Roger Vozar

Business owners understand the need to go to dentists to get their teeth cleaned and to mechanics for car repairs, yet they attempt to manage their employees internally instead of getting help.

“Managing the business of employment requires a completely different discipline and skill set from what is needed for the core business activity,” says William F. Hutter, CEO of Sequent. “Just because you are in the business of making widgets doesn’t mean you understand what it takes to be an employer in today’s environment. Rules and regulations relative to being an employer have changed a lot during the past 10 years.”

Smart Business spoke to Hutter about government regulations, employee retaliation and other issues involved with the business of managing people.

Why should companies pay more attention to employee management?

So many companies spend time on their communications budget for things like high-speed Internet and phones; that’s an insignificant portion of the total budget. For service companies, people represent 40 to 70 percent of the total cost of operations. It’s such a big segment, but no one seems to approach it appropriately because it requires a separate discipline. Issues relating to employees have a risk tail — it’s a contingent liability that can last three to five years after an event occurs. How many companies really know how to manage that liability? Small to midsize businesses don’t have the resources or expertise to do that and protect their biggest asset, which is their company.

What is involved in employee management?

There are common responsibilities that come with being an employer — compliance, wage and hour, health care reform, retirement plan fiduciary liability, workers’ compensation management, proper forms, reporting, employee file maintenance, etc. In professional practices, there are also issues regarding licenses, accreditations and certification; those are business drivers that contribute to your business success.

The hiring process, however, has nothing to do with what you’re passionate about and the business you opened; the business drivers for your specific discipline. Each new piece of legislation, each government-required form, each legal precedent set because of a lawsuit filed by an employee begins to change how you need to think about managing the business of employment.

In 2010 and 2011, retaliation charges became the most frequent complaints filed with the Equal Employment Opportunity Commission, surpassing race discrimination. An employee filed a complaint of some sort — harassment, hostile work environment — and then was terminated and filed a claim of retaliation. That retaliation claim is pursued by the government at no cost to the former employee. And 41 percent of all federal discrimination claims are charged against companies with 15 to 100 employees.

One of the newest areas for claims is in absenteeism and attendance. The Department of Labor has developed a free app employees can download to their smartphones and keep track of hours worked to see if they’re due overtime pay, which in essence is wage and hour enforcement at the employee level.

What can companies do to prevent claims?

Make sure employees are properly classified as exempt or nonexempt under wage and hour law. For example, to be exempt you must have hire or fire authority, supervise two or more people and be able to affect company policy. Not all professionals are exempt; it depends on the actual job task. For computer programmers, they have to be paid 6.5 times minimum wage per hour to be considered exempt. But fruit and produce delivery truck drivers are exempt because they are involved in interstate commerce.

Most companies don’t want to keep track of time because it requires monitoring by managers. But it’s a major liability and all it takes is one complaint to create problems.

Think about how to keep track of hours and reporting requirements of health care reform and look-back periods, or just one required form, the I-9 — there are 40 different fines that can be levied for that form alone. This shift in focus toward compliance and away from innovation has great cost to the business. That’s a cost of doing business and you need to move those tasks elsewhere because you never get that opportunity back.

William F. Hutter is the CEO of Sequent. Reach him at (888) 456-3627 or




Insights HR Outsourcing is brought to you by Sequent



Data breaches are becoming more commonplace, causing millions of dollars in damages for companies that have personally identifiable information (PII) hacked by cybercriminals.

“Think about all of the losses you can incur. Not only do you have to hire a security expert to find what happened, you may be assessed fines or penalties by the merchant’s acquiring bank or payment card brand. In addition, you could be responsible for credit card charges made by the criminals and lose business because no one trusts you anymore,” says William M. Goddard, CPCU, principal, Insurance Advisory Services at Brown Smith Wallace.

Smart Business spoke with Goddard and Lawrence J. Newell, CISA, CISM, QSA, CBRM, security and privacy manager, about protecting companies from cybercrime.

How do cybercriminals access networks?  

One typical method is spear phishing. Unlike traditional phishing attempts, which are fraudulent emails sent at random claiming to be from a reputable organization like a bank or eBay, spear phishing emails are sent to targeted employees or customers of a company.

The email appears to be coming from the company and requests that the recipient click on a link, which then goes to a fraudulent website. They may ask for personal information or they may launch a virus they’ll use to get into your network.

If you click on the link, it launches a program in the background that goes onto your workstation and canvasses the network for other vulnerabilities. The program collects data, whether that’s credit card information or other PII, and uploads it to the cybercriminal.

How can you reduce cyberattack risk?

The first thing to do is develop an information security policy, document it and disseminate it throughout the organization.

Other protective measures are:

  • Conduct an inventory of authorized devices on your network. Guests can come into your place of business with a laptop and leave a device on your network that goes undetected. That device could have Trojan horses or viruses that, when executed, plant a program on your network.
  • List an inventory of software allowed to run on workstations or servers. That helps when looking for rogue programs or software installations.
  • Install an anti-virus program to detect malware. Anti-virus protection also needs to be maintained and updated for the latest definitions.
  • Run vulnerability and penetration tests on servers and networking equipment to make sure you don’t have unnecessary services running that could lead to a vulnerability and potential unauthorized access.
  • Prevent data loss by running programs to detect outbound calls or connectivity to remote sites that are not authorized to receive data output.
  • Create security awareness within your company to ensure that people who have access to information are not sharing anything that is confidential or private.
  • Develop an incident response plan to react to a breach and quarantine activity before it spreads throughout the network.

Companies think they’re protected because they are compliant with some standard such as PCI, but that’s no guarantee their systems will not be compromised. Your security program needs to go beyond PCI and focus on more than credit card information. Cybercriminals go after the easiest target along with whatever PII is available that has value. For instance, not-for-profit organizations may have names, addresses and checks with banking information; all of that information is valuable to somebody. For similar reasons, credit cards are often targeted because they’re so widespread and it’s the easiest information to sell.

What can companies do to protect against losses if they are hacked?

A variety of insurance policies cover things like the cost of fines, notification that PII has been compromised, liability and business interruption. All cyber policies are slightly different, and you have to be careful to buy the right coverage.

Businesses are smart enough to buy fire insurance in case a building burns down. Cyberattacks can be just as damaging, depending upon what happens and what information has been compromised.

William M. Goddard, CPCU, is principal, Insurance Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1253 or

Lawrence J. Newell, CISA, CISM, QSA, CBRM, is manager, Risk Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1218 or


Insights Accounting is brought to you by Brown Smith Wallace

Annual physicals can lead to early detection of serious health problems and set a course for better outcomes. Companies need to take the same mindset concerning HR and benefits compliance audits, says Meghann Guentensberger, Director of HR Services at Benefitdecisions, Inc.

“Don’t wait until something ‘hurts’ to try to figure out how to respond,” she says. “It’s better to know ahead of time so you’re protected if there is a disgruntled employee who files a complaint.”

Smart Business spoke with Guentensberger about HR and the benefits of compliance audits.

What areas are covered by HR and benefits compliance?

Compliance is two-pronged: There is the benefit piece, which encompasses the Employee Retirement Income Security Act (ERISA), Health Insurance Portability and Accountability Act (HIPAA), COBRA, etc. There is also the HR side, which deals with regulatory compliance such as federally mandated forms and notice postings, and making sure an organization has proper procedures in place to address and resolve discrimination issues and complaints.

Many companies fall short on compliance with the Fair Labor Standards Act regarding employee classification — whether employees are exempt or nonexempt, or are a contractor or employee. There are best practices and risk management considerations such as having all I-9 employment eligibility verification forms filled out correctly and filed separately. The penalty can range from $1,000 to $10,000 for a form that is incorrectly completed. Employers also must ensure that any protected health information documentation is not co-mingled with other employee-related documentation in the employee personnel files.

What is involved in a benefits and compliance audit?

