Managing Risk
Lucy Fanger, Michelle Hirsch and
Chrissy Walters
September 24, 2019
2
Introduction
Lucy Fanger, Owner
• Founder and CEO of On Technology Partners,
a woman-owned technology company
developing partnerships with various local and
national companies through planning and
strategic design
• 25 years of experience
• Passionate about helping people and making a
difference in the business community in Ohio
and across the country
lfanger@ontechpartners.com
linkedin.com/in/lucy-fanger-5412581/
216-920-3100
3
Introduction
Michelle Hirsch, Brunswick
Companies
• Senior Vice President of Brunswick
Companies, a third-generation family-owned
insurance and risk management consulting
firm, serving clients nationwide
• Provides P&C insurance services to
companies, aspiring and accomplished
individuals, families and professional athletes
• Bachelor’s degree from Penn State University
and MBA from Case Western University
Weatherhead School of Management
• Part of Crain’s Cleveland Business:
– Twenty in their 20’s (2008)
– Forty Under 40 (2017)
mlstein@brunswickcompanies.com
linkedin.com/in/michelles1/
800-686-8080
4
Introduction
Chrissy Walters, Skoda Minotti
• Principal in the firm’s Accounting and Auditing
Group
• Leads the firm’s Internal Audit niche
• 17 years of public accounting and industry
experience
• Background with Big 4 accounting firms in their
external audit group and specializing in internal
audit co-source and out-source engagements
for large manufacturing SEC companies
• Coordinated and developed new internal audit
services in India and Argentina to benefit U.S.
engagement teams
cwalters@skodaminotti.com
linkedin.com/in/chrissy-walters-5992207/
440-605-7178
5
Strategies to Mitigate Your IT Threats
1. Technology Risk
2. Cyber Security
3. Cyber-Liability
Insurance
6
Technology Risk
What you care about:
1. Loss of function
2. Loss of business
3. Loss of money
Technology Risk is
UNDERSTANDING
Cyber Security is
IMPLEMENTATION
7
Cyber Security
Protection from:
1. Ransomware
2. Phishing/Spoofing
Email Attacks
3. Viruses
4. Account Hijacking
8
Cyber Security
Things to do:
1. Backup
2. Antivirus
3. Patching
4. Multi-Factor Authentication
5. Strong passwords
a. Password Management
programs
b. do not use the same
password for all
accounts
c. change passwords
regularly
d. use multiple characters
- the more the better
9
Cyber-Liability Insurance
What is it good for?
1. It helps recovery after a
loss.
2. It can help save the
company after a
catastrophic loss.
Concerns:
1. Are you covered?
2. Can you afford the
insurance?
“But surely you can’t put a price on your family’s lives!”
– Ex-Con Home Security Guy
“I wouldn’t have thought so either, but, here we are.”
– Homer Simpson
10
Business Insurance Requires
• Knowledgeable
agent
• Access to network
of carriers
• Experienced in the
industry
• Strong business
acumen
11
Universe of Risk Advisors
Independent Brokers
Captive Agents
Direct Response Companies
12
Sample of Common Business Insurance
Coverages
• General liability
• Property coverage
• Product liability
• Cyber
• Commercial auto
• Workers compensation
• Boiler and machinery
• Business Interruption
• Employment Practices
liability
• Directors and officers
• Fiduciary liability
• Professional liability
• Inland marine
• Employers liability
• Umbrella
13
Deciding the Right Coverages
• Diving deep into your business
operations with your insurance
agent
• Understanding available
insurance coverage to help
mitigate business risks
• Defining contractual liability with
clients, suppliers, tenants and
subcontractors
• Implementing the insurance,
business process and
contractual changes
14
Why Insurance Review?
• When was your last
conversation with your
agent?
• Did it extend beyond
revenue and address
changes?
• When was the last time you
saw a side-by-side analysis
of several carriers’ coverage
and pricing for your
business?
75%
Percentage of U.S.
businesses significantly
underinsured
Insurance Journal
15
Commonly Misunderstood Business
Insurance Coverages:
• Cyber vs. crime
• Home-based business
coverage
• Hired non-owned auto
• Umbrella
• Business interruptions
insurance
• Elements of management
liability
• Professional liability
16
Cyber vs. Crime
• Cyber, social, crime,
data breach,
professional indemnity
• Cyber liability – To
insure loss of intangible
property
• Crime insurance –
Protect an insured
organization’s assets
from threat by employee
or third party
58%
Malware attack
victims are small
business
Verizon 2018 DBIR
$2.2M
Cost of cyber
attacks on small
business
Verizon 2018 DBIR
90%
Cyber attacks are
successfully executed
with credentials stolen or
socially engineered from
employees
Identity Management Institute
17
Home-Based Business
Homeowner’s policy excludes:
• Business property
• Business liability (extends off
premise)
• Additional coverage
50%
U.S. business
home-based
sba.gov 2016
18
Hired Non-Owned Auto
• Rented a car on a work
trip
• Support staff picked up
office supplies
• Driving to a conference
• Picking up lunch for an
office meeting
19
Umbrella
• Realizing the impact of
liability
• Extends liability
coverage over primary
insurance policy
• Inexpensive premiums
20
Business Interruptions
• Different policy definitions
• Direct loss
• Contingent loss
• Extra expense
40%
Experienced a BI
loss and claim in
last five years
RIMS Business Interruption Survey
2017
21
Management Liability
• Directors and Officers (D&O) –
Protects Directors, Officers and
Employees against financial
impact from claims by
competitors, shareholders and
regulators
• Employment Practices
Liability Insurance (EPLI) –
Broad protection against
financial impact from claims
including discrimination, wrongful
termination, retaliation and
harassment
1 in 4
Private companies
experienced D&O
loss
Chubb Risk Survey 2016
7 of 10
Small businesses
don’t carry EPL
Chubb Risk Survey 2016
22
Professional Liability
• Errors and Omissions
(E&O) and malpractice
• Tail coverage
• Why is it different than
General Liability?
