Risk Management Bulletin

6 Simple Tips for Better Security

By Risk Management Bulletin

No matter how rigorous you think you are in protecting your business against security breaches or other risks, there’s always room for improvement. Here are six simple steps you can put in place right away that can have a significant impact on reducing your business’ exposure to risk:

1. Have a written code of conduct. Writing down rules and repercussions for poor behavior is the best way to make sure your employees know what’s expected of them, as well as the consequences for risky or inappropriate behavior. Offer a copy of the code to new hires, and whenever changes are made, provide updated copies to all employees. Also be sure to review it frequently so it can evolve as your company grows.

2. Maintain ample office security. Make sure to install adequate locks on doors, windows, desks, file cabinets and individual rooms in your office, and keep a close eye on keys. Make sure employees change passwords frequently and adhere to your company’s BYOD policy (you do have one, right?). Install cameras and motion detectors as needed, and be sure to use adequate lighting in all areas, especially near entrances and exits.

3. Schedule regular security audits. Make time to regularly check documents in your employees’ possession, both at their work station and on their computers. The idea is not to penalize employees, but rather to identify risky behaviors or practices where your company can improve its overall security. Once areas in need of improvement have been identified, devise and implement strategies to overcome these weaknesses ASAP.

4. Shred monthly — or weekly. Pretty self-explanatory; don’t leave sensitive documents around. This includes not only your company information, but information provided by your customers. Put a shredding day on your calendar every month or week, and then be sure to stick to it.

5. Restrict computer access. While all your employees may need to access computers to do their jobs, they probably don’t all have to be able to reach every document or file you have stored on your computer network or in your company cloud. Designating clearance levels lets you decide who has access to what, and can be a powerful step in reducing the risk of security breaches and inadvertent — or intentional — information leaks.

6. Have an emergency plan in place. You and your employees should know what to do in case of a fire, theft, natural disaster or other emergency situation to avoid unintentional security breaches. Like the code of conduct, your plan needs to be written down and provided to all employees. Review it at staff meetings to make sure it’s understood.

Are You a Natural-Born Risk Manager?

By Risk Management Bulletin

Some people — managers and business owners included — are just better at managing risk. Maybe it has something to do with personality or natural ability, maybe it has something to do with a more developed skill set or greater understanding of the risk management process — most likely, it’s a little of both. Management consulting firm Accenture decided to explore the question of just what makes a business owner or manager truly effective at handling risk, and here’s what they found:

Top-performing owners and managers:

* rely more on their chief risk officers (CROs) for guidance and advice when developing and maintaining risk management programs and activities
* are involved more with their boards of directors in discussing potential risks and how to handle them
* focus more on emerging risks and strategic risks than day-to-day management of known weaknesses, leading to greater effectiveness and responsiveness when new risks emerge
* are at the head of the pack when it comes to analytics
* excel at recruiting and retaining employees, as well as training them
* face fewer obstacles with regard to board buy-in, employee skill and even budgets

Some of these factors are advantages that not all businesses enjoy. For instance, most managers and even owners find themselves up against budget constraints more often than not, especially where risk management is concerned. But other factors are clearly skills that can be developed and honed. For instance, getting board buy-in might be easier if you take the time to develop ways to reward your board members in meaningful ways to let them know they’re valued. We’re not talking kickbacks here — just simple ways to let them know you appreciate their time, like a phone call or a thank-you card.

Likewise, learning how to screen employees during the hiring process and implementing effective ways to retain good employees are skills that can be learned. In fact, both of these factors — dealing with the board and handling employees — are people skills that involve a certain degree of insight. If you’re lucky, that insight comes naturally; if not, it’s certainly a skill worth cultivating.

Making the Most of Background Checks

By Risk Management Bulletin

Lying on a job application isn’t a new concept, but you might be surprised just how often it happens: According to results of a survey from The Society of Human Resource Managers, 53 percent of all job applications contain false information and 78 percent are misleading. What’s more, 70 percent of college students reported they’d lie on an application to get a job they really wanted.

