Originally posted on Mark On Solutions by Matt Davis.
The insurance industry uses the term “risk appetite” to describe the level of risk that an organization is willing to accept. An essential first step in managing corporate security, and resiliency, has to do with determining your firm’s risk appetite.
Risk appetite is defined as the amount of risk exposure that an organization is willing to accept as a normal course of business. Tolerance for risk exposure can vary greatly from one company to another, and among different industry segments.
As a precursor to establishing an effective risk management program, it’s essential for a firm to determine its risk appetite. This can be done using a baseline analysis that accounts for a combination of threats, vulnerabilities, consequences, and readiness.
It’s interesting to note that often a company’s appetite for risk doesn’t match its actual exposure. In other words, companies are often unaware that their risk exposure is significantly greater that their actual tolerance for that risk.
Assessments, training, and exercises are all excellent ways to expose those gaps and establish focus points for adjusting your firm’s security posture to align with its risk appetite.
Falling in the middle of the risk management cycle (after developing risk appetite and tolerance and identifying, but before assessing and analyzing risks), the organization then must identify who will “own” or be responsible for a particular risk.
Although the exact definition of what a risk owner is will vary depending on the organization, it can generally be defined as a person or persons responsible for the day-to-day management of a risk. (I will talk later about when to assign a risk owner…)
Assigning an owner for these risks is important for a few reasons…
One, a designated risk owner ensures someone in the organization is accountable for the risk. If there is not one person or a group charged with managing a risk, then by default, the entire organization will own the risk, and therefore it is highly likely the risk will fall through the cracks (a/k/a nothing will be done). Having a risk owner is an important step toward ensuring that a response plan is developed and acted upon in a timely manner.
Two, risk ownership is one way for executives to not only hold individuals accountable for risks, but to show their support for ERM in general.
The third reason for appointing a risk owner is to ensure that the ERM function does not own risks.
It’s important to understand that ERM does not actually manage risks, which is a common misnomer. The role of ERM is to help facilitate a process for identifying, assessing, and analyzing risks, and to ensure that executives and other key players have the information they need to make risk-informed decisions.
The only exception to this rule is if the risk function is responsible for insurance, business continuity, or similar program. This situation applied to me when I was Director of ERM for a large Florida-based property insurance company…in this case, it was only natural for my area to be responsible for these risks. In fact, business continuity can very closely integrate with ERM, so it made perfect sense to have them under a single manager.
In what circumstance will the organization need to assign a risk owner?
Not every identified risk will require an owner. In fact, if your organization has thousands of risks identified through a bottoms-up approach, assigning a risk owner for each one will overwhelm you and your team and nothing will get done.
Instead, start with the most critical risks and then consider adding more once a workable, sustainable process is in place.
Iconic cosmetics brand Estee Lauder for example has 46 critical corporate risks where an owner has been assigned. These particular risks met several guidelines which exceeded their respective risk tolerance or could cross this threshold in the near future.
In short, a risk owner needs be assigned for risks that exceed tolerance levels that were set earlier in the risk management cycle. However, that doesn’t mean risks that are within tolerance levels should be ignored…accepted risks have to be monitored as well.
More specifically, the cumulative result of accepted risks and the inter-dependencies of risks have to be carefully considered as well. If Risk A occurs and could trigger Risk B, a risk owner should be appointed and action taken, especially if Risk B is considered critical and falls outside of tolerance levels should it occur.
You also don’t need me to tell you that things are always changing. Perhaps tolerance levels change down the road or the risk itself changes. Of course, this certainty that things change is why I’m a firm believer in having a maximum time limit for a review of both low and accepted risks to ensure nothing is being overlooked.
Risk Ownership: Key Considerations, Challenges, and Options
I could probably write an entire article or even an eBook on how an organization could go about assigning an owner for a particular risk. Before getting into different options though, there are a few key considerations and challenges I should discuss first.
- Ensure there are clear definitions on roles and responsibilities in place before proceeding any further…this is one of the first and most important considerations when it comes to choosing a risk owner. As explained by Chris Corless in this article in Strategic Risk, it’s important for everyone involved to have a clear understanding of expectations when someone accepts the role of risk owner.
