When Risk Becomes Everyone’s Responsibility

Risk and Strategy in Business, Image of hand stopping falling collapse wooden block dominoes effect from continuous toppled block, prevention and development to stability

Table of contents

On a recent episode of LogicGate’s podcast, GRC & Me, Jason Wang the Chief Risk Officer at Synergy Credit Union based in Canada, shared his thoughts on how to evaluate the new risks that have emerged due to the COVID-19 pandemic, the importance of Environmental, Social, and Governance (ESG), and why he believes everyone in an organization is a risk manager. 

At Synergy Credit Union, Jason is building the Enterprise Risk Management (ERM) function, which covers Business Continuity Planning (BCP) and disaster recovery frameworks, including a pandemic response framework that was completed just in time for the COVID-19 pandemic.

Prioritizing Privacy 

When considering the impact of COVID-19, one area which Jason believes is easy to overlook is the company’s responsibility toward their employees’ data privacy.

According to Jason, sensitive information needs to be handled with care, “Remember employee privacy is also privacy, and there are sensitive issues related to COVID-19.  For example, who is a close contact? Who has tested positive? Who’s isolating at home, and who’s traveling? And more recently, who’s vaccinated?”

Such sensitive information requires the organization to think carefully about managing, storing, and destroying data to ensure compliance with privacy requirements.

The handling of sensitive information isn’t the only thing the pandemic changed, Jason says, “The pandemic has disrupted people in many, many ways, whether it’s how they bank, how our employees work, or how people were really forced to take up and start to use new tools.”

Jason believes this disruption has led to a potential increase in human error, including a greater likelihood of data and privacy incidents. One example is the need to use email for customers’ private documents rather than face-to-face contact.

The risk of sending private information to the wrong email address is exacerbated by easy-to-miss errors, such as the autocompletion of an incorrect email address. While Synergy did not experience this, Jason did use this opportunity to raise awareness of data privacy and cybersecurity amongst the staff.

Though these issues can be frustrating, they can also be used as a learning opportunity, Jason says, “So I think the positive that came out of that, and this is part of the work of the COVID-19 committee would be, ‘Hey, the silver lining of this will be, now's a good opportunity to educate everyone again, to raise the awareness about just how important data, privacy, cybersecurity, all of these things are.’”

Using real-life challenges to educate employees raises the bar for excellence at your company while promoting a problem-solving mindset.

Understanding the Importance of ESG

ESG is a relatively new concept for many organizations. It expands investment decisions beyond pure financial gain and considers the wider environmental, social, and ethical impacts that organizations have on the world.

ESG brings with it the concept of double materiality. Simply put, an organization affects the environment through its actions such as pollution or its impact on local communities. This is termed the outward impact or outward risk. At the same time, the environment has an impact on the organization.

For example, floods or wildfires can cause damage either directly through physical loss of company assets or indirectly through damage to investments. This is termed the inward impact or inward risk.

With more people gaining a comprehensive understanding of the effects of climate change, investors are now looking for ways to make money while avoiding harm to the planet or its people.

As such, they are turning to ESG reporting as the means to help with their investment decisions, Jason says, “We all live on this planet, and we share the planet, and probably for the foreseeable future, this is the only planet we can live on…We have to treasure and protect this planet. I stay pretty close to the research and the science on this front, particularly when we talk about climate risk. It is a real risk.”

Right-Size Regulations

While some organizations feel that onerous regulation can stifle innovation, the events in recent years have demonstrated that prudent risk management can be a blessing. For example, when regulators insist on maintaining a high capital ratio, banks and financial institutions under those regimes have been able to weather difficult conditions where institutions in other countries have failed.  

The regulations have both pros and cons for companies, according to Jason, “Tight regulation is not always a bad thing, but it does sometimes make us feel like our hands are tied and we can't do this or we can't do that. So it’s hard to remain competitive and innovate.”

Financial institutions have an important role to play when it comes to being a voice of reason in the face of knee-jerk reactions from regulators. Oftentimes, these complaints come from a small contingent of consumers or are conflated by bad press.

When that happens, institutions must engage in a good dialogue with the regulators to help them to understand that incidents are not the same as systemic issues.

While there are more than 270 credit unions in Canada, their combined assets represent only a fraction of the assets held by banks such as the Royal Bank of Canada.

So with a smaller team, it is much more difficult to keep up with the demands of regulators, Jason says, “If the regulators become prescriptive and they want exactly these 10 things to be done and you have to prove it, and you have to follow this [process], then is it really fair and really productive to let my five people go through this, where they have a large team bigger than our whole bank to do this?”

In Jason’s view, the answer lies in right-size regulation. By this, he means that regulators should define the principles and ensure that the intentions are clear. The organizations can then define for themselves how they should implement processes to demonstrate compliance.

Internal education about risk and compliance is an important part of Jason's role. When it comes to internal control, Synergy Credit Union and most other institutions rely on the concept of the three lines of defense.

This concept considers all employees and their management to constitute the first line of defense, which ensures policy and procedure are adhered to. The second line of defense is formed by the risk management function, which is designing the controls to ensure policy and procedure cannot fail. The Internal Audit makes up the third line of defense to assess the efficacy of controls.

Companies should make sure their employees understand their role in these defenses, Jason says, “Just by telling people that this is how it’s actually structured makes people feel included in the risk compliance, risk prevention, and fraud prevention. Everyone is a part of it.”

It’s important to make everyone feel they play a role and are responsible for managing their company’s risk, even if it’s not in their job title. Continued internal education and awareness are the keys to keeping all teams accountable.

To listen to the full GRC & Me episode with Jason, access it here. To learn more about how a holistic GRC platform like Risk Cloud can help you manage your risk program, request a demo or visit us at logicgate.com.

Further Reading

GRC Insights Delivered to your Inbox