New AMRAE Survey Explores RMIS’ Global Market Trends

Recently, the Association for the Management of Risk And Insurance of Enterprise (AMRAE) and EY jointly released the 11th edition of the RMIS Panorama, offering an in-depth look at the organizations and professionals who are using risk management information systems (RMIS), how well they have adapted, and guidance for those seeking their first or newest framework.

After surveying 570 risk managers and 36 vendors from more than 30 countries, Panorama’s authors note the top reported benefits from RMIS were the ability to spend more time analyzing (and not collecting) data, harmonizing practices and reducing silos. Of those who have adopted these systems, 47% are in the industry and services sector, followed by 31% in banking and insurance and 12% in the public sector.

Some other key takeaways from the report include:

  • 54% of risk managers already use an RMIS and report a 71% satisfaction rate.
  • Though a majority of risk managers said they wish to keep RMIS costs at less than €300,000, last year marked the first increase for RMIS budgets totaling more than €1 million (approximately $1.12 million). This trend was largely driven by activity in North America, and a 2% increase is projected for 2019.
  • Ease of use is still the main criterion for selecting an RMIS tool. The market is seeing an increasing demand for “ergonomic and advanced reporting” within the solution.

According to the report (which is available in both English and French), there has been a 60% year-over-year increase in RFP solicitations for RMIS from the international risk management community since 2013. Francois Beaume, AMRAE vice president and VP of risks and insurance at Sonepar, said he expects the trend to continue and noted that the report can serve as impartial guidance to help risk professionals find the right RMIS vendor and system for their organization. The report also offers insight on best practices around the RMIS lifecycle, from the original requirement design phase to the change management program following implementation.

“Our approach is based on two critical pillars – objectivity and neutrality,” Beaume explained. “As an increasing number of risk professionals seek their first or new RMIS models, they may need help selecting or even adapting them to their own methodologies.”

Panorama also explores the most requested RMIS modules, which range from risk mapping and incident management to audit. Internal control and audit garnered high satisfaction rates among professionals, with both exceeding 80% in cumulatively “meeting” or “exceeding” expectations.

Additionally, the report includes testimonials from six global risk managers on their experiences with RMIS. For example, according to Susan Hiteshew, a RIMS board member and senior director of insurance for the Americas at Marriott International, RMIS systems provide a “one-stop shop for data aggregation, reporting and analysis” that “builds a single source of truth when making decisions.”

To fellow risk managers starting the process, Hiteshew advised, “Rather than reproducing work within the system, companies undergoing an implementation must begin with the end in mind and work backward to build and validate processes to realize the full RMIS value. This helps minimize the execution risk that can materialize and offset the system’s advertised value proposition.”

Francois Beaume was recently a featured guest on RIMScast to discuss the Panorama’s findings and international market trends; the podcast episode is a free download.

The Risky ‘Business of Art’ Explored at Observer Event

From left: Massimo Sterpi, Elena Zavelev, Anne Bracegirdle, Devin Finzer, Curt Bilby / Photo: Keith Sherman & Associates

NEW YORK—On May 21, the Observer’s inaugural “Business of Art Observed” event brought experts in art, insurance, risk management, tech and finance to the Roosevelt Hotel to discuss established and emerging risks facing the $50 billion art industry.

The “Insurance and Risk Management” session wasted no time exploring creative risk and claims management approaches to the various forms of potential damage to artwork. From transit to security to geopolitical risk, panelists agreed fine art coverage is not a paint-by-numbers process, and said the “framing of a claim” can facilitate a payment.

“Insurance companies get a bad reputation,” said Mary Pontillo, senior vice president and national fine art practice leader at DeWitt Stern. “But the higher-end, really good-quality insurance companies are looking for ways to pay claims. I think that’s where there are a lot of misconceptions.”

For example, she mentioned advising a client whose work was being kept on a yacht. While certain maritime and environmental risks such as humidity were not covered by the policy, she was able to demonstrate that ocean spray had been the source of the damage and successfully get the claim covered.

The session discussed modernizing risk management in the art market and how the industry should apply forensic due diligence to transactions and ensure they view all business activities through a lens of strategic risk. And with transparency cited as a continuous challenge, Dennis Wade, a senior partner at Wade Clark Mulcahy, LLP, who has handled international fine art matters, pointed out the importance of reputation risk when drafting a policy.

“Many policies also contain an exclusion for the dishonesty of the person to whom you deliver or entrust the goods,” Wade said. “So if you consign a work to a corrupt gallerist, there may be an exclusion in your policy and you may not be covered at all.”

The emergence of blockchain technology dominated discussion at another session, “Art Market 2.0: Using Art & Technology to Drive the Industry Forward.” According to panelists, authentication and secure transactions have risen to the top of their risk registers. New Art Academy Founder Elena Zavelev said blockchain’s ability to put individual faces on digital artwork has mostly solved the prior risk of unauthorized duplications, forgeries, and fraud. Zavelev and her co-panelists said blockchain may facilitate a long-term change in the way art is created, sold, curated and insured by improving the ability to track a work’s provenance.

Christie’s AVP Anne Bracegirdle said the masterstroke for streamlining the authentication process is to create a digital, industry-wide registry. Tokenizing original works, she said, would simplify the experience of buying, selling and trading. “If each piece had its own digital identity that would stay the same, no matter where it went, it would instantly provide secure provenance and prices,” Bracegirdle said. “There are companies like Consensus and Microsoft working to create distributed identity networks. The security within that could be applied to scale blockchain—regardless of which blockchain you’re interacting with. Digital identities would provide clients with access to all their consignments and their purchases in one consolidated space, which currently doesn’t exist.”

The evolution of art was also a hot topic during this session, since what’s considered a “finished piece” is no longer just a physical canvas. Digital, virtual and even crypto-art may be in their relative infancy, but they are gaining global popularity and could significantly influence the industry, said Devin Finzer, co-founder and CEO of OpenSea, a peer-to-peer marketplace for crypto collectibles, gaming items, and digital art.

“[Owning digital products] has always been confined to a specific ecosystem, like event tickets to a ticketing site,” Finzer said. “Blockchain offers a new type of ownership for these digital assets and it’s exciting for digital art because you can own it in a variety of [digital forms]. Right now, we see the enthusiasm is from tech enthusiasts, but I think over time these ideas around digital ownership will cross over to a mainstream crowd who appreciate the art more than the technology.”

McDonald’s Sued for Sexual Harassment at Franchises

This week, 25 women in 20 cities across the United States brought sexual harassment charges and lawsuits against fast food giant McDonald’s with the U.S. Equal Employment Opportunity Commission (EEOC), alleging that the company has neglected its duty to protect employees from harassment. In fact, the women claim, the company has often punished those who have spoken out against abuses, including cutting their hours and revoking promotion or training opportunities.

These are hardly the first claims that female workers have brought against the restaurant chain. In the past 10 years, the EEOC has filed multiple lawsuits against McDonald’s for allegations related to sexual harassment and inappropriate behavior at franchises across the country. In May 2018, 10 women filed harassment complaints, including “alleged groping, propositions for sex, indecent exposure and lewd comments by supervisors,” according to the Associated Press. They too alleged that they faced negative consequences when they objected to these abuses. Workers also launched strikes to protest against sexual harassment and other inappropriate treatment in May 2015 in Chicago and September 2018 in 10 cities.

These lawsuits correspond with a planned strike on Thursday, May 23, to protest low wages and the company’s refusal to get involved with franchises’ pay decisions and negotiations, as well as workers’ ability to create a union. The wider protest movement Fight for 15 (named for their demand for a $15 minimum wage) has backed the sexual harassment claims and lawsuits, as have the National Women’s Law Center’s Time’s Up Legal Defense Fund, the ACLU, and several law firms.

Because it operates on a franchise basis, McDonald’s has said that it has no responsibility or liability for any abuses (or wage decisions) at individual locations—that it is not a “joint employer” with its franchises, and franchise employees are not direct McDonald’s employees. In April, the Trump administration announced that it would reverse Obama-era interpretations of what qualified as a joint employer, which had made chains more liable for labor violations at their franchises. The Trump administration change is still in the proposal stage, but could clarify who can be held responsible for sexual harassment and wage disputes, relying on four factors: who can hire/fire the employee, who has control over work schedules, who sets pay rates and who maintains employment records. This change could make chain companies significantly less responsible for conduct at their franchises.

