer is indeed, “The Beautiful Game.” Good play at midfield is applauded, exceptional defense is celebrated and outstanding goalkeeping raises the roof. Apart from the obvious physical hazards, what about other risks? Situations develop quickly. A player must assess risk then take immediate action. A school faces similar circumstances because of the great number of moving parts. Similar to good play at midfield, a school’s appropriate risk mitigation may go unnoticed to the casual observer, but the importance of properly managing risk is essential.

The USWNT recently won the 2015 World Cup in Canada. They are an extraordinary team and an extraordinary group of women. Was their play risk averse, or were they willing to take risks and at the same time be fully aware of the perils?

A school environment can be compared to a soccer match because without adequate planning and risk identification, negative situations can arise quickly. It is also important that an independent third party facilitate the risk assessment process, to ensure a free exchange of ideas and to provide unencumbered results.

Similar to play on the soccer field, running a school can be viewed as a graduated scale of risk. Fiduciary responsibilities, campus security and accreditation are among some of the highest risk areas. The medium to low risk areas should not be ignored; these should also be fully documented on a scale of importance.

In soccer, for example, the following scale demonstrates risk: the forward positions (low risk), midfield (moderate to high risk), defense (high risk), the goalkeeper (crazy high risk). In every minute of a match, each player is faced with situations where risk must be considered immediately and action taken. However, the consequences of risk-taking are not equally distributed among all positions.

A risk taken by a player in the forward position, if unsuccessful, may result in an offside call, a foul, or a missed goal opportunity. The downside of these risks is nominal. The midfield position risk-taking is more dangerous. Considering that midfield play is where many matches are won and lost, risk assessing is important. A defensive blunder at midfield may cause a breakaway. A missed opportunity to properly identify an open space could prevent your team from mounting a potential goal-scoring attack. The risks at midfield are much higher than those in the forward positions.

The defense faces the highest risks on the field. A missed defensive assignment can result in a goal, and a foul can result in a goal-scoring set piece, or worse.

Risk assessing is vital in the defensive end of the field and it has to happen in a hurry. In the World Cup semi-final match, the unfortunate own-goal by the UK defender Laura Bassett is a good example. In the match against Japan, she took a risk, which was instinctive and simply reflex, but it resulted in a UK loss and it forced them into the third place match.

The risks facing the goalkeeper are extraordinarily high. There is little nuance between success and failure. Conditions must be assessed quickly and the action taken must be swift and deliberate. For instance, in the final World Cup match, where play was well away from the goal, the Japanese keeper came off her line for only a moment. This is when Carli Lloyd scored the astounding goal from midfield. The keeper took a risk, unaware of the possible consequences, perhaps even unaware that she was taking a risk at all.

There are also times when reaction or reflex can be a hazard when confronting a negative situation in a school environment. To avoid an ‘own-goal’ in your school setting, planning is critical; risks must be identified, evaluated and appropriate action plans created to mitigate those risks. And what about situations where it appears there is little to no risk at all – a new venture, or creating something in your school that will no doubt benefit a majority of the population? Without adequate risk assessing with representatives from all stakeholders, you may never identify a risk until it is too late.

Manage The Unexpected

Has our culture become more violent? Or is news so readily available to us that it only appears horrific incidents occur more frequently? Surely fodder for debate. What cannot be argued, however, is the need for preparedness. Emergency plans should be in place, communication policies should be developed, frequently reviewed and updated, and a strategy should be developed to manage the unexpected.

While an effective Enterprise Risk Management framework offers a wide variety of benefits to a school or business, no manner of audit or extensive risk management planning can predict an unforeseen event. And if something occurs, the court of public opinion will judge the actions of senior management taken during the event, then again by the actions taken in the aftermath during the inevitable media onslaught that will ensue.

This topic is the elephant in the room. The mindset of, “that sort of thing is unlikely to happen here” (I heard that once) is antique and dangerous.

In addition to identifying risks within your organization during extensive risk assessment sessions, Banyan Risk Management Consulting conducts each session with an eye toward potential audit issues. Many times during risk assessment sessions, weaknesses in established processes are identified, issues with data or physical security are discussed, as well as a myriad of other topics. If the same topic is brought to light in several risk assessment sessions across different departments, it is likely a problem exists.

While no empirical evidence of an audit issue is obtained during risk assessment sessions, Banyan Risk Management Consulting provides written documentation to senior management for their consideration, explaining the nature of the topics discussed.

Do you have an effective emergency plan in place? Is it tested? Do you have a communication policy in place? Is it reviewed and updated regularly? Who will address the media if an unforeseen event occurs? Are all employees instructed to refer the media to a central source for information? These and many other questions are posed when establishing an Enterprise Risk Management framework.

Protect your reputation – it is your most important asset.

The link below is the report of the review panel on the tragic events at Virginia Tech in 2007. Hundreds of lessons can be learned from the information contained in this report.

