You’ve recognized the need for a risk management system, evaluated vendors’ products, and chosen the system that’s best for your organization. It may seem like the work is done, but there’s still a significant challenge ahead: the implementation of the system.
This step is arguably the most important: failure to smoothly implement a risk management system will make it much harder to achieve success. Before beginning implementation, consider the following advice:
9 Steps to Implementing a Risk Management System
1. Define the end goal before starting
It’s impossible to begin any kind of project without a thorough understanding of where you’re going. Starting without one leads to confusion, frustration, and wasted resources as the team moves in multiple directions at once without any noticeable results.
Since you’ve already gone through the process of selecting a risk management system, you know what issues need to be solved and where the system is needed. Formalize this knowledge by creating a document that defines exactly what your organization needs from the system and how this can be accomplished.
If you’re going to use the risk management system in multiple areas, determine your priorities. These should be the areas with the most issues; highlighting these problems will allow the team to tackle them first.
In addition, define success for your risk management system. Are you aiming for a lower number of claims? Would you like to see a reduction in costs? Should your team reduce time spent on redundant tasks by 50%? Whatever the goal, pre-defining success ensures you can measure the effectiveness of the system through implementation and going forward.
2. Set a timeline
Implementing a risk management system is a complex process. It’s important to understand exactly what is involved and what that means in terms of a timeline. The vendor and your team must find a balance: if an implementation is too quick, something may be missed; if the implementation takes too long, the team may lose faith in the system or become upset with the vendor.
Consider these stages in the implementation process:
First, the risk management system must be set up. The vendor will need to import historical data and complete any necessary customization.
The system must be tested to ensure it will work correctly throughout the organization.
All users must be trained in the proper use of the system.
Project management is key when implementing a risk management system. Determine milestones that can be easily measured throughout the process to keep all stakeholders on track, and consider appointing a project champion who is responsible for seeing the implementation through.
3. Build a relationship with the vendor
In many situations, the internal risk team views the vendor implementation team as external stakeholders who are only present for a few weeks or months. This is the wrong mindset. Risk management vendors have high levels of knowledge, insight, and resources that can help you manage both new and existing risks at any time.
By building a relationship with the vendor, you’ve widened your risk management network and increased the size of your risk management team. This can only benefit you as you seek to achieve your goals with the risk management system.
4. Be open to vendor suggestions
Risk management systems are built a certain way for a reason. Vendors have extensive experience with the needs of organizations much like yours. You should always be open to their suggestions, especially if they’re recommending a particular process.
Many teams fall into the trap of purchasing a risk management system only to use it in exactly the same way as their old system. For example, a team that switches from Excel spreadsheets may continue to manually add and report on data in the system, even when automation is possible. This mistake can be critical: the team continues to poorly utilize resources while extra resources are used to pay for the new system.
To avoid this problem, carefully consider all vendor suggestions on how their risk management system can truly improve your organization.
5. Customize where necessary
While vendor suggestions and knowledge are valuable, sometimes they may not realistically fit into your organization or goals. Some aspects of an out-of-the-box system may not be right for you. In this case, some customization is ideal. For example, consider your organization’s hierarchy, the ideal usage of the system, and your reporting needs. Only you can determine exactly how a risk management system will best fit into these requirements.
6. Be flexible
Adapting to changing circumstances is important when implementing a risk management system. Tasks may take more time than expected, there may be technical difficulties, or an employee may have a particularly hard time during training. You must understand that difficulties like these are bound to happen and typically only involve a small adjustment. Being ready to re-prioritize or modify existing plans allows all stakeholders to feel comfortable through the implementation process, even if not everything goes as planned.
7. Involve users and decision-makers
Another common mistake in the implementation of risk management systems is involving only decision-makers. While executives and top managers may be able to pick the system that best suits organizational goals, they aren’t the ones that will be working inside the system every day.
Involving users from the beginning ensures that the entire risk team is onboard or even excited about the change. They can also provide valuable insight into implementation: they may have needs or desires that decision-makers wouldn’t know about and can reduce complications in the implementation process.
8. Communicate regularly
Any significant organizational change is likely to fail without regular and proper communication. When implementing a risk management system, there are two critical communication avenues: the vendor and employees.
No matter how robust their system, vendors cannot read your mind. You must explain your system, timeline, and security requirements as well as how involved you expect them to be in the implementation process. This will keep both teams on the same page and prevent frustrating back-and-forth conversation.
On the employee side, users need to be taught what to expect from the system. In some cases, users may feel that they are being replaced by the system; it is your job to reassure them that the system will actually make their jobs easier and more meaningful by streamlining complicated processes. Tell your employees what will change and how it will impact them individually, and make them aware of these changes well in advance. Educating them on the role they must play in the implementation of the risk management system will simplify the process.
9. Implement in stages
While risk management systems often have extensive functionality, it can be overwhelming for a team to implement them all at once. This is frustrating to employees and can actually lower the chances of system success. Instead, choose the one area that is most in need of the system and start there. This allows the team to gradually become comfortable with the system and then expand their capabilities.
Using one small change as an example of the effectiveness of the system can also help win over resistant employees and prove that the system has value.
Risk management system implementation can seem like a daunting task. Following this advice will put you well on your way towards achieving your risk management goals.
If there’s an attack on the country, the military mobilizes. When a natural disaster strikes, recovery plans go into effect. Should an infectious disease start to spread, health officials launch a containment strategy. Response plans are critical to recovery in emergency situations, but when it comes to cybersecurity, a majority of industries are not paying attention.
“The reality is no matter how amazing you are with your prevention capabilities, you’re going to be hacked,” said Mohammad Jalali, a research faculty member at MIT Sloan whose work is currently focused on public health and organizational cybersecurity. “Then what are you going to do? Do you already have a good response plan in place that is continuously updated? And communication channels are defined, and stakeholder responsibilities are defined? Typically the answer in most organizations is no.”
To help address cybersecurity weaknesses in organizations, Jalali and fellow Cybersecurity at MIT Sloan researchers Bethany Russell, Sabina Razak, and William Gordon built a framework of eight aggregated response strategies, which they call EARS.
Jalali and his team reviewed 13 journal articles involving cybersecurity and health care to develop EARS. While the cases are related to health care organizations, the strategies can apply to a variety of industries.
The EARS framework is divided into two halves: pre-incident and post-incident.
1 — Construction of an incident response plan: This plan should include steps for detection, investigation, containment, eradication, and recovery.
“One of the common weaknesses that organizations have is they put together an incident response plan, but the problem is that documentation is usually very generic, it’s not specific to the organization,” Jalali said. “There is no clear, specific, actionable list of items.”
Make sure that everyone in the organization knows the plan, not just the employees in the IT department. Set clear channels of communication, and when assigning responsibilities, make sure they are clearly defined.
2 — Construction of an information security policy to act as a deterrent: Clearly defined security steps establish and encourage compliance.
“Many companies think that compliance is security,” Jalali said. “[That] if you just follow the information you’ll be taken care of.”
Don’t set the bar so low that the organization is not secure. Regulations should ensure an understanding of cyber threats. Establish motivational reasons for the response teams to follow reporting policies. Compliance should go hand in hand with continuous improvement.
3 — Involvement of key personnel within the organization: No matter the size of an organization, key leaders need to be educated on the importance of cybersecurity and be ready to act according to the response plan.
Leaders don’t have to be cybersecurity experts, but they need to understand the impact an incident will have on their organization. The more informed they are, the more involved they can be in a response plan.
4 — Regular mock testing of recovery plans: Recovery exercises help organizations stress-test plans and train employees on proper response protocols.
If the organization only tests its recovery plan during an actual emergency, it’s likely to run into serious issues, which could increase the amount of damage caused by the cyber incident.
The shift from a reactive to proactive stance can help an organization identify weaknesses or gaps in its recovery plan, and address them before an incident occurs.
5 — Containment of the incident: Containment involves both proactive and reactive measures.
It’s easier to cut off infected devices from a network if they’re already segmented from other devices and connections prior to an incident. The researchers concede that it’s not always possible to segment networks, nor to immediately disconnect an infected device from the rest of the network. At the very least, immediately report the infected device to the organization’s IT team so the incident can be contained.
6 — Embedded ethics and involvement of others beyond the organization: It’s important to remember that all of an organization’s stakeholders could be impacted by a cyber incident.
Promptly notify legal counsel and relevant regulatory and law enforcement agencies. Consider help from external resources and share information about the cyber threat.
7 — Investigation and documentation of the incident: Be timely and thorough; every step of the pre- and post-incident reaction should be documented.
The investigation should aim to find the root technical cause of the issue, as well as the weaknesses that, once fixed, would prevent similar attacks in future. Proper documentation is a necessity for this analysis.
8 — Construction of a damage assessment and recovery algorithm: Organizations should self-evaluate after the incident.
While computers are where cyber attacks happen, they can also be used to help with recovery. Organizations can leverage the power of computers, especially artificial intelligence, for real-time detection and containment of incidents.
“The commonly used frameworks for incident response strategies often miss this essential step,” Jalali said, “even though there are already AI-based products for this very purpose.”
But our understanding of how people do respond is limited.
“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.
“It’s the norm of this digital world.”
These incidents can also feel quite abstract, Dr. Cross added.
Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.
For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.
“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.
New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.
Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.
You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.
“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.
A badly handled data breach can also dent a company’s reputation.
Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.
Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.
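What “plain text without cryptographic protection” means in practice, as an added illustration that is not part of the article or of Mr. Hunt’s remarks: the first store below keeps passwords verbatim, so a copy of its table is a copy of every password; the second keeps only a per-user salted PBKDF2-HMAC-SHA256 hash, so the same table leak gives an attacker nothing usable without a separate brute-force effort against each user. The class names, the record format and the iteration count are choices made for this example, not anything the article describes.

```python
"""Added example: plaintext password storage beside a salted, iterated hash.

Standard library only. Class names, the record format and the parameters
below are choices made for this illustration, not anything from the article.
"""
import hashlib
import hmac
import os

HASH_ALGO = "sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 guidance)
SALT_BYTES = 16


class PlaintextStore:
    """The weak pattern: once the table leaks, it IS the password list."""

    def __init__(self):
        self._table = {}   # username -> password, stored verbatim

    def register(self, user, password):
        self._table[user] = password

    def verify(self, user, password):
        return self._table.get(user) == password

    def dump(self):
        """What an attacker obtains by exfiltrating the table."""
        return dict(self._table)


def _derive(password, salt, iterations):
    """Stretch the password with PBKDF2-HMAC so every guess is expensive."""
    return hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, iterations)


class HashedStore:
    """The hardened pattern: only a salted, stretched hash is ever stored."""

    def __init__(self, iterations=ITERATIONS):
        self._table = {}   # username -> "algo$iterations$salt_hex$hash_hex"
        self._iterations = iterations

    def register(self, user, password):
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
        digest = _derive(password, salt, self._iterations)
        self._table[user] = "$".join(
            [HASH_ALGO, str(self._iterations), salt.hex(), digest.hex()]
        )

    def verify(self, user, password):
        record = self._table.get(user)
        if record is None:
            # Burn a KDF round anyway so response time does not reveal
            # whether the username exists.
            _derive(password, b"\x00" * SALT_BYTES, self._iterations)
            return False
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != HASH_ALGO:
            return False
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison: no early exit on the first differing byte.
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

    def dump(self):
        """What an attacker obtains from the same breach: salts and hashes only."""
        return dict(self._table)


def breach_exposes_password(store, user, password):
    """True if a copy of the store's table contains the user's password verbatim."""
    return store.dump().get(user) == password


if __name__ == "__main__":
    secret = "correct horse battery staple"
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("alice", secret)
        store.register("bob", secret)
    print("plaintext leak exposes alice:", breach_exposes_password(weak, "alice", secret))
    print("hashed leak exposes alice:   ", breach_exposes_password(strong, "alice", secret))
    print("same password, distinct records:", strong.dump()["alice"] != strong.dump()["bob"])
    print("login succeeds:", strong.verify("alice", secret))
    print("wrong password rejected:", not strong.verify("alice", secret.capitalize()))
```

The per-user salt is what makes two users with the same password produce different records, so a leaked table cannot be attacked with one precomputed lookup; the high iteration count makes each guess cost the attacker roughly what it costs the login server. In production a memory-hard function such as Argon2 or bcrypt via a maintained library would be the usual choice; PBKDF2 is used here only because it ships with the standard library.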
On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.
The group was swift to act and tell the public — and was apologetic throughout.
As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.
“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.
The hacking of a medical clinic employee’s email account during overseas travel demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.
Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.
The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.
Billings Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.
“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”
The information about some 8,400 individuals contained in the affected email account included patient name, date of birth, contact information, medical record number, internal financial control number, diagnosis and limited information about medical services received, the clinic reports.
“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.
As of July 16, the hacking incident was not yet listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – which lists breaches affecting 500 or more individuals.
That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.
In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.
A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.
The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.
Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi,” she says.
Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.
“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.
Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”
Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs whose networks your traffic is traversing.”
Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.
“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”
Steps to Take
McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”
But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”
Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.
There have been reports of some private airplane flights having “hidden cameras” in them recording the screens of laptops that passengers used during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.
Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.
“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”
Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”
Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”
As CIOs work out their spending and strategies for the year, the annual review of the disaster recovery and business continuity plan will inevitably form part of a lengthy to-do list.
Yet with the ever-increasing threats from both natural and man-made disasters – from the devastating fires and flooding in California last year through to the recent impact of Intel’s chip flaw that opened the door to potential hacking – is there anything more that IT departments can do to perfect how their organization both prevents and reacts to business disruptions?
Surprisingly, more than 1 in 3 businesses admit they don’t have a disaster recovery policy in place, a figure that is even higher amongst smaller businesses where an estimated 3 out of 4 are reported to have no contingency measures at all.
With our increasing reliance on technology and the reluctant acceptance that most technology is vulnerable to potential downtime, the CIO or IT manager is the obvious choice of leader to take responsibility for the whole disaster recovery plan, whether it’s due to a technical problem or other factors.
The ripple effect of abnormal events not only affects the IT department but can have serious repercussions on all daily operations, including financial management, customer experience, HR, and workflow.
Whilst CIOs regularly consult with other members of the C-suite on devising a risk management strategy, there are significant advantages to garnering the support of key employees across the whole organization, on a continual basis.
To ensure your disaster recovery plan anticipates every eventuality it’s essential to get ‘buy-in’ and input from all departments, so you can be confident that your plan is as informed, up to date and effective as possible.
Here are some recommendations on how to maximize the knowledge, creativity, and strength you can draw from key players across the organization.
Produce a clear mandate
During ‘business as usual’, a robust process management discipline and a strong process culture provides a firm foundation for teams to document and develop new and innovative ways of working and can help a company drive competitive advantage and innovation.
However, do employees know what processes to follow when the extraordinary occurs? Whether the Internet or phones go down, sensitive customer data is stolen, or severe weather stops them from getting into the office, clarity and communication of disaster recovery processes is just as important as the plan itself. Every member of staff needs to know when and how to trigger a disaster recovery response, as well as who else is part of the team.
Part of the CIO’s remit should be to oversee the design and build of processes that are easy and clear for all personnel to find and follow, every day. In a disaster situation, it becomes imperative for staff to act with minimum delay, limiting the damage that could result from a disaster.
Build easy to follow checklists
One way of communicating unequivocally is to introduce simple checklists as advocated by US doctor, writer and speaker Atul Gawande in his book “The Checklist Manifesto”.
By getting the basics right, well-designed checklists have been proven to cut through unnecessary complexity and encourage transparency, leading to a 35% reduction in complications in hospital operations. These same fundamental principles can be applied to the corporate world where teams are responding to an emergency or extraordinary incident.
You also need to consider how and where to store this critical process information and make it easily accessible to all key staff.
Stage regular ‘fire drills’
Like most insurance policies you hope you’ll never need to claim on them, but you need to know that you’re fully covered. Regularly testing and modifying your disaster recovery processes will keep them up to date and make sure they work. Set up simulation exercises to rehearse what everyone’s roles are during a catastrophe.
With today’s accelerated pace of business change, a month-old plan may soon become obsolete. Organizations need to monitor changes in general circumstances like impending legislation. They also need to be sensitive to company or market-specific conditions such as when a key person leaves and joins a competitor, a laptop goes missing or perhaps a product needs to be recalled.
As soon as a new threat appears on the horizon it needs to be factored into the overall disaster recovery strategy immediately.
Crowd-source ideas and share responsibilities
With a collaborative and collective approach that encourages everyone to work as a group, it’s simpler to both create and follow agreed checklists so you can minimize the impact of unforeseen circumstances.
Employees on the front-line are often best equipped to advise on what level of impact disruptions may have on themselves and other departments. For example, the service manager can give the most insight on the scale of a spike in customer enquiries after your IP network goes down.
By leading the charge for a proactive, constantly evolving approach to disaster recovery, CIOs can be confident that the entire operation is fully prepared and protected for when the unexpected occurs. Rather than panic-stricken employees bombarding you with support calls, there is a state of relative calm, as everyone already knows what they should do and can focus on executing an agreed plan.
Putting in the advance groundwork during quieter times not only leads to cooler heads during more turbulent times, but will also make a tremendous difference to your customers, employees and future business performance.