Tackling Event Risk, Scoring High in Safety

Major events like Sunday’s championship Super Bowl game and business functions go hand-in-hand. With the Big Game just around the corner, the San Francisco Bay Area has seen an uptick in events throughout the week, often consisting of lavish private parties and public gatherings. Companies in the area, as well as those from out of town, are taking this opportunity to conduct business and send their employees and clients to experience all the Golden Gate City has to offer.

Attending the Big Game, or any major event, cannot be all play and no work, especially for those – such as risk professionals and business leaders – concerned about the legal, reputational, financial, and people-related risks surrounding such a high-profile and highly-populated event. Any company with employees or clients planning to attend the game and/or related festivities should keep a few things in mind to best protect them and their business in the event of a crisis. Before kickoff, here are a few tips to guide risk managers and business leaders when considering the potential risks surrounding major events like this Sunday’s game.

Mother Nature Poses Risks

Despite being known for its warm, dry summers and mild, wet winters, San Francisco is also known for being highly vulnerable to natural disasters such as earthquakes, tsunamis and wildfires. Organizations should expect the unexpected and create a crisis response plan for travelers prior to game day and most importantly, communicate these plans to their travelers and internal crisis teams. A clearly communicated plan can drastically reduce the potential for delays and confusion should a disaster strike.

Familiarize the Unfamiliar

Travelers heading to any major event need to become familiar with travel distances and transit options, since getting from point A to point B will inevitably take longer than usual during a crisis. Knowing which roads and highways are open and which are closed and having several “out routes” from hotel and venue locations is one proactive way to prepare for an emergency.

Establish a Medical Strategy

With companies and attendees paying as much as thousands of dollars per ticket, it’s safe to say the last place anybody wants to be is in the emergency room. In the event something does happen, however, it’s important for travelers to understand the healthcare landscape in the Bay Area so they know where to go for medical care. Providing your employees with a thorough list of nearby hospitals, urgent care clinics and even a map of where the first aid locations are within the stadium ensures they have the tools to seek the care and assistance they need in the event of an emergency.

After Hours Preparation

Remember that disaster typically strikes when it’s least expected. As such, a sound crisis management strategy should include an element of what to do in the event of an after-hours emergency. It’s also imperative to perform a crisis management exercise before any emergencies surface, ensuring that all parties involved know their roles and responsibilities. Executives should keep a clear flow of communication to and from employees and those attending an event. During an emergency, details change by the minute and old facts are of no use. One way to keep attendees informed is arming them with a wide variety of tools, apps and websites (such as the event’s main website) to keep themselves updated on many of the variables described above.

These tips are just a few ways companies can fulfill their Duty of Care responsibilities while employees and clients enjoy the sights and sounds of any major event’s host-city. Providing employees, clients and other constituencies with a comprehensive list of information and emergency plans will allow your proactive measures to fall into place seamlessly should an emergency situation occur at a major event.

Overcoming ‘Balkanization’ of Business Continuity Planning

To be sustainable, organizations must prepare for crises that occur or risks that crystallize. General responses to those threats include alternative office sites, IT back-ups and communication protocols. As reality demonstrates over and over, it is critically important to have a strong leader in a crisis situation, be it the captain of a ship in a storm, the commanding officer of a platoon under fire or the CEO of a company in turmoil. A cacophony of contradicting orders or disintegration in the line of command is the surest way to increase a disaster’s impact and the time needed to recover.

Instead of creating a strong BCP landscape with clear lines of command and control, however, we more often see “balkanization,” or fragmentation of responsibilities. Business continuity planning, environmental health and safety, operational risk and IT disaster recovery are different teams with overlapping roles and responsibilities for crisis management.

The newest buzzword is resilience, which is discussed in a growing number of articles and lectures and defined as the “ability to bounce back to a normal operating status after a state of crisis.” There are also a number of overlapping areas with the aforementioned functions—and that is just on an intra-company level. The OECD has issued Guidelines for Resilience System Analysis, urging member states to set up resilience management on a country level basis.