- Properly train on risk owner responsibilities and how they need to manage and report the risk. Think about it this way – your organization wouldn’t roll out a new time management system and not train employees on how to use it, right? Risk ownership is no different…
- Maintain consistent language throughout the firm regarding risks. Frank Fronzo of Estee Lauder explains how the company has a dictionary of terms it uses to ensure everyone is speaking the same language and stays on the same page.
One of the most common challenges organizations face when assigning a risk owner is the tendency to give it to the highest accountable person in the organization. While this is okay for risks linked to the strategic plan, the fact is that executives and other leaders simply do not have the time to take many of these risks on. In situations like this, the individual may delegate the responsibilities of owning a particular risk to someone else with time to perform them.
In cases like this, the senior-level person becomes a risk “custodian,” meaning they still have an interest in the risk but do not fulfill the day-to-day responsibilities of an owner.
And as I mentioned earlier, risk ownership should extend down the organization chain for a couple of reasons. One reason is limited time on the part of executives and other leadership. Second to that, appointing a mid-level manager as a risk owner can play a huge part in cultivating a positive risk culturethroughout the entire organization.
Another challenge many organizations face when assigning and managing risk owners is the tendency for risk management activities to fall back within organizational silos. If this type situation occurs, the case can be made that you’re not really practicing ENTERPRISE risk management.
(Click here to learn more about risk management that occurs within a singular business unit vs. a top-level, enterprise-wide process.)
To address this challenge or avoid it altogether, a risk information system should be used that contains details about all risks the organization is managing, who the owner(s) of a particular risk is, recent activities and more. This system should be accessible by all risk custodians and owners…
During a recent conversation, a fellow risk professional mentioned that his organization uses Archer, but other commonly known software tools organizations commonly use include Logic Manager, MetricStream, CURA, and Sword Active Risk. But there are plenty of other options out there, like Aviron Financial Solutions, Audit Comply, and Vose Software, to name a few…
When developing the process and choosing risk owners, company culture and the accountability structure of the organization will play a huge role…
Broadly speaking, risk ownership can be assigned to an individual or a designated risk committee.
Individual risk owner
If your organization has diverse functions and a weak collaborative culture, you will most certainly want to go with an individual risk owner. This individual (…and the risk custodian if applicable) will be the oneperson held accountable for the management of the risk they are charged with handling. I mentioned this in a way in the beginning of this article…having an individual risk owner is not only a way to hold someone accountable for a risk, it is also a way for executives to demonstrate how important they view ERM.
When assigning an individual to be the owner of a particular risk, it’s vitally important they have decision-making authority and the ability to allocate financial and human resources for the risks they are charged with managing.
Another point to consider when determining an individual risk owner is assigning accountability by position rather by name. (I personally really like this concept!) This is one key point of how Estee Lauder determines the proper owner. Assigning accountability this way ensures risks are continuously managed, even if the individual person moves on from their position.
One situation where an additional person may be involved with managing a risk but not be considered group or committee ownership is when a department is impacted by a risk but another department is better suited to manage the risk. In cases like this, co-ownership and coordination between the departments will be needed, but in the end, one person will still be responsible for monitoring and managing the risk.
For organizations with a strong group or collaborative culture, group ownership of risk(s) may be the way to go. This group can consist of individuals from across the enterprise, which of course can be a positive in that it brings together different perspectives. Specific action-items can be assigned based on responsibilities of individuals within the group.
However, one big drawback of group or committee ownership is that it is hard to hold the entire group accountable. Absent any strong oversight from a management-level risk committee, the group can easily end up pointing fingers when things go awry or otherwise sit around and talk about a risk without ever taking any action.
These management-level risk committees can benefit the organization in many ways, including building a positive risk culture. Click here to learn more about oversight…
As you can see, your organization’s culture is a key part of determining the best model for assigning risk owner(s).
A Word of Caution
Developing your organization’s risk ownership process will take time and require a bit of trial and error, and above all, patience. Long before any risk owners begin their work and report their activities into a software system and to executives, definitions on roles and responsibilities and a consistent language must be developed, plus training for everyone involved.
