Joanna Makomaski

Joanna Makomaski is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at [email protected]

Column: Risk Management

Captive Credit Cards

By: | November 2, 2016 • 2 min read

I subscribed to Netflix a few months ago. I entered my credit card information, enjoyed my first month of membership free and thereafter I duly started to pay my monthly fee. I watched on my laptop and got hooked on a new TV series.

With my blistering travel schedule I was delighted to now have the ability to watch this series while on the road from anywhere.

On my first trip abroad, I turned to Netflix one evening. An on-screen message popped up telling me that Netflix was only available to me while in Canada.

Netflix offers its streaming service in roughly 190 markets, with different volumes and types of programming based on region-exclusive content licensing agreements.

Simply put, Canadian Netflix customers get Canadian-specific content dictated by their licensing agreement, while American Netflix customers get their own version. I get that.

But I remained confused. I called Netflix.


The exchange with customer service sounded something like this: “I would like to watch my Canadian version of Netflix that I paid for, please?”

“No. You can’t, ma’am.”

“Why?”

“Because you can’t.”

“Why?”

“You’re not in Canada.”

“But all I want to see is my Canadian content version that I paid for.”

“You can’t. It is for security reasons, ma’am.”

“What security threat do I pose?”

“You may give your password to someone while in the U.S. and they can watch it.”

“But I am not planning to give away my password.”

“I’m sorry, ma’am, you just can’t watch.”

“Can I buy an American version of Netflix to watch while in the U.S. then?”

“No ma’am. You live in Canada.”

I went from feeling confused to feeling flabbergasted. I canceled my membership. All of this took place in under five minutes, all while holding my credit card in my hand ready to purchase something … anything.

It is possible I do not understand this technology. Maybe I am under the false impression that this internet streaming service should work anywhere internet exists, just like my banking app.

But regardless, the whole experience left me thinking about the inherently deadly flaw of this business model and how it is riddled with killer risks.

I looked into it. Netflix risks losing hundreds of thousands of customers in 2016. It claims that a rate increase is the culprit. The company tells its investors that an additional $520 million in annual revenue offsets the loss of thousands of customers. This pains me to read.

Who is doing their risk assessments? A mass exodus of users from around the world is inevitable if Netflix keeps this up. Business rule No. 1 – a customer, whose loyalty you have already won, is your most precious asset.

Netflix, are you listening? Free risk management advice: Let me get hooked on your products and services. Hold my credit card captive. Let me spend my money with you. Repeat with everyone else.


Column: Risk Management

Apples to Oranges

By: | October 15, 2016 • 2 min read

I was recently sandwiched in a middle seat on a long haul flight. Impossible not to strike up a conversation with both seat mates. On my left was the head of human resources, responsible for the health and safety of 10,000 employees.

On my right was the CFO of that same company, charged with all things finance but also responsible for IT. Inevitably they asked me what I did – all things risk management – and as usual they wanted to talk of risks they face.

From the left, I heard HR concerns about the next virus or disease that could make employees sick. From the right, I heard fears of hacking.


To provoke, I asked: “Which risk is bigger? More important? If you had only $500,000 for a solution, which risk would you choose to mitigate?”

Life safety is always the priority, the left proclaimed. But a nasty breach could paralyze the company leaving us potentially bankrupt, the right argued. Frustrated they proclaimed: “You can not compare them. It is like comparing an apple to an orange.”

It is not the first time I heard that statement. In the risk management proficiency reviews, it is a common concern. How does one compare two different risks and assess priority?

Answer? Set context for risk assessments before starting a risk evaluation. This is an essential step. Set context by answering questions like this:

Which corporate performance objectives could the risk event compromise? Are all objectives equally important to achieve? If not, which are the most important? What timeframe bounds the risk assessment? Will the risk events happen within the next quarter, year or over five or 10 years?

Does the organization have a common scale that can inform the organization as to what is considered a high impact? In other words, a compromise of one or more objectives?

For example, if an objective for safety performance is “to ensure less than five lost time employee injuries annually,” or if an IT security objective states that “less than three IT systems penetrations shall be allowed annually,” what is considered to be a high compromise of those objectives? Twenty or 100 lost time injuries, or system penetrations?

Conversely, what is considered a low compromise of those objectives? What score will we give a high or low compromising risk event? Will the scores reflect how a risk event can compromise multiple objectives? What do we do if a risk scenario impacts none of our corporate objectives?

By answering these questions, you build a “risk ruler” system.

Risk rulers ensure that you have pre-negotiated tools and context around your pending risk assessment. They set the ground rules for what the risk assessment will tell you, and how the risk events will be prioritized.

Most importantly, risk rulers allow you to establish common criteria that link performance objectives to risk events. If an “apple” can cause more damage to objectives than an “orange,” keep an eye on that apple.


Risk Management

High Risk, High Consequence?

By: | October 1, 2016 • 2 min read

Imagine you are a board member on a $200 million widget-making company. The risk manager has duly presented their quarterly risk register to you. You learn of two risks.

The first risk states there is a 1 percent chance that in any given year a rainfall could flood the factory costing an estimated $4.8 million in plant and employee injury damages, and loss of business. The company insurance policy excludes coverage for damages and loss of business due to flooding.

The second risk states there is a 90 percent chance that 24 company laptops worth $2,000 containing company information will go unaccounted for in any given year. Your insurance policy excludes coverage for mysterious disappearance of those assets.


Risk 1 has a low probability with sudden high consequences, while Risk 2 is a near-certain event with a comparably low unit consequence value. Both risks present a total expected loss of $48,000 for any given year. Risk management is looking for board guidance as to which risk to respond to first. Which risk captures your attention?

In a recent conversation, a board member told me he felt that risk management often neglects high-consequence risks because of low likelihood, and that high-consequence risks must be addressed regardless of their likelihood. He felt that most risks were inadequately selected, ranked and qualified.

He suspected risk management was only comfortable presenting risks that boards would perceive as manageable. Was he right?

Consider Risk 1. Did the register highlight the associated reputational losses and future opportunity losses? Did the register stress that embedded in the event was an employee injury?

If management re-evaluated the two risks to incorporate associated losses and the expected loss was yet again equal, which risk should take priority?

I have three rules of thumb when it comes to risk response planning and investment.

Rule 1: Address low-hanging fruit. Risk 2 has a 90 percent certainty of occurrence. It’s a matter of time. Let the register reflect this. The loss is almost a given and should be treated accordingly. If your company can influence the risk for a reasonable cost, just do it.

Rule 2: Deal with risk that can severely derail your operation. Ask how quickly the company could bounce back if the risk were to occur. Let your register reflect your answer.

Rule 3: Address risks that can exceed your capacity to bear risk. Know the level of loss you can handle any given year. Let your register reflect that. Does the company have the capacity to absorb flooding damage costs of $4.8 million any given year? If not, it needs your attention. Moreover, if this one risk has the ability to wipe out the company, it needs serious attention.

The prickly disconnect between management and boards seems to stem from how risks are reported. Easy fix: Let’s start there.