Recent private initiatives like the 100 Resilient Cities (100RC) by the Rockefeller Foundation bring resilience management to an urban level. So if a natural disaster hits a major city, thousands of firms, and the city itself, will invoke a patchwork of crisis plans. For a larger disaster, there might also be a national crisis plan. Are there clear lines of command, however? Is everybody aware of what to do? We doubt it.

Modern BCP management does not need more specialization and buzzwords, but coordination of the different functions and initiatives to provide a clear, consistent and timely response. One of the most pressing tasks is establishing a common risk language to ensure that all stakeholders involved in the process have the same understanding. For example: While the 100RC initiative is coining the term CRO for chief resilience officer, the acronym is also widely used as an abbreviation for chief risk officer. So while talking about roles and responsibilities of a CRO, everyone involved should have a clear understanding about which CRO is meant.

100RC also looks at urban resilience in terms of surviving and thriving, regardless of the challenges—be they acute shocks (such as severe weather or earthquakes) or chronic stress (long term unemployment and violent crime)—and it seeks a much wider remit than the traditional concept of resilience as “the ability to bounce back from an event.”

The response is to call for a more coordinated approach working across multiple stakeholders through the chief resilience officer who, according to Michael Berkowitz (President of 100RC) “needs to build connections across not just various departments of municipal government, but across an entire ecosystem of people and places.” This is welcomed, since it is both forward looking and holistic in its approach to solving some of the world’s major issues in the next 20 years. Given that most entities are no longer stand-alone enterprises, but part of an increasing global network of customers, suppliers, regulators and other stakeholders, disaster recovery cannot be handled effectively by an individual member of that network. Instead, the entire group needs to collaborate to create an effective disaster recovery program. A central CRO who coordinates the needs of the various parts of the network seems to be the best way.

While we see this forward-looking risk management approach to resilience as a welcome development, it does further complicate interaction between resilience and BCP by muddying command and control and introducing the potential for more stakeholders into an already complex chain. What is required for this to work is very clear planning and, one could argue, the ability for external (such as municipal) CROs to assume command of enterprises under their jurisdiction.

As of now, in most jurisdictions it is the responsibility of the CEO and the board to determine and define risk capacity and risk appetite. This leaves little room for outsourcing BCP or resilience planning. The key question, then, is whether a change in mindset and approach is required to enable the development of network-wide recovery solutions, thus overcoming the balkanization of BCP.

Sentencing Begins in 2014 W.Va. Chemical Spill Disaster

Robert Reynolds, a former environmental consultant at a chemical distributor, was sentenced to three years’ probation and fined $10,000 for a 2014 chemical spill in West Virginia that polluted the drinking water supply of 300,000 people. Reynolds was the first of six former Freedom Industries officials to be sentenced, the Associated Press reported.

The incident began on Jan. 9, 2014 when authorities discovered that 7,500 gallons of chemicals—mostly 4-methylcyclohexane methanol (MCHM) and PPH (polyglycol ethers), both used to clean coal—had leaked from an aging storage tank owned by Freedom Industries into the nearby Elk River.

Questions arose concerning the tank’s close proximity to a water treatment plant and, after the West Virginia American Water Company reported that its water supply had become contaminated, Gov. Earl Ray Tomblin issued a State of Emergency for Boone, Cabell, Clay, Jackson, Kanawha, Lincoln, Logan, Putnam and Roane counties. “West Virginians in the affected service areas are urged NOT to use tap water for drinking, cooking, washing or bathing,” Tomblin said in a statement.

Rafael Moure-Eraso, chairman of the United States Chemical Safety Board, warned in a Jan. 28, 2014 New York Times op-ed: “The United States is facing an industrial chemical safety crisis. It is clear to me, as chairman of the independent federal agency charged with investigating industrial chemical accidents, that urgent steps are required to significantly improve the safety of the nation’s chemical industry.”

