Enhancing Your Business Continuity Framework in a Volatile Environment
Megan Phee: Hi, I'm Megan Phee, and this is GRC and Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends, and more. Learn about your methods, solutions, and outlook in this space. Hello, all of you, risk practitioners out there, and welcome to another episode of GRC and Me. Today we welcome back Jason Wang, Chief Risk Officer at Synergy Credit Union. And for long time listeners, you may remember Jason's previous episodes where he explained why everyone at your company is a risk manager. And in his return to GRC and Me, Jason discusses how enhancing your business continuity framework is crucial during what he calls volatile times. We dive into what he means by that and so much more. So enjoy my chat with Jason. Well, Jason, welcome back to another episode of GRC and Me. It's lovely to sit down with you in real life this time to have another meaningful conversation.
Jason Wang: It's good to see you again.
Megan Phee: Yes, thank you.
Jason Wang: I'm very happy to be back.
Megan Phee: Oh, good. Wonderful. All right, so for today's conversation, we want to talk more about business continuity, frameworks, impact, all that goodness. So let's start first talking a little bit about, why are business continuity frameworks so critical in volatile times? I've heard you talk about that. And before we go there, tell us a little bit about, in your opinion, how do you define volatile times?
Jason Wang: Well, look around and look at where we are. The environment, whether it's the political environment, back and forth with a pandemic, and how that has disrupted a lot of how we work, how we live our lives, how we buy things, how we communicate with each other. And if I use our business examples, when we first went into the pandemic, we had to consider closing our branches and then dispersing our employees to an environment that they're not used to working in, which is their home. So when a lot of these are happening and you have to consider all the different factors. So how do we tell our clientele, doors closed, here's the number to tell, here's the number to call. Okay then how do we increase our staffing at the call center? So when all of the factors are happening, and you have to make a critical decision quickly. That's what I would call volatile times. And the reason why BCP or business continuity planning is so important, particularly in volatile times, is because it gives you that speed to decision, speed to action. The theme of the [inaudible] annual conference is agility.
Megan Phee: Yes.
Jason Wang: We talk about agility. This gives you agility.
Megan Phee: Great.
Jason Wang: You don't want to make critical decisions when things are actually happening. Let's have a meeting, let's call the board. Well, where's our marketing team at? Creating the creatives, the door signage. When you have a framework that's redefined, everything's there and you just worry about implementing and deploying.
Megan Phee: I've heard some people talk about that in a business disruptive event. You don't want to be planning, you don't want to be thinking, you want to be acting, you want to be executing, you want to be deploying to that plan that you've prepared for. So yeah, agility is so critical to that. And on the flip side of that, what happens if you don't have the agility to be able to respond with the speed that you need?
Jason Wang: Well then, you probably will just take the time to go through the same steps. So to make an appropriate business decision when you are facing an incident, whatever the incident is, you still need to go through the steps. Call the right people to make a decision, you just slow down. And for lower criticality levels, that might be okay. We don't have to make a decision today, let's talk about this tomorrow or the day after tomorrow. But for something that's really critical, and here, cyber breaches, ransomware attacks, this is where every hour matters. If your system is down, you can't afford to say let's regroup tomorrow. You have to make a decision now and go from here.
Megan Phee: That's great. Yes. And can you talk about what prevention measures look like in a good or strong business continuity program framework?
Jason Wang: Sure. We actually define our BCP framework into three phases. So prevention is not even the beginning point. So the three phases are preparedness, prevention, response. And this also ties back to what we just talked about earlier. Response is absolutely the last stage. But unfortunately, some people when they think about this, they always think about, "Oh, when that happens, I'll respond." Well, you need to have proper preparedness and prevention, then let's talk about responding. Or not having to respond because you have preempted the risk, you have mitigated the risk. So going back to the first stage, which is preparedness, I do a scan of your own threat landscape for whatever business you are in. Look around, look at your environment, look internally at your people, look at your third parties, and think about what risk factors are there. And then put them into different categories and then talk about mitigation. So then now we're getting into prevention. Sometimes it's just awareness and education that will do a lot. So particularly, people tend to fall for some phishing emails. You have to constantly remind them, sometimes when you see these red flags, it's not a legitimate business email, it's phishing, so don't fall for it. And then when there are third parties, you have to have a framework where you ask the right questions, get the right documentation from them, and have a backup plan. When it's your data, you have to have backup recovery, you have to have your IT team who's always on point, and you know when and where to call someone if something happens, even if it's the middle of the night. So these are all critical points of being prepared and then you can prevent something from happening.
