6 Reasons Data Is Key for Risk Management

Originally posted on ClearRisk by Rebecca Webb.

An average organization only uses 50% of its available data for decision-making. This is significant when you consider 70% of late adopters base their decisions on gut feeling or experience, while 60% of best-in-class companies use data analytics when making decisions.

Data is powerful when used to its full capability; by using all available data, an organization can establish a clear competitive advantage. Storing and regularly accessing relevant information will allow your organization to save time and money while drastically improving decision quality. Below are some of the key benefits that data utilization can have on your organization.

1. Increased efficiency

In a well-established organization, it’s easy to continue doing a task the same way out of habit and convenience. Without referencing data, you may get stuck in a routine and not recognize internal flaws. Streamlining people, processes, and tasks will increase efficiency across the organization.

2. Better decision making

Analyzing your data will provide the information required to run the organization, such as what course of action is necessary and whether your strategies have been successful. To do this, you need to have the right kind of data; ensure that you collect relevant, accurate, and complete information.

The more data you store, the more information you will have to base your next decision on. This can lead to more creative and smart strategies as well as help you choose positive risks and pursue paths that will lead to growth.

3. Financial health

Using data effectively will allow an organization to save money. By consistently tracking and monitoring costs, prices, and other useful information, you can track when spending is higher than it should be. It can also flag problem areas or help you identify costs that you shouldn’t be incurring. Further, making a habit of storing data means you will have a quick and easy process if you are ever audited or when entering tax season.

4. Making a case for any project

No matter the business idea, there needs to be some data and information to support it. By accessing stored information, you will be able to analyze data and use it to support a proposed project. With the collected data, you will be able to present your case to supervisors or employees to prove that the decision would benefit the organization.

5. Increased accountability

Without storing data, it can be difficult to know when something isn’t as it should be. A thorough database can allow management to recognize signs of fraudulent activity. It will show employees that they are being monitored, increasing their accountability and ethical actions. If something does go wrong, your organization will be able to show it had some measures in place to try and prevent the incident, thus protecting brand reputation.

6. Preventative measures

Having data allows you to analyze it. This will let you identify and mitigate threats, reduce repetitive losses and lawsuits, and even lower insurance premiums. For more detail about the benefits of data analytics, check out our next in-depth blog post!

9 Steps for a Smooth Risk Management System Implementation

You’ve recognized the need for a risk management system, evaluated vendors’ products, and chosen the system that’s best for your organization. It may seem like the work is done, but there’s still a significant challenge ahead: the implementation of the system.

This step is arguably the most important: failure to smoothly implement a risk management system will make it much harder to achieve success. Before beginning implementation, consider the following advice:

9 Steps to Implementing a Risk Management System

1. Define the end goal before starting

It’s impossible to begin any kind of project without a thorough understanding of where you’re going. Doing so will lead to confusion, frustration, and wasted resources as the team moves in multiple directions at once without any noticeable results.

Since you’ve already gone through the process of selecting a risk management system, you know what issues need to be solved and where the system is needed. Formalize this knowledge by creating a document that defines exactly what your organization needs from the system and how this can be accomplished.

If you’re going to use the risk management system in multiple areas, determine your priorities. These should be the areas with the most issues; highlighting these problems will allow the team to tackle them first.

In addition, define success for your risk management system. Are you aiming for a lower number of claims? Would you like to see a reduction in costs? Should your team reduce time spent on redundant tasks by 50%? Whatever the goal, pre-defining success ensures you can measure the effectiveness of the system through implementation and going forward.

2. Set a timeline

Implementing a risk management system is a complex process. It’s important to understand exactly what is involved and what that means in terms of a timeline. The vendor and your team must find a balance: if an implementation is too quick, something may be missed; if the implementation takes too long, the team may lose faith in the system or become upset with the vendor.

Consider these stages in the implementation process:

  • First, the risk management system must be set up. The vendor will need to import historical data and complete any necessary customization.
  • The system must be tested to ensure it will work correctly throughout the organization.
  • All users must be trained in the proper use of the system.

Project management is key when implementing a risk management system. Determine milestones that can be easily measured throughout the process to keep all stakeholders on track, and consider appointing a project champion who is responsible for seeing the implementation through.