About 13,000 facilities nationwide store or process chemicals in amounts hazardous enough to endanger the public, according to the Environmental Protection Agency. This estimate, however, understates the scope of the problem. “The West Virginia facility implicated in the recent spill…would not fall under criteria used by the agency to come up with its estimate,” Moure-Eraso said.

2016 Data Breach Predictions: Hackers More Active than Ever

We are only a month into 2016 and it’s already shaping up to be a big year for data breaches. Of the many organizations facing increasing threats this coming year, the presidential candidates are also likely to be attractive targets for attacks. Recent cyberattacks targeting information from Hillary Clinton and Donald Trump are an indicator of how the threat landscape is changing with hacktivism making a comeback.

Beyond the candidates, companies also face hacktivism and several other new data breach threats in the coming year. While traditional threats will continue to make headlines, there are several emerging issues that need to be addressed in data breach preparedness plans. To help risk managers prepare for what lies ahead, outlined below are our top trends anticipated in 2016.

Hacktivism will return in force

Foreshadowed by last year’s high-profile data breaches – think website Ashley Madison – hacktivist activities are likely to resurge with the intention of causing reputational damage to a company or cause in lieu of financial gain. Organizations and groups with a polarizing or controversial standing should be prepared for the possibility of an attack aiming to harm their organization and/or constituency. These incidents can cause significantly more damage to individuals and are harder to resolve for the business, so organizations must be prepared to respond to this type of incident and ensure that all scenarios are accounted for in their data breach response plans.

2016 elections set the stage for attractive hacking targets

With big data analytics driving modern campaigns, the potential for a politically motivated attack is a significant threat. The presidential arena is an attractive platform for criminals or activists seeking notoriety, and a hack of this kind could take many forms, from exposing secrets or embarrassing information about the candidates to outing fund sources of super PACs. This year’s race is particularly polarizing with the involvement of outspoken candidates, the current political uncertainty and the comeback of hacktivism. In addition to attackers looking to expose information about candidates, other countries will likely be on the lookout for vulnerabilities to target during the election to gain insight into the foreign policy positions and platforms that could impact their country if a certain candidate is elected. Generally, risk managers at businesses and political campaigns should be prepared for a data breach around any major activity or event. If sensitive information about a campaign or donor base is exposed, it could cause a major disruption in the campaign and reputational damage.

Consumers and businesses will be caught in the middle of cyber conflicts between countries

As nation-states continue to move their conflicts and espionage efforts to the digital world, we will likely see more incidents aimed at stealing corporate and government secrets or disrupting military operations. The Wall Street Journal reported in October 2015 that more than 60 countries have or are developing tools for computer espionage and attacks, and 29 countries now have formal military or intelligence units dedicated to cyber efforts. These attacks are likely to cause collateral damage to millions of innocent individuals whose personal records could be exposed in the process, similar to the Office of Personnel Management breach in 2015. While hackers in the OPM breach were likely targeting information from a subset of individuals, millions of people’s information was exposed in the process.

Healthcare data breaches will continue to make headlines

Healthcare companies will remain a top target this year, due to the high value of medical records on the black market. However, this year we expect that breaches of smaller organizations will cause the most damage. While insurers and large hospital networks contain the largest amount of data, and therefore present the largest payoff to hackers, they also spend more time preparing for attacks and investing in security compared to smaller organizations. Regardless of size, this sector will continue to be a focal point for attacks. Organizations must protect their data by investing in up-to-date security technologies and regularly training employees on proper data handling practices.

Only time will tell what type of breaches will top the charts this year, but we can bet that the frequency and sophistication of security incidents will probably continue to advance. Companies must confront the rising threats and vulnerabilities in today’s data breach landscape, and take the necessary steps to protect themselves. By investing in up-to-date security technologies, training employees, implementing security awareness programs and regularly updating data breach response plans, companies can be much more confident and prepared to face an attack.

More information on the 2016 Data Breach Industry Forecast and additional resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.