About Morgan O'Rourke

Morgan O’Rourke is editor in chief of Risk Management magazine and director of publications for the Risk & Insurance Management Society (RIMS).

10 Tips for Securing Responsive Cyber Coverage

SAN DIEGO—With hacking incidents becoming all too common, risk managers are under increasing pressure to help protect their companies from the inevitable breach. Insurance is an option, but policy forms are still developing. In a session at RIMS 2016, Joshua Gold, a shareholder with Anderson Kill, and Debbie Gramer, director of global risk management at Arrow Electronics, Inc., offered the following 10 tips to risk managers looking to secure the best possible coverage for their organizations.

  1. Be careful with insurance applications. Use precise language to convey your exposures to underwriters. Never answer “yes” or “no” to a question that doesn’t really have a yes or no answer.
  2. Retro dates. Hackers can be in systems for days, months or even years, so it is important to push retro dates back as far as possible.
  3. Look for clear policy coverage. Forms and terms change over time as the risks shift. Having clear language can remove ambiguity.
  4. Symmetry with other insurance (e.g., CGL, property). Review existing policies to determine where there may or may not be coverage gaps.
  5. Get endorsements of special coverage needs. If you have exposures from cloud providers and third-party vendors, for example, you will need to specifically address these. Exclusions matter.
  6. If you accept payment cards, be aware of PCI issues and card brand fines and penalties.
  7. Address sub-limit concerns. Losses can be expensive. Make sure sub-limits are adequate.
  8. Beware of breach of contract exclusions.
  9. Beware of conditions on “reasonable” cybersecurity measures. “Reasonable” is a subjective term. Specifically define security measures to remove any grey areas that could lead to a coverage dispute.
  10. Business interruption and reputational damage insurance may be vague but they are becoming more relevant. Business disruption is quickly becoming the most important operational consequence of a hacking incident. Make sure you are protected.

Intuit Wins 2015 ERM Award of Distinction

CHICAGO—In recognition of its success in building a sustainable enterprise risk management (ERM) program to enable its business lines to identify and intelligently manage the most important risks, software company Intuit was presented with the 2015 Enterprise Risk Management Award of Distinction at this year’s RIMS ERM Conference.

“ERM transformed Intuit’s risk management capability requiring our leaders to think cross-organizationally and cross-functionally to understand the most significant risks and drive strategies to address them,” said Janet Nasburg, chief risk officer at Intuit. “ERM was instrumental in not only providing insights about the company but has also driven changes in the way we align our focus. It is a tremendous honor to be recognized by RIMS for our hard work and to share our ERM experiences with the risk management community.”

Honorable mention for this year’s ERM Award of Distinction went to VIA Rail Canada Inc., the country’s national passenger rail company. As a result of its ERM program, the company developed a risk appetite and tolerance framework based on measurable leading key risk indicators.

“Applying this framework to its key strategic risks strengthened VIA’s ability to assess, monitor, and respond timely to changes in its enterprise-wide risk portfolio, thereby adding value to its decision-making process and enhancing risk oversight by its board of directors,” said Denis Lavoie, VIA’s director of enterprise risk management.

“RIMS is delighted to recognize the accomplishments of these two organizations and their risk professionals through the RIMS Award of Distinction,” said RIMS Executive Director Mary Roth. “The Intuit and VIA Rail programs demonstrate the tangible value that ERM brings to their respective organizations for both strategy-setting and strategy execution.”

Judging criteria for the ERM Award of Distinction include the scope of the ERM program and how it engages different levels throughout the organization; the program’s link or connection to the company’s overall mission; and its ability to create additional value for the organization.

