New RIMS Report Delivers a ‘Wakeup Call’ To Risk Managers

According to the new RIMS report, Enterprise Risk Management’s Wakeup Call: 10 Years After, an increasing number of organizations are at least partially integrating ERM into their frameworks as they prepare for the possibility of another financial crisis or a new threat.

“The evidence shows that risk management has evolved from a promising but somewhat perfunctory exercise into a strategic management competency,” said RIMS Vice President of Strategic Initiatives Carol Fox, who authored the report. “Even so, given increasingly uncertain times, risk management professionals would be unwise to declare victory or become complacent.”

The 10 Years After report highlights a range of perspectives from executives, officers and risk professionals who represent banking, higher education, technology, health care, transportation, and a federal agency. These professionals offer their perspectives on where ERM stands today. In fact, one shared observation is that the factors which contributed to the crisis are resurfacing, but that ERM can help protect against them. As one technology officer noted: “…as soon as people are introduced into the equation, things change and risks are introduced into the process. While financial models and robot investing are agnostic, once you introduce people, their biases come back into play and disrupt the integrity of those models.”

The integration of ERM programs—even partially—has seen a slow-but-steady climb in the past decade. The report cites statistics from recent RIMS surveys, showing that 92% of financial institutions have fully or partially integrated ERM programs since the housing market crisis. Full integration, however, may be the key to protection and value—and this is accordingly the most daunting, long-term task. “At any point in time, changes in an organization itself, given myriad complexities and disruptions, may take focus away from full integration,” Fox said.

The report discusses what the experts and their industries learned from the financial crisis in the way of risk appetite and regulatory systems. By examining recent literature and studies to better understand the risks facing organizations, the report challenges risk professionals to deliver programs that generate value.

It also offers insight as to what organizations should consider as they further integrate programs. Changes in legislation, interest rates and the volatility of cryptocurrencies are on the collective radar as risk professionals look to the future.

“[Bitcoin’s] future is unknown, especially given its recent run-up and sudden devaluation,” the technology officer said. “Cryptocurrency could become problematic because of scale—particularly if someone figures out a way to short-sell it much like what occurred with CDOs.”

Enterprise Risk Management’s Wakeup Call: 10 Years After is available to RIMS members only for the first 60 days. After the introductory period, it will become available to the broader risk management community. You can download the report via Risk Knowledge.

Complementary to the report, Risk Management Monitor recently published Compliance in 2018: Q&A with James Reese of the SEC, highlighting how the SEC views organizational risk management.

Hawaii Volcanic Activity Reinforces States’ Need for Catastrophe Planning

Recent volcanic activity in Hawaii has turned national attention to emergency preparedness planning. As previously reported, the Kilauea eruption lessened but caused aftershocks, lava flow and lingering hazardous fumes in nearby areas. About 1,800 people live in the area, which was ordered to be evacuated last week by Hawaii County. No deaths or injuries have been reported.

On May 9, two more actively erupting fissures from the Kilauea volcano opened near Lanipuna, a neighboring community to the already affected Leilani Estates. Fox News reported that first responders went door to door to ensure everyone in the community was safely evacuated. At least 14 fissures are now open from Kilauea—considered one of the world’s most active volcanoes—with some releasing toxic gases and others spewing lava, at times at least 200 feet into the air.

Hawaii Gov. David Ige signed a Presidential Disaster Declaration request, asking President Donald J. Trump to declare the state a major disaster as a result of the ongoing seismic activity. Gov. Ige also requested assistance from the Federal Emergency Management Agency (FEMA), citing the unpredictable nature of the volcano, the number of structures destroyed, and the fact that residents may be unable to return to their homes for an undetermined amount of time.

Gov. Ige said in his Presidential Declaration request:

As more fissures open and toxic gas exposure increases, the potential of a larger scale evacuation increases. A mass evacuation of the lower Puna District would be beyond current county and state capabilities, and would quickly overwhelm our collective resources. Federal assistance would be necessary to enable us to successfully conduct such large-scale operations.

