The risk of not managing risks

By Julián Laski

A couple of years ago, I was faced with the challenge of carrying out the audit of an important Latin American public entity. When I say “important”, I mean the size of the institution, its strategic nature and the volume of its operations, with resources – financial, human and technological – in keeping with its size.

A few months before starting the tasks, I was surprised to read an email sent by the institution’s Systems area, asking the audit team to report which computers it would bring into the entity, specifying the brand, model and serial number of the devices. I must admit that at that moment I was impressed: I imagined that if I were asked for such data so far in advance, I would encounter an entity with a robust control structure, which is not so common in the public sector of the region.

Until the day came: I had my first meeting at the entity, to which I went, of course, with my computer – the same one I had declared a few months before. As soon as I arrived, I found a security post where a guard asked me to show the laptop I was bringing in. “Good, now they are going to check it against the information I provided a few months ago,” I thought. But at that point I began to realize that, once again, not everything that glitters is gold: the security employee began to write down the computer’s data by hand on a worksheet, where instead of recording the serial number, he wrote down the operating system license, whose label was stuck to the back of the laptop. “It does not matter, later he will check it and ask about the inconsistency,” I told myself … But no, that never happened. And I was not asked for the computer when I left. Not even the next day: as the guard knew me, he only asked me if I had the same laptop as the previous day, and as I said yes, on my successive entries he did not even ask me about it. And, since I was not checked at the exit, no one considered the possibility that I was taking with me something much more valuable than a computer (which could well be mine or another): the institution’s information.

This situation set off my warning signals – like every auditor, I am skeptical by nature – regarding the public entity’s risk analysis. For that reason, I asked to speak with the person in charge of the risk area. The answer was clear: there was no risk manager there; rather, it was the financial manager who handled insurance. That is, it was assumed that taking out insurance was the only possible risk response. Almost resigned, I met with the financial manager and asked him about the insurance they had taken out. “We invest more money in insurance every year, because we want to be calm,” he told me. When I asked about the types of claims for which they had insurance, I realized that they did not cover half of the possible events for which coverage could be contracted. The subsequent result of the insurance audit was damning, and it almost cost the financial manager his position, he who had been so calm simply spending money …

Is insurance sufficient as a response to risk? Clearly not. Is it enough to know that many resources are invested in coverage in order to sleep soundly? Even less so. An organization that manages its risks effectively must:

List the possible financial and non-financial risks to which it is exposed. For this reason, it is not usually advisable for a financial manager to be responsible for risk management. There are no improbable risks or absolutely unexpected events; if in doubt, consider the attack on the Twin Towers, for example.
Evaluate adequately, through qualitative and quantitative tools, the probability and impact of events that could affect the achievement of its objectives. Not all risks are equally important! For the entity, someone taking a database without permission, by whatever means, has a much greater impact than an official or visitor entering with one computer and leaving with another.
Design and implement adequate risk responses, considering not only insurance coverage but also mitigation, risk avoidance and, in some cases, even the need to accept the risk. We cannot take action against all risks, but we must know them and be aware of them. If there is a possibility of rain, and our goal is to go see an Atlanta football game, outdoors, what can we do besides hoping that the sky does not cloud over?
Verify that the measures taken are effective, and monitor the risk strategy. A risk can be important at one moment and cease to be so afterwards.

Improving service and security through knowledge management at Miami Airport

By Jorge Martínez

Imagine traveling through Miami on your way to another country. After a long journey, with a tired body, when you are about to pass through immigration to enter the United States, you are told that you cannot pass, that you have to go to a special room where you are put through a new control, without anyone explaining the reasons or how long it will take. Half an hour later, they call you by name, give you your passport, and tell you that you can go. Zero explanations.

Now imagine that, four days later, when you stop at the same place on your return journey, exactly the same thing happens to you. Only this time your fatigue is greater, the lines you have already had to endure are even longer, and the possibility of missing your connecting flight is truly imminent.

Well, this happened to me a few weeks ago and, despite complaining, I never managed to get an explanation, let alone an apology. I deduce that, just like a few years ago, they confused my first name and first last name with those of a criminal with an international arrest warrant. It is clear that the situation of international insecurity and the terrorist threat make it necessary to raise alert levels, especially in the United States, which is a declared target. But at least in my case, it would have been enough to look at my second last name to spare me the trouble and spare the US government from using resources on a useless and unnecessary task. If, along with alert levels, the effectiveness of terrorist and criminal identification systems had increased, perhaps I would be telling another story. However, one cannot help but wonder the following:

What is the purpose of obtaining the ESTA (the Electronic Travel Authorization issued by the Department of Homeland Security prior to travel and valid for 2 years)? First control.
What is the point of ESTA holders being forced, on arrival at the Miami airport, to go directly to a machine where they must scan their passport, have a photo taken, give their fingerprints and make an automatic declaration? Second control.
What is the point of going through an Immigration Officer who again takes your picture and fingerprints and asks any other question about your intentions in the United States? Third control.
What good are all these controls if, in the end, the last link in the chain ignores all the previous controls and you end up locked in a room like a criminal? It seems incredible that after so many years traveling to the United States, and having legally resided in that country for more than three years, I continue to be confused with someone I am not. Something is not working well.

