Auditor at Ameriprise Financial - Asset Management
MBA, Opus College of Business '16
Brian Hensel is a UST MBA student, graduating Fall 2016. His focus as a graduate student is relatively balanced with an emphasis on corporate finance and risk management. As part of his MBA experience, Brian traveled internationally with the Global Risk Leadership course to Scandinavia, in May and June of 2016. This experience extended Brian’s skills and global awareness on modern risk issues, global sustainability concerns, and leadership capabilities.
Currently, Brian works as an auditor at Ameriprise Financial with a focus on asset management. As part of his role as an auditor, Brian has experience with projects ranging from technology replacements to investment strategy. He also oversees testing as part of the annual Service Organization Control reports issued by different business units of Ameriprise. In addition to Audit, Brian also has experience in Investment Accounting and Mutual Fund Operations at Ameriprise.
Brian’s interest in risk management is particular to global risk topics. As an internal auditor, his interaction with business partners conveys a risk management approach. “I always am looking to fine-tune my approach so my business partners can be assured that they are working with a credible individual who has their best interests in mind.” Additionally, Brian is interested in the challenges that globalization has brought upon firms around the world and how we bear responsibility for global as well as local impacts. “I want to be part of the solution to these challenges and am interested in hearing different perspectives to help prepare a response to global risks that is beneficial to all parties that I am working with.”
Brian continues to share his knowledge and experience with UST’s Risk Leadership Initiative. After attending the Fall Risk Summit, he provided comments on the event:
Brian, I understand you are completing your MBA at St. Thomas this semester. Congratulations! Can you share with us your professional role and how you see your position as a risk leader for your firm?
I am an internal auditor with a focus on our firm’s asset management business. The primary role of the internal audit department is to provide support to management by being a partner to mitigate risk. For example, when we undertake an audit, I participate in risk assessments to identify both the residual and inherent risks for both the business unit overall and specific processes. Much of the audit fieldwork then consists of me testing controls already in place by the business to ensure that they are working appropriately in order to mitigate the risks identified for the business unit or firm. The results of all our audits are reported to the audit committee to ensure that management takes responsibility for their risk management program.
As an auditor, collaboration is extremely important with outside business partners in order to manage risk. This is critical anytime we are working with a third party that provides services to us. One example would be overseeing a technology implementation project in which a vendor provides an upgraded or new service to the relevant business partners.
The most significant risk here is that the new technology is not sufficient to meet the needs of the company or significant defects exist that could prevent critical information from moving over to the upgraded system, resulting in such information not being communicated to interested parties such as external auditors, regulators, investors, analysts, and other clients. As a result, collaboration is extremely important because we need to make sure that the vendor can effectively meet our demands and have an effective recovery plan in the event of a system outage so as to limit disruption to normal business activities.
What are your organization's most pressing external risks? And, how do you see your organization managing these external risks?
For my organization, perhaps the biggest external risk that we face is regulation and specifically non-compliance with regulations around the world. A recent example of this is the uncertainty regarding the Brexit vote that took place this past summer. As the final details of the UK exit from the EU become available, the organization will have to carefully evaluate what products can be offered in a particular country and potentially changes to the organizational governance as a result. The way I see the organization managing the external risk of changing regulations and non-compliance is by having a task force with a dedicated focus on the regulation at hand and coming up with response plans. In addition, vendor management and oversight teams play a critical role in regulation compliance as we must be able to obtain a comfort level that our vendors will be able to meet certain regulations that we are required to be in compliance with.
Security is also a significant risk that our organization faces as financial institutions are often a target for cyber-crime. This is not only due to the amount of assets held within the firm but also other sensitive client and other non-public information that is held at financial institutions. I see the organization looking to mitigate the security risk through a couple of different methods. One of these is annual training to make sure all employees are alerted to phishing emails and red flags that might constitute an attempt at money laundering. In addition, we also look to mitigate the risk of sensitive information becoming exposed as part of a data breach on a server or platform maintained by a 3rd party. We do this by doing a business recovery plan test on an annual basis and also rely on vendor management oversight controls to make sure that these third parties have processes in place to avoid critical information becoming exposed.
Thanks for joining us at our Fall Risk Event and specifically the discussion with Kristine Raffel from Copenhagen Airports. As a former Risk Management student and specifically with your global focus, what was your reaction to the Copenhagen Airport’s case study and our discussion on risk?
My reaction to the CPH case study was based around seeing evidence that the contagion risks discussed apply across many different industries. For example, regulation change is a significant contagion risk that impacts several industries. Specifically, in the financial services industry, firms must comply with new standards which are often very costly to implement and require significant investment in compliance programs as well as product assessments. While the investment and time to comply with the regulations may be high, the risk of non-compliance is too great to ignore and would include fines, brand reputation damage, and potential loss of key personnel.
Further, firms face capacity constraints regardless of industry. A key line that struck me in the case was, “Can we provide capacity in time to cope with growth? Security, check-in, gates, and other customer services need to expand at the same pace as growth.” To me this is a key line because it relates to items that organizations often underestimate when tackling a decision to expand or not such as building a new plant, leasing a new office building,
Finally, one thing that really stood out to me from the CPH case study and discussion on risk was the bow-tie approach used by Kristine and CPH to ensure consistent handling of risks. I like this approach for a variety of reasons. First of all, this approach reduces the number of identified risks by half from the previous model. One of the greatest challenges that I see in risk management is the inability to simplify all the risks related to a division or organization into the select few that are truly the most relevant to their objectives. By simplifying down to fewer key risks, this reduces the amount of time spent on items that are unlikely to have a significant impact to an organization should they occur. Next, I also like that the bow-tie approach clearly defines risks and structures enterprise risk management. In my opinion, this is a concept that is critically important for global organizations to have in order to have a thriving risk management operation. This is because if the definitions of risk are ambiguous or risk management structure is fluid or in flux, it is likely that key risks will not be identified and response plans may lack the resources to succeed. Finally, the identification and analysis of missed opportunities is something that every organization, whether global or not, should incorporate into their risk management program. This is because there are more lessons to be learned from mistakes and missed opportunities than from risk events that have yet to occur or have a low probability of occurring.