One of the key questions being asked by audit committees and boards of directors of organizations around the globe is whether their emerging technology risks are being properly identified and managed. To that end, the Global Internal Audit Common Body of Knowledge (CBOK) released “Navigating Technology’s Top 10 Risks,” which identifies the top technology risks and ways that organizations can learn about and address these risks.

Here are the top five out of 10 risks ranked by the study:

1. Cybersecurity

One of the biggest cybersecurity risks faced by companies is the possibility of theft of confidential data by external perpetrators, and the study found this is the most discussed IT topic among executives, internal auditors, audit committees and the board. More than 70% of survey respondents consider the risk of a data breach to be extensive or moderate, while 82% of IT specialists consider this risk to be even higher.

2. Information Security

With the recent spotlight on data breaches, the current focus is a layered defense of critical information rather than a single layer of protection.

A strong information security program encompasses:

● Robust risk assessment process

● Effective governance and compliance procedures

● Documented and communicated information security policies and standards

● Effective security awareness training program

● Efficient access control procedures

● Tested disaster recovery, business continuity and incident response programs

● Operational asset management, network management, patch management and change management processes

● Tight physical security

3. IT Systems Development Projects

While organizations need to update their technology systems, success rates are low. The study found that 16.2% of systems development projects were rated an overall success, 52.7% were challenged and 31.1% were impaired or canceled.

Examples of project objectives not achieved include missed deadlines, cost overruns, efficiencies not delivered as expected, flawed software that was not tested before implementation, reduced integration from the initial plan and less functionality than was identified in the business case when the project was approved.

4. IT Governance

In many organizations, management questions the amount of money spent on IT and increasingly monitors IT costs. This added emphasis is also due to the widening gap between what IT thinks the business needs and what the business thinks IT can deliver.

A good IT governance program must have these elements:

● Clear alignment to business

● Measurable value delivery to business

● Accountable controls of resources, risk, performance and cost

[Figure: IT Governance Activity]

5. Outsourced IT Services

Because of the increased focus on IT costs, some key IT services have been outsourced. According to the study, this can expose an organization to risks that may remain undiscovered until a failure occurs. An average of six out of 10 internal auditors surveyed said they expect an increase in audits of outsourced IT services over the coming year, according to CBOK, which is administered through the Institute of Internal Auditors. The largest increase is expected in Sub-Saharan Africa and the smallest in Europe.


Here are a few articles that caught my attention during the past week highlighting some interesting issues impacting the world of risk and insurance. They include tips on handling cyber disputes, news about the coming El Niño, Department of Labor remote work policies, how students at Butler University are establishing a captive insurer and an interesting look at potential FCPA lessons learned from the July death of Cecil the Lion.

5 Tips for Success in Cyber Litigation

Insurance Thought Leadership: Many insurance coverage disputes can be, should be and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage.

El Niño and La Niña: Weather Patterns that Could Impact Your Business

Interstate Restoration: “…the Godzilla El Niño.” “All Signs Indicate a New Monster El Niño is Coming.” These quotes aren’t from a new action movie. They are just a couple of examples of the dramatic headlines and descriptions about the potential of this year’s El Niño. Since most of the stories hearken back to the El Niño of 1997–98, the strongest on record, it’s understandable if you’re concerned about the potential impact of this year’s El Niño on your business. But depending on where you’re located, you may or may not need to worry.

DOL Forcing Everyone to Change Remote Work Policies: Pitfalls to Avoid

HR Morning: If the DOL’s new overtime regs go through as written — and there’s every indication to believe they will — employers of all stripes will have much more than just classification issues to contend with.

Grant Helps Butler Create Student-Run Insurance Company

Butler University Newsroom: The Butler University College of Business will establish a student-run insurance company with the goal of having the company fully operational by the 2019–2020 academic year, thanks to a $250,000 gift from MJ Insurance and Michael M. Bill.

On the Death of Cecil the Lion and the FCPA

Compliance Week: Cecil the Lion was shot and killed in July. What does the death of this well-known and well-beloved lion in Zimbabwe have to do with the Foreign Corrupt Practices Act? More importantly, what are the lessons to be learned by any chief compliance officer or compliance professional from this event? Much more than you would first think, actually.


