This article was originally published on Insurance Journal.
The heightened fear and anxiety that COVID-19 is causing people worldwide creates vulnerable targets for hackers.
“We are living in a heightened time of cyber risk. Cyber criminals will take advantage of public fear and due diligence health measures to generate coronavirus-themed phishing attacks. We should be aware of unsolicited COVID-19 emails with specious links or attachments,” says Virginia Tech expert David Simpson.
In addition to scams that prey on people’s fear — the uncertainty and doubt regarding their own health — Simpson explains that the increased utilization of voice, video and data to replace in-person contact will open new threat vectors.
As many organizations shift to remote work environments, Simpson offers the following tips to avoid online scams:
Employees working from home for the first time will potentially use PCs, laptops, tablets, and smartphones that are not protected to the same level as workplace devices. Consider using additional risk reduction measures like document and file encryption, VPNs, regular scanning and other best practices to lower the potential for business intellectual property or financial theft.
The use of company credit cards to replace more rigorous financial office processes can expose business accounts. Employers should work with their banks and credit card companies to reduce exposure and limit potential losses should an ad-hoc process compromise account information.
Time and attendance programs for employees who don’t normally work from home are commonly exploited. Employees want to do the right thing by documenting their time, and think they are doing so, but they can be directed to a false site and ultimately fooled into sharing credentials that incrementally lead to more sensitive accounts.
Increased network traffic from massive telework can lead to network disruptions. Employees attempting workarounds may set up VPNs incorrectly or fail to recognize traffic-redirect attacks. Distributed denial-of-service attacks can not only shut down work functions but can also lead to less secure workarounds.
Companies should take steps to ensure their employees know where to call when suspicious events occur, staff up to handle non-standard helpdesk issues and err on the side of caution for IT environments they have little control over.
Organizations that were used to getting “in-person” permission to do something are now implementing new approval processes that could be susceptible to man-in-the-middle attacks. They should be thinking about multi-factor authentication for newly established ad-hoc practices.
You’ve recognized the need for a risk management system, evaluated vendors’ products, and chosen the system that’s best for your organization. It may seem like the work is done, but there’s still a significant challenge ahead: the implementation of the system.
This step is arguably the most important: failure to smoothly implement a risk management system will make it much harder to achieve success. Before beginning implementation, consider the following advice:
9 Steps to Implementing a Risk Management System
1. Define the end goal before starting
It’s impossible to begin any kind of project without a thorough understanding of where you’re going. Doing so will lead to confusion, frustration, and wasted resources as the team moves in multiple directions at once without any noticeable results.
Since you’ve already gone through the process of selecting a risk management system, you know what issues need to be solved and where the system is needed. Formalize this knowledge by creating a document that defines exactly what your organization needs from the system and how this can be accomplished.
If you’re going to use the risk management system in multiple areas, determine your priorities. These should be the areas with the most issues; highlighting these problems will allow the team to tackle them first.
In addition, define success for your risk management system. Are you aiming for a lower number of claims? Would you like to see a reduction in costs? Should your team reduce time spent on redundant tasks by 50%? Whatever the goal, pre-defining success ensures you can measure the effectiveness of the system through implementation and going forward.
2. Set a timeline
Implementing a risk management system is a complex process. It’s important to understand exactly what is involved and what that means in terms of a timeline. The vendor and your team must find a balance: if an implementation is too quick, something may be missed; if the implementation takes too long, the team may lose faith in the system or become upset with the vendor.
Consider these stages in the implementation process:
- First, the risk management system must be set up. The vendor will need to import historical data and complete any necessary customization.
- The system must be tested to ensure it will work correctly throughout the organization.
- All users must be trained in the proper use of the system.
Project management is key when implementing a risk management system. Determine milestones that can be easily measured throughout the process to keep all stakeholders on track, and consider appointing a project champion who is responsible for seeing the implementation through.
3. Build a relationship with the vendor
In many situations, the internal risk team views the vendor implementation team as external stakeholders who are only present for a few weeks or months. This is the wrong mindset. Risk management vendors have high levels of knowledge, insight, and resources that can help you manage both new and existing risks at any time.
By building a relationship with the vendor, you’ve widened your risk management network and increased the size of your risk management team. This can only benefit you as you seek to achieve your goals with the risk management system.
4. Be open to vendor suggestions
Risk management systems are built a certain way for a reason. Vendors have extensive experience with the needs of organizations much like yours. You should always be open to their suggestions, especially if they’re recommending a particular process.
