Dealing with Risk, Asymmetric Information, and Incentives

In any type of business there is always the unexpected actions of dealing with the risk and uncertainty. No matter small business or Fortune 500, businesses large and small must use preparedness techniques and tools to elevate and minimize the negative impacts of hazardous and problematic issues. One company that is relied upon to protect consumers most sensitive data has dealt with such uncertainty as of recent.

Evaluate a Company’s recent (with in the last year) actions dealing with Risk and Uncertainty

Founded in 1899, Equifax is one of the nation’s top three major credit reporting agencies. Consumers nationwide depend on Equifax to protect their most sensitive data. However, as of recent, Equifax has had to take-action dealing with some risk and uncertainty. “Equifax is a global information solutions company that uses unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions” (Equifax, 2018). In September 2017 Equifax suffered a major cyber security breach that impacted over 145 million consumers. Consumer personal data including names, addresses, birthdates, social security numbers and in some cases credit card information, was assessed by hackers. The thought of company held in such high regard for protection advocacy having such lax measures in place did not sit well with the millions of angry consumers whose most profound information sat in the hands of complete strangers. One year later, the negative impacts are still being felt despite Equifax’s best efforts to notify and offer free credit monitoring for one year and not requiring disputes to be settled through arbitration to those impacted by the breach (Brown, 2018). These two efforts where created with the intentions of softening the blow of the company failing to properly protect consumer data. However, the major credit bureau is steadily suffering the after effects of their actions. One immediate impact was the 13 percent share drop that ensued after the announcement of the security breach, this in addition to the ongoing lawsuits makes Equifax more aware of readily prepared with some type of risk management plan.

Offer Advice for Improving Risk Management

Risk management is a technique implied by investors or managers to identify, analyze, accept or mitigate the uncertainty of risk involved with a problem, project or investment (“Risk Management”, 2018). In any industry, the best way of dealing with risks and uncertainties is by adopting digital techniques to help them identify and resolve them; the company should work faster in adopting and integrating modern technology into their systems.  Equifax’s scenario, there was a lack of risk planning and integrating modern technological security measures. There should have been a plan in place that would have mitigated the possibility of cyber hackers attempting to gain access to consumer data. Equifax should first apprehend that risk management is one thing that is constantly under review. The company start with a brainstorming session by allowing all key stakeholders/representatives in the company to offer their input on what they feel “could” go wrong. Preparing to handle and manage multiple outcomes in any industry is a challenge, especially in finance. A company that is readily prepared to handle a wide range of issues is one that is more likely to succeed. It is always wise for any company, especially a credit reporting agency, not to assume that the most likely events will occur, but instead prepare to handle varied multiple outcomes irrespective of what they had expected. From here, a team would be organized to analyze and process this information continuously, and meeting together periodically. They would piggy-back off the original risks and possibly explore the ideas of new ones, all to build a detailed list of risk factors. Cultivating their reputation for the extreme scenarios- Equifax would utilize this so that it is in a position of handling different extents of risks and uncertainties. This means that there would be few events that will overcome their abilities, and they can resolve the risks easily (Merlo et al., 2018). The team would be responsible for prioritizing the risks based on probability of occurrence, department affected and solution/outcome. This would be the primary foundation of establishing a risk management plan. From here, the team should discuss measures the company could take to improve its systems.

System Monitoring

Equifax can take steps to improve its IT department and monitor its systems around the clock. This type of monitoring system can provide extra protection for its consumers as well as allow the company to be more diligent of potential fraudulent alerts. This type of monitoring system could also assist in limiting the amount of people who have access to the company’s IT information systems. The cyber breach occurred in 2017 initially due to poor risk management and the fact that an IT systems administrator used an insecure password that did not comply with Equifax’s practices or policies (Kess & Primoff, 2017). Equifax’s choice in IT professionals should always be a priority and align with its mission and values to its company goals and consumers. Equifax could also look to offer a free year’s subscription to an anti-spyware program. This would show that they are transparent in their commitment to providing protection to their consumers at all costs. In addition, the credit reporting agency should be open with its communication about its commitment to prevent future cyberattacks and protect consumer data. The credit reporting agency should also have programs in place to certify that consumer information stays encrypted and protected throughout the duration of the entry and transfer and information processing process. This encryption software is just another means of protecting sensitive consumer data and mitigating risk.