From the point of view of internal controls and knowledge management at the Department of Homeland Security, the high number of controls required for each “suspicious” passenger is highly inefficient (not to mention the discomfort it causes the visitor). This is because scarce resources (Immigration Officers, machines) are being used to do the same job several times. But worst of all, if several checks, many of them identical, are necessary every time a foreigner visits the United States, despite prior authorization having already been obtained from the Department of Homeland Security, it means that this information is not being stored, and that every time someone visits the United States it is as if they were doing so for the first time. A lot of valuable information is being wasted that, if it were stored, would save a lot of time and money.

This reminds me very much of one of the findings of the report of the National Commission that, at the request of the President and Congress of the United States, investigated the terrorist attacks of September 11 (http://www.9-11commission.gov/report/). That report indicated that another major federal security agency in the United States, the FBI, “did not have an effective intelligence-gathering effort. The collection of intelligence by human resources was limited, and the agents were not adequately trained … The FBI lacked the ability to know what it knew, there was no effective mechanism for capturing and sharing its institutional knowledge. FBI agents created records of interviews and other investigative efforts, but there were no officers to condense intelligence into meaningful intelligence that could be found and disseminated.”

These signs of inefficient controls or lack of knowledge management in public safety institutions in the most advanced country in the world remind us that, as the Spanish saying goes, beans are cooked everywhere: these problems occur in every country. Have you ever experienced a similar situation that could have been avoided with better knowledge management?

When controls take precedence over closing a deal

By Julián Laski

A few weeks ago I received, like many other times, a call from the call center of an important and well-known commercial bank, in which I was offered a credit card. While I am not usually interested in these types of proposals, where the “small print” usually hides a trap (and some cost), this time my curiosity got the better of me. And, paying attention, I thought it was a good opportunity, so I decided to ask what documentation was required to proceed with the process. When they told me that they only needed a copy of my document, I opted to accept and proceed with the issuance of the card.

From there, the call center operator, following the manual in which he had probably been trained, began to request the basic data that, I assumed, he was entering into a system: full name, date of birth, occupation, etc. Until, at one point, we came to the key question, the point of contention: “You are not an obligated subject in matters of prevention of money laundering and financing of terrorism, are you?”. Given the way he asked the question, I will be honest, I was tempted to say no, but I chose to tell the truth, so I told him that, as an external auditor of financial statements of companies with assets over $ 10,000,000 (ten million pesos), I am an obligated subject for the prevention of money laundering. For those unfamiliar with the subject matter, being an obligated subject merely means being included in a list of natural or legal persons who, due to their work or profession, must report suspicious operations linked to money laundering and the financing of terrorism, without it meaning anything else in particular. It is something like an assistant referee in football: you must tell the match referee if you notice any fouls during the game. But for the call center operator, probably out of ignorance, my answer set off alarms and suspicions by virtue of what his procedure indicated. That is why the conversation, which had been going on in a cordial tone, took an unimaginable turn: first, the call center operator told me that, quite simply, he could not apply for the card and that the procedure could not proceed. When I asked the reason, he told me that it was because I fell under Law 25,246 on the laundering of assets of criminal origin.

Although I was not losing sleep over getting the card (in fact, they were offering it to me; I was not requesting it), I was disturbed by the situation, and I told my interlocutor that I was actually an obligated subject, not a fugitive or a suspect in the eyes of the law. He then asked for a moment to speak to his superior while I waited on the line, which lasted about 20 minutes, during which I was tempted to hang up on several occasions in order to continue my work. Then the call resumed and the call center supervisor told me that they would call me the next day to see “how we were going” because, he admitted, the system prevented the process from continuing when the answer to the question “Obligated subject?” was yes, because the bank had strict internal controls and wanted to ensure that its clients were subjected to a strict prior review process.

The situation described in this article, where a commercial transaction was hampered by an alleged need to adhere to internal controls, shows that only one side of the coin is being considered, namely one of the three objectives of internal control models, which is to comply with applicable laws and regulations (in this case, a procedures manual). Thus, the first of the aforementioned objectives of any control system is left aside, which is to achieve effective and efficient operations. After all, if a bank – a for-profit company – does not sell its financial products, how does it achieve its goals? One might even ask how the bank gives a credit card without any problem or credit analysis to a client who is not an obligated subject, but if the client is one, even with the best financial situation, the process is interrupted … Curious, no doubt. But it is all for the sake of complying with what the procedures manual indicates.

The day after the first telephone conversation I had with the call center operator, I received a call from another bank employee, who told me that “despite being an obligated subject” – again, as if it were a sin – they could process my application – I had not asked for anything; the bank was the one who offered it – if I went to the bank branch and delivered a series of documents which, I believe, lacked only my birth certificate: identity document, income, registration as an obligated subject, latest tax payments, affidavits … Pap