10 Tips to Excel in ERM

CHICAGO—For many risk managers looking to implement enterprise risk management programs, one of the biggest challenges is figuring out how to do it properly. Unfortunately, as Steve Zawoyski, ERM leader at PwC, pointed out in a session at this year’s RIMS ERM Conference, you will never find the perfect ERM program—it’s basically as mythical as a unicorn. But there are certain key steps you can take to increase your chances of a successful ERM program. Zawoyski’s top tips are:

  1. Establish ERM program objectives. One of the common stumbling blocks to a successful program is the lack of agreement as to why you are doing this in the first place. Some may be doing it in order to make better decisions around strategy, while others have governance concerns in mind or are simply doing it because the board said so. Establishing proper objectives will allow you to create the program that works best for your organization.
  2. Manage stakeholders. There are likely multiple parties that have a vested interest in your ERM efforts from the board to business managers to legal and audit to regulators. You will need to consider all of their specific needs and concerns.
  3. Align risk functions. Risk management is part of every division’s responsibility. Getting everyone on the same page will avoid allowing fatigue to set in over yet another risk management effort.
  4. Align risk and management processes. It is important to understand how the business is being managed and connect to those processes in order to be in a position to share information up and down the organizational hierarchy.
  5. Define risk. The traditional definition of risk denotes a hazard or a failure of some process. Make sure your organization understands that risk is merely uncertainty that can have either a positive or a negative impact on objectives. It is OK to take on risk.
  6. Give credit. Different functions already have risk management capabilities and processes. Rather than reinvent the wheel, harvest the data and expertise already out there and build off that. Don’t build unnecessary steps into the process when those areas are already being addressed.
  7. Remember that risk is a four-letter word. Risk is an overused, ambiguous word with an often negative connotation. Risks are nothing more than variables that can present opportunities for greater success.
  8. Beware of risk categories. Labels like operational, financial, strategic or technology are overemphasized and not how business units think of risk. It is more effective to talk about risk in terms of management of hazards, compliance obligations or other uncertainties.
  9. Do your research. It is vital to develop a thorough understanding of the business and its drivers, from its capabilities to its competitive advantages to its strategic priorities and objectives.
  10. Simplify risk appetite. Risk appetite should be considered on a risk-by-risk basis and should boil down to a simple question: once risk controls and processes are in place, are you satisfied with the results?

ERM implementation can be challenging. But according to Zawoyski, it is all about keeping it simple for the stakeholders, ensuring that value is created, aligning to the business and evolving over time. By approaching your program in this way, all stakeholders will understand their role and how ERM relates to the overall strategy of the organization.

Risks and Questions Surround 3D Printing Technology

NEW ORLEANS—One of the most promising new technologies to hit the wider market in recent years, 3D printing is poised to revolutionize manufacturing as we know it. Otherwise known as additive manufacturing, 3D printing allows users to print almost anything they can dream up, including toys, machine parts, clothing, food, and prosthetic (as well as actual) body parts. There are even companies that can print a life-size 3D model of your unborn fetus using ultrasound scans.

Of course, as with any new technology, there are many risks to consider and just as many unanswered questions about how to address those risks. At an educational session this morning at the RIMS 2015 Annual Conference & Exhibition, Cynthia Slubowski, head of manufacturing at Zurich, Lisa Cirando, an attorney with Jones Day, and Toni Herwaldt, risk manager at Kraft Foods, provided a risk checklist outlining the wide range of risks and questions facing those in the 3D printing space and those whose industries will be impacted by this new technology:

Product risk. Since 3D printing changes the traditional manufacturing model, industries will need to determine who owns a 3D printed product and, in the event of an accident, how liability will be apportioned.

Technology risk. Who owns the software and designs used to create products, particularly when users can make endless customizations?

Operations risk. How will 3D printing impact power supplies (the printers generate a lot of heat during operation), and how will the possible toxicity of ingredients and their byproducts be addressed? In addition, what are the business interruption and transportation risks?

Cybersecurity risk. How do you protect your designs and formulas? How do you prevent counterfeiting?

Environmental risk. How do you address exhaust, housing and disposal issues?

Contract risk. What kind of risk transfer or licensing agreements do you want to have in place?

Insurance risk. Do you have the appropriate coverage and where will it be coming from?

Strategic risk. How do you handle reputation and intellectual property issues? What happens to your product development lifecycle management?

Supply chain risk. Does your supply chain risk increase or decrease?

Market risk. What differentiates your product? What happens to your geographical risk?