Authors – French Caldwell and Richard Stiennon
Key takeaways –
Third party risk management is not just for suppliers, IT vendors and service providers. In many cases, subsidiaries or other organizations within your enterprise, and even well-known business customers should be brought into the third party management program.
The problems at Deutsche Bank and Danske Bank reminded me of an inquiry I had with a CISO at a large high tech equipment manufacturer. We were discussing best practices in third party risk management. I asked him what types of companies he was monitoring and he told me they were subsidiaries. He was putting these subsidiaries through the same hoops as he would any other third party vendor, classifying them into three risk categories, doing deep dives and continuous monitoring on the higher risk ones, and documenting certification and accreditation on all of them.
The Financial Times today recounted Deutsche’s current regulatory rows — money laundering by a former subsidiary Regula that it had acquired in the British Virgin Islands and Deutsche’s role as a corresponding bank processing over €160billion in suspicious payments for Danske Bank Estonia. And of course Danske Bank Estonia was a subsidiary acquired by Danske.
Being “in the family,” it is apparent that Regula and Danske Bank Estonia did not get enough scrutiny by their parents. Had they been treated as high risk third parties, the risks and lack of effective controls to prevent money laundering may have been discovered earlier, avoiding the heavy supervisory presence and regulatory investigations that the parents now enjoy.
Also, Danske Estonia’s use of Deutsche Bank instead of its own parent to transfer money out of Estonia could have helped to bypass parental scrutiny. Should Deutsche have raised a red flag — like a neighbor who lets the neighbor kid smoke pot in her backyard? Deutsche didn’t raise a red flag, instead stating they weren’t the ones responsible for validating the source of the funds — that was Danske’s problem.
Yet, now it’s all come back on Deutsche, and the lesson learned for the rest of us — when a lot of money is on the line, treat your family and your friends as acquaintances.
1 — Bring high risk subsidiaries into your third party risk management program
2 — High risk customers should also be included in your third party risk management program
Key takeaways:
1 – With modern social technologies, political movements can coalesce in days, maybe hours
2 – The weak political center and struggling traditional political parties in France provide an opening for the emergence of more political movements enabled through social technologies\
3 – Government leaders should be prepared with strategies to predict, engage, monitor, and respond to rapidly emerging political movements
Over the last three weeks, protests in France that were triggered by a new fuel tax and rising fuel costs have grown through social media to become a national movement. Watching the yellow vests protestors break out into a violent mob in Paris, and the police response with tear gas and water cannons, reminded me of other protests over the last two decades that have been organized through social technologies. The very first was the Battle of Seattle where protest organizers used text messaging and online bulletin boards – but that required months and weeks of preliminary planning. As we observe in France, with modern social technologies, political movements can coalesce in a few days, maybe a few hours.
Text me — killing Doha
The anti-WTO protests in Seattle in 1999 are the earliest documented application of social technologies in street-level activism. In Seattle, protesters networking through cell phones and updates to online websites were able to outmaneuver police and shutdown a round of trade talks. The round of WTO talks that had led up to Seattle ended inconclusively with no agreement on the major issue of breaking down trade barriers between rich and poor nations. The subsequent Doha round of talks, which began in 2001 and was scheduled to complete in 2005, picked up on the same theme of breaking down trade barriers between rich and poor countries. However, ten years after the original deadline the Doha round was still not complete – the smart mob had killed it.
The Arab Spring — not quite social
With the advent of smartphones, social media combined with mobile technology, and Twitter was often identified as an enabling technology for street protestors in the 2011 Arab Spring protests. Credible research has shown that during the Arab Spring protests, most street activism preceded social media activity, rather than followed it – indicating that most people were tweeting and posting about the events they were seeing on television, rather than using social technologies to organize the protests.
Social technologies help political movements, but leadership still matters
Seattle in 1999 remains the benchmark for organization and execution of street activism using social technologies. The yellow jackets in France, have yet to demonstrate a similarly high degree of organization, and the protests could peter out. However, there is a political vacuum in France, with both right and left mainstream political parties having been marginalized in the last elections, raising the specter of a weak center represented by President Macron and his “La République En Marche” party facing a population that has shown that it can self-organize through online and mobile technologies.