Audits

In any company it is imperative to ensure that the people who are working the closest the data are not the ones stealing it. Equifax should schedule periodic audits to prevent internal fraud. Internal audits as well as external audits would be performed randomly several times a year to follow up on claims and check to safeguard that consumers information is protected, and employees are following proper procedures when handling sensitive information.

Examine an Adverse Selection Problem your Company is facing and recommend how it should Minimise its Negative Impact on Transactions

Adverse selection is when one party has information on some aspect of product quality that the other party does not, or vice versa (“adverse selection”, 2018). An adverse selection problem Equifax is facing is internet security. The company can minimize its negative impact on transactions by improving its compliance protocol and by using techniques to protect customer information such as creating challenging passwords and updating codes. Moreover, Equifax should also utilize the U.S. Department of Commerce’s National Institute of Standards and Technology list of several cyber security resources. This program has an upcoming event in March 2019 on the Threshold Cryptography. This session will cover he implementation of cryptography primitives, security criteria, and intrusion tolerant systems (National Institute, 2018). Equifax could use these cyber security resources to build its system and assist in minimizing its negative impact on transactions.

Determine the ways your Company is dealing with the Moral Hazard Problem and suggest best practices used in the Industry to deal with it

A moral hazard is defined as having the opportunity to take advantage of a situation and risks that someone else will pay for (Pritchard, 2018). Equifax encounters moral hazards in its company by offering its consumers free copies of their credit report, or by giving them the option of placing security freezes or locks on their credit files. Equifax assumes the risk along with the user that nothing bad will happen, however, as proven with the cyberattack, things did happen, and it has proven to be a costly fix on the side of Equifax. The company has taken the initial steps its needed to inform and modify the situation by issuing mailed contact about to those affected and offering free monitoring services. Equifax should also seek to provide an ongoing commitment in improving cyber security in addition to providing consumers with a lifelong assurance if they are ever negatively affected by a breach of Equifax’s doing. Ultimately the best practices that Equifax can implement are enhancing all security measures, updating technological and ensuring that management is up to speed on key changes and enhancements that are necessary to maintain a reputable and positive status. There are potential gains from monitoring when the agent is both effort-averse and risk-averse.

Identify a Principal-Agent Problem in your Company and Evaluate the Tools it uses to align Incentives and Improve Profitability

The principal-agent problem occurs when one person (the agent) makes decisions on behalf of another (principal) but fail to account for the principal’s best interests (Agarwal, 2018). Equifax (the agent) failed to provide the courteous attentiveness into protecting consumer (the principal) information. The absence of security software has led to unethical actions on the behalf of external hackers, severely effecting the lives of millions. Equifax initially found fault within itself and took responsibility for what happened. Going forward the tools the credit agency can use to align incentives and improve profitability are attempting to regain the trust of its affected consumers, shareholders and investors; increase market share and popularity with products that they sell for profit (credit services, decision analytics, marketing and consumer marketing). Tools that can be used to align the incentives and improve profitability include:

• Limiting the number of measures, you compensate for.
• Setting reasonable targets for your measures.
• Ensuring you have a control system in place.
• Avoiding measures that can be gamed.
•  Considering a trigger mechanism for funding incentives.

Credit bureaus make a profit by selling products. These products include bulk lists sold to banks, credit card companies and employers, fraud protection and monitoring services offered to consumers, and fees affixed to offers of freezing and unfreezing consumer credit files (Sweet, 2017). To improve profitability, Equifax must persuade consumers to purchase these services to make them feel safe.