This, of course, is all in addition to other phases of the risk management process like identification, risk assessment, setting risk appetite and tolerance, and more. But risk ownership should be embedded throughout the process of managing risks; after all, the risk owner will be your main contact for a risk. And by all means, don’t overlook the relationship factor and how it can support ERM success.
If done properly though, having individuals throughout the organization “own” and therefore be responsible for certain risks will go a long way to building a long-term, value-driven ERM program.
Source: ERM Insights
As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.
Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.
With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.
Connectivity Creates Opportunities and Challenges
Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.
Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”
IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates greater weakness that is very, very hard to get back after the fact and correct.”
Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”
Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.
“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”
“It’s a very complicated world that we live in right now, because the attacker and defense problem is highly asymmetrical,” Roesch adds.
The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.
The Danger of Giving in to Ransomware
Ransomware is like a thug with a gun: “Pay up, or your data gets it!”
Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.
Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”
James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.
Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.
Instead, organizations can take steps to defend themselves against ransomware. These steps include:
Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.
User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.
Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.
The Human Factor
While following security best practices is essential to network security, many organizations remain unaware of or pay little attention to, the weakest link in the security chain: people.
It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.
Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”
Meet the Evil Entrepreneurs
In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.
Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.
Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.
Weighing Risk Against Benefits
Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”
Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”
In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.
Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”
Author: CDW Brandvoice
Women in the workplace encounter particular safety risks that need to be addressed, including workplace violence and ill-fitting personal protective equipment, according to safety experts.
For example, women in industries such as health care and retail are significantly impacted by workplace violence, according to safety experts participating at the American Society of Safety Professionals’ Women’s Workplace Safety Summit in Rosemont, Illinois, on Monday.
According to the U.S. Bureau of Labor Statistics, 16,890 workers in private industry experienced trauma from nonfatal workplace violence in 2016; 70% of those employees were female, and 70% worked in the health care and social assistance industry.
Diana Stegall, ASSP president-elect and senior loss control consultant for workers compensation insurer United Heartland, otherwise known as United Wisconsin Insurance Co., a member of AF Group, said she sees claims data about the workplace violence injuries that happen in the health care and social services sector.
“Many times when we think about workplace violence, we think about it in terms of active shooter,” she said. “But when you look at the injuries that actually happen, many times it’s those people who were providing care. They get injured in providing care. It’s a huge issue.”
Meanwhile, 500 U.S. workers were workplace homicide victims in 2016, and 31% of them were working in a retail establishment, according to BLS data.
“We know about health care, but we sometimes forget about the retail portion where workplace violence takes place and the late-night gas and go’s,” said Sally Smart, technical safety specialist at W.W. Grainger Inc. based in Janesville, Wisconsin. The health care and social services and retail industries “are the ones who have unfortunately the most experience with workplace violence.”
One solution that emanated from a discussion group at the summit focusing on the workplace violence issue was to share the stories of the women impacted by workplace violence to raise awareness of the issue, Ms. Stegall said.
“Sometimes we become numb when we see one headline after another after another,” she said. “How does this really impact us as an organization? How does this impact us personally? What are those stories that show this can happen to you? It can and in many cases already is happening, and you may just not be aware of it.”
ASSP will also gather data on the workplace violence issue, including underreported verbal altercations, to create guidance documents or toolkits for employers to help them improve or develop their workplace violence prevention programs, Ms. Stegall said. The documents would address key issues such as safety culture, accountability and how to engage workers in the process, she said.
A separate group of experts participated in a discussion about another safety exposure for women in the workplace: ill-fitting personal protective equipment, or PPE.
“Ill-fitting PPE leads to increased hazards, increased injuries, and also affects productivity because of those two things, as well as (having) a psychological impact,” Ms. Smart said. “If you put a women in PPE and it doesn’t fit her … do they feel unprotected because it doesn’t fit right? Or more importantly, do they not wear it because it doesn’t fit? There are manufacturers who do make specific personal protective equipment for women, but not many. Sometimes employers don’t understand that. They sometimes go with one size fits all and it doesn’t.”
