Increasing Risk Complexity Outpaces ERM Oversight

More organizations are recognizing the value of a structured focus on emerging risks. The number of organizations with a complete enterprise risk management (ERM) program in place has steadily risen from 9% in 2009 to 28% in 2016, according to the N.C. State Poole College of Management’s survey “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.”

Yet this progress may lag behind the increasingly complicated risks that need addressing. Of respondents, 20% noted an “extensive” increase in the volume and complexity of risks the past five years, with an additional 38% saying the volume and complexity of risks have increased “mostly.” This is similar to participant responses in the most recent prior years. In fact, only 2% said the volume and complexity of risks have not changed at all.

Even with improvements in the number of programs implemented, the study—which is based on responses of 432 executives from a variety of industries—found there is room for improvement. Overall, 26% of respondents have no formal enterprise-wide approach to risk oversight and currently have no plans to consider this form of risk oversight.

Organizations that do have programs continue to struggle to integrate their risk oversight efforts with strategic planning processes. “Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks facing the entity especially as it relates to coordinating these efforts with strategic planning activities,” the researchers found.

According to the study:

Many argue that the volume and complexity of risks faced by organizations today continue to evolve at a rapid pace, creating huge challenges for management and boards in their oversight of the most important risks. Recent events such as Brexit, the U.S. presidential election, immigration challenges, the constant threat of terrorism, and cyber threats, among numerous other issues, represent examples of challenges management and boards face in navigating an organization’s risk landscape.

Key findings include:

8 Steps to Stronger Passwords Enterprise-Wide

Passwords remain one of the most critical security controls widely used to protect and secure company infrastructure and data. While the need for strong passwords has long been discussed, they continue to be the difference between a secure infrastructure and a potential cyber catastrophe.

Last year was extremely busy in cybercrime, with more than 3 billion credentials and passwords stolen and disclosed on the internet. That works out to a rate of 8.2 million credentials and passwords each day or 95 passwords every second.

Passwords have always been a good security control, but password strength and how passwords are processed make a major difference in how secure they really are. For example, it is critical to choose a password that is easy to remember, keep it long, and give it some complexity and uniqueness. In addition, how the password is processed and stored in an encrypted format plays a major role in password security.

Here are eight easy steps to get in control and ensure passwords are strong and secure:

  1. Go with encryption: Passwords must never be left in plain text, and especially not in an Excel spreadsheet. Always store passwords with encryption.
  2. Escape complexity: Focus on teaching your end users to use longer and more easily remembered passwords, like password phrases. Don’t let them get bogged down with having to remember special character requirements.
  3. Teach employees: Continued training is critical and is the most important step in implementing your policy. Make sure your users understand their role, prepare quarterly reviews, and make it fun with incentives.
  4. Size matters: The longer the password, the harder it is for a hacker to break. Make human passwords at least eight characters long and system passwords 12-50 characters.
  5. Trust no one: Two-factor authentication is a must! No matter the size of your organization, there are two-factor options for you, like RADIUS tokens, DUO, or Google Authenticator.
  6. Omit duplicates: Use a unique password for each of your accounts. The same password should never be used more than once!
  7. No cheating: Remembering a long password can be difficult, but don’t allow password hints. These just make it easier for hackers to get in.
  8. Get a vault: Start using a trusted password manager to enforce strong password best practices. This way, users can always generate long and complex passwords and never have to remember all of them, and if you use a vault for your IT team, you can find one that automatically changes your admin passwords. When it comes to IT, automation is key to preventing a breach.
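
Steps 1 and 4 carried into a small Python credential store, as an added example (not code from the article or from Thycotic). The article says "encryption"; standard practice for a password that only ever needs to be verified is a salted, slow one-way hash rather than reversible encryption, so this example uses scrypt for the stored record, and the scrypt cost parameters and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Length rules from the article: human passwords at least 8 characters,
# system/service passwords 12-50 characters.
MIN_LENGTH = {"human": 8, "system": 12}
MAX_SYSTEM_LENGTH = 50
# scrypt cost parameters (assumed values; about 16 MiB of memory per derivation)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def meets_length_policy(password: str, kind: str = "human") -> bool:
    """True if the password satisfies the article's length rule for its account kind."""
    n = len(password)
    if kind == "system":
        return MIN_LENGTH["system"] <= n <= MAX_SYSTEM_LENGTH
    return n >= MIN_LENGTH["human"]

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way scrypt hash under a fresh random salt.

    The record is stored as 'scrypt$<salt hex>$<hash hex>' (assumed format) so
    the salt and scheme travel with it; the plaintext never reaches disk.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:          # malformed record: treat as no match
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, expected)

def enroll(password: str, kind: str = "human") -> str:
    """Apply the length policy, then return the record to store (never the plaintext)."""
    if not meets_length_policy(password, kind):
        raise ValueError(f"password does not meet the {kind} length policy")
    return hash_password(password)
```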

For more information on what’s expected in relation to security and passwords, check out Thycotic’s recent report on the current and future state of password security.

RIMS Conference Veterans Offer Advice to First Time Attendees

Last week a member of the RIMS Opis online community asked an important question: “What advice can RIMS Annual Conference & Exhibition veterans give to someone attending the show for the first time?” Luckily, the risk management community rushed in with some sage advice.

First and foremost, several people pointed out how helpful the First Time Attendee Orientation (4:30 p.m. on Sunday, April 23) is. Aside from getting the conference layout, attending the orientation is a great opportunity to meet and get to know people, as “networking is a huge benefit—perhaps the biggest benefit—of attending the conference.”

Here are some other tips from previous attendees to get the most out of the conference:

  • Download the RIMS app. The app will help to keep you on schedule. “I love this app because you can add your own events, see who is attending and plan your schedule. It even has a map!”
  • Leave the uncomfortable shoes at home. The Pennsylvania Convention Center in downtown Philadelphia is massive, and attendees will be doing a lot of walking. That said, don’t opt for flip-flops either, as most attendees are in business formal or business casual attire. One commenter shared this helpful system: “I can’t emphasize comfortable shoes enough! I log 25,000+ steps each day of RIMS and it is non-stop from morning to night. I bring a backpack and carry dressier shoes if I need to put them on for a specific meeting during the day.”
  • Take advantage of free food. “If you work this out right, you won’t buy any meals (except the occasional),” one commenter said. “There are many opportunities to eat for free at a RIMS Annual Conference, and that’s just on the tradeshow floor!” There are also several evening events hosted by underwriters and brokers, some of which splurge on impressive entertainment.
  • Get organized, but stay flexible. There are more than 150 education sessions, tradeshow floor activities and general sessions to attend. Before you get to Philadelphia, make note of the sessions you would like to attend, and put holds on your calendar along with location information. That way you won’t feel overwhelmed and flustered when you’re on site. There will inevitably be things that pop up when you’re at RIMS 2017—your plans will change, and that’s OK.
  • Find a show veteran to tag along with. Doing this can help you maneuver the Exhibition Hall and learn how to “work” the tradeshow floor.
  • Talk to the people around you. This can’t be emphasized enough. During down time before or after education sessions, during meals and at parties, be sure to meet new people and collect their business cards. Many business deals and careers have received big boosts from new connections made at the annual conference.
  • Bring a very tall stack of business cards!

Finally, a RIMS member advised attendees who don’t want to leave their healthy habits at home amid all of the activity and parties to “embrace wellness” with these tips:

  • Take part in the 5K Fun Run. This event will take place on Tuesday morning, before the start of educational sessions. It’s a great way to network, raise money for Spencer Educational Foundation (which supports the next generation of rising risk professionals), and experience the host city with an early morning perspective.
  • Visit the Wellness ZENter. The ZENter will be located centrally in the RIMS Marketplace Exhibit Hall.
  • Drink plenty of water. In addition to the health-conscious choices available at RIMS meals, look for other options, such as infusers and water bottles, in vendor handouts and giveaways.

Software May Help Oil Companies Determine a Location’s Earthquake Potential

New software for monitoring the probability of earthquakes in a targeted location could help energy companies determine where they can operate safely.

The free tool, developed by Stanford University’s School of Earth, Energy & Environmental Sciences, helps operators estimate how much pressure nearby faults can handle before rupturing, by combining three important pieces of information:

  • Location and geometry of the fault
  • Natural stresses in the ground
  • Pressure changes likely to be brought on by injections

“Faults are everywhere in the Earth’s crust, so you can’t avoid them. Fortunately, the majority of them are not active and pose no hazard to the public. The trick is to identify which faults are likely to be problematic, and that’s what our tool does,” said Mark Zoback, professor of geophysics at Stanford, who developed the approach with graduate student Rall Walsh.

Fossil fuel exploration companies have been linked to the increased number of earthquakes in some areas—Oklahoma in particular—that have been determined to be the result of fracking. According to the Dallas Morning News:

Only around 10% of wastewater wells in the central and eastern United States have been linked with earthquakes. But that small share, scientists believe, helped kick-start the most dramatic earthquake surge in modern history.

From 2000 — before the start of America’s recent energy boom — to 2015, Oklahoma saw its earthquake rate jump from two per year to 4,000 per year. In 2016, its overall number fell to 2,500, but its quakes grew stronger.

Five other states, including Texas, Arkansas and Kansas, have seen unprecedented increases in ground shaking tied to the wells, although North Texas had no earthquakes strong enough to be felt last year.

The insurance industry has also been monitoring the rise in temblors. A Swiss Re report concluded, “It’s highly likely that this dramatic rise in earthquake occurrence is largely a consequence of human actions.”

According to the report:

Along with the increase in seismicity, Oklahoma has seen a growth in its oil and natural gas operations since 2008, specifically hydraulic fracturing (often referred to as “hydrofracking” or “fracking”) and the disposal of wastewater via deep well injection. Both hydrofracking and deep well injection involve pumping high-pressure fluids into the ground. A consensus of scientific opinion now links these practices to observed increases in seismic activity. Earthquakes where the cause can be linked to human actions are termed ‘induced earthquakes,’ and present an emerging risk of which the insurance industry is taking note.