There are three steps — discovery, evaluation, and assessment and recommendation. In discovery, you determine which areas may present the most risk. A third party conducting an audit will interview HR employees, evaluating practices and processes to determine if they are in compliance with the law.

In the evaluation stage, select policies or a random sampling of employee files are reviewed and compared to standards. This often provides insight into hiring, interviewing and employee relations procedures. Common problem areas include employment applications that contain impermissible questions. This can lead to a claim of discrimination by a candidate who was not hired for a position. Employee handbooks often contain sections that provide unnecessary risks to the employer. An audit can ensure that it provides the same information to all employees.

For the final step, a scorecard is developed that shows risks and potential associated costs of noncompliance, or savings as a result of compliance. The scorecard also identifies areas to improve.

How do you determine an audit’s value?

Some savings derived from audit findings are soft costs, because fines would only be paid if an institution such as the U.S. Department of Labor (DOL) conducts an audit and finds violations.

One of the more significant values of an audit is in showing employees they matter most. Staying compliant shows you’re providing best-in-class service and indicates the moral values of the company. It also can be very powerful when dealing with a complaint from a disgruntled employee.

How often should audits be conducted?

Conduct an audit at least annually, although non-discrimination testing for Section 125 cafeteria benefit plans should be reviewed twice each year.

Many companies establish policies but don’t review them. That’s fine until you have a scenario where a disgruntled employee files a complaint with the DOL.

Regulations change all the time, so you have to stay on top of compliance issues, which can be difficult. Small and midsize businesses would benefit most from hiring an independent third party to perform an audit because you need someone who knows what you don’t know.

Meghann Guentensberger is director of HR Services at Benefitdecisions, Inc. Reach her at (312) 376-0449 or


Insights Employee Benefits is brought to you by Benefitdecisions, Inc.


When screwdrivers were created, they had an obvious use — to turn screws. But over time people started using them as chisels and pry bars, which led to injuries and the addition of warning labels that laid out the proper use of screwdrivers.

What to include on warning labels is tricky. You not only have to warn about the inherent risks of the product from its intended use, but you have to consider the ways it could potentially be misused, says James C. Hyde, a partner at Ropers Majeski Kohn & Bentley PC.

“Most small to midsize businesses think about the need to have instructions and warnings on product labels, but there are topics they need to address that they’re not thinking about or are even aware of,” says Hyde.

Smart Business spoke with Hyde about what should and shouldn’t belong in product warning labels and ways companies can protect themselves from legal judgments.

How do you determine what to address on warning labels?

There’s an obligation to warn about inherent risks associated with the intended use of products and provide instructions on proper use. But companies often don’t understand they have a duty to warn against reasonably foreseeable misuse of the product. Basically, you have to brainstorm scenarios in which people might be injured misusing the product and warn against them.

There is also a duty to warn of potential allergens in your product. That also applies to products that are not ingested. A small business selling hand soap might have an ingredient that could cause an allergic reaction, so there’s an obligation to warn that the product contains the ingredient.

Making this more challenging is the prevalence of companies that sell products they do not manufacture under their own labels. The company might not be aware of all the chemicals used in the manufacturing process. For example, a company was selling exercise mats containing a chemical that required a California Proposition 65 consumer warning label. The company was not the manufacturer and was not aware the chemical was in the finished product, but it was sued for not warning of its presence. The state Office of Environmental Health Hazard Assessment has a website that lists chemicals that require a warning label because they’re considered carcinogens, or could cause birth defects or reproductive harm.

Do you have to warn against obvious dangers, such as coffee being hot?

There is no duty to warn consumers of an obvious danger — those making custom knives do not have to warn that the knives are sharp and may cut the user. The law requires warnings to be effective. But if the warnings become voluminous, consumers won’t read them and they lose their effectiveness.

The famous McDonald’s coffee case seemed pretty obvious on the surface — coffee is hot. But the plaintiff’s argument was that it was served at a temperature that was much hotter than one could drink it at or that one would expect it to be served. This illustrates how broad and very product-specific the issue is and why businesses need to have a well thought out procedure in place for developing use instructions and warnings.

How does a company protect itself?

Before the product goes to market, the company has to evaluate it specifically to determine what use instructions and warnings need to accompany it. The process should include the people involved in developing the idea for the product, as well as the designers and marketers, and engage resources such as industry associations. It’s a good idea to not only document the design and development process of the product but also to document the development of warnings and instructions, too. If sued, it helps to show the jury the process undertaken when developing the warnings. It demonstrates that there was a procedure in place and a comprehensive effort to provide clear and complete warnings including dangers of potential misuses of the product.

Ultimately a jury will decide whether it was reasonably foreseeable that someone was going to use that screwdriver as a chisel.

James C. Hyde is a partner at Ropers Majeski Kohn & Bentley PC. Reach him at (408) 918-4538 or

Insights Legal Affairs is brought to you by Ropers Majeski Kohn & Bentley PC


In business, everyone loves numbers, charts and reliable data points to make decisions. However, when it comes to transforming a company’s most valuable asset, its workforce, many are at a loss for data that drives actionable insights. Small businesses that don’t have direct access to a vast pool of data can still stay on top of developments and save themselves a lot of time, says Liz Brashears, director of Human Capital Consulting at TriNet, Inc.

“An entrepreneur doesn’t get into business to measure data about trends they see in their workforce,” says Brashears. “Businesses need to leverage additional resources to prepare for trends in workforce management and the complexities of health care reform — don’t try to do it all yourself.”

Smart Business spoke with Brashears about workforce management trends and how companies can get ready for the future.

What is meant by workforce management?

Workforce management comprises all activities needed to accomplish work that must be done while effectively utilizing the people who do the work. It covers activities such as payroll processing, benefits, succession planning, managing employee performance and scheduling.

Do workforce management tasks need to be automated?

It’s most effective to have processes automated, but many small and growing businesses handle tasks manually. When you automate components together, you can utilize the data in the workforce management system and learn from it. Information is power and knowing more about payroll, benefits, and work hours helps you see trends and make decisions that impact your business. More importantly, knowing the trends helps you get your business ready for the future.

What are some of the latest trends?

Most trends revolve around technology and an increase in mobile technologies as part of workforce management. Mobile apps are transforming the way companies interact with employees and customers, and how they receive information. Many companies are sitting on a mountain of information; if they have a human resources information system, they are collecting data. But not every system is designed to provide information in a format that’s easily understood. Small and midsize businesses tend to miss that component because they can’t manage it internally — they need to leverage other resources.

One other trend is responding to requirements of the Patient Protection and Affordable Care Act (PPACA). There’s considerable uncertainty and management is going to have to figure out the costs involved to make better decisions about health care, as well as how to stay in compliance. PPACA includes new requirements for benefit summaries and how information is presented to employees. There are also new reporting requirements for employers, and potential tax credits for some, while others may face penalties. In light of these complexities, organizations should leverage expertise, whether it’s through a vendor, a software system or hiring expertise in-house, to cope.

A third trend concerns attracting and retaining top talent. As the economy improves, the top talent that has been waiting on the sidelines the past few years will start looking for new opportunities. In order to prepare, companies first need to address how they manage their own top talent. Company management must convey to their employees how much it values them, whether it’s paying appropriately or developing them, and letting them know they have a future in the organization. In order to attract top outside talent, you need to evolve your company culture and find a way to brand your organization.

Do companies need help addressing these trends or can they be managed in-house?

Finding someone who can help leverage technology to understand how to manage benefits is always helpful. Particularly with the PPACA, small businesses are seeking outside help because the knowledge and expertise isn’t available in-house. Companies prefer to focus on growing their business, so finding a partner or system to accomplish these tasks is often the best solution, as outsourcing HR tasks can free up valuable resources and minimize risk.

Liz Brashears is director of Human Capital Consulting at TriNet, Inc. Reach her at (510) 352-5000 or


Insights Human Resources Outsourcing is brought to you by TriNet, Inc.



Start-up companies in need of financing may not want to dilute ownership by bringing on additional investors. Fortunately, there are nontraditional financing products that can meet the need for capital.

“Revenue-producing start-up companies have options other than equity and one is going down the nontraditional debt financing route,” says Sarah Schmidt, senior vice president in the Capital Finance Division at Bridge Bank.

Smart Business spoke to Schmidt about nontraditional financing methods and how they work.

What nontraditional financing sources are available?

The two primary nontraditional financing sources are purchase order (PO) facilities and accounts receivable (AR) facilities. What makes those facilities attractive is that unlike a traditional bank line that requires low leverage, profitability and positive net worth, you can secure a PO facility or AR facility that is not governed by restrictive covenants. Instead, they focus on the value of the purchase orders and receivables. Leveraging your balance sheet by utilizing a PO or AR financing facility gives you the opportunity to limit your equity needs and, in turn, limit your ownership dilution.

Nontraditional financing facilities are more expensive than a traditional bank line but can provide significant value to owners of a company when they are able to preserve ownership and maintain a flexible access to working capital.

How do these facilities work?

With a PO facility, once a company receives a purchase order from a customer, it sends it to the bank and the bank advances a certain percentage against the purchase order. Once the purchase order converts to a receivable, the bank advances against the receivable at a higher advance rate, repays the PO advance and provides additional working capital to the company.

Invoice by invoice financing traditionally involved the sale of the receivable at a discount, called factoring, but many banks and financial institutions instead lend against specific receivables while maintaining a secured-first priority position in the asset or pool of assets. This arrangement mirrors the structure of a more traditional bank line of credit, but manages the repayment risk by increasing the collateral monitoring and controls.

The mechanics of the facility are quite basic: When a company issues an invoice to its customer for the delivery of goods or completion of services, etc., and it has an invoice financing facility, the invoice, along with the backup information evidencing fulfillment, is sent to the bank. The advance is processed after completing the necessary due diligence on the invoice and customer. The bank is less concerned with financial covenant compliance in this scenario and is, instead, focusing on the strength of the company’s collateral.

Are these nontraditional financing methods particularly geared toward start-ups?

Most start-ups can’t qualify for traditional financing because of a lack of historic profitability, high leverage, an unproven business model and/or limited repayment sources — cash flows, outside assets of guarantors, etc. Since many entrepreneurs invest their nest egg into their companies, their personal guarantees don’t typically evidence significant outside net worth.

Depending on how much equity they’ve raised compared with cumulative net income (losses), they may report a negative net worth, which limits their ability to meet minimum leverage requirements. Companies with zero to $20 million in revenue often have trouble meeting financial covenant requirements for traditional bank financing. Their only other options might be really expensive mezzanine or venture debt, which they may not be able to secure, or selling equity in the company by bringing on new investors.

While strategic investors can help to take your company to the next level through key relationships, industry experience and general business acumen, nontraditional financing can be a great option to leverage a growing balance sheet and limit ongoing equity dilution.

Sarah Schmidt is senior vice president, Capital Finance Division, at Bridge Bank. Reach her at (415) 508-2501 or


Insights Banking & Finance is brought to you by Bridge Bank


A global economy means product manufacturers should take a broader perspective when addressing issues related to product liability.

“They have always had to worry about warnings and product defect issues, but now with a global economy and the Internet, they need to be worried about not only federal and state laws and regulations but also international concerns in countries where their products may be advertised and purchased,” says Lawrence Borys, a partner at Ropers Majeski Kohn & Bentley PC.

“The changing world has expanded the concerns of businesses. Whereas previously manufacturers worried about design and quality control, warranty issues, or their warnings or labels, they often did so from a more provincial perspective. They now need to look at things from a much more global point of view,” Borys says.

Smart Business spoke with Borys about product liability and how businesses can protect themselves from legal judgments.

How has the Internet changed the product liability landscape?

Typically, product liability cases involved whether the product had a design or manufacturing defect, or the nature of the warning label or instructions on how to use the product. Because so much information is available on the Internet, manufacturers and sellers need to be careful about what representations are made online. Online sales raise a concern for manufacturers that simply didn’t exist 30 years ago. There needs to be a balance between marketing and selling a product versus the representations being made. The Internet is so prevalent that in many product liability cases there is an allegation or contention that raises an issue about what was represented online.

How can companies limit product liability?

Whether in product design, manufacturing, marketing or sales, work closely with your staff, experienced counsel and risk management professionals, including insurance representatives. No matter how careful you are, almost by definition success will lead to a greater probability of a product liability lawsuit with more products on the market. Working with strategic advisers reduces the likelihood that an isolated case will impact a successful business.

What types of insurance are available?

Traditionally, businesses get general liability insurance and some type of product liability coverage, but there are newer, advanced products such as patent infringement coverage and cyber liability to protect against hacking. Product recalls, once rare, have become more common, so there also is product recall insurance.

Does documenting the development process help when defending a lawsuit?

Record keeping and documenting how you addressed concerns is important when defending a product. California has separate product liability areas — there is a negligence aspect, which is focused on whether you acted as a reasonable manufacturer. Records of what was done to make the product safe are critical in the analysis of whether you acted reasonably in the process or recklessly in putting a product out into the marketplace. The other area of product liability, whether the product contains a defect, usually focuses on if the product functions the way most consumers think it would. Again, good record keeping is essential to show you considered foreseeable and anticipated uses.

It’s been said that you can manufacture the most effective mousetrap in the world, but that’s just a start. You have to determine whether your product may have violated patent or other forms of intellectual property protection, here and abroad; how to ensure every subsequent mousetrap gets built the same way as that first one; how you’re going to market and sell it; what your website will say; and how you want to label it with warnings provided on how to use the mousetrap. And you need to do all of that remembering that you may have to defend your product in a much broader geographic area than anticipated. Good documentation will help in every jurisdiction.

Also, if you’re going to sell your product online, either directly or through an intermediary, you have the same concerns, as well as ones related to the specifics of many jurisdictions. Working with your in-house team and legal and insurance consultants, you might not be able to stop product liability exposure, but you can help limit it.

Lawrence Borys is a partner at Ropers Majeski Kohn & Bentley PC. Reach him at (213) 312-2026 or

Insights Legal Affairs is brought to you by Ropers Majeski Kohn & Bentley PC


U.S. Marine Corps Capt. Juan E. Rose III lets his military experience provide perspective when considering the task of balancing work, school and family life.

Rose is a student in the Executive MBA program at the UCLA Anderson School of Management, and his leadership qualities earned him a John Wooden Global Leadership Award Fellowship. At the award ceremony, he was asked how he manages his busy schedule.

“When I met Pepsi CEO Indra Nooyi, she said, ‘You’re a Marine on active duty in San Diego, you go to an Executive MBA program in Los Angeles and you have a family in Murrieta, Calif. How do you do this?’ I commute 40,000 miles a year and I’m working hard and learning every single minute. But my Marines and I are not getting shot at, so it’s OK,” Rose says.

Smart Business spoke with Rose about the MBA program and how it’s helped prepare him for entering the business world when he leaves military service.

Why did you enter the MBA program?

After 10 years of active duty, I’m looking to transition to the private sector and I’m using the MBA program to couple the leadership experience I have with more technical knowledge.

I’m a financial management officer in the Marine Corps; however, finance in the private sector is for-profit, levering debt, and managing, maintaining and acquiring assets. As a government-certified defense financial manager (CDFM), I’m more preoccupied with safeguarding and disbursing public funds, while accomplishing the mission with minimal resources. Profit is never a conversation we have.

How does the profit motive change things?

Profit stresses people in completely different ways. I’ve been afforded the opportunity to work as a consultant recently, and I’ve been working with a couple of clients as a student. I am learning every day that people manage risk in order to maximize profit; Marines manage risk in order to save lives. It still seems to me that if you focus on your employees — an invaluable asset — while managing risk, profit maximization will be a result.

To me, profit just changes the perspective. When you’re managing life or death situations, losing money is not as important. As a leader you can then focus on learning from the mistakes to ensure you and your team don’t allow that to happen again. The complexity of defense financial management in the military comes from the environment and the mission, not the application of financial assets.

When you start using debt and trying to maximize profit at all costs, there are a lot of strategies and different ways to do that. That’s what I am trying to obtain from the MBA program and so far it’s exceeding all of my initial expectations.

What type of job will you seek after graduation?

I’m leaning toward management consulting. It will give me the opportunity to work in teams and continue to learn about industry as a whole in several different arenas.

It’s important for me to bring value to a company that values its people and affords them the opportunity to be intellectually challenged. My No. 1 priority is to work in a company that gives back somehow.

My long-term goal is to be a professor and to continue to coach, mentor and inspire people. The most important part of what I’ve accomplished over the past 10 years is coaching, mentoring and inspiring Marines to exceed their own expectations.

I look at some of our professors who sacrifice and take time to do that for us. They are able to manage their professional aspirations and personal lives, while also continuing to educate us. That’s what I’m passionate about — paying forward what was done for me.

Juan E. Rose III is an MBA candidate at UCLA Anderson School of Management. Reach him at (760) 458-7408 or

Insights Executive Education is brought to you by UCLA Anderson School of Management


Wednesday, 01 May 2013 08:40

How to manage third-party risk

Failure to assess and plan for risks associated with third parties can be costly. Of the more than 250 executives surveyed by CFO Research Services, 75 percent were harmed by action or inaction of a third party, resulting in financial loss, supply chain issues and data breaches.

“Companies initially think about risks with high-cost providers. But they may have a $10,000 contract with a small marketing or advertising firm that fails to adequately protect their customer information. Their servers get hacked and experience a breach that in turn raises concerns with their customers and brings reputational and financial risk and penalties,” says Jim Stempak, principal at Crowe Horwath LLP.

Smart Business spoke with Stempak about assessing third-party risk and solutions to limit exposure.

What poses third-party management risks?

Relationships that drive the most risks are:

  • Service providers — processing, accounting, computer services, IT, service centers, advertising and marketing, leasing, legal and collections.

  • Supply-side partners — production outsourcing, research and development, material supplies and vendors, and software development providers.

  • Demand-side partners — customers, distributors, franchises and original-equipment manufacturers.

  • Other relationships — alliances, consortiums, joint ventures and investments.

The Japanese tsunami and Hurricane Sandy illustrated this. If something happens to a single-sourced company, what’s the impact on suppliers or business partners?

What are some gaps that expose risk?

A ChainLink Research study found that 70 percent of organizations reported no resilience and risk mitigation standards for service providers. It also noted that risk assessment often focuses on the easiest risks to quantify, such as financial viability and business continuity plans.

With supply-side partners, vendor risk assessments are hampered by a lack of good data and poor visibility into contractor use.

How often should companies conduct risk assessments of third parties?

Risk assessments should be done at least annually for all vendor relationships that are high risk. Those with moderate or low risk can be done on a rotational basis.

In determining high-risk relationships, consider the financial risk penalty if a supplier has a breach. Another risk is reputational, such as a third party compromising private health information found in hospital records. Other high-risk areas are protection of systems and data, and reliability or continuity of operations. Are there contingency plans if a vendor faces a natural disaster or labor strike?

Many organizations don’t address risk management of third-party relationships until a problem arises. Before that happens, establish ownership for the organization’s third-party risk management framework, and responsibility for review and monitoring of individual relationships.

What other solutions address these risks?

First, establish ownership and buy-in, which requires executive leadership and oversight, with clear goals and objectives. Strengthen the overall relationship with the third party. Then evaluate risks by developing a risk profile of the organization that covers financial, integrity and operational issues. This spurs initiatives to audit, inspect, benchmark performance and costs, verify, and gain assurance or attestation.

A third-party risk management program should have:

  • Risk measurement and monitoring.

  • Performance measurement and monitoring.

  • Incident tracking.

  • Evaluation of the value received from the relationship.