CBS reported that many people in the affected communities live in “lava zone one,” a high-risk area. Lava insurance doesn’t exist and homeowners’ insurance is very expensive, so some are going to be left on their own to try and rebuild.

With all these events, however, visitors to Hawaii.gov will find very little, if anything, about the volcanic eruption on the state’s homepage [see screenshot]. Instead, there is much about the mild weather and announcements of a groundbreaking ceremony for a road pavement rehabilitation and the modernization of its payroll system. All in all, it’s difficult for the public to gauge imminent dangers, such as the dangers of molten lava, on the site. Visitors, as well as residents, need to navigate to the Residents Page to find the Emergency Information.

What Other States Can Learn
While volcanic eruptions may be relatively infrequent in the continental United States, the threat exists: There are 169 active volcanoes in the U.S., and 54 of them are considered high threats by the United States Geological Survey (USGS). Washington is one state that is proactive in its planning, and May just happens to be when it observes Volcano Preparedness Month. Washington has had five active volcanoes: Mount Rainier, Mount Baker, Mount Adams, Glacier Peak, and Mount St. Helens. The latter volcano erupted in 1980 and demonstrated the disaster potential of volcanoes, causing an estimated $31 million in insured losses. That eruption killed 57 people and left dramatic changes to the landscape. It undoubtedly impacted state officials, who regularly include environmental and natural disasters in their strategic plans.

King County, Washington is in close proximity to these volcanoes and has a page dedicated to volcanic activity. It explains how its active volcanoes pose different threats from Hawaii’s:

Unlike Hawaiian volcanoes that ooze molten lava, volcanoes in the Pacific Northwest are known for sending choking ash, hot rocks, and poisonous gases high into the sky. Lahars, which are deadly mixes of hot mud, ash, and other debris, are also a big concern.

It also advises how residents and businesses should prepare and react in the event of an eruption. After ashfall:

  • Wear goggles to protect your eyes and long-sleeved shirt and pants to protect your skin.
  • Clear roofs and rain gutters of ashfall. Ashfall is very heavy and can cause buildings to collapse. Use extreme caution when working on a roof.
  • Avoid running vehicle engines. Driving can stir up volcanic ash that can clog engines, damage moving parts, and stall vehicles.
  • Avoid driving in heavy ashfall unless absolutely required. If you must drive, keep the speed down to 35 MPH or slower. Be prepared to change oil, oil filter, and air filters frequently (every 50 to 100 miles in heavy dust and every 500 to 1,000 miles in light dust).
  • As much as possible, keep ash out of buildings, machinery, air and water supplies, downspouts, storm drains, etc.

In 2017, King County co-hosted a climate change resiliency summit with the United Kingdom’s consulate to assess the physical geography and explore better emergency preparedness plans.

Risk Manager of the Year Honor Roll Member Jennifer Hills already had natural disasters on her radar. The director of risk management for King County, Hills is continually learning about the practical threats of a natural disaster and the county’s resiliency.

“We’re now looking at where emergencies and climate change should be on our risk register,” she told Risk Management magazine earlier this year, adding that she frequently collaborates with the county’s climate change and emergency management offices. “There’s a lot we’re understanding about King County’s exposures to natural disasters and we’re planning for those risks and how to mitigate them. There’s a lot of untapped resources we may need to open.”

Business Continuity Awareness Week Takes On Emergency Preparedness

Resilience is constantly on the minds of risk professionals. If last year taught us anything—between ransomware attacks, natural disasters, and pandemics, just to name a few examples—it is that businesses have unlimited reasons to plan for major disruptions.

To help professionals address emergency preparedness, the Business Continuity Institute (BCI) has initiated the annual Business Continuity Awareness Week (BCAW), May 14 through May 18. The online event will feature 29 webinars tackling a variety of issues under the resiliency umbrella, including crisis leadership, workplace recovery and data breaches that will be hosted by BCI members and organizations such as Amazon and Google. Additionally, BCI will host three onsite launches for its organizational resilience manifesto in London, Toronto and Sydney.