3. Build a relationship with the vendor

In many situations, the internal risk team views the vendor implementation team as external stakeholders who are only present for a few weeks or months. This is the wrong mindset. Risk management vendors have high levels of knowledge, insight, and resources that can help you manage both new and existing risks at any time.

By building a relationship with the vendor, you’ve widened your risk management network and increased the size of your risk management team. This can only benefit you as you seek to achieve your goals with the risk management system.

4. Be open to vendor suggestions

Risk management systems are built a certain way for a reason. Vendors have extensive experience with the needs of organizations much like yours. You should always be open to their suggestions, especially if they’re recommending a particular process.

Many teams fall into the trap of purchasing a risk management system only to use it in exactly the same way as their old system. For example, a team that switches from Excel spreadsheets may continue to manually add and report on data in the system, even when automation is possible. This mistake can be critical: the team continues to poorly utilize resources while extra resources are used to pay for the new system.

To avoid this problem, carefully consider all vendor suggestions on how their risk management system can truly improve your organization.

5. Customize where necessary

While vendor suggestions and knowledge are valuable, sometimes they may not realistically fit into your organization or goals. Some aspects of an out-of-the-box system may not be right for you. In this case, some customization is ideal. For example, consider your organization’s hierarchy, the ideal usage of the system, and your reporting needs. Only you can determine exactly how a risk management system will best fit into these requirements.

6. Be flexible

Adapting to changing circumstances is important when implementing a risk management system. Tasks may take more time than expected, there may be technical difficulties, or an employee may have a particularly hard time during training. You must understand that difficulties like these are bound to happen and typically only involve a small adjustment. Being ready to re-prioritize or modify existing plans allows all stakeholders to feel comfortable through the implementation process, even if not everything goes as planned.

7. Involve users and decision-makers

Another common mistake in the implementation of risk management systems is involving only decision-makers. While executives and top managers may be able to pick the system that best suits organizational goals, they aren’t the ones that will be working inside the system every day.

Involving users from the beginning ensures that the entire risk team is onboard or even excited about the change. They can also provide valuable insight into implementation: they may have needs or desires that decision-makers wouldn’t know about and can reduce complications in the implementation process.

8. Communicate

Any significant organizational change is likely to fail without regular and proper communication. When implementing a risk management system, there are two critical communication avenues: the vendor and employees.

No matter how robust their system, vendors cannot read your mind. You must explain your system, timeline, and security requirements as well as how involved you expect them to be in the implementation process. This will keep both teams on the same page and prevent frustrating back-and-forth conversation.

On the employee side, users need to be taught what to expect from the system. In some cases, users may feel that they are being replaced by the system; it is your job to reassure them that the system will actually make their jobs easier and more meaningful by streamlining complicated processes. Tell your employees what will change and how it will impact them individually, and make them aware of these changes well in advance. Educating them on the role they must play in the implementation of the risk management system will simplify the process.

9. Implement in stages

While risk management systems often have extensive functionality, it can be overwhelming for a team to implement them all at once. This is frustrating to employees and can actually lower the chances of system success. Instead, choose the one area that is most in need of the system and start there. This allows the team to gradually become comfortable with the system and then expand their capabilities.

Using one small change as an example of the effectiveness of the system can also help win over resistant employees and prove that the system has value.

Risk management system implementation can seem like a daunting task. Following this advice will put you well on your way towards achieving your risk management goals.

Author: Rebecca Webb
Source: ClearRisk

8 steps to a stronger cybersecurity strategy

If there’s an attack on the country, the military mobilizes. When a natural disaster strikes, recovery plans go into effect. Should an infectious disease start to spread, health officials launch a containment strategy. Response plans are critical to recovery in emergency situations, but when it comes to cybersecurity, a majority of industries are not paying attention.

“The reality is no matter how amazing you are with your prevention capabilities, you’re going to be hacked,” said Mohammad Jalali, a research faculty member at MIT Sloan whose work is currently focused on public health and organizational cybersecurity. “Then what are you going to do? Do you already have a good response plan in place that is continuously updated? And communication channels are defined, and stakeholder responsibilities are defined? Typically the answer in most organizations is no.”