“With any of these issues, awareness is a big piece,” Ms. Stegall said. “A lot of the PPE that’s out there is developed for males based on data gathered from the military from the ’50s. Men in the military look a lot different than those outside of that demographic. Quite frankly, if we get (PPE) that’s more gender-diverse, it’s going to help men as well who don’t fit the standard ‘body type,’ because we’re not all the same size. How do we get the word out? Also, how do we let manufacturers know that just because we’re women doesn’t mean we want pink safety shoes and pink personal protective equipment?”
The summit also focused on the leadership of women in the occupational health and safety industry, with a discussion group highlighting the need for additional data on the issue and identifying potential sources of data as well as developing a problem statement, said Deborah Roy, corporate director of health, safety and wellness at L.L. Bean Inc. in Portland, Maine, and senior vice president on the ASSP board of directors.
“We feel there needs to be more of a baseline to begin work,” she said. “We need to identify between men and women what their leadership opportunities are, and we don’t have that data right now.”
“One of the gaps we identified was education, so we talked about what kind of training in leadership could be offered for women in OSH,” Ms. Roy added. “Quite honestly, we all acknowledged some of those things could be done for men as well.”
Have you ever been in the room when someone suggested doing scenario analysis? Did you see everyone in the room cringe at the thought?
I have, and I felt pity for the person who made the suggestion.
Most likely, everyone in that room has gone through the endless “what if” scenario analysis that takes 4 or 5 hours and ends without any solid conclusions.
But if done correctly, scenario analysis can be extremely effective in its support of decision-making.
Personally, I prefer to use the term “scenario planning” instead of “scenario analysis” for the simple reason that “scenario analysis” sounds painful and very computer-driven. On the other hand, scenario planning is human-based and sounds like the effort and results will be useful for the participants and the final audience.
At its core, scenario planning is a “creative and structured process to guide deliberate thinking about risk,” as defined by Aries de Geus in his book The Living Company. De Geus, as the corporate planning coordinator at the Royal Dutch/Shell companies, used scenario planning and described its effectiveness in this Harvard Business Review article…from 1988!
So, with all that being said, how can scenario planning support decision-making?
1. Tests and validates assumptions being made as part of the planning process
When corporate planning occurs, whether called strategic planning, annual planning or something else, management believes that a certain set of assumptions will become true. How many times has management stated an assumption as fact? But what if they are wrong?
2. Provides management with the tools to proactively prepare
Risk management activities are supported by scenario planning, which looks at possible events. While most people inherently want to say the most positive event will occur, proactively preparing for events is always better than being reactive. Being proactive rather than reactive is a key difference between traditional risk management and ERM.
3. Encourages innovation
Scenario planning helps people to think outside of their comfort zone, taking next steps to a big innovative moment. Sometimes that innovation is triggered by the proactive preparation. An organization that is constantly innovating is a step ahead of its competitors.
4. Gives the organization a competitive advantage
Being prepared and innovative are two enormous parts of a competitive advantage. What company would not want that?
Management improves its way of making decisions simply by using scenario planning. It will take time for this way of thinking to take hold, but it stands to reap immeasurable benefits in both the short- and long-term.
After all, de Geus believes that scenario planning is the reason there are companies that last for 200 and 300 years. From the same Harvard Business Review article,
Sociologists and psychologists tell us it is pain that makes people and living systems change. And certainly corporations have their share of painful crises, the recent spate of takeovers and takeover threats conspicuously among them. But crisis management—pain management—is a dangerous way to manage for change.
Once in a crisis, everyone in the organization feels the pain. The need for change is clear. The problem is that you usually have little time and few options. The deeper into the crisis you are, the fewer options remain. Crisis management, by necessity, becomes autocratic management. The positive characteristic of a crisis is that the decisions are quick. The other side of that coin is that the implementation is rarely good; many companies fail to survive.
The challenge, therefore, is to recognize and react to environmental change before the pain of a crisis. Not surprisingly, this is what the long-lived companies in our study were so well able to do.
All these companies had a striking capacity to institutionalize change. They never stood still. Moreover, they seemed to recognize that they had internal strengths that could be developed as environmental conditions changed.
Don’t you want your organization to be around for 300+ years? Embedding scenario planning into management’s decision-making processes will help make that happen.
Author: Carol Williams
Source: ERM Insights