Megan Phee: Right. And then I love that you said, "And then respond, then you can respond appropriately." That's great. And what would you say are some enterprise-wide efforts that an organization can do, just to be prepared, as we talk about that. What would you say at the enterprise level, folks should be doing or considering?
Jason Wang: Sometimes risk professionals tend to make a mistake to think that I'm shouldering everything. I'm the hero that's saving this organization from sliding into a disaster. That's probably not the best mentality. Everything is enterprise wide. And we do a great job at Synergy Credit Union to talk about the three lines of defense to everyone. So risk management is only the second line of defense. Our front line employees are the first line of defense and they are a line of defense. So making sure that they understand, everyone is a risk manager. Risk management begins with them. If they see something, they take actions or they report and mitigation begins with them. So that's the first step. And then there are some drills or tests that you can deploy to your employees. For example, phishing email tests.
Megan Phee: Yes.
Jason Wang: You do this from time to time just to learn, where's our vulnerability? And we had two employees who clicked on this, let's talk to them to figure out why. What were they thinking? Is it the design, the look of the email? So that we can train them better. Right? Also, when you are building more complicated drills, for example, I'm in the banking industry. So we do have a framework for branch robbery. This is where, if an actual robbery happens, the response team will not only consist of just my team, but we will have pretty much everyone, right? We will have the operational team, the retail, the leadership and the board and the communication team, maybe even conduct media training to our senior leaders. And the board, our privacy officer will also step in to look at if we lose any information on any clientele. So this is where it's always cross-functional. Then when you are conducting the drills, you set expectations that this is going to involve everyone. Please set aside some time or resources. We're going to do this in the fourth quarter when you guys are not so busy or second quarter. So you have to make it an enterprise-wide effort and you have to always talk to them about this, that way.
Megan Phee: Well, I was going to ask you that because I think at Synergy, you have a very clear and active culture whereby you set that tone and your peers all set that tone of, this is a collaborative effort, it's a cross-functional effort. We are all harboring the responsibility of risk awareness. What advice would you give to folks who, maybe they come into a newer organization or they're new to a role and they don't have that culture of risk awareness yet and they're trying to get an enterprise collaboration going? What advice would you give? What have you seen has been helpful in your career? Or even as your team members go out there to have conversations with business leaders, what advice would you share for folks who are trying to get to the level that Synergy's at where it is a collaborative shared responsibility of risk management?
Jason Wang: Sure. Twofold. My answer would be, leadership sets the tone from the top. It's critical. If you don't have your executives or if you only have half of your executive team who buys into this vision of, everyone is a risk manager, then you probably are not setting yourself up for success. You have to get them on board. And the way to get all of your executive team and leaders to be on board is to really break this down into, if we don't do this, what does that mean to you?
Megan Phee: Yeah.
Jason Wang: Right. So I'm not saying that we should scare them, but we operate in scary environments. So banking is one of those scariest industries. So you talk to the operation officer by saying, "Well, if we don't prepare for robberies and robberies do happen, it's going to impact you. It's going to impact your branches." Talk to the people officer to say this is going to impact our employees. Talk to the finance officer to say this is going to impact our money. Talk to communication and marketing to say, "Well, we're going to have a reputational damage, so what do you do?" So once you get them on board and then you ask them to talk to their teams about this and set the stage where if you have a court city town hall, somebody from the risk team will go on stage and talk about this, show the three lines of defense visual and say, here's what we are. We're all a particular line of defense, whether you know about it or not. So that is critical. But in our day-to-day work, people on my team, they do a good job of building relationships, so we collaborate with IT quite a lot. We collaborate with our branch leadership quite a lot and we communicate with each other very often. So that's another part of it.
Megan Phee: I love that. So I heard, get support from the top, have a leadership alignment, whether it's board or executive leadership team alignment, and then talk in the terms of outcomes or impact so folks can relate it to their own business line, I think is critical. That's really interesting. That's great. I have another question for you. I think there's a myth out there. Can you tell us a little bit about what the myth is and then debunk that myth if you can?