BCI uses the global event as a vehicle to raise awareness of the profession and demonstrate the value effective business continuity management can have to organizations of all sizes. The organization is also hosting a blog writing competition and a photo face cut-out contest with Amazon vouchers for prizes.

Other resources include BC24, an interactive roleplay game where you and up to five colleagues can test your responses in an emergency and tackle the challenge of recovering after an incident. The game is designed to encourage critical thinking about the importance of decisions made in a crisis and demonstrates how these decisions can impact the wider organization. There is free access to the game for the month of May only.

In an effort to bring BCAW awareness into the workplace, BCI advises risk managers to initiate campaigns in their companies, with suggestions including:

  • Run an exercise. You can use BC24 or devise your own exercise to ensure that employees and colleagues are informed on what to do during an incident.
  • Host Q&A sessions. These can be in-person or on social media channels. Asking your staff important questions relating to your incident response strategies can help in identifying your training needs.
  • Circulate your documentation. Does your staff know where to find your business continuity plans? Why not circulate them to everyone, asking for feedback or questions.
  • Hold competitions. You can put some fun into learning by holding your own contests. Devise a quiz relating to your business continuity plan, or even send staff members on a scavenger hunt for clues relating to an incident.
  • Host a webinar. BCI will host webinars throughout BCAW; however, there may be a topic relevant to your organization or discipline that it does not cover. You can contact the BCI with questions on how to host a webinar and the best ways to engage your staff.
  • Publish white papers. Every organization approaches disaster recovery in a slightly different way. You can share your analysis with staff members by publishing white papers from various disciplines. This raises awareness about resilience and helps employees understand your organization in more depth. You can email yours to BCI here, and it may publish via its news channel through BCAW.
  • Social media. Social media campaigns will be running throughout the week, asking questions about business continuity and organizational resilience. Tweet BCI at @thebceye with your BCAW activities to inspire other organizations.

Reputational Crisis Forces Cambridge Analytica’s Closure

Most of us are aware of the recent scandal involving Facebook and political consulting firm Cambridge Analytica, wherein the latter company obtained data from up to 87 million Facebook users and, in turn, built profiles of individual voters and their political preferences to best target advertising and sway voter sentiment. This information was used to enable Donald Trump’s campaign in the 2016 presidential election.

Right around that time it was reported that the Cambridge Analytica board of directors suspended CEO Alexander Nix. This action was taken after a whistleblower claimed Nix set up a “fake office” in Cambridge to present a more academic side to the company, and made comments to undercover reporters that “do not represent the values or operations of the firm and his suspension reflects the seriousness with which we view this violation.”

A feature about the scandal in Risk Management’s current issue explains why the incident was not a data breach and how companies can learn from this and comply with EU’s General Data Protection Regulation (GDPR) in time for its May 25 implementation.

In the aftermath of the scandal and Cambridge Analytica’s concession that it will not be able to recover from its reputational crisis—although the company’s leadership maintains that it acted ethically—the UK-based firm and its affiliates announced on May 2 that they will be “ceasing all operations.” Excerpts from its statement are below:

Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations and, despite the Company’s efforts to correct the record, has been vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.    

Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by [Queen’s Counsel Julian Malins] report, the siege of media coverage has driven away virtually all of the Company’s customers and suppliers. As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.

This once again demonstrates how attacks in the court of public opinion can cripple a business. Despite a fast reaction and being exonerated by a credible authority, no amount of crisis management and communication could make up for the actions of Cambridge Analytica’s leadership. It also seems that the company had not considered a business continuity plan for a reputation crisis of this magnitude.

Last year, Steel City Re CEO Nir Kossovsky wrote for Risk Management Monitor about reputational risk—reflecting on it and warning of the consequences to an organization. When public anger rises, he said, “more blame is being cast upon recognizable targets, such as CEOs.”

And while Facebook CEO Mark Zuckerberg seems to have dodged the bullets fired his way during a Congressional hearing last month (did you #deletefacebook?), Cambridge Analytica’s leadership knew that, based on its actions and the cavalcade of accusations, neither their clients nor the public would ever “like” