The case for CSR/ Sustainability Reporting Done Responsibly


IDENTIFY - MEASURE - MANAGE - CHANGE

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.



Case study: How BMO promotes customer data security and privacy


Established in 1817, BMO Financial Group is a highly diversified financial services provider based in North America, providing a broad range of personal and commercial banking, wealth management and investment banking products and services. BMO is committed to respecting and protecting the privacy and confidentiality of its customers’ personal information, and to letting them know how BMO collects and uses that information.

This case study is based on the 2018 Environmental, Social and Governance Report by BMO published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

BMO actively invests in its people, technology and processes to improve its ability to prevent, detect, manage and respond to information security threats. In order to promote customer data security and privacy BMO took action to:

  • evaluate the effectiveness of key controls
  • implement a Privacy Code
  • assess and monitor privacy risks

What are the material issues the company has identified?

In its 2018 Environmental, Social and Governance Report BMO identified a range of material issues, such as business conduct, corporate governance, diversity and inclusion, employee engagement, talent attraction and retention. Among these, promoting customer data security and privacy stands out as a key material issue for BMO.

Stakeholder engagement in accordance with the GRI Standards

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups BMO engages with:

Stakeholder Group: Customers
Method of engagement:
  • Advisory panels
  • Complaints management process (e.g., BMO’s Ombudsman Office)
  • Customer experience surveys
  • Dedicated mailboxes
  • Focus groups
  • Meetings, phone calls and email correspondence
  • Social media
  • Stakeholder ESG surveys

Stakeholder Group: Employees
Method of engagement:
  • Dedicated mailboxes
  • Enterprise Resource Groups
  • Internal grievance mechanisms
  • Senior leader internal blogs
  • Stakeholder ESG surveys
  • Surveys (ad hoc surveys, annual employee survey)
  • Team meetings
  • Town halls

Stakeholder Group: Shareholder and Investor Community
Method of engagement:
  • Annual meeting
  • Disclosure of interim and annual financial results
  • Investor conferences
  • Investor Relations website
  • Management proxy circular
  • Meetings, phone calls and email correspondence
  • Quarterly conference calls
  • Stakeholder ESG surveys
  • Shareholder and Investor dialogue

Stakeholder Group: Government and Regulators
Method of engagement:
  • Meetings, phone calls and email correspondence
  • Regulatory submissions

Stakeholder Group: Civil Society
Method of engagement:
  • Interviews
  • Meetings, phone calls and email correspondence
  • Questionnaires
  • Research papers (on key issues for BMO’s industry)
  • Stakeholder ESG surveys
  • Surveys (on key issues for BMO’s organisation)

How stakeholder engagement was used to identify material issues

To identify and prioritise material topics BMO surveyed over 3,300 individuals – a representative sampling of employees, customers, investors, communities/civil society organisations (CSO) and BMO leaders in North America, Europe and Asia – to find out how they rated potential material topics on a four-point scale.

What actions were taken by BMO to promote customer data security and privacy?

In its 2018 Environmental, Social and Governance Report BMO reports that it took the following actions for promoting customer data security and privacy:

  • Evaluating the effectiveness of key controls
    To maintain its resilience in the face of cyber-attacks, BMO routinely evaluates the effectiveness of key controls through testing, reviewing best practices and benchmarking. In these evaluations, BMO refers to the ISO 27001 information security management standard and the U.S. National Institute of Standards and Technology cyber security framework. BMO also works with cyber security experts and suppliers to improve controls, strengthen internal resources and enhance its technological capabilities. BMO’s enterprise-wide information security programme sets out requirements for carrying out mandatory annual information security and privacy training for employees, complying with relevant regulations and reporting information security issues to management and the Board.
  • Implementing a Privacy Code
    In Canada, BMO’s Privacy Code outlines its commitment to its customers and the 10 key privacy principles BMO embraces. The Code also outlines the channels through which BMO’s customers can make and escalate privacy complaints. In other jurisdictions, BMO complies with all local requirements for providing mechanisms to raise privacy concerns. Additionally, BMO’s Privacy Office oversees a privacy risk governance programme, which sets out BMO’s policies and procedures for identifying, measuring, managing, mitigating and reporting privacy risk. All incidents involving suspected or actual breaches of privacy must be reported to the Privacy Office, which then manages BMO’s response to these incidents.
  • Assessing and monitoring privacy risks
    Privacy risk is assessed and monitored in BMO’s supplier management and enterprise compliance programme. The Privacy Office has a data-driven reporting system that tracks key metrics. The Office reports quarterly to the Audit and Conduct Review Committee of the Board of the Bank, and to the Audit Committee of BFC. It also provides reports on privacy issues to all BMO’s operating groups and corporate support areas, to help them understand their state of readiness for protecting privacy and to identify opportunities for improvement. In addition, to provide another layer of security for online banking customers, BMO invited them to download third-party software from its website that helps protect information against malware and fraudulent activity. When prompted through an online marketing campaign, 61,755 customers downloaded the software. In March 2018, during Fraud Awareness Month, BMO also posted a video about phishing on the Security Centre page of its website that attracted nearly 163,500 views, with 6,891 visitors viewing the complete video.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:



References:

1) This case study is based on published information by BMO, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please refer to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) https://www.globalreporting.org/standards/gri-standards-download-center/

Note to BMO: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.