Many teams fall into the trap of purchasing a risk management system only to use it in exactly the same way as their old system. For example, a team that switches from Excel spreadsheets may continue to manually add and report on data in the system, even when automation is possible. This mistake can be critical: the team continues to poorly utilize resources while extra resources are used to pay for the new system.
To avoid this problem, carefully consider all vendor suggestions on how their risk management system can truly improve your organization.
5. Customize where necessary
While vendor suggestions and knowledge are valuable, sometimes they may not realistically fit into your organization or goals. Some aspects of an out-of-the-box system may not be right for you. In this case, some customization is ideal. For example, consider your organization’s hierarchy, the ideal usage of the system, and your reporting needs. Only you can determine exactly how a risk management system will best fit into these requirements.
6. Be flexible
Adapting to changing circumstances is important when implementing a risk management system. Tasks may take more time than expected, there may be technical difficulties, or an employee may have a particularly hard time during training. You must understand that difficulties like these are bound to happen and typically only involve a small adjustment. Being ready to re-prioritize or modify existing plans allows all stakeholders to feel comfortable through the implementation process, even if not everything goes as planned.
7. Involve users and decision-makers
Another common mistake in the implementation of risk management systems is involving only decision-makers. While executives and top managers may be able to pick the system that best suits organizational goals, they aren’t the ones that will be working inside the system every day.
Involving users from the beginning ensures that the entire risk team is onboard or even excited about the change. They can also provide valuable insight into implementation: they may have needs or desires that decision-makers wouldn’t know about and can reduce complications in the implementation process.
Any significant organizational change is likely to fail without regular and proper communication. When implementing a risk management system, there are two critical communication avenues: the vendor and employees.
No matter how robust their system, vendors cannot read your mind. You must explain your system, timeline, and security requirements as well as how involved you expect them to be in the implementation process. This will keep both teams on the same page and prevent frustrating back-and-forth conversation.
On the employee side, users need to be taught what to expect from the system. In some cases, users may feel that they are being replaced by the system; it is your job to reassure them that the system will actually make their jobs easier and more meaningful by streamlining complicated processes. Tell your employees what will change and how it will impact them individually, and make them aware of these changes well in advance. Educating them on the role they must play in the implementation of the risk management system will simplify the process.
9. Implement in stages
While risk management systems often have extensive functionality, it can be overwhelming for a team to implement it all at once. This is frustrating to employees and can actually lower the chances of system success. Instead, choose the one area that is most in need of the system and start there. This allows the team to gradually become comfortable with the system and then expand their capabilities.
Using one small change as an example of the effectiveness of the system can also help win over resistant employees and prove that the system has value.
Risk management system implementation can seem like a daunting task. Following this advice will put you well on your way towards achieving your risk management goals.
Author: Rebecca Webb
Have you ever been in the room when someone suggested doing scenario analysis? Did you see everyone in the room cringe at the thought?
I have, and I felt pity for the person who made the suggestion.
Most likely, everyone in that room has gone through the endless “what if” scenario analysis that takes 4 or 5 hours and ends without any solid conclusions.
But if done correctly, scenario analysis can be extremely effective in its support of decision-making.
Personally, I prefer to use the term “scenario planning” instead of “scenario analysis” for the simple reason that “scenario analysis” sounds painful and very computer-driven. On the other hand, scenario planning is human-based and sounds like the effort and results will be useful for the participants and the final audience.
At its core, scenario planning is a “creative and structured process to guide deliberate thinking about risk,” as defined by Arie de Geus in his book The Living Company. De Geus, as the corporate planning coordinator at the Royal Dutch/Shell companies, used scenario planning and described its effectiveness in this Harvard Business Review article…from 1988!
So, with all that being said, how can scenario planning support decision-making?
1. Tests and validates assumptions being made as part of the planning process
When corporate planning occurs, whether called strategic planning, annual planning or something else, management believes that a certain set of assumptions will become true. How many times has management stated an assumption as fact? But what if they are wrong?
2. Provides management with the tools to proactively prepare
Risk management activities are supported by scenario planning, which looks at possible events. While most people inherently want to say the most positive event will occur, proactively preparing for events is always better than being reactive. Being proactive rather than reactive is a key difference between traditional risk management and ERM.
3. Encourages innovation
Scenario planning helps people to think outside of their comfort zone, taking next steps to a big innovative moment. Sometimes that innovation is triggered by the proactive preparation. An organization that is constantly innovating is a step ahead of its competitors.
4. Gives the organization a competitive advantage
Being prepared and innovative are two enormous parts of a competitive advantage. What company would not want that?
Management improves its way of making decisions simply by using scenario planning. It will take time for this way of thinking to take hold, but it stands to reap immeasurable benefits in both the short- and long-term.
