The Highlights of IMPACT 2017
Steven Minsky | Nov. 29, 2017
LogicManager recently hosted IMPACT 2017, our annual ERM conference where risk professionals gather to share their challenges, successes, and insights in the risk management industry.
For two days, LogicManager users lead educational sessions on how they’ve made vast improvements to their various risk and governance programs, such as third-party risk management, compliance, audit, and more.
This year, we heard from a particularly diverse group of experienced professionals hailing from Boston to Hawaii in industries such as banking, energy, and healthcare. While each attendee’s company and program were unique, their advice was universal to developing a strong ERM program that protects, adds values, and drives success.
Among the countless moments of knowledge sharing, there were a few highlights that stood out to me throughout IMPACT 2017:
1. Reputation is everything
I opened the conference by addressing an undeniable trend: our see-through economy. Empowered by social media and ever-advancing technologies, consumers have the means to monumentally impact a company’s reputation. This is of serious consequence to the business world considering intangible assets, such as brand and reputation, account for 87% of the net worth of the S&P 500.
Instead of treating risk management as a means to meeting hard and fast regulations, the CEOs and Boards of every company will need to build their ERM programs in a way that manages reputational risk. This means listening and responding to the needs of customers, not just regulators.
This theme resonated with many IMPACT attendees. For example, our third-party risk management panelists unanimously agreed that while you can outsource a process, you can’t outsource its risk. Equifax served as a poignant example of companies failing to properly manage their third parties, and suffering immense reputational consequences because of it.
2. The increasing importance of cyber security
Events like WannaCry, Equifax, and countless other breaches in recent months have awoken companies to the importance of managing cyber security risk. I delivered my opening keynote at IMPACT 2017 on the topic of operationalizing cyber security, that is, aligning the policies you have in place with the risk and procedures that are carried out across the enterprise to manage and report on that risk.
Many think that more technology is needed to protect their organizations. But if you look at recent events, technology is rarely the root cause of a cyber-related scandal. 81% of breaches leveraged weak or stolen passwords, and only 20% of employees will strengthen their passwords after training. The same is true for following-through on patching, asset management, access rights, and other governance activities with risk-based task management, monitoring and reporting. The weak links in our corporations are now the people, policies, and procedures.
Fortunately, many attendees spoke towards how they’ve been able to identify gaps between their policies and procedures, and consistently improve their cybersecurity measures.
Some users shared their experience in the aftermath of Equifax, which was a big concern for their Boards. One attendee explained how it was important to anticipate the concerns of Board members using LogicManager to gather existing data across many departments and to address those concerns, such as which personnel were impacted, who has access to critical company data, and what their authentication procedures are.
3. How to engage the Board of Directors
Perhaps one of the hottest topics of discussion at this year’s ERM conference was how to present information to the Board so they can make strategic, risk-based decisions.
A lot of the advice came down to reporting. One attendee shared that she went from presenting her Board with a 15-page report of the company’s top 25 risks to presenting a 2-page report with the top 10 risks and a heatmap using LogicManager. Many attendees agreed that their reports are easier to read and act on when they incorporate high-level summaries, graphs, and dashboards.
When engaging the Board, one presenter said, you have to present risk in a way that resonates with their concerns. The consensus was risk managers need to take the time to understand what matters to their boards, what their goals are, and ultimately, how risks in every area of the business impact those goals.
One user agreed that although “building tone-at-the-top support is essential” for building an effective, sustainable ERM program, providing actionable results each 90 days is an expected return. Others shared their tips for building this support. One attendee advised creating an analogy between sports and risk management to make the topic more relatable. Another mused over the idea of showing a slide with nothing more than a banana peel on it as an ice breaker to get the conversation started!
4. Tips for ERM implementation
IMPACT 2017 attendees were in various stages of implementing ERM programs at their companies. Those in the later stages were a great resource for those in earlier stages.
Here are some of their top tips:
- Have a plan. Start and finish one project at a time. Don’t take on too many tasks right away, and carry your first initiative through to completion.
- Begin with one governance area. When other departments see what you’ve done, they’ll want to be a part of it.
- Consider engaging select leaders, who will then be happy to train others.
- Get to know your business from the inside.
This last point was presented in a particularly interesting fashion. One presenter compared getting to know a business area to the animated film “How to Tame Your Dragon.” The presenter said, “Once you find out dragons are like puppy dogs, your world is forever changed.”
The parallel here is that many employees operate in silos, unaware that there are other silos surrounding them, seemingly isolated, but in every way connected to their own. Understanding how the business really works, how these silos are connected, and how they roll up to achieve the company’s core objectives is at the heart of implementing a successful ERM program.
5. LogicManager: Looking Ahead
IMPACT 2017 closed with a look towards the future of LogicManager in 2018 and beyond. The team presented some exciting enhancements to the product inspired by advances in Artificial Intelligence (AI), Robotic Process Automation (RPA) and Business Intelligence (BI) technology and our customers’ needs.
We gave a live demonstration of the platform’s future, including visibility rules, automation rules, a UI face lift, and more. The goal of these enhancements is to continue to streamline the data collection process, automate manual activities, and make the user experience more intuitive than ever. I speak for all of LogicManager when I say that we’re excited to share more about these advances in future posts and press.
6. A unique learning opportunity
Perhaps our favorite takeaway from IMPACT 2017 is that our customers saw this conference as a unique learning opportunity. IMPACT is by risk managers, for risk managers. It’s a place for our users to come together and encourage each other to improve.
As one attendee put it, GRC is a hard, often thankless profession. But IMPACT is a place where risk professionals can collaborate and remind each other that they really are laying the groundwork for a better tomorrow.