To help address cybersecurity weaknesses in organizations, Jalali and fellow researchers at Cybersecurity at MIT Sloan, Bethany Russell, Sabina Razak, and William Gordon, built a framework of eight aggregated response strategies. They call it EARS.

Jalali and his team reviewed 13 journal articles involving cybersecurity and health care to develop EARS. While the cases are related to health care organizations, the strategies can apply to a variety of industries.

The EARS framework is divided into two halves: pre-incident and post-incident.

Pre-incident

1 — Construction of an incident response plan: This plan should include steps for detection, investigation, containment, eradication, and recovery.

“One of the common weaknesses that organizations have is they put together an incident response plan, but the problem is that documentation is usually very generic, it’s not specific to the organization,” Jalali said. “There is no clear, specific, actionable list of items.”

Make sure that everyone in the organization knows the plan, not just the employees in the IT department. Set clear channels of communication, and when assigning responsibilities, make sure they are clearly defined.

2 — Construction of an information security policy to act as a deterrent: Clearly defined security steps establish and encourage compliance.

“Many companies think that compliance is security,” Jalali said. “[That] if you just follow the information you’ll be taken care of.”

Don’t set the bar so low that the organization is not secure. Regulations should ensure an understanding of cyber threats. Establish motivational reasons for the response teams to follow reporting policies. Compliance should go hand in hand with continuous improvement.

3 — Involvement of key personnel within the organization: No matter the size of an organization, key leaders need to be educated on the importance of cybersecurity and be ready to act according to the response plan.

Leaders don’t have to be cybersecurity experts, but they need to understand the impact an incident will have on their organization. The more informed they are, the more involved they can be in a response plan.

4 — Regular mock testing of recovery plans: Recovery exercises help organizations stress-test plans and train employees on proper response protocols.

If the organization only tests its recovery plan during an actual emergency, it’s likely to run into serious issues, which could increase the amount of damage caused by the cyber incident.

The shift from a reactive to proactive stance can help an organization identify weaknesses or gaps in its recovery plan, and address them before an incident occurs.

Post-incident

5 — Containment of the incident: Containment involves both proactive and reactive measures.

It’s easier to cut off infected devices from a network if they’re already segmented from other devices and connections prior to an incident. The researchers concede that it’s not always possible to segment networks, nor to immediately disconnect an infected device from the whole system. At the very least, immediately report the infected device to the organization’s IT team to contain the incident.

6 — Embedded ethics and involvement of others beyond the organization: It’s important to remember that all of an organization’s stakeholders could be impacted by a cyber incident.

Promptly notify legal counsel and relevant regulatory and law enforcement agencies. Consider help from external resources and share information about the cyber threat.

7 — Investigation and documentation of the incident: Be timely and thorough; every step of the pre- and post-incident reaction should be documented.

The investigation should aim to find the root technical cause of the issue, as well as weaknesses that, once addressed, could prevent future attacks. Proper documentation is a necessity for this analysis.

8 — Construction of a damage assessment and recovery algorithm: Organizations should self-evaluate after the incident.

While computers are where cyber attacks happen, they can also be used to help with recovery. Organizations can leverage the power of computers, especially artificial intelligence, for real-time detection and containment of incidents.

“The commonly used frameworks for incident response strategies often miss this essential step,” Jalali said, “even though there are already AI-based products for this very purpose.”

Author: Meredith Somers
Source: MIT Management

‘Data breach fatigue’ may breed complacency about online security

First, it was the Ticketfly hack in May. My email was among the 27 million accounts stolen from the events company.

According to the website Have i been pwned?, which monitors data breaches, my personal email has also been found in records stolen from sites like Tumblr and LinkedIn.

By the time the Ticketmaster and PageUp data breach notification emails landed in my inbox weeks later, my attitude had devolved from concern to extreme digital nihilism.

Am I suffering from data-breach fatigue?

Peter Singer, a strategist and senior fellow at New America who writes about cybersecurity, is worried that after all the hacks, data dumps and servers left unprotected, we may be tuning out.

Data breach fatigue

Troy Hunt, who runs Have i been pwned?, has seen the rate and size of data breaches grow since he founded the site in late 2013.

Rather than becoming fatigued, he suggested people simply accept such incidents are now “a normal part of online life”.