After all, de Geus believes that scenario planning is the reason there are companies that last for 200 and 300 years. From the same Harvard Business Review article:
Sociologists and psychologists tell us it is pain that makes people and living systems change. And certainly corporations have their share of painful crises, the recent spate of takeovers and takeover threats conspicuously among them. But crisis management—pain management—is a dangerous way to manage for change.
Once in a crisis, everyone in the organization feels the pain. The need for change is clear. The problem is that you usually have little time and few options. The deeper into the crisis you are, the fewer options remain. Crisis management, by necessity, becomes autocratic management. The positive characteristic of a crisis is that the decisions are quick. The other side of that coin is that the implementation is rarely good; many companies fail to survive.
The challenge, therefore, is to recognize and react to environmental change before the pain of a crisis. Not surprisingly, this is what the long-lived companies in our study were so well able to do.
All these companies had a striking capacity to institutionalize change. They never stood still. Moreover, they seemed to recognize that they had internal strengths that could be developed as environmental conditions changed.
Don’t you want your organization to be around for 300+ years? Embedding scenario planning into management’s decision-making processes will help make that happen.
Author: Carol Williams
Source: ERM Insights
Recently, I had the chance to spend some time at Walt Disney World in Orlando, Florida, when I attended the NAMIC conference in February. One session included a presentation by Barry Dillard, director of claims for Walt Disney World, where he shared the company’s approach to handling a wide variety of claims.
I sat down with their vice president of risk management to learn about some of the strategies they employ, and I had the opportunity to tour Walt Disney World itself to peek behind the curtain and see how this massive theme park creates the magic for its guests and cast members while keeping everyone safe.
Believe it or not, the Walt Disney World Resort covers 40 square miles and is twice the size of Manhattan. Within its confines, this world-class attraction employs 75,000 cast members, each of whom plays a critical role in spreading the Disney magic. Their emphasis on safety is both taught and caught, which is especially important when serving the millions of guests who visit the Disney attractions around the world.
The Walt Disney Company is extremely proactive in its risk management strategies. Risk management truly is everyone’s responsibility, not just the realm of those at the corporate level. As is often the case in life, the simplest things can make the biggest difference. Merely walking the parks, hotels, shops, and restaurants can yield valuable information, allowing cast members to identify small issues before they become larger ones. Even in one of the most magical places on earth, reality tends to intrude.
Unexpected risks arise every day and training plays a key role in mitigating them. Hackers are constantly devising new ways to access company information or hold it for ransom. The use of ransomware is expected to increase 350% this year, so being vigilant and backing up data has never been more important.
The number of shooting incidents in businesses and other settings is increasing at an alarming rate. Knowing what to look for and how to respond in these situations can literally be the difference between life and death.
For better or worse, new risks are changing our behavior — how observant we are of our surroundings in open spaces, what we post on social media, where and how we protect our personal information, what we open online and how we train our staff. It really is the smallest things that can make the biggest difference in keeping people safe.
Author: Patricia L. Harman
Although weather is often unpredictable and always uncontrollable, businesses can go a long way toward mitigating damage with careful preparation. According to a 2018 report by the U.S. Chamber of Commerce and MetLife, however, more than one-third of small businesses have no emergency plans in place for natural disasters or severe weather, and while larger businesses often have business continuity and disaster recovery plans, many of them do not account specifically for weather-related events.
To ensure your organization is prepared, planning for a natural disaster should include the following steps:
- Create internal emergency-response teams and identify the roles of everyone on the team. Specifically highlighting what their roles are during weather-related emergencies will ensure each team member knows what to focus on as the event unfolds. Team members with the right skills and knowledge can then address their areas of expertise, knowing that other issues are covered by people with the appropriate skillset.
- Train key employees on technology to mobilize crisis-response teams, alert staff and suppliers, and account for personnel safety. This preparation enables team members to move quickly when making decisions and share important information with all audiences, no matter how narrow or broad, rather than trying to learn and understand new tools in the midst of managing an event.
- Implement human resources policies for employee notification, remote work and accessibility for people with disabilities for both large and small events. In most cases, basic policies and procedures provide all of the necessary information to keep individuals safe and secure; however, some events are more complex and require giving employees specific instructions in advance.
- Create and distribute shelter-in-place, evacuation and medical emergency procedures informing employees of exactly how to respond or where to go. In many types of severe weather events, there is very little time to make decisions, so having predefined meet-up locations and procedures enables people to respond quickly and confidently.
- Keep a current list of contact information for all employees, response-team personnel, utility companies, Federal Emergency Management Agency (FEMA) officials, the local Red Cross chapter and local first-responder organizations, ensuring the right people are acting on the information that they have the skills and authority to manage.
- Build and maintain off-site support for business continuity so information channels remain open and functioning at all times, such as through a software-as-a-service (SaaS) solution that is not tied to specific hardware or a physical location that could be impacted.
Ensuring Effective Communication
Once these initial steps are complete, organizations should focus on preparing for effective communications before, during and after severe weather events to protect their operational, financial and strategic assets.
Evaluate emergency mass notification systems. When it comes to mitigating the effects of weather events on businesses, employees, customers and suppliers, speed is imperative. This should include the use of an emergency mass notification system (EMNS) to warn and update employees and suppliers about business closings and emergency measures. Some systems can automatically notify employees in advance of severe weather events as soon as the National Weather Service issues a bulletin.
Ensure EMNS can reach users through multiple channels. Effective mass notification systems use multiple methods of communication, such as phone calls, instant messages, desktop alerts, social media posts, mobile apps, SMS and emails. Using different methods of notification, or “multimodal alerting,” helps to ensure that messages can be delivered quickly without human intervention and mitigate single points of failure. Because technologies and methods of communication evolve over time, make sure to choose a vendor that stays up-to-date on how to use all means of communication.
Ensure two-way communications. Your organization’s emergency communication system should be capable of two-way communications to help ensure the safety of personnel and continuity of operations. Decision-makers within organizations need a system that not only can deliver real-time, mission-critical notifications in any message format required, but provide a way for message recipients to respond as well. With two-way notification capability, IT and security administrators can communicate with employees to determine if they are safe and report the results so the emergency response team can keep a running tally of who still needs to be contacted. This is critical during severe weather events when employees scattered across multiple locations may be impacted and must be accounted for.
Ensure geo-targeting based on severe weather track. The ability to target groups of employees, customers or suppliers in specific geographic areas is important, especially in weather-related emergencies where the severity of warnings or expected impact may differ depending on the area. The most effective systems can geographically target only those in the path of the weather event, and can automatically plot contact addresses on a map, allowing administrators to choose specific areas they want included or excluded from an alert.
Conduct periodic testing. Once the policies, procedures and communications technologies are set, they should be tested periodically with different drills for each type of weather event. Then, after the next weather event has taken place, set aside time to assess how effective the response was, and adapt and update your plan accordingly.
Author: Aaron Charlesworth
This is undoubtedly a prosperous period for the world economy, but the recent volatility in global stock markets is an indicator that times may be changing. The World Bank has forecast global economic growth of 3.1% for 2018, which will obviously benefit businesses.
At the same time, an improving business environment brings with it the prospects of wage inflation, rising interest rates, and the end of cheap money. A couple of weeks ago, U.S. stocks reacted dramatically to figures that showed U.S. wages rising faster than expected. This clearly demonstrated how jittery the markets are about the end of a loose monetary policy.
In addition to these macroeconomic developments, other significant changes are afoot. The established political order is being questioned in the United States and Europe, tensions are rising again in the Middle East, technology is transforming the way we live and work, and the United States has overhauled corporate taxation. Change brings opportunities, but it also presents risks.
5 key risks
So, what are the five key risks that should be at the forefront of risk managers’, CFOs’ and treasurers’ radars in 2018? And what are best practices for managing them?
Cybercrime is an ever-growing and ever-present threat. It is a particular concern for corporate treasurers since the cash flows they’re responsible for are a key interest for most cybercriminals. In 2016, research by the Association for Financial Professionals found that almost three-quarters (74%) of the organizations that it had surveyed had been the target of attempted or actual payments fraud, including check fraud and unauthorized transfers of funds associated with business email compromise attacks. Almost a third (29%) of those that had been targeted by fraudsters had lost $250,000 or more.
Companies that don’t have the right systems in place to detect unusual or suspicious behavior may potentially end up exposing their organization to serious reputational damage and significant financial loss. Yet the Hiscox Cyber Readiness Report 2017 found that more than half (53%) of surveyed companies in the United States, U.K., and Germany were ill-prepared to deal with an attack.
Cybercrime cost the global economy over $450 billion in 2016. Risk managers, CFOs, and treasurers must talk to their technology vendors to make sure they are investing in the most effective security capabilities for their systems.
2. Rising interest rates and the end of cheap cash
For years, large companies have been able to borrow money at extremely low rates. In the seven years that followed the financial crisis, U.S. businesses were typically borrowing from banks at interest rates in the region of 3.25%, while the corporate borrowing rate in the U.K. dipped as low as 2.65% in 2009.
