Archive for June, 2009

Let’s take a look at what risk is:

Webster’s defines risk as a noun: “1. exposure to the chance of injury or loss; a hazard or dangerous chance.” In an insurance setting it is further defined as, among other things, “a hazard or chance of loss, the degree of probability of such loss, the amount that the insurance company may lose, . . .”.

In both of these definitions, the focus is on the chance of loss. The flip side, which is not mentioned, is that there is a chance of gain as well. Perhaps the better definition is the uncertainty of a result which may be either positive or negative.

We break risk down along the same lines. Risks that are inherent in the operation of the particular organization, where there is a chance of loss or gain, are referred to as speculative risk or business risk. Some examples would be loss of profits because of a change in the economy, a change in the competitive landscape that turns the product or service from a unique item to a commodity, or expanding into a market that doesn’t need the product or service.

This differs from pure risk or hazard risk, which is focused on potential accidental losses that are unintended. It is associated with either loss or no loss; the opportunity for profit does not typically enter into the equation. Examples of these types of risks are property, personnel, and liability.

We’ve all seen the commercial. Todd Davis, the CEO of LifeLock, looks to the moving billboard that is emblazoned with his Social Security number to show how confident he is that his identity can’t be stolen (it can be, and was, because the offending company didn’t run a credit check). Now Judge Andrew Guilford has indicated the service provided by LifeLock and similar companies is illegal.

One of the three major credit reporting organizations filed a suit in Federal court claiming that LifeLock was improperly requesting credit fraud alerts be placed on consumer accounts, which resulted in additional costs of millions of dollars every year (see the complaint here).

While I understand Experian’s claims of LifeLock crying “FIRE” when there is no smoke in the building, and regret the extra work required to proactively protect LifeLock customers, I see this decision setting a precedent that will push more work to consumers.

Judge Guilford’s ruling indicated that the original wording of the Federal Credit Reporting Act (FCRA) allowed the consumer directly, or an individual acting on behalf of or as a personal representative of the consumer, to be the requester of the fraud alert when the consumer is or is about to become a victim of fraud or a related crime, including identity theft (bolding and italicizing added by me). Because LifeLock is a company, it does not meet these criteria and thus is unable to file the fraud alert.

So, you ask, what does this mean to my company? If your company suffers a data breach that causes sensitive employee or consumer data to be exposed, technically you are no longer able to contract with a company to provide the fraud alert service. To be protected from identity theft, each individual would need to file a fraud alert with the three major credit reporting companies themselves.

This additional work shifted to the consumer could hurt your brand as well as your business reputation.   It may also affect your disaster recovery program for data breaches, something that needs to be reviewed and potentially updated with the Red Flag Rules set to go into place on August 1.

As a consumer, I hope that some compromise can be worked out that will allow a company to take the steps necessary to protect my identity; as a risk professional, I hope that occurs soon.

Every business thinks of the major risks that it faces during the course of the year, but there are some risks that are not given the attention they deserve. Here’s a listing of 10 “Rodney Dangerfield” risks that don’t get the respect they deserve.

  1. Reputation – Got a plan in place if your company or brand reputation is soiled? 
  2. Succession Planning – Is there a plan in place if key people in your organization are no longer there?  Who takes their place, who is the knowledge expert to keep that part of your business going?
  3. Identity theft – It doesn’t just happen on credit card transactions.  What’s the plan if your HR system gets hacked and Social Security numbers of your employees, along with other sensitive information, are taken?
  4. Economic instability – Lots of people didn’t see the economic downturn coming, did you plan for the changes in revenue? 
  5. Pandemic fever – Real or imagined, have you thought about how a pandemic (Swine, Avian, Spanish, blue flu or other global, national, regional, or local illnesses) will affect your day to day operations?
  6. Fraud – You have probably put great controls in place at many of the financial touch points.  What about some of the less obvious ones?
  7. Sales and usage tax – State and local governments are looking to collect all the   to them, are you collecting or paying your fair share on things you buy and sell?
  8. Technology – Keeping up on the latest trends in your industry to see if you are ahead, even, acceptable or behind the technology wave.  Are you providing your customers with acceptable technology for the product or service you are providing?
  9. Government regulations – This doesn’t have to be just the local government, but also in the countries you are sourcing products or services from.  Are you in tune with legislation that may affect how you conduct business? 
  10. Supply chain disruption – How do you react to product lost in transit, a port shut down because of a longshoremen’s strike, and other threats to getting your product to market?  Remember, supply chain is not just about products; it can also be about services, such as the IT contractor for the new project not being available to begin on the expected start date, or your project manager taking a bit longer to complete their previous project than anticipated.

So there are 10 risks that fly under the radar, and I am sure that you have run across many more.  Let me know your thoughts, and other items which should be added to the list.