23
What Does a Broker Need to Quote?
• Expiration date
• Current policies
• Completed application
It’s important to
find a broker who
is experienced,
knowledgeable
and is willing to
help should a
claim arise.
24
Agenda
• Internal Audit Requirements
⮚ Public companies
⮚ Private companies
• Where to Start
• Process Documentation
⮚ High level
⮚ Instructional
• Your To-Do List
25
My Company is Fine….
“We’ve never had fraud…”
“Our employees know how to do their jobs...”
“We are very profitable…”
“Seems like a burden to undertake…”
• Are you prepared for unexpected changes to your
company?
• How will the company owners react if fraud occurs and you
didn’t take precautions to mitigate those risks?
• Can your company benefit from creating efficiencies?
26
IA Requirements for Public Companies
Public companies need to be compliant with Sarbanes-Oxley
- Document processes
- Conduct an annual risk assessment
- Prioritize risks (likelihood and impact)
- Identify or create controls to mitigate those risks
- Test controls to determine if effective
- Create remediation plans for ineffective controls
- Revisit every year or as needed
Does that seem overwhelming?... It doesn’t have to be!
27
Why are Public Companies Required to
Do All That?
• After Enron and WorldCom, investors lost
confidence in the accuracy of financial
statements
• Sarbanes-Oxley was enacted to combat
fraud, improve the reliability of financial
reporting and restore investor confidence
28
Benefits of Sarbanes-Oxley
Documentation helps by:
• Assigning responsibility to ensure accountability
• Identifying risks, controls or lack thereof
• Identifying process improvements
• Allowing others to understand the process
– New employees
– Auditors
– Management
– Potential buyers (Less risky = higher price)
– Banks
29
Benefits of Sarbanes-Oxley
After getting a solid understanding of the process,
you can determine where controls are missing or if
current controls should be enhanced.
These new or enhanced controls make the
companies stronger by:
• Standardizing processes
• Creating efficiencies
• Reducing the risk of human error or fraud
30
Private Companies
Shouldn’t all companies be concerned about
the accuracy of their financial statements and
if there are ways to gain efficiencies or best
practices?
YES
31
One Bite at a Time
• Don’t make the process of incorporating controls stressful.
• Internal controls should help alleviate stress because you
are taking action against risky issues.
• If not required by Sarbanes-Oxley, you don’t need to cover
all processes at once.
• Focus on your riskiest area, tackle that, and then move
onto the next.
Any internal audit activity is better than none!!
32
Internal Audit Overview
We help our clients become stronger by improving
controls over their financial processes. We
accomplish this through process documentation, risk
assessments and the development of effective
testing programs.
• Risks
• Controls
• Process Improvement
33
Process Documentation
34
Are Your Eggs All in One Basket?
Think about your most crucial employees….
• What if any of those employees quit, or had to
take a sudden leave?
• Could your company run smoothly with little to no
downtime?
• What would that downtime cost your company?
– How much time would be spent to figure out their
tasks?
– Would you miss deadlines?
– Would business be disrupted?
35
Step-by-Step Instructions
Create instructions for those crucial roles
• Month end close
• Payroll
• General accounting
Create “click-by-click” instructions
1. Have the employee create their own instructions
2. Demonstrate those instructions to another employee
3. The other employee asks questions for steps that need
clarification
4. The other employee performs the task unassisted
36
Risk-Based Audit Approach
• First, identify the risks (lack of review, segregation of
duties issue, improper access, etc.)
• Develop controls to mitigate the risks
– Segregation of duties (the same person can’t create new vendors and cut checks)
– Review controls with defined steps (a signature is not enough)
– Access controls (only allow essential access and remove it in a timely manner)
– Checklists (processes such as the month end close)
• Create a testing program to verify control effectiveness;
perform testing at least annually
37
5-Step Plan
• Step 1: Document the process
• Step 2: Identify weaknesses
• Step 3: Improve or create controls
• Step 4: Create a remediation plan
• Step 5: Control testing
38
Consider Your Company
• Have you defined your company’s risks?
• Do you have a control to mitigate those risks?
• How do you know if those controls are effective?
• Can your company benefit from a fresh set of
eyes to help determine best practice and
efficiencies?
39
Your To-Do List
Assess your company…
• What are the risks?
• What are you doing about them?
It’s that simple.
40
Questions?
Michelle Hirsch
Senior Vice President
Brunswick Companies
mlstein@brunswickcompanies.com
Chrissy Walters
Principal
Accounting and Auditing
Group – Internal Audit
Skoda Minotti
cwalters@skodaminotti.com
Lucy Fanger
Founder and CEO
On Technology Partners
lfanger@ontechpartners.com