This information guides decisions about when and whether to renegotiate an agreement. Success depends on customizing the assessment to the relationship, using automation to streamline the process, and analyzing trends of incidents.

In the CFO Research Services study, less than half of companies had a formal process for assessing and managing third-party risks, and 97 percent said at least one aspect of their third-party risk management should be improved. Businesses do their due diligence when entering contracts but tend to take their eyes off of it once a contract is signed.

Jim Stempak is a principal at Crowe Horwath LLP. Reach him at (214) 777-5203 or


Website: Learn more about third-party risk management with a webinar, podcast, white papers and more.


Insights Accounting is brought to you by Crowe Horwath LLP

Monday, 01 April 2013 08:37

How to create a happy workplace

Business leaders understand the value of employee engagement, yet many have been slow to implement plans within their organizations.

“It’s interesting that 75 percent of leaders have no engagement strategy, even though 90 percent say it has a positive impact on business success. So while they think it’s important, they’re not actively engaged in effecting change. I think they don’t fully understand the impact it can make on the bottom line,” says Beth Thomas, executive vice president and managing director of consulting services at Sequent.

She says employee engagement is about creating an environment where employees understand the company’s values and what is expected of them, and are committed and dedicated to their work.

“Employee engagement is probably the biggest reason why companies are successful. Engaged employees generate 40 percent more revenues than disengaged ones and are 87 percent less likely to leave an organization,” says Thomas.

Smart Business spoke with Thomas about ways to boost employee engagement and the impact it can have on an organization.

What can companies do to foster employee engagement?

There are five keys to creating conditions for thriving, engaged employees:

  • Empowering employees. No one wants to be micro-managed; they want to feel that what they bring to the table is valued. They were hired for a reason — let them do that job.

  • Sharing information. People get anxious and disconnected when there are a lot of closed-door leadership meetings. Create a connection by bringing employees into the growth of the company with quarterly or town hall meetings.

  • Minimizing toxic behavior and negative feedback. Hire the right talent that will fit the culture and bring positivity. Then hold employees accountable to the values and expectations of the organization.

  • Offering performance feedback. Everyone wants to know how he or she is doing, and it shouldn’t be just once a year. Empower them and let them know they’re in charge of their careers, and can move forward if they are motivated and dedicated.

  • Appreciating employee value through reward and recognition. Have an employee of the month award and profile that person because people will want to emulate what they are doing. Make it very clear what is needed in order to be successful and profile those behaviors, characteristics and performance standards so everyone knows what is valued. That includes recognizing all the qualities that are valued; it doesn’t have to be based on the same performance. An employee might not be a high-powered salesperson bringing in six-figure deals every month, but might be the most positive person in the office and contribute to the organization’s culture.

Does employee engagement start with the hiring process?

Absolutely. When you are hiring people, it’s just as important to assess their ‘soft skills’ as their knowledge, skills and abilities. It’s more difficult to train people to be team players. Having the personality to go above and beyond to meet a customer’s needs or to be a trusted adviser is a soft skill that is largely innate and takes a lifetime to build. It’s important to evaluate those qualities to ensure they match the organization’s culture beyond the skills they bring.

Is it the workplace culture that promotes engagement?

Yes, it’s about the culture, but also all the employees and the leaders. It’s important for employees to ‘hang with the gang that gets it’ — those people at work who are successful — steal shamelessly and emulate what they do. Conversely, when employees hang with the people who are negative and contribute to toxic behavior, leadership sees them as being one of them, even if they’re not participating in those activities.

Engagement goes hand in hand with happiness. In a work context, happiness is about finding what in your career makes you happy. While it may sound trite, happiness leads to engagement in your work, which motivates you to give 110 percent or more discretionary effort. This is what contributes to business success, not only boosting your own career but at the same time increasing the company’s bottom line. Who wouldn’t want that?

Beth Thomas is an executive vice president, managing director of Consulting Services and author of “Powered By Happy” at Sequent. Reach her at


Event: Get your company “Powered by Happy” with the employee engagement workshop.


Insights HR Outsourcing is brought to you by Sequent