Jason Wang: Sure. The myth, when it comes to business continuity and cyber security is that, well, my company has insurance, so why do we have to do this? Let insurance pay for it. So if you were at the conference, you heard the NASA veteran talk about the unfortunate Columbia tragedy. I'm sure they were heavily insured, but what is that going to do? It's not going to bring back the lost lives. And it's the same thing here. Well, you can argue, "Well, we're not in that kind of business. It's not life and death. We talk about it all the time." But seriously, think about it. In a way, it is. If you have cybersecurity, ransomware, if you have these critical things happen and you don't take the right actions within a short timeframe, you're going to face significant financial damages, you're going to have class action lawsuits, you're going to have a reputational damage. In a way, yeah, we're not looking at human lives that are lost, but you have a lot of irreparable damages. So do not rely on insurance. And we hope... And using the real life example, we have all insurance, life insurance, home insurance. It doesn't mean that we start to live a dangerous life.
Megan Phee: Recklessly, yes.
Jason Wang: Let's just start to drive recklessly, right?
Megan Phee: Right.
Jason Wang: We still need to avoid incidents and just live our day carefully. It's the same mentality here. So having insurance makes you sleep better, but you would do all the planning to make sure that you don't actually invoke insurance,
Megan Phee: You don't need it. Yeah. Prevent it, right? From needing it. Yeah. And I would say the last question I have for you today is, talking about the work that your team does, how has the Risk Cloud impacted the work that your team does or their ability to perform the work in risk management?
Jason Wang: Using LogicGate's Risk Cloud has helped not only my team, but also the teams that we work with. You think about the old ways of doing things, spreadsheet or emails back and forth, I would email you an attachment. You open up, it's 30 rows of Excel.
Megan Phee: Yes.
Jason Wang: Lots of questions. You have to literally type in. You don't get a lot of collaboration by forcing people to go through that. So now, if you set up a workflow, then it's simple communication and they have their user login, they log in, click on this, this is a dropdown, you click on this, you're done. So I think it streamlines and simplifies the way that we think about risk problems and it gives us really, a good way to communicate with people whose real core job is not risk management. But we talk about that everyone being a line of defense, but still, they have their real job to do. You can't give them this burden. This is almost the reason why a lot of people push back and risk people to say, "Ah, yeah, I don't want to do this," is because they see this as added work on top of what they actually get paid for. So you make it streamlined and simplified for them. And if we use complicated BCP scenarios, also setting up the workflow can help arrive at the decision really quickly. So we have a grading system to put incidents into four different levels. Not every incident is created equal. So you have the most critical ones like ransomware attack or you have the cyber breach, and then you have little ones. Particular employee issue, particular branch issue. Then having this in the cloud allows us to go through a few simple steps in the workflow arriving at, oh, so it's a level two and then it's going to point you to, this is what you do next. Or, this is level four, well this is what you're going to do next three things, and you blow up to communication plan, your IT plan, right? And you blow that up to, how do you recover your data? So this, I think using the Risk Cloud greatly simplifies things and makes it streamlined and intuitive to people so that it's not overwhelming anymore.
Megan Phee: Oh, that's great. I love what you said about that. We have to keep in mind that they have day jobs and we want them to participate in this, but the best way to do that is to make it a nice experience. And we've seen that, the better the experience, the better the quality of the experience, the better the quantity of the data that you'll get, the better experience that more people will be willing to enter that system and record risk, because it's easy to do. It's intuitive. And I love what you mentioned about, there's just consistency and compliance in regards to, there's consistency in workflows about the triaging, right? It's less of a human intuition or human activity. It is, this is how we've decided and we've agreed upon, this is how we're going to approach these types of criticalities and this is what happens next. And it allows you to document and report on that, I'm sure really clearly and easily for the leadership team in the board. But that's great, and I love that you keep in mind, it is that first line who, we need their help and so how do you keep in mind the user experience that they have? So that's great to hear. Well, Jason, thank you so much for joining us.
Jason Wang: It's my pleasure.
Megan Phee: Wonderful chat today and thanks again.
Jason Wang: Thank you too.
Megan Phee: Now, if you want to learn how Risk Cloud can help you and your organization's business continuity planning, visit logicgate.com. And until next time, this is Megan Phee with GRC and Me.
LogicGate’s Megan Phee sat down with Jason Wang, Chief Risk Officer at Synergy Credit Union, to explore the importance of creating or refining business continuity plans in the face of volatility. Business continuity plans help you make critical decisions before you need them. Otherwise, you make those decisions during a business-impacting event when every hour matters. Listen to the full episode to hear Jason’s valuable advice for making enterprise-wide decisions to improve your resilience.