So far, Macron’s government has been ill-prepared to deal with a national political movement that appeared in a fortnight. In Macron’s favor is that the yellow vests have shown no cohesive national leadership; yet, that is also a problem for Macron since there is no legitimate movement leadership to engage.
Recommendations
Many government leaders treat social media as another public relations channel, like print and broadcast media. Instead they should be looking at social and mobile data as a rich source of insights. Government leaders can use social media analytics to predict, manage, engage and respond to rapidly emerging political movements, as follows:
1 — stress test proposed major initiatives and identify key indicators that can predict the range of societal reactions
2 – identify the people who are the primary influencers and engage appropriately and constructively with them as the indicators warrant
3 — monitor the indicators before and after the initiative is launched, and
4 — if people take to the streets, analyze the mobile and social data to guide the deployment of and response by law enforcement in ways that prevent or limit violence
5 – while mining and analyzing social and mobile data, ensure that policy and procedures to protect individual and group rights of assembly, petition, free speech, and privacy are followed
Key Takeaways:
1 – Silicon Valley and Washington, DC, are vying for which capitol – the tech capitol or the political capitol — sets the public policy agenda.
2 – Americans are not so much worried about privacy as they are about Silicon Valley’s threat to their free will.
The SV-DC balance of power
I recently attended the Bloomberg Next Summit in Washington, DC, and during a panel discussion on the divide between Silicon Valley and Capitol Hill, Fred Humphries, Microsoft’s Corporate VP for US Government Affairs, made the statement that the technology industry has lost trust on Capitol Hill. The panel, which also included Niki Christoff, Salesforce’s SVP for Strategy and Government Relations, and Michael Beckerman, President and CEO of the Internet Association, then went on to discuss the prospects of a U.S. privacy law. Christoff boldly predicted that the next Congress will pass a national privacy law, and Beckerman agreed. Beckerman added that it is not going to be another GCPR, but will be U.S.-specific. Humphries offered a dissent, noting that there are many different business models in the technology industry, and these different sectors of the industry would each seek provisions that would impede other sectors, making it difficult to have a privacy regime that would apply across all of them.
Frankly, this panel’s immediate deflection to privacy as the issue that must be addressed to improve trust in the technology industry illustrates that Big Tech just doesn’t get it. What’s dividing Big Tech and Capitol Hill is power – it’s a fight over who is going to set the direction of public policy for the country. It’s not a fight that is peculiar to the U.S., but with the global capital of Big Tech being Silicon Valley, the balance of power between Big Tech and Big Gov in the U.S. has a huge impact on that balance in other countries, particularly in other democracies.
Free will, not just privacy is at stake
Certainly, Americans are concerned over their privacy. According to Pew, 91% believe that people have lost control of personal information and how it is used, and 49% are not confident of the federal government’s ability to do anything about it.
But so what – despite data breaches, identify theft, and all kinds of scams that emerge from these, most Americans still freely share all kinds of personal information online and through their mobile devices. Increased surveillance seems to be tolerated too – not just government surveillance, of which 82% of Americans are tolerant according to Pew – but almost everyone carries around a smartphone which collects massive amounts of personal data through the dozens of apps that are on each device.
Americans may be worried about the collection and misuse of personal information – but heck, they trust technology more than government. According to the Edelman Trust Barometer, after a battering year of tech scandals, including sexual harassment at many firms, concerns over how social media may have been used to manipulate the 2016 presidential election, and the Equifax data breach, trust in the technology sector dropped just one point to 75% as opposed to government which dropped 14 points to 33%.
Judging by their continued heavy engagement with mobile devices and online, privacy concerns are not the driving factor dividing Silicon Valley and Washington – it’s really, who is going to be the biggest influence on setting the public policy agenda — how Americans think about the issues and how we organize to achieve societal objectives.
