The document profiles Suzanne Hartin as an expert in risk management who has worked for major financial institutions. It outlines her GEAR framework for managing risk, which consists of four steps - Gather by inventorying relevant risks, Evaluate risks by understanding their likelihood and impact, Address risks by deciding whether to eliminate, reduce, or accept them, and Report risk information to the right people at the right times. The document provides details on each step and suggests how they can be implemented.

1. Don’t Overthink Risk Management
Suzanne Hartin
March 2016

2. 2Suzanne Hartin © 2016. All Rights Reserved.
Suzanne Hartin
Recognized Leader in Risk Management
As a senior executive at a top financial services firm, Ms. Hartin is known as an expert
in Enterprise and Operational Risk. Throughout her career she has been accountable
for enterprise level policies, operational management, regulatory compliance, and a
wide variety of risk management activities.
Ms. Hartin has most recently spoken at the Continuity Insights Conference and a Third
Party Risk Management Forum. She has contributed to the development of Community
Bank Board Director Workshops for a major regulatory body and blogs on the topic of
risk management.
Her financial services corporate experience includes Capital One, American Express
and Bank of America, and she sits on the Board of a privately held corporation and a
local non-profit.
With her engaging demeanor and way of translating complex
concepts so they are easy to understand, Ms. Hartin is often
asked to speak on third party risk management, resiliency
and response topics.

3. 3Suzanne Hartin © 2016. All Rights Reserved.
GEAR: Four Critical Steps to Managing Risk
Gather
Report
Address
Evaluate
A strong risk management framework has interlocking processes that
leverage and support each other. To most effectively support company
objectives, these steps must fit together seamlessly.

4. 4Suzanne Hartin © 2016. All Rights Reserved.
Gather: Inventory Relevant Risks
Possible ways to create an inventory
– Scan the external environment
• Applicable regulations
• Newspaper articles about risks in your industry
• Networking with peer companies
– Leverage internal resources and data
• Survey key executives
• Analysis of internal breakdowns and their impacts
Common risks to consider
– Resiliency of technical and business environments
– Third party relationships and services
– Information security
Gather

5. 5Suzanne Hartin © 2016. All Rights Reserved.
Evaluate: Understand the Impact
and Priority of Potential Risks
Step 2
1. For each of the inventoried risks, identify countermeasures in place that reduce either
the likelihood or the impact.
2. After each risk is considered against its countermeasures ,reprioritize the inventory
Evaluate
Step 1
1. Determine likelihood of occurrence for the risks you have
identified
2. Determine the impact of the risks if they should occur
3. Using these two criteria, prioritize this initial list from high to
low inherent risk

6. 6Suzanne Hartin © 2016. All Rights Reserved.
Evaluate, Step 1:
Understand the Impact and Priority of Potential Risks
HighLowMedium
HighMediumLow
Likelihood
Impact
• Determine what high/medium/low means to
you. Is a high likelihood once per year or
once every five or ten years? Is a low impact
$1,000,000 or $10,000,000?
• Consider the inherent risk as though no
countermeasures were in place.
• Those that have some combination of High
and Medium will be the most urgent to
consider further, those with some combination
of Low and Medium will be the least pressing.
• When there is a long list of risks, multiple
items will be in each box and then there will
be a need to determine a more precise
location for each risk in each box – is it higher
or lower in the “high” box, for instance.
• In some cases, it might be more useful to use
a 5-square box, i.e. minimal, low, medium,
high, extreme.
Threats to
data security
Hurricane
threat to Iowa
location
Reputation
risk from
using third
parties
Failure of
network
component

7. 7Suzanne Hartin © 2016. All Rights Reserved.
Evaluate, Step 2:
Understand the Impact and Priority of Potential Risks
HighLowMedium
HighMediumLow
Likelihood
Impact
• For data security, third party and network risk,
countermeasures include:
• A robust information security program
utilizing the latest tools and techniques that
is judged to reduce likelihood but not
impact
• A strong monitoring program for third
parties and their activities on our behalf
which is judged to reduce both potential
likelihood and impact
• Monitoring and redundancy in the network
which is also judged to reduce both
potential likelihood and impact
• There are no countermeasures in place for the
threat of hurricane in Iowa and it is determined
there is no need for any so this risk is accepted
and there is no change.
• In this case, the highest risk is Information
Security, followed by Third Party Risk. These
two might require additional countermeasures if
the remaining risk is above company tolerance.
Threats to
data security
Hurricane
threat to Iowa
location
Reputation
risk from
using third
parties
Failure of
network
component

8. 8Suzanne Hartin © 2016. All Rights Reserved.
Address: Decide What to do About
the Risks You Have Evaluated
Your choices
– Eliminate the risk: stop offering the risky product; move to a less
risky location; stop storing credit card numbers; or whatever it is
that is too risky to do, stop.
– Reduce the risk: if the decision is to continue the business, stay
in the same location , etc, and the current countermeasures
aren’t enough, then design and implement additional ones that
will further reduce the risk
Address
– Accept the risk: if management agrees that the benefit outweighs the risk and all
available countermeasures are already in place, then accept the risk as it is
Making the decision
– It is critical that the decision maker is known and agreed upon and that these decisions
are communicated to all relevant parties

9. 9Suzanne Hartin © 2016. All Rights Reserved.
Report: Share the Data with the
Right People at the Right Times
Right People – know who they are
– Business areas
– Key executives
– Those that need to weigh in on decisions
– Those that need to be informed
– Key committees – executive or risk committees, the Board of Directors
Right Times – what to consider
– More rapidly moving subjects may require weekly or monthly reporting while other items
could be quarterly; consider the cadence of key committee meeting schedules
– Usefulness of conversations at meetings versus email distribution
– Intersection with other reporting such as that done by Internal Audit or report by
regulatory examiners
Report

10. 10Suzanne Hartin © 2016. All Rights Reserved.
Contact Suzanne Hartin
Connect with me on LinkedIn:
• https://www.linkedin.com/in/suzannehartin
Reach out to me for speaking engagements:
• To Boards about Risk Management
• At conferences whether panels or keynotes
• Tailored to specific groups