Two Essential Components of ERM

Communication with stakeholders
During the information gathering stage of the ERM process, it is vital to hear from as many voices as practical. Risk assessment sessions are designed to identify “inherent risks” – those risks without any consideration of mitigating controls. And from these sessions, all types of risks are fair game for ERM documentation, from all stakeholders.

When establishing the ERM framework, it is important to ensure all stakeholders are provided updates along the way. A steady stream of information from senior management to stakeholders strengthens the base and keeps everyone engaged in the entire process. Employees (and others) have too often been involved in an effort for the greater good only to be given nothing specific about results, action plans or procedures that may ultimately affect their daily operation. An effective ERM process must keep stakeholders involved to maintain the momentum of creating a more risk-aware culture.

Unaddressed Risks
The risk assessment process is complete, all documentation is complete and a report has been published. Now what? The natural progression leads to control testing and an evaluation of the control environment. Testing will identify control deficiencies, and an evaluation of the control environment will provide a barometer of the control culture. Once all control issues have been identified, prioritizing and action planning must follow.

Highly rated risks in your organization must be addressed. Without an ERM framework, if a risk comes to fruition, with all the bad ink that will come your way, you can claim you were unaware. However, an eyes-closed position is not only inadvisable, it can be extremely harmful to your organization. With a well-established ERM framework, you will be aware of the risks facing your organization. But this also places your organization at risk: knowing what your risks are, yet doing little to ensure each risk is adequately mitigated. A simple resolution: take action and document well.

Prioritization of risks and appropriate action planning are essential elements in the ERM framework: understanding the risk and developing plans to mitigate the risk. If a negative event occurs during your planning process, while your organization is in the process of risk mitigation, you will be in a far better place.


Personal Approach to Enterprise Risk Management (ERM)

Regarding ERM and the risk assessment process in general, I take a page from H.D. Thoreau: “…Simplify, simplify.” The ERM process does not have to be complicated, just comprehensive and on-target. Risk assessment sessions with key employees are absolutely vital to the process. In these sessions, specific objectives will be documented and inherent risks will be identified, without considering any controls in place to mitigate risks.

I am a dedicated believer in function over form. The most efficient approach for a successful ERM is to introduce risk management theories using a practical approach and creating ERM documentation that is easily understood and maintained. A successful ERM is an iterative process and it requires input from the experts in your institution – your employees.

My responsibility is to draw from the knowledge of your experts. The risk assessment process may be a new venture to many, but with a practical, enthusiastic approach to the theories of risk management, the sessions discussing risks will be informative, efficient and extremely productive.

A successful ERM effort begins, yet never ends. The fundamental elements of risk management and risk assessment should be incorporated into strategic planning, project management and into the daily operation of a business or institution. The ERM process offers significant benefits and it can be infused into an institution’s current culture with very little stress and pain.

Is ERM doomed to fail?

The short answer to this question is yes. ERM requires proper care and feeding, otherwise the time and energy expended to enter into a new risk-aware environment are for naught.

ERM requires thorough documentation. And no matter the form it takes (Word, Excel, PowerPoint, etc.), if the printed documentation is stored in a file, or under stacks of folders on a credenza in someone’s office, it will be of no use to anyone. If an electronic version is stored in a folder only to see the light of day during an annual review, ERM is rarely a benefit. A purely electronic ERM process faces a similar fate; if the process is documented in ERM software, the icon can just as easily be lost among dozens of other icons on a desktop.

It matters little what final form the ERM takes – the key is how the concept of risk awareness and risk management is integrated into your environment. A culture change in an institution isn’t necessary to incorporate ERM into professional lives; culture changes can take many years to achieve. Rather, an infusion of risk awareness into the current culture is the goal: to raise the institution’s risk intelligence quotient, and to introduce a new vocabulary and a new philosophy to work with your current strategic planning and daily operations.

An ERM can do far more than simply identify risks and the controls in place to mitigate them. A successful ERM should take a holistic approach and define the institution’s risk appetite. ERM is an invaluable methodology when infused into the day-to-day operation of the institution, during project planning and when developing strategic plans.

Thoughts on Enterprise Risk Management

The reputation of your school or business is the most valuable asset you have: protect it.
And when considering risk, your employees are the best resource to identify specific risks.
The risk assessment process is the first phase – and the most vital phase in the Enterprise Risk Management (ERM) process. It is vital to hear from as many voices as possible in the risk assessment phase.

ERM is far more than crisis management, or simply insuring against loss. ERM examines everything in your organization in an effort to identify what risks you face.

By closely examining your environment for risk, you may be surprised what is uncovered.

Why create an ERM framework for your business or school?

  • To help your business or school remain a viable option
  • To get ahead of potential issues, resolve them prior to coming to fruition
  • To improve your risk IQ
  • To stay off the front page of the newspapers, or before the scroll on a news website
  • To help everyone sleep just a little better at night