It’s the perception that we are losing our individual and collective free will that is troubling Americans. In 2010, Google CEO Eric Schmidt said: “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” And knowing what we are thinking about allows Google and other search and social platforms to help their advertisers and partners to influence our actions — not just what to buy, but what issues matter most, and perhaps even how to vote. Are the FAANGs just one step short of mind control? That’s what Schmidt implied, and he’s made the same statement many times in many forums.
Capitol Hill’s issues with Big Tech aren’t the same as Americans’
Capitol Hill also has issues with Silicon Valley, particularly with social platforms like Facebook and Twitter. These platforms are enabling citizens to self-organize around public policy issues – loosely aligned groups like Black Lives Matter and the Tea Party are challenging establishment political parties for primacy in shaping the public policy agenda. Individual citizens are bypassing Congress, state legislatures, and regulators as they directly challenge businesses to change their behavior and policies.
There is also a concern on Capitol Hill and within traditional policy-making institutions over concentration of power within a small number of Big Tech firms – particularly the FAANGs – Facebook, Apple, Amazon, Netflix, and Google. Their dominance over control of information flows and news distribution, and the centralization of economic power enabled by their platforms, plus the dominance of these corporations by strong public personalities is concerning. Both the disintermediation of traditional political and governmental institutions and the concentration of power, enabled by social and e-commerce platforms, diminishes the role of politicians, regulators and other public policy-making institutions.
The possibility that the FAANGs could become more powerful than governments is not lost on politicians globally. European Union regulators are already taking steps under competition law and privacy law to de-fang the FAANGs, and China has shown that it is possible to have a rapidly growing internet sector with heavy governmental oversight.
While the model of governmental control in China is not transferable to western democracies, there is certainly more regulation to come for Big Tech in the U.S. A national privacy law will be a start, but that alone will not be enough to calm the unease of Americans and their politicians.
This week, I joined the Silicon Valley Leadership Group for a visit to Capitol Hill. The group had asked me to share a few thoughts with congressional leaders on how cybersecurity policy affects cloud software companies like my own, MetricStream. We met with congressional leaders who are grappling with cybersecurity issues. House Majority Leader Kevin McCarthy, Homeland Security Committee Chairman Michael McCall, and Representative Patrick Meehan all demonstrated a depth of knowledge on cybersecurity, and how it is affecting businesses. They were focused mostly on cyber intelligence sharing between the federal government and industry, and between companies. To remove roadblocks to sharing, Congress is considering bills from the House and the Senate that will provide anti-trust liability protections to companies that voluntarily share cyber intelligence. Privacy advocates are justly concerned with sharing of information, and protections are being built into the proposed legislation. Whether those protections are adequate is a political issue that is not easily resolved, but regardless some form of a cyber intelligence sharing bill will likely pass this year. There are several other cybersecurity policy issues remaining, and I expect this bill will break a logjam that has existed on critical infrastructure protection and data breach legislation. More legislation will follow in the current Congress, and that will be mirrored in the EU and other jurisdictions.
While new rules will confront GRC leaders with more requirements, frameworks engendered by those rules like the NIST Cybersecurity Framework are establishing the foundations on which digital business depends. The many opportunities from the digitalization of business can be realized when our GRC programs are robust enough to ensure our organizations’ resilience in the face of new cyber risks, and our ability to meet the new requirements of what is likely to be a rapidly evolving regime of cybersecurity regulations. CROs, CCOs, CIOs, and CISOs will need to work out their own policies for cybersecurity and privacy that account for the variations in laws between different jurisdictions around the world. Cyber risks do not respect geographic boundaries, and in fact bad actors take advantage of those boundaries to protect themselves from discovery and prosecution, seeking havens in locales where enforcement is weak. Companies also find themselves in the unenviable position of being in the midst of cyber wars, and these are wars that will not stop regardless of new rules. While industry, civil liberties, and government leaders work out national policies and new regulations on cybersecurity, it will take real leadership from GRC professionals to interpret these developments and keep their organizations ahead of the curve.
