Board members and C-suite executives across industries perceive the global business environment in 2015 as somewhat less risky for organizations than in the past two years. In “Executive Perspectives on Top Risks for 2015,” consulting firm Protiviti and the Enterprise Risk Management Initiative at the North Carolina State University Poole College of Management found that this is far from bad news for risk managers, as organizations are actually more likely to invest additional resources in risk management. Internal challenges like succession, attracting and retaining talent, regulation and cybersecurity are drawing the most attention, according to the report.

“Our survey findings indicate that operational risk issues are keeping many senior executives up at night,” said Mark Beasley, Deloitte Professor of Enterprise Risk Management and NC State ERM Initiative director. Indeed, for the third consecutive year, regulatory changes and heightened regulatory scrutiny ranked as the number one risk on the minds of board members and corporate executives, with 67% indicating that it will “significantly impact” their organizations. More than half of global survey respondents indicated that insufficient preparation to manage cybersecurity threats is a risk that will “significantly impact” their organizations in 2015, pushing cyberrisk up three spots from last year to the third-greatest risk.

The Top 10 Risks for 2015

The top 10 risks identified in the annual risk survey, along with the percentages of respondents who identified each risk as having a “Significant Impact” on their business, were:

1. Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered (67%)

2. Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization (56%)

3. Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt our core operations and/or damage our brand (53%)

4. Our organization’s succession challenges and ability to attract and retain top talent may limit our ability to achieve operational targets (56%)

5. Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of strategic objectives (51%)

6. Resistance to change may restrict our organization from making necessary adjustments to the business model and core operations (49%)

7. Ensuring privacy/identity management and information security/system protection may require significant resources for us (52%)

8. Our organization may not be sufficiently prepared to manage an unexpected crisis significantly impacting our reputation (46%)

9. Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in our existing customer base (48%)

10. Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors (46%)

The survey also identified differing perceptions of the current risk environment between boards of directors and members of the executive team. CEOs and boards of directors reported more optimism about risk issues, while CFOs and chief audit executives perceived a riskier business environment. “Given encouraging signs in the economy, we’ve observed an overall shift in focus from macroeconomic risks to operational risks, which had the greatest increase in risk scores from 2014. Notably, however, CEO respondents remained extremely focused on macro trends affecting their business,” Beasley said.

Check out the infographic below for more of the study’s key findings:

[Infographic: Protiviti Top Risks for 2015]


Preparing for and responding to negative events, from the mundane to the catastrophic, from the predictable to the unforeseen, has become a fact of life for businesses and governments around the world. We don’t have to look any further than the seemingly daily reports of cyberattacks on governments, corporations and individuals to comprehend the severity of the problem.

Tackling these risks requires an integrated and holistic framework with the capability to identify, evaluate and adequately define responses to the circumstances. For more and more organizations, this means adopting an enterprise risk management (ERM) model. ERM seeks to identify all threats—including financial, strategic, personnel, market, technology, legal, compliance, geopolitical and environmental—that would adversely affect an organization. This holistic approach gives organizations a better framework for mitigating risk while advancing their goals and opportunities in the face of business threats. But in order to implement and continuously manage this enterprise-wide model, there is a critical need for closer integration of two typically distinct roles within the organization—business continuity management (BCM) and risk management. Together, these two vital elements make up a robust ERM plan and have a tremendous impact on an organization’s ability to contend with interruptions to the execution of organizational activities.

Put in the simplest terms, risk management is concerned with minimizing the probability of negative events and the destruction they cause. Operational risk management, as the name implies, must cope with interruptions at the operational level. Recognizing that there are inherent imperfections in systems, people, facilities and general operational functions, the essence of operational risk management is to negate or reduce the probability of an incident occurring. Focusing on incident-specific, site-specific analysis of potential causes of interruptions, risk managers seek to preclude incidents from occurring. If elimination of the risk is not possible, the focus moves to minimizing the results of the negative event.