From the Middle East to Eurasia to Eastern Europe, events and potential events that translate into political risk fill the news.

Political risk is instability that damages or threatens to damage an existing or potential asset, or significantly disrupt a business operation. Examples include sustained political and labor unrest, terrorism and violent conflict. This risk is increasingly regional in nature, as the Arab Spring and sudden spread of Islamic State control demonstrate.

According to the new Clements Worldwide Risk Index, political unrest is the number one concern among top global managers at multinational corporations and global aid and development organizations.

Risk managers in these organizations responded in the Worldwide Risk Index survey that political risk and instability—including cyber attacks—are real and growing. Twenty-eight percent of top managers surveyed stated political unrest was their top concern, while 25% cited kidnapping, and nearly 10% cited terrorism.

When it comes to terrorism, the Worldwide Risk Index results align with the data. The U.S. State Department’s Annual Country Report on Terrorism released recently indicates that the number of terrorist attacks worldwide in 2014 increased 35%, while total fatalities from terrorism activities grew by 81%, compared to 2013.

But as violence and unrest have increased, readiness for it trails far behind. Twenty-one percent of respondents admitted being “not prepared at all” for a terrorist attack, while 11% considered themselves “very prepared”; 17% said they were “very prepared” for the ramifications of a disease outbreak, while 10% said they were “not prepared at all” for that threat; and 21% said they were “not prepared at all” for a cyberattack.

Perhaps most troubling, these concerns and lack of preparedness are impacting business decisions. Twenty-one percent of Worldwide Risk Index respondents had delayed plans to expand into new countries due to rising international risks.

So what can executives do to bring their organizations’ preparedness in line with growing risks around the world?

First, they can invest more in risk management overall. This means emergency planning, training, security and other techniques to manage and reduce risk. An important element is also testing the plan, which typically highlights gaps. Forty-four percent of Worldwide Risk Index respondents increased spending on this activity. While not a majority, it is still a significant percentage of organizations investing more in basic risk management.

Next, corporate executives should consider retaining the services of the growing number of political risk, insurance and security consultancies that provide political intelligence. While the quality of these firms varies and they are not a substitute for direct experience, these companies provide useful insights into potential risks one might encounter, especially when starting operations in a new location. Risk managers can also personally monitor catalysts to political unrest, such as elections, which are often linked to demonstrations and disturbances in developing countries, particularly with the rise of social media. Elections and other catalysts have caused disruptions in surprising places around the globe, such as Thailand. Corporate executives, including risk managers, need to understand that no country is absolutely “safe” anymore.

Finally, organizations need to consider increasing their spending on international insurance. Fifty-seven percent of the respondents to the Worldwide Risk Index report doing just that. There are more options than ever before for political violence and risk, kidnap and ransom (K&R), evacuation and related policies. Organizations can work with individual carriers, or with brokers who can help tailor policies to specific risk profiles. The best organizations link their brokers or insurance carriers to their overall risk management strategy and ensure their plans include which broker to contact in case of which emergency, as it may differ for a medical versus a property event.

The global economy is more integrated than ever, with more markets opening every year. Yet global supply lines and other business operations and investments are more dependent on particular political factors than at any time in modern history. Political unrest, instability and even conflict are “normal” realities that drive business decisions in ever more areas of the world. This risk can be managed. To do it, executives need to get serious about bringing their risk management strategies into line with the new “facts on the ground.”


In anticipation of the 10th anniversary of Hurricane Katrina next week, the Insurance Information Institute collated data on the range of damage it caused, including insurance claims by coverage and state, National Flood Insurance Program losses, and other sources of recovery funds. The costliest hurricane in U.S. history, Katrina killed 1,800 people and cost $125 billion in total economic losses. Such catastrophic losses do not just demonstrate the impact of megadisasters, however. As the III points out, while “awareness of flooding due to coastal storms rises, so too does the population of coastal communities.”

Check out the infographic below for a look at Hurricane Katrina’s total toll and key takeaways:

[Infographic: Hurricane Katrina damage]