On 13 February 2015, President Obama issued “Executive Order — Promoting Private Sector Cybersecurity Information Sharing.” The primary objective of the order was to Information Sharing and Analysis Organizations and voluntary standards for information sharing by critical infrastructure companies. This is the third in a series of cybersecurity executive orders issued annually each February since 2013.
By establishing a regimen for the development of voluntary information sharing standards, this executive order is getting a head start on proposed cyber security legislation that the White House recently sent to Congress in January. The last attempt in 2012 to get a cybersecurity act through Congress failed, mostly due to intervention from privacy advocates and concerns about increasing regulatory burdens on critical infrastructure businesses. However, following that failure, the President in 2013 issued “Executive Order — Improving Critical Infrastructure Cybersecurity.” That order resulted in the Cybersecurity Framework, which has been accepted well by industry as a baseline standard for critical infrastructure protection. This new executive order is about as far as the executive branch can extend its authority without further legislation. With all the major cyber attacks since 2012, and with the Sony and Anthem hacks fresh in the minds of business executives, the public, and politicians, the resistance to new regulations should be less than it was in 2012.
Operators of critical infrastructure should:
1 – Participate in the development of the voluntary information sharing standards
2 – Identify information that can be shared without legal liability concerns
2 – Prepare for legislation that will provide legal protection for information sharing.
The Executive Order doesn’t change much for critical infrastructure companies – current cybersecurity policies should not be affected directly. It does not direct government agencies to review current regulations or make changes to them. The executive order calls for consultation on voluntary standards. Depending on what comes out of voluntary standards and the Executive Order, companies could make voluntary changes to their policies based on them.
There are no requirements for companies to share information with the Information Sharing and Analysis Organizations that are established in this executive order. Sharing is voluntary and not mandatory. For companies that decide to share information, there are legal risks. Until there is legislation that provides more specific legal protections, this executive order is not likely to have much effect, other than laying the groundwork for an information sharing regime.
The window for legislative action is open. All the major hacks that have happened since 2012, especially Sony, received a lot of political attention, and also attention from boards of directors and CEOs. There are special interests who are concerned about privacy and civil liberties, and there are other special interests who are concerned about putting more regulatory mandates on companies. As far as the latter, legislation on information sharing will be much less onerous than the cybersecurity audit rules proposed in the Cybersecurity Act of 2012. The time to bring all sides in Congress together is right now while what happened at Sony and Anthem are still fresh in the mind.
What makes a disruptive technology disruptive?
This is a question that came up in a discussion with my cohort in the doctor in law and policy program at Northeastern, and I’ve been puzzling on it for a few months. One characteristic is that technologies that emerge with new value propositions come from the convergence of two or more existing technologies. For instance, cell phones existed for years before they became truly disruptive. It was when the smartphone converged the cell phone converged with the internet we began to see real disruption from mobile technologies.
With the smartphone, information becomes accessible and sharable anytime and anywhere, and it enables alternatives to existing services. Smartphones have taken market shares from cameras, music CDs, taxi companies, and even cellular service itself. They accelerated the disintermediation of the recording industry that had already begun with Web-based music sharing. Most recently, apps on smartphones have begun the disintermediation of the personal transportation and the hospitality industries.
Convergence and displacement still don’t quite get at the disruptive effect of a new technology-enabled business model. One more thing is needed — a threat to social order. Consider the case of farming drones such as those offered by HoneyComb and PrescisionHawk. These drones and the associated analytic software can enable crop tracking, and better decisions by farmers on where and when to irrigate or apply pesticides and herbicides. They can provide a level of detail above what a farmer can get by walking the fields, and do so quicker and less expensively than services from agricultural airplane operators. Many drones are financially within the reach of family farmers, thus disintermediating the farming aircraft operators and services.
However, crop-dusters and aerial surveyors who provide agricultural services have investments in expensive general aviation aircraft and equipment, and drones will destroy business value of these assets. Hence, most general aviation services incumbents are opponents of drones, and they have cited safety concerns as a reason to ban their use. For now, FAA rules effectively ban most commercial use of drones.
This government ban is only a short term win for agriculture aircraft business. Imagine trying to get investment in such a business now? Investors could be reticent to fund the acquisition of assets that could shortly be obsolete. On the other hand, with the FAA restrictions they may also feel inhibited from investing in drone-based business services. This stalemate effectively freezes time for agricultural aviation technology; it’s like in Cuba where 1950s era automobiles are still plentiful. Even if a crop-duster wishes to shift his business to drone technology, it just isn’t reasonable to do so right now. But the demand from farmers is there.
Government regulations though are not always able to intercept and freeze the disruptive effects of technology. New business models that can capture a market rapidly enable the creation of a counter lobby to threatened incumbents.
Uber is a case in point. This simple app connects the owner of a smartphone to the owner of a sedan or automobile, thus disintermediating limousine services and taxi companies. Personal transportation services, unlike agricultural aviation services, are used by large numbers of people who can become a social lobby to counter the incumbent lobby. Usage of emerging consumer apps can spread virally through word-of-mouth and social media, rather than being dependent on trade press and industry conferences. This wide and rapid adoption enables entrepreneurs to run faster than the regulators.
Furthermore, regulation of personal services typically operates at a state and local level rather than at the national level. The chance of finding friendly or just plain slow jurisdictions is pretty high, and by the time the incumbent lobby organizes itself, the new technology’s entrepreneurs and investors have the support of a large and growing number of consumers who can mobilize through social media — i.e., a social lobby. By the time the backlash mobilizes, the entrepreneurs have generated enough revenue, social capital, and momentum to compete effectively in the lobbying game.
To summarize, the most disruptive technologies will include the following characteristics:
1 — Convergence of two or more existing technologies that enables the emergence of a new business model
2 — Displacement of incumbents that have significant investments in legacy assets, and thus a political stake in maintaining the status quo
3 — Disintermediation of the regulators through a vector that enables rapid development of a social lobby in favor of the new business model
Bottomline – Disruptive technologies are those that overturn the existing social order.
![1941_Navy_vs_Notre-Dame[1]](https://fcinsight.com/wp-content/uploads/2014/11/1941_Navy_vs_Notre-Dame1.jpg)
At the Navy, Notre Dame football game yesterday, I watched as Navy took a pounding the first quarter. Notre Dame scored its first touchdown in two plays at the beginning of the game. Finally, when the game got to 21-7 in favor of the Irish, I wondered why Patty and I were braving the cold to be there for Navy. It just seemed that the much bigger Irish were going to outplay the Mids the whole game. No doubt by the fourth quarter, Notre Dame would be giving its third string bench warmers some playing time.
But it didn’t work out that way. The Navy defense literally dug-in and would not give an inch to the much bigger Irish linemen. An interception, some serious innovation in play calling by Navy, and all of a sudden it was 32 to 28 in favor of the smaller Navy team.
The Notre Dame fans around us (it seems no one told them which side was their side of the stadium) were stunned. One fan summed it up — Navy just wanted it more. None of them were going to the NFL, or even had thoughts of doing so. All the players, the cheerleaders, and the screaming brigade of 4000 of their fellow midshipmen, were all there to become officers in the Navy and Marine Corps.
In the end, Notre Dame came back and won the game. But it wasn’t easy for them. In the final few minutes, the Mids blocked a kick, reminding the Irish that this was not a cake walk. At the end, the two teams embraced, and with the 4000 midshipmen and thousands more Navy alums like me in the stands, the Notre Dame and Navy teams together sang the Navy Blue and Gold.
What an emotional game, the way it was meant to be played. A real win for the Irish. A real game for Navy.
Source: University of North Carolina, Charlotte
The three lines of defense paradigm for audit, risk management, and compliance is so commonly accepted, so ingrained in the way that we think of GRC functions, that no one questions it. Until now. Last week at MetricStream’s London GRC summit, Paul Moore, former chief compliance officer and famed whistleblower at HBOS, said the three lines model doesn’t work. That conclusion raises the question of what can replace it.
The three lines model assumes that risks will follow the same hierarchical process oriented structure that the organizational model follows. But we all know the hierarchical org chart is not the real model for how value is created. Value chains don’t follow organizational hierarchies nor are they limited to a single business entity, and neither do the risks associated with the processes, regulatory requirements, and assets that are incorporated within those value chains. The real work is done across teams, across divisions, departments, geographies, and even across companies.
The three lines of defense model assumes that business units are identifying and managing the risks, risk and compliance managers are ensuring that the business units have effective controls and risk management processes, and internal auditors are providing an independent opinion to management and the board on the effectiveness of risk management and compliance activities. This model assumes specialization and segregation of each of the lines of defense, and increasing objectivity from the first to the third lines.
This model leaves out the people closest to the risks. The person with the best knowledge of a risk should be the person closest to the processes or the assets that create value for the organization. This might be a front line employee, a business partner, or even a customer. It’s rarely an auditor, a risk officer, or a business unit leader. Enabling those people at the front lines to recognize risks, and to manage and mitigate them is critical to sustainable performance.
The three lines model is no doubt going to persist for a while, but already it is being disintermediated aggressively. Regulators are demanding more and more corporate data that enables them to independently evaluate risks and controls. SEC chairwoman Mary Jo White attributes the record number of enforcement actions in 2014 to the innovative use of advanced data analytics technology.
Social media has also served as a check on companies. As more corporate data is available to crowds of networked individuals, key influencers can mobilize a “social lobby” to respond to what they perceive as poor industry or corporate practices. Armed with social technologies, the people formerly known as the customers (or the voters, citizens or constituents) become the new regulators.
Companies can learn from these big data and social lobby developments. Crowd sourcing risk management can be used to tap into the collective intelligence of customers, partners, employees, or experts. Data based risks and controls monitoring with advanced analytics can enable quicker identification of potential risk events or control failures, and discover risks that might fall between organizational and risk management silos.
Disintermediation is usually not complete. iTunes has not replaced recording companies for instance, but it and other music industry cybermediaries have forced a huge shift in the recording industry’s business models. We should expect cybermediaries to arise that offer GRC services that force a shift in the three lines of defense model; even more revolutionary, imagine GRC cybermediaries that compete with regulators and statutory auditors.
Float the Market
Quite a while back, I started setting the stage for a move from Gartner. I had recognized through hard knocks that GRC in a big analyst firm would be just one of many “very important topics.” Resources to meet client needs are necessarily split between scores of teams and hundreds of analysts, and no one topic area can possibly get the resources that its strongest proponents want. Finally, one day in July after having had some vacation time to reflect, as much as it hurt to leave, I decided the time to move was now. So now I’ve moved to MetricStream whose sole business is GRC.
I’m now in week 4 with MetricStream, and I’m beginning to get my thoughts in order on my role as Chief Evangelist. Week 1 started in Palo Alto at MetricStream HQ. I met everyone I could there, and I tried to learn what the expectations were that everyone had for this new role of Chief Evangelist. Week 2 was spent at a customer site with our sales leaders, and I learned what it takes to go through a detailed proof of concept. Week 3 was in London at our first ever European GRC Summit. In a fireside chat on stage, it was my first opportunity to share some thoughts on where the market had been and where it’s going.
One question I that came up in Londonwas about the title of Chief Evangelist — why not Chief Strategy Officer or something along those lines. I guess that would have been fine, but that would not capture a key element of the role. The role goes beyond being a strategist for MetricStream, and extends to being an advocate for GRC overall. This is a new market that has suddenly gotten a good deal of traction, and the message on GRC, and all the practical activities attached to that message, need to float the market. That’s the goal — for all of us who are in the GRC space — whether a compliance or risk management professional, or a software or services provider — to spread the word on generating real business value from GRC.