Lying on an application is about more than dishonesty; it also leaves your company open to significant liability risks and losses. In fact, just one negligent-hiring lawsuit can wind up costing a business millions of dollars in addition to significant negative publicity and loss of customer trust.

Comprehensive background checks are the first line of defense when it comes to avoiding negligent-hiring lawsuits as well as theft, harassment and other criminal and civil issues, but too often, employers fail to implement policies effectively.

Here are some tips to ensure your company is getting the most from its background checks:

  • Search data from both national and countywide databases.
  • Be sure your policy adheres to the Fair Credit Reporting Act (FCRA); that means getting written authorization to conduct the check and recognizing the applicant’s right to dispute information turned up by the background check.
  • Make sure the data you use in your hiring decision is based on relevant and factual information.
  • Make sure you apply your background check process fairly and not just on specific applicants or groups of applicants.
  • Establish criteria to determine which results will preclude employment and apply those criteria consistently.
  • Review your process regularly to make sure it’s being implemented properly and to make any necessary changes to ensure it remains responsive.

 

Gathering background information on your potential employees is important not only for your company, but for your customers’ security as well. If you don’t have the skilled personnel to carry out background checks in-house, outsource the task to a company that specializes in employee screening.

Tips to Avoid a FCRA-related Lawsuit

By Risk Management Bulletin

Class action lawsuits involving the Fair Credit Reporting Act (FCRA) are on the rise; according to a report by the law firm Littler Mendelson, during June and July alone, more than a dozen class action suits were filed against employers across the country. Although many of these suits may appear to be based on the most trivial technicalities, they can still result in millions of dollars in losses.

FCRA suits generally arise as a result of two causes: Employers fail to follow proper protocol when obtaining a report from a credit reporting agency (CRA), or they fail to observe the steps required when information from a report results in an “adverse action.”

In a nutshell, here’s what you need to know:

  • Before a company can obtain a report from a CRA, it must provide a written disclosure to the applicant, typically in a separate document that solely addresses the company’s intent to collect information.
  • The applicant must provide written permission to allow collection of data from a CRA.
  • When contacting the CRA, the company must certify that it is requesting the report for permissible purposes and that it is in compliance with FCRA and equal opportunity employment laws.
  • If the company decides to take adverse action, such as denial of employment, based on information in the CRA report, it must first provide a notice to the applicant, including a copy of the CRA report and a copy of the statutory Summary of Rights. These rights provide the applicant with a chance to discuss and dispute the information prior to an action being taken.
  • If the company decides to move forward with an adverse action, it must provide the adverse action notice to the applicant orally, by electronic methods or in writing.
  • The adverse action notice must include: contact information for the CRA; a statement that indicates the CRA is not responsible for the action; a statement that the applicant has a right to obtain a copy of the report; and a statement that the applicant has the right to dispute the report’s contents.

Loyal Employees Reduce Risks, Increase Success

By Risk Management Bulletin

During the past few decades, the workplace has changed significantly, and one of the biggest shifts has been in the number of years an employee remains with one employer. While a half century ago, it was “normal” practice for the majority of employees to remain with an employer for many years — sometimes entire careers — today’s employees are likely to change employers every few years. That’s bad news for employers: Workers who remain longer with a company attain a far deeper knowledge of the company, its brand, its products and its customer base, making them much more valuable than any new hire. And unlike a new hire that’s an “unknown quantity,” loyal, long-term employees can actually help reduce a company’s level of risk.

Still, when it’s time to take stock of a company’s assets, valuing employee loyalty can prove problematic; many companies wind up ignoring the value of loyal employees in favor of focusing on easy-to-grasp tangible assets. Likewise, many companies don’t bother to learn how to retain employees for the long term, or even know where to start.

Motivating employees to stay on board doesn’t have to be difficult. If you’re interested in learning what you can do, Monster.com offers the following tips:

  • Implement career paths that offer opportunity for advancement, and let employees know how to advance in your company.
  • Proactively monitor morale and seek out ways to help improve morale in ways that are meaningful to your employees.
  • When devising management training programs, consider what makes a good, effective manager from a worker perspective rather than focusing on what management wants.
  • When considering compensation, think beyond salary to include health insurance, vacation time, pension plans and other perks.
  • Teach your managers how to provide consistent and valuable feedback and mentoring, and ensure they understand how to listen to employees and value their input.

 

Learning to retain employees isn’t rocket science, but it does take commitment and time. Take some time today to brainstorm ways your company can develop a workforce that’s as committed to your company’s success as you are.

Is Diversity Training Effective?

By Risk Management Bulletin

During the past decade, diversity training has become a huge industry, with many companies implementing programs aimed at helping all employees feel valued while reducing bias and unfairness. That’s the stated purpose, and it sounds great; but when you get right down to it, the reason most companies implement diversity training programs is to, hopefully, reduce liability issues including potentially costly lawsuits. And what’s more, recent studies have been indicating that most diversity training programs simply don’t work.

In fact, one study from Harvard University looked at 829 companies over three decades and found that the training resulted in “no positive effects in the average workplace.” Even worse, the researchers also found that in workplaces where diversity training is mandatory, the training “actually has negative effects on management diversity.”

The researchers noted that the very nature of diversity training forces people to think in terms of categories. In the end, employees are more likely to dehumanize people than to see them as individuals.

Mentor programs appear to be very effective, the study says. Such programs can provide everyone with connections to “higher ups,” and they are generally better accepted than training programs, possibly because they are available to everyone, not just specific groups.

“Mentor programs put aspiring managers in contact with people who can help them move up, both by offering advice and by finding them jobs,” the study authors found. “This strategy appears to work.”

The study found another good approach to ensuring diversity in the current workplace and in hiring practices is to put one person or a group of people in charge, acting as a diversity manager or task force. Managers and task forces can be effective because they focus on identifying both specific problems and remedies.

“Managers and task forces feel accountable for change, and they monitor quarterly employment data to see if their efforts are paying off. If not, it’s back to the drawing board to sketch new diversity strategies.”

The take-home message: Don’t give up on diversity programs in your company, but do spend time exploring other options that may be more effective.

M&A: Are Your CFO and Board Members Aligned?

By Risk Management Bulletin

Mergers and acquisitions are part of many businesses’ strategic planning initiatives, and to be carried out effectively, CFOs and board members ideally should be in alignment.

For many companies, though, achieving consonance between financial officers and board members who may have an incomplete understanding of the financial implications of M&A can be problematic. A recent survey by Deloitte identified the ways CFOs and boards tend to diverge and provided some suggestions for gaining the buy-in and cooperation necessary to enable M&A deals to proceed smoothly:

* Ensure the CFO clearly and thoroughly communicates the potential future risks and benefits associated with an M&A, including risks and benefits associated with the diversification of products and markets, and then relates or “ranks” them against each other to demonstrate the level of risk that’s potentially involved. Seeing risks and benefits in relation to each other can help non-financial experts understand the tangible value of a proposed M&A deal.
* Understand that CFOs may be more “friendly” to the idea of accruing debt to complete M&As and other deals than many directors. When necessary, CFOs should be willing to describe the benefits of assuming debt rather than depleting cash resources when an M&A offers significant value to the company. Again, a comparative measure of return can help board members relate to the potential advantages of an M&A or other deal.
* Board members should be assessed for their willingness to embrace risk and to become better educated about risk-benefit analysis, and opportunities to improve understanding and facilitation of M&A deals should be evaluated and implemented.

By working together, directors and CFOs can create value and promote growth. If an M&A deal is in your company’s future, helping these two influencers to align more closely can help ensure you maximize your company’s ROI while minimizing its potential risks.

Upgrading technology? Here’s what you need to know

By Risk Management Bulletin

For most businesses, adding new technology comes with more than just the upfront monetary cost. New technology usually involves a learning curve during which time operator errors tend to be high and efficiency drops off. It’s also a time when your business can be exposed to greater risks. Why? Two primary reasons: As noted, unfamiliarity with equipment can lead to errors that can leave you open to unexpected loss or damage; and at the same time, employees’ and managers’ attention is diverted from “normal” routines and focused on adapting to the demands of the new technology.