For example, suppression systems reduce the risk of operational disruption caused by fire damage. Redundant equipment decreases the possibility of operational interruption resulting from machine breakdown and redundant communications help maintain connectivity. By analyzing past events and examining known hazards (defined flood plains, hurricane-prone areas, construction sites, earthquake areas and terrorism-prone areas) operational risk management seeks to avoid the occurrence of negative destructive events.

But creating strategies to minimize the probability that an event will impact an organization certainly will not prevent every incident from taking place. No degree of preparation can stop a tornado, tsunami or other massively destructive event. So, understanding that not every incident is preventable, our other line of defense is to minimize the impact. That’s where BCM comes in. BCM is concerned with minimizing the impact on the entity after an event occurs and restoring the organization to its normal operations and delivery of products and services as quickly and safely as possible. In short, BCM helps maintain the viability of an entity under duress.

Because it is event-neutral, BCM is able to categorize effects into four distinct categories:

  • Effects on facilities, making them inaccessible or unusable
  • Effects on operational capability, such as supply chain interruptions, processing errors or staff unavailability
  • Effects on technology
  • Effects on the organization itself, ranging from financial problems to intellectual property rights.

When an event inevitably does occur, the optimal goal is to make any business interruptions imperceptible to those outside the affected organization. Here’s an example of how risk management and business continuity management, working together, enabled an organization to achieve that goal:

One of the world’s most important foreign exchange dealers realized that, as an occupant of a high rise building, it could not control the consequences of all incidents that might impact its ability to service its customers, which were some of the largest financial institutions in the world. A review by the company’s risk manager determined that there was a likelihood of an interruption in service as a result of construction work in the surrounding area. To reduce the risk, it was recommended that they install redundant lines and route them through alternative conduits into the building. So they undertook building redundancy in their telecom network. In addition, the risk of server failure was similarly high and so mirroring was implemented to duplicate all transactions and ensure that no data would be lost in the event of a failure of the building’s infrastructure.

Despite all the precautions to reduce risk, what risk management couldn’t control was an East Coast blackout that terminated power to its operation. Recognizing the impact that a loss of power could have, including the loss of use of the facility, the business continuity professional determined that a robust contingency plan was required.

The business continuity plan included a strategy that automatically forwarded incoming calls to another facility outside the U.S. and also provided connectivity to its back-up technology center. When the blackout hit, the business continuity plan worked exactly as tested. Phones were switched, systems were accessible and, best of all, customers never knew the difference. The company was actually more prepared than many of its customers who failed to provide similar capabilities and had to cease trading.

The combination of risk management and business continuity provides the level of resiliency that most organizations must achieve in light of the uncertainty that exists today. The blend will reduce uncertainty and promote a more stable operating environment.


Unrelenting frigid weather often means frozen water pipes – one of the biggest risks of property damage. In fact, a burst pipe can cause more than $5,000 in water damage, according to IBHS research.

Structures built on slab foundations, common in southern states, frequently have water pipes running through the attic, an especially vulnerable location. By contrast, in northern states, builders recognize freezing as a threat and usually do not place water pipes in unheated portions of a building or outside of insulated areas.

Freezing temperatures inside a structure can be prevented with the installation of weather stripping and seals. This offers two major benefits: keeping severe winter weather out of the structure, and increasing energy efficiency by limiting drafts and reducing the amount of cold air entering.

These areas should be inspected for cold air leaks to determine where sealing is needed:

  • Windows and doors
  • Vents and fans
  • Plumbing
  • Air conditioners
  • Electrical and gas lines
  • Mail chutes

IBHS recommendations:

  • Provide a reliable back-up power source, such as a standby generator, to ensure continuous power to the building.
  • Interior building temperature can be monitored by a central monitoring company to ensure prompt notification if the interior of the building reaches low temperatures after hours, during power outages or during idle periods.
  • Recessed light fixtures in the ceiling below the open area that is directly under a roof, such as attic space, should be insulated to prevent the release of heat into the attic.
  • Check to see if there is any visible light from recessed light fixtures in the attic.
  • If there is, they are not adequately sealed or insulated. Sometimes, especially in low sloped roof buildings, the space above a suspended ceiling located below the roof may be heated and cooled like the occupied area below.
  • If that is the case, there is no need to insulate above the suspended ceiling or seal the ceiling’s penetrations.
  • Insulate all attic penetrations such as partition walls, vents, plumbing stacks, electric and mechanical chases, and access doors that are not properly sealed.
  • Ensure proper seals on all doors and windows. Depending on the building or room size, fan tests can be conducted to check room pressurization and locate leaks.
  • Seal all wall cracks and penetrations, including domestic and fire protection lines, electrical conduit, other utility service lines, etc.
  • Sprinkler systems should be monitored by a constantly attended central station to provide early detection of a sprinkler pipe rupture due to freezing.
  • Insulation and/or heat trace tape with a reliable power source may be installed on various wet sprinkler system piping. This includes main lines coming up from underground passing through a wall as well as sprinkler branch lines.
  • UL-approved gas or electric unit heaters can be installed in unheated sprinkler control valve/fire pump rooms. If backup power is provided, the heaters should also be connected to this power source.
  • A monitored automatic excess flow switch can be placed on the main incoming domestic water line to provide early detection of a broken pipe or valve when the space is unoccupied.



Stanford University, Feb. 13, 2015

It was an honor to attend the White House Summit on Cybersecurity and Consumer Protection and I applaud President Obama’s efforts to bring together an impressive group of leaders across a broad range of industries, government and law enforcement officials, and consumer and privacy advocates to discuss cybersecurity. This is an issue that affects us all and clearly has no borders. While there were several core themes discussed throughout the day, three key takeaways are of particular interest to private industry:

Public-Private Collaboration is Critical
The overarching theme presented by the White House was how to boost the collaboration between companies and agencies in order to combat hackers. The announcement in the days preceding the Summit of the new Cyber Threat Intelligence Integration Center (CTIIC) was just a first step. As a further validation of the importance and urgency on behalf of the White House surrounding the issue at hand, at the Summit President Obama signed an Executive Order directing the creation of Information Sharing and Analysis Organizations (ISAOs) which will enable companies and the government to share classified cyber threat information. Only with an ongoing sharing of threat information between the government, including the Department of Homeland Security and the Federal Bureau of Investigation, and companies across industry groups, will we be successful. With much of the order voluntary, companies across all industries are also being asked to step up to the table now to not only share threat information but to establish best practices within their organizations in order to protect their constituencies in the future. This too is critical, since the maintenance of best practices is closely tied to a company’s ability to get cyber insurance.

Understanding Vulnerabilities is Key to Improving Best Practices
While the need to focus on the security systems operating behind consumer payment systems in order to make it harder for hackers to steal information is absolutely critical, and Apple CEO Tim Cook was quite persuasive on this point, to stop at payment systems alone would not solve cyber hacks. In order to enhance consumer protections online, single-factor authentication, or the password as the primary form of security, is a dated practice that should be replaced with more secure technologies. Companies also need to be mindful that criminals can breach a business’s defenses in any number of ways – directly through company networks and also indirectly through the network of vendors and third-party service providers. What is needed is a fuller understanding of all the possible threats, malicious actors and the broad range of tactics those actors will employ. Across all industries, companies are facing a highly complex and constantly evolving threat environment with new attackers and attack methods to be wary of in order to protect their partners, clients and customers.

What Comes Next is Even More Meaningful
While it is essential for the United States to take a leadership role on this important issue, with guidelines and processes for internal consumption, we cannot merely look inward. We are living and working in an increasingly interconnected and globalized environment, and that environment also includes criminal elements. Cyber threats from foreign countries, such as Russia, China and North Korea, keep growing. Sharing information alone won’t stop them. The next steps from our government in protecting our nation’s business must be even more meaningful. We urge cooperation with international law enforcement agencies to help protect companies from foreign-based threats and to help make significant progress in this area.