“I’m actually finding … that people are judging companies less on the fact they’ve had [a data breach], and more on how they’ve dealt with it,” Mr. Hunt said.

What should I do after a data breach?

  • Change your account password and get a password manager
  • Report financial losses to the Australian Cybercrime Online Reporting Network
  • Check your bank account for unusual charges
  • If your credit card details have been lost, contact your bank
  • Be alert to any phishing emails

— The Conversation

We don’t yet know much about “data breach fatigue” as a measurable phenomenon, agreed Cassandra Cross, an online fraud researcher at the Queensland University of Technology.

“I don’t really think we know … whether people are making choices to do things differently, [or] whether they’re just ignoring it,” she said, suggesting more work needs to be done.

Rui Chen, an information systems academic at Iowa State University, investigated consumer attitudes after online security incidents.

In 2015, the US Office of Personnel Management (OPM) lost more than 4.2 million personnel files, among other sensitive documents.

Dr. Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.

After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.

In other words, Dr. Chen said, “we can see that the public is gradually losing interest in reacting to this news”.

The effects of ‘fatigue’

If people don’t take breaches seriously, they may not follow instructions to protect themselves, such as changing passwords or using credit-monitoring services.

But our understanding of how people do respond is limited.

“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.

“It’s the norm of this digital world.”

These incidents can also feel quite abstract, Dr. Cross added.

Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.

For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.

“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.

Real-world effects

New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.

Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.

You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.

“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.

A badly handled data breach can also dent a company’s reputation.

Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.

Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.

On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.

The group was swift to act and tell the public — and was apologetic throughout.

As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.

“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.

Source: ABC

Author: Ariel Bogle

Why Data Literacy Is Your First Step to Business Intelligence

In college, I had a short-lived and hilarious dream that I could learn to play lacrosse. I suppose I was attracted to the glamour of running wind sprints for two hours while being hit with titanium poles.

Alas, the dream was not to be. When I showed up to my first pick-up game, I had no idea what a “slide” was, didn’t realize “clamping” had anything to do with face-offs and had no idea where “the box” was.

I lacked lacrosse literacy.

The problem’s the same with business intelligence software. Except, data literacy is the key factor.

If you want your employees to use the $3,000-per-license business intelligence software you bought, they need to be data literate first. Otherwise, that BI tool will be as useless as a lacrosse stick was in my hands.

Fortunately, Gartner research can help you and your team get data literate. They’ve come up with multiple strategic suggestions that you can implement at your business.

What Is Data Literacy?

Data literacy means you “speak” data the way you might speak any other foreign language.

“Gartner defines data literacy as the ability to read, write, and communicate data in context, including an understanding of data sources and constructs, analytical methods and techniques applied, and the ability to describe the use case application and resulting value.”

(Full research available to Gartner clients.)

In plain English, data literacy means you know what data you’re tracking, why you’re tracking it, how to read that data, and how to use that data to save or make money.

Data Literacy Is the Gateway to Business Intelligence

At its heart, business intelligence software is a data-wrangling program.

BI software programs organize all your data sources (website data, CRM data, email data, financial and POS data) and let you see how those data sources interact (for example, did sales increase when you changed the colors on your website?).

So, until your employees are literate with the data your business intelligence tool wrangles, they won’t know how to wrangle their business intelligence tool.

The data literate person knows what data they’re tracking, where it’s stored, and how it fits together. That’s not all they know, though.

Data literacy is also a way of thinking in terms of data. The data literate person doesn’t just think in generic terms—such as did sales increase? They think in terms of data—did Q1 website conversions among women ages 18 to 34 increase as a result of that email campaign?

It’s like learning a foreign language: You haven’t really learned that new language until you start thinking in it, as well as speaking it.

How To Teach Your Employees Data Literacy

Most employees, however, probably don’t think in terms of data, which presents you with another challenge: How do you get your employees to start thinking in terms of data?

1. Employees need to know what data literacy is

Becoming literate in any new lingo is challenging … especially when people don’t know that lingo even exists.

Chances are, most of your employees aren’t even aware that data literacy is a concept. So if you want your employees to use your BI software, you’ll have to introduce data literacy first and explain why it matters.

