Chapter 2Risk

The case of Wells Fargo, as discussed in Figure 2.1, makes it clear that boards have clear responsibility for gaps in risk management. Every regulated trading environment now operates under clear regulations for governance – in the United States, it is SEC rule 33-9089. Robust risk management programs are critical to avoid financial and reputational damage.

No alt text required.

Figure 2.1 The Case of Wells Fargo

There are two clear trends:

  1. Regulations follow industry events

    As shown in the timeline that follows, legislators try to get out ahead of the risks. Further, as new risks are identified we can expect that the more impactful an event, the more rigorous the legislative response will be.

    For example:

    • Stringent Payment Card Industry (PCI) standards followed reported incidents with Heartland in 2009 and Sony PlayStation in 2011.
    • In the wake of Facebook's mishandling of user information in 2018, US states are passing new regulations to address both privacy and consumer trust.
    • Bills before the US Congress in 2018 include the Cybersecurity Disclosure Act, which requires boards to either have the requisite skills or to identify their strategy for obtaining the advice and support that they need.

    The timeline shown in Figure 2.2 aligns events since 2002 with the regulatory developments.

    Figure 2.2 Alignment of Incidents and Regulations

  2. Regulations are getting broader and penalties ...

Get Duty of Care now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.