Every business needs to upgrade technology from time to time. So how can you make the transition without exposing your company to elevated risk? By incorporating risk management into every phase of the upgrade, from the purchasing decision to training and final implementation.

Here are some tips:

* Plan carefully. Many companies plan based only on cost and features. Instead, consider the human impact including the learning period when risks can be at their highest. Consider ways to decrease the curve or speed-up the learning process, or have a mitigation plan in place.
* Consider hiring a technology consultant or ask if your supplier offers a training program or any guidance with planning and implementation.
* Allot additional resources during training to ensure more focus is placed on identifying and managing potential risks, hopefully before they occur.
* Implement a reporting system that allows you to monitor implementation and track progress so you can anticipate risks during both current and future technology upgrades.
* Make sure to upgrade your risk management plans, operational procedures and insurance coverage as needed to reflect the upgrade.

New technology can help your business grow and stay competitive. Just be sure to plan carefully to minimize your company’s risk exposure during the transition period.

Reducing Risks: Is Your Insurance Up to Date?

By Risk Management Bulletin

During the next few issues, we’ll be looking at some ways to help you manage risk and save costs by making smart decisions about your insurance. Let’s get started:

* Choose deductibles wisely. Since a higher deductible usually means a lower premium, you want to hit that “sweet spot” where the deductible you choose balances your risk profile. Don’t choose a deductible that’s so high, it could have a negative financial impact in the event of a loss; but don’t choose one that’s lower than you need based on the risks your business faces, either.
* Make sure your property values are in line with policy limits. Have you purchased new equipment or upgraded your facility, or perhaps scaled back in some way or made improvements that could lower your premium? Make sure to let your insurance company know about changes in your property value or additions like an upgraded security system to ensure you have the right amount of coverage at the best possible rates.
* Know your loss ratio. Your loss ratio is determined by dividing the annual premium that you pay by the amount of any claims you’ve made in the past year. Most insurance companies look at loss ratios for the past several years when determining risk. A lower ratio means less risk, and that means lower rates and better deals for you. Knowing your ratio can help you prepare for rate increases and it can also help you negotiate for lower rates when your ratio is favorable.
* Plan for price shifts. Like other commodities, the cost of insurance is cyclical, and if your rates have been low for a few years, there’s a good chance they may go up in the near future. Avoid “sticker shock” by budgeting at the high end of the market so you’re prepared for potential price increases.

Look for more tips in next month’s issue.

FBI Offers Tactics for Avoiding Online Scams

By Risk Management Bulletin

Last month, we looked at some of the less common strategies hackers and other online criminals use to gain access to business accounts and steal data and personal information. In this month’s issue, we’re looking at some hacking prevention tips provided by the FBI:

* Make sure your computer system uses multiple layers of security to help thwart would-be attackers.
* Use the highest security settings on social sites and ideally, restrict access to social sites at work to only those who must use them, such as marketing personnel or managers.
* Make sure firewalls and anti-virus software are updated and enabled on all systems.
* Provide annual training in online security and educate employees about what company information they may and may not share.
* Make sure employees change passwords regularly and do not use former passwords.
* Monitor dataflow on your network at all times and respond to potential threats or risky employee behavior immediately.
* Implement a reporting system where employees can notify managers about potential threats or risks such as phishing or pharming.
* Review prior threats, risks and losses and develop and implement plans to avoid incidents in the future.
* Develop a robust BYOD policy and make sure to enforce it.
* Make sure your employees do not use work computers to access personal accounts or networking sites.

The Internet is an important tool for most companies today, from small companies to major corporations. In fact, for most companies, it’s hard to imagine operating without some sort of online presence. While virtually any business activity can pose potential risks, smart businesses work hard to establish protocols to identify potential risks so they can be avoided and, if unavoidable, mitigated. Implement these strategies from the FBI to help decrease your risks when using the Internet in your business.