And don’t just introduce the concept of data literacy once. Introduce it repeatedly.

No, “introduce repeatedly” is not an oxymoron. Since learning how to speak (and think) data is a major change, a single introduction probably won’t stick. They may forget at first, and that’s natural.

Case in point: As a one-time substitute teacher, I got several classes to make a major change by introducing that change gradually.

The English teacher I subbed for allowed cell phone use in her classes. Predictably, the students were learning next to nothing, though their Candy Crush scores were amazing, and they Snapchatted all their paper cuts. About a month into the gig, I decided to ban cell phones.

The change only worked because I introduced it gradually—I announced I would start the policy on a set date, explained why I was doing it, and reminded students to leave phones in their lockers.

If students brought their phones with them, they could put them in a plastic box at the front of the room when class started. If their phone rang while in the box, I’d leave it alone. If it rang while on them, I’d answer it in a loud and public fashion, and they’d go to the principal’s office.

Though the notion of spending even 45 minutes without their phones was horrifying for most of them, the policy worked well because I gradually introduced the concept of class without phones.

How to put this into practice:

There are multiple ways to introduce data literacy to your employees over a period of time.

At Capterra, our employees volunteer to lead “lunch and learn” sessions: brief, hourlong intros to topics that interest them. You could encourage data-savvy employees at your company to do the same.

You could also spend time at all-company or department meetings translating basic activities, or concepts, into data. Anything that breaks the data-ice is a good idea.

2. Employees need to speak data

Once employees know what data literacy is, they need to learn to “speak” data.

Gartner analyst Valerie Logan suggests you approach learning to speak data the same way you would any foreign language and even refers to the process as ISL or information as a second language. (Full Gartner research is available to clients.)

How to put this into practice:

Figure out which employees already speak data, and also who can translate data into plain English. These “data translators” can help employees who struggle to speak data.

Figure out what the language barriers are to speaking data: If business and IT folks don’t speak the same language, that’s a language barrier (or “interpretation gap,” as it’s also called).

There are multiple ways to break language barriers:

  • Keep a glossary of common terms.
  • Make sure C-level executives speak data so they can set an example.
  • Make sure your business goals are expressed in actionable language.

3. Employees need to speak data to each other

Practice makes perfect, so speak data regularly until it becomes a habit.

As Gartner analysts Alan Duncan and Lydia Clougherty Jones suggest, the best data-driven companies focus consciously on this goal. They don’t just speak data, they interact in terms of data. They use data as a way to build inter-team trust, presenting evidence and keeping an eye open for problems such as confirmation bias. (Full Gartner research is available to clients.)

At the same time you’re learning terms such as “confirmation bias” and “cognitive filtering,” you can think about examples of these in your own work and be on guard against these bad habits.

How to put this into practice:

Follow the example of foreign language conversation clubs. In the same way those clubs meet once a week to practice German or Amharic, get a group together for weekly or monthly coffee meet-ups where you talk data: what data you’re working with, how it interacts with other departments’ data, and what data you wish you had.

For instance, how does your website’s load time impact visitors and conversions? If sales and tech aren’t discussing how those data sets interact, you could be missing out on a possibly lucrative correlation. (Hint: shorter load time almost always means more visitors and conversions).

Discussion groups like this also help with another important goal: becoming data-driven. This is where business intelligence as a way of thinking comes into play. As you’re learning to speak data, treat it as an opportunity to learn how to think differently.

4. Employees need to speak data frequently

Ideally, brown bags and discussion groups will be your first step on the way to data literacy immersion.

Immersion’s the best way to learn to speak a foreign language, and speaking data is no different.

How to put this into practice:

Gartner analyst Valerie Logan recommends you speak data in everyday conversations, “from board meetings to team meetings.” If speaking data becomes a regular behavior, it’s more likely to stick. And when it sticks, you’ll be on your way to being data-driven.

As Gartner analyst Alan Duncan notes, becoming data-driven has more to do with behavior than technical know-how. That’s why HR should also be involved in your attempts to become data literate.

Duncan recommends having the HR department be a core stakeholder in business intelligence change management. Primarily, they can “adjust hiring practices to emphasize analytic literacy.” (Full Gartner research available to clients.)