Two stories in the news recently that highlight failures in risk monitoring have caught my eye: one involving a listeria outbreak caused by tainted cantaloupe, and the other involving Citigroup losing $285 million for defrauding investors.
In the cantaloupe story, the deadly, nationwide listeria outbreak was traced to a packing facility in Colorado operated by Jensen Farms, where factors such as workers and trucks accidentally carrying the bacteria into the facility, and machinery that was hard to sanitize, created the environment in which the bacteria could grow and thrive.
In the Citigroup story, the Securities and Exchange Commission (SEC) settled a civil suit against the banking giant totaling over a quarter billion dollars for failing to disclose to investors the role of their investments, or that it had made bets that those investments would fall in value. Such charges have continued since we first identified the issue in 2009 and saw it happen to Goldman Sachs in 2010.
So what do cantaloupe and Citigroup have in common?
Both Jensen Farms and Citigroup were in compliance, yet failed to have effective risk monitoring in place.
The packing facility that caused the outbreak was audited two days prior to the outbreak and received a passing grade of 96 out of 100, so the facility was in compliance. Despite passing, the conditions causing the outbreak were still present.
In Citigroup's case, the investments themselves were in compliance with regulations; however, it was the lack of risk disclosure that resulted in a loss of $285 million and a tarnished reputation.
The lesson to be learned from both of these cases is that simply being in compliance is not enough. Organizations must additionally be able to fully assess, mitigate and monitor risks across all business functions and through every material level, and see how those risks connect to business performance.
The first step in seeing across silos and levels, and in seeing the link to business performance, is evolving your organization's risk taxonomy. Your taxonomy is the risk framework that manages the relationships between risks, activities, and goals and defines your organization's standards, assumptions, and terminology.