Examine the Organisational Structure of your Company and Suggest ways it can be changed to Improve the Overall Profitability

Equifax’s current organizational structure is centralized and hierarchy. The company could possibly investigate adjusting their organizational structure by integrating Business Security Information Officers (BISO’s). The BISO’s would have an engaging presence throughout the company, and with their increased visibility, help to develop trusting relationships and warn off the idea of fraudulent activity while keeping security on high alert (Fazzini, 2018). The BISO would report directly to the security organization, that in turn, would report to Equifax’s regional office. Other methods the credit reporting agency can use to adjust its organizational structure are to:

1. Organise the Structure by Function

Looking at the various functions that the company has and create an organizational chart to ensure each one is properly staffed.  Even if Equifax is using contractors for some of these functions, someone in the company is still in charge of hiring these contractors and should have those organizational responsibilities (Pedersen et al., 2018).

2. Combine Organisational Functions When Possible

Many small companies give multiple responsibilities to different departments or function heads to save money, especially if the function only requires part-time attention, but a major company such as Equifax can do the same too. It’s a cost-effective measure that helps save money, manpower and resources.

3. Communicate Organisational Structure to Those Who Need to Know

Equifax should have a meeting to explain the reason it decided to have the structure it has. The same is true when it decides to make changes to its organizational structure. The company should be prepared to explain how it will benefit the company, who reports to whom, provide any necessary grievance procedures, and answer any questions. Changing an organizational structure of a company can open lines of communication and eliminate nonsense that could have been clouding judgements and delaying decisions. Equifax has had to endure the challenges associated with taking risks and currently has a long road of recovery ahead. To overcome and profit from these setbacks, Equifax understands the concepts of building trust and gaining market share. Consumers must want your what you are selling and if they do not trust it, they will not waste their time or money on it. The credit reporting agency may persevere, but its going to take time, placidity and adjustment before they reach that result of being the nations most reputable credit reporting agency.

References

• “Adverse Selection”. (2018). Investopedia. Retrieved from: https://www.investopedia.com/terms/a/adverseselection.asp
• Brown, M. (2018, October 29). One Year Later: The Impact of Equifax’s Data Breach. Retrieved from: https://tdwi.org/articles/2018/10/29/biz-all-impact-of-equifax-data-breach.aspx
• Equifax. (2018). Retrieved from: https://www.equifax.com/about-equifax/
• Fazzini, K. (2018, March 19). New Equifax CISO Tightens Structure Post-Breach. Retrieved from http://webreprints.djreprints.com/54676.html
• Kennedy, M. (2017, September 21). After Massive Data Breach, Equifax Directed Customers to Fake Site. National Public radio, Inc. Retrieved from: https://www.npr.org/sections/thetwo-way/2017/09/21/552681357/after-massive-data-breach-equifax-directed-customers-to-fake-site
• Kess, S. & Primoff, W. (2017, December). The Equifax Data Breach: What CPA’s and Firms Need to Know Now. The CPA Journal. Retrieved from https://www.cpajournal.com/2017/12/15/equifax-data-breach/
• Merlo, O., Eisingerich, A., Auh, S., &Levstek, J. (2018). The benefits and implementation of performance transparency: The why and how of letting your customers ‘see through ‘your business. Business Horizons, 61(1), 73-84.
• National Institute of Standards and Technology (2018). U.S. Department of Commerce. Retrieved from: https://csrc.nist.gov/Events/2019/NTCW19
• Pedersen, E. R. G., Gods, W., &Hvass, K. K. (2018). Exploring the relationship between business model innovation, corporate sustainability, and organizational values within the fashion industry. Journal of Business Ethics, 149(2), 267-284.
• Pritchard, J. (2018, May 29). Moral Hazard: Definition and Examples. The Balance. Retrieved from: https://www.thebalance.com/moral-hazard-what-it-is-and-how-it-works-315515
• “Risk Management”. (2018) Investopedia. Retrieved from: https://www.investopedia.com/terms/r/riskmanagement.asp
• Sweet, K. (2017, October 6). Equifax Makes Money by Knowing a Lot About You. Retrieved from: https://www.usatoday.com/story/money/personalfinance/2017/10/06/equifax-makes-money-knowing-lot-you/738824001/