Mitigating risk is an important part of every business’s planning, but few know where to start. That’s where Anne-Héloïse Bédard, Leader of the Enterprise Risk Services team in Montreal, can help. Learn about her experience in this area and how you can protect your organization.
Why did you choose to work in risk management?
I wasn’t supposed to be in risk management! My background was in operations and production management. I came to risk management because I strongly believed that combining process optimization with controls can actually mitigate risk for an organization.
Process optimization adds value on its own, but more importantly, it ultimately means you have a much better chance of reaching your business goals.
How long have you worked in this area?
I’ve been involved in risk management for over 20 years. I worked in process reengineering for a year, then I moved to risk management with an accounting firm that wanted to develop their processes related to operational risk management. I came to MNP in 2019 to build up their risk management offering for Quebec organizations. It’s been a natural evolution of my previous roles and responsibilities, including building a strong team that has been steadily growing.
You work with many public institutions. What are their main concerns right now?
Public institutions need to demonstrate that they are properly protecting citizen data within their internal systems, and that they have laws in place to ensure that personal data is protected at large. This includes proper project management, procurement process and vendor management, and data privacy protection decisions. Journalists and the public have more access to information than ever before and politicians are very concerned about public perception, particularly with how public funds are spent.
As a result, one of their main concerns is data privacy. Cyber crime is increasing at an alarming rate and governments need to make sure they can protect citizen information. If a government cannot keep their data safe, they risk losing public trust. Although the focus of recent Canadian privacy reform initiatives is on consumer privacy, changes to consumer privacy legislation will likely cascade to the public sector eventually.
Third party risk is also a major concern for the government. It is closely linked to data privacy as some third-party partners manage or have access to sensitive data. Public institutions need to demonstrate that they achieve the right balance between needs and requirements, quality, and costs.
What do organizations need to look at to protect themselves from third-party risk?
The entire procurement process is key. How you select the vendor, how you onboard them, how you manage the contract, and how you oversee the contract — these are areas that organizations need to have answers to if they want to mitigate risk.
Organizations lack visibility into the risks that are associated with their vendor and contract management process. As an example, the person writing the contract typically isn’t the person enforcing the contract, and the person enforcing the contract may not be aware of all the clauses listed in the contract. This means that, willingly or not, third parties could be not following the contract but the person enforcing rules is unaware that the contract is not being followed.
Another issue is that companies may not have a proper understanding of all the contracts they have with a single vendor. Managing one contract at a time may not be so risky, but having multiple contracts with a single vendor at one time may be much more dangerous.
What questions can organizations ask themselves in order to mitigate risk?
It’s simple. Ask yourself: What could go wrong? Am I prepared for it?
To answer the first question, you need to identify the risks you are facing. Stepping back to reflect on the risks you face can be eye-opening.
To evaluate if you’re prepared, check if you have mitigation strategies for those risks you’ve identified. Are those strategies clear? Are they clearly assigned to a team member? Ask yourself: if something goes wrong, do we know what to do? When to do it? How to do it?
There are other questions that can help but these are the most important ones to get started on the path to risk minimization.
To learn more about risk mitigation, contact Anne-Héloïse Bédard, MSc, CIA, CRMA, CGAP, PMP, Partner, Enterprise Risk Services, at 438.469.4724 or [email protected]