McDonald’s has stated that it provides comprehensive policies and training to help franchises prevent sexual harassment. The company also said that it has brought in experts to help “evolve” those processes, and set up an anonymous hotline to report harassment. However, advocates say that without visible enforcement of its policies, these steps are not enough. Workers at low-paying jobs, including fast food, are uniquely vulnerable to harassment and other workplace abuses. One 2016 study found that 40% of female fast food workers had been sexually harassed in the workplace, and that this was “substantially higher than in workplaces overall.” Additionally, the study found that 42% of female fast food workers who were harassed in their workplace “feel forced to accept it because they can’t afford to lose their job,” 21% said they faced negative professional consequences after reporting the inappropriate behavior, and 45% said they experienced physical and mental health problems as a result of workplace harassment.

As Risk Management has covered before, no matter what the industry, companies and their HR departments have the obligation to keep their employees safe from workplace harassment, and should implement strict HR policies to address it. These policies should include clear reporting guidelines (not just to tell an immediate supervisor, who is often the person harassing the employee) and strong disciplinary measures, as well as mandatory and regular anti-harassment training. For risk management and HR professionals reviewing their existing policies, these tips can help ensure they foster a workplace culture in which reporting harassment is encouraged and illegal or inappropriate conduct is swiftly and effectively investigated and punished.

Microsoft Vulnerability A Reminder to Update and Patch

Microsoft recently announced a major vulnerability in Windows XP, Windows 7 and several older Windows Server versions. According to Simon Pope, the company’s director of incident response, “[A]ny future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” This announcement reinforces the importance of companies patching security vulnerabilities to mitigate the risk, especially on older machines that still serve essential functions.

This news follows a TechCrunch article reporting that at least a million computers worldwide, mostly in the United States, remain vulnerable to the WannaCry and NotPetya malware because users have not installed the necessary patches. Cybercriminals continue to use this malware, based on hacking tools originally developed by the NSA, to deliver all sorts of malicious software to unsuspecting victims online.

WannaCry is ransomware—malicious software that hijacks a computer and demands payment to regain control—that spreads quickly and has affected businesses, governments and individuals in over 150 countries since 2017. Around the same time, malicious software disguised as ransomware, called NotPetya, spread worldwide, affecting global business operations and effectively paralyzing multiple companies in what has been called “the most devastating cyberattack in history.” Both caused massive financial damage worldwide, with WannaCry estimated at $8 billion in damages and NotPetya estimated at $3 billion.

Microsoft has released patches to protect systems from the newly announced vulnerability, even for Windows XP and Windows Server 2003, despite the company not usually offering support for those older systems. However, XP users will have to manually download the patches from Microsoft’s update website. According to a 2017 Spiceworks study, businesses worldwide were still running Windows XP on 11% of their laptops and desktops. While that has likely decreased in the past two years, it would still leave a significant number of machines running exposed systems that require manual updates to patch.

Not patching vulnerabilities has led to serious incidents, like the Equifax breach in 2017, which led to the theft of 143 million Americans’ personal information. In that case, the US Department of Homeland Security had issued a warning about the web application vulnerability and a patch had reportedly been available for 2 months before the breach, but Equifax failed to implement the fix. A US House Oversight Committee report blamed the company entirely, saying that Equifax “failed to implement an adequate security program to protect this sensitive data,” and that “such a breach was entirely preventable.”

Companies use many different types of software in their daily operations, and software providers issue many patches for their products, which leaves companies overwhelmed. According to an April 2018 Ponemon Institute study, 68% of companies “find it difficult to prioritize what needs to be patched first.” IT staffing limitations and competing priorities within organizations can hinder these efforts, since patching requires a heavy time investment and sometimes means taking important aspects of the business offline to implement fixes. Companies with third-party partners and supply chains face even more complex risks, since their systems are often integrated or dependent, and companies likely do not have direct control over partners’ systems to ensure patching. Including contract stipulations that require third-party partners to meet certain security requirements can help mitigate this outside risk.