Enterprise Risk Management
Background
Executive management and the board of directors of an independent mortgage banker with a nation-wide footprint recognized that the company was frequently experiencing various risk events. While these risk events were often small, management noted that they often required a crisis management approach to resolve in a timely and efficient manner. Actual risk events often require key personnel to create and staff a response team and to invest substantial time in developing and vetting an appropriate response plan. Often, as part of the response effort, the team had to determine the root cause of the risk event and initiate appropriate process and system changes to prevent, or at least mitigate, a repeat event.
A security incident caused by a ransomware breach occurred just prior to the Tomorrow Group engagement. Regrettably, the company had no security incident response plan and did not have adequate insurance coverage for a ransomware attack. Consequently, the notification deadlines mandated by regulators and state laws were missed, and the company incurred additional costs and penalties.
Approach
· The Tomorrow Group first reviewed the company’s strategic plan and outlined the roles, responsibilities, and KPIs of each business and support unit.
· The initial review included the organization structure and internal control framework in the context of the company’s risk appetite.
· Like many companies that are not subject to the close regulatory oversight required of financial institutions, the company had not defined its risk appetite or built a control and management reporting framework to support its substantial growth over the past five years. Consequently, controls and KPIs were not designed to support higher risk levels or to reveal important trends that should trigger changes in policies and procedures.
· The company had expected its insurance agent to ensure there was adequate coverage to mitigate the financial impact of risk events. While the agent had provided cybersecurity insurance, that coverage did not include kidnap and ransom events. Consequently, there was no coverage to offset the ransom payment the company made to quickly restore access to its data and systems.
It is exceedingly important for a 21st-century business with substantial capital and multiple stakeholders to have a comprehensive enterprise risk management framework that supports each business unit and the company as a whole. The framework must also facilitate and/or monitor the execution of risk policies, procedures, and/or program requirements.
The Tomorrow Group then fulfilled a fractional Chief Risk Officer role until the company was able to recruit and transition a full-time resource.