Even as recently as December 2017, the average interest rate in the Eurozone on a fixed bank loan of more than €1 million for a period of 10 years or more was 1.75%, according to the European Central Bank (ECB).
The clock is ticking on cheap money
In the bond markets, borrowing costs plunged even lower over the past decade. Some companies, including French pharmaceutical maker Sanofi and German consumer goods producer Henkel, even managed to issue negative-yielding debt.
However, the clock is now ticking on cheap money. The U.S. Federal Reserve has hiked interest rates five times since December 2015. Last November, the Bank of England announced its first hike in more than a decade.
The ECB is expected to follow suit, and the Bank of Japan is cutting back on its bond-buying program, suggesting that its rates, too, will rise in due course. Businesses should expect their funding costs to increase over the coming months and years. Highly leveraged companies can expect to feel the biggest squeeze.
To avoid unwanted questions from the board about the impact of the rising cost of cash, global risk managers, treasurers, and CFOs should look to refinance debt early and for an extended period in order to reduce their exposure to rising funding costs. They can also mitigate the risk of higher borrowing costs through effective cash management, by better utilizing global cash surplus balances to reduce short-term borrowing, and through due diligence on mergers and acquisitions (M&A) to make sure their company doesn’t overpay for a deal that it later regrets.
3. U.S. tax reform
As of the first of this year, U.S. corporate taxes were slashed from 35% to 21%. What’s more, the reform package includes a one-off repatriation tax on corporate earnings held overseas — 15.5% for liquid assets and 8% for illiquid assets — that is intended to encourage U.S. companies to bring home cash they previously stashed abroad.
On the face of it, the tax reform seems beneficial for foreign companies doing business in the United States, since their subsidiaries here will pay less tax. Yet some of the rules, including a base erosion and anti-abuse tax (BEAT) and a cap on the deductibility of interest, present challenges for some multinationals that move money back and forth across the U.S. border. CFOs and treasurers need visibility into their organization’s cash flows to and from the United States, and they should review its strategy for intercompany loans.
Although the United Kingdom is set to leave the EU on March 29, 2019, there will almost certainly be a two-year transition period to smooth its departure. During this transition, the U.K. will have to abide by EU rules in the same way that it does today. The longer-term implications of the split are not yet clear, though, since a trade deal has yet to be thrashed out.
One area to keep an eye on
In the past, U.K. regulators have had a great deal of influence over the EU’s financial services regulations. Going forward, there could be a divergence between U.K. and European banking rules — for example, in terms of how banks adopt the Basel III capital and liquidity standards.
According to PwC, the uncertainty associated with Brexit poses a number of specific challenges for treasurers, including foreign exchange volatility, possible funding shortages, and increased counterparty risk if companies have to suddenly develop relationships with unfamiliar financial institutions. The firm suggests that organizations put in place processes and systems which enable them to readily access their cash, monitor their treasury risks, adapt their financing strategies to changing markets, and manage their relationships with financial institutions.
5. Economic Shock
So far, the volatility that we’ve seen in the equity markets in 2018 can be better described as a correction than as a crash. Nevertheless, a catastrophe may lie around the next corner. It is no coincidence that the fall in equity prices coincides with the rise in bond yields that has come about as a result of governments buying fewer bonds. In early February, the benchmark U.S. 10-year Treasury bond hit 2.85%, its highest point in four years, as investors pulled out of equities.
The current market conditions have two significant implications for corporate risk managers and treasurers: First, as the yields on government bonds rise, it will become harder for companies to issue bonds with historically low coupons. And second, should a major stock market crash occur, it could dent consumer sentiment and cause both people and businesses to cut back on their spending, which would, in turn, squeeze companies’ cash flow.
Difficult market conditions may also prompt banks and bond investors to refuse to fund companies that are seen as undesirable credits. Of course, it’s virtually impossible for a company to buffer itself from the full impact of a major economic shock, but sound working capital management can play a vital role in helping an organization to survive even the toughest of times.
A state of constant flux will continue to plague the global economy. In this environment, successful businesses will be those that are able to respond quickly.
Risk managers, CFOs, and treasurers who can’t capitalize on the opportunities presented by changes in the economy will put their organizations at risk of falling behind. Fortunately, effective cash management is a great foundation for long-term business agility, especially when combined with powerful technological tools such as in-house banking capabilities, notional cash pooling, and payment fraud detection systems.
Ultimately, change does not have to be a threat to organizations. By harnessing technology, smart companies turn it into a great opportunity to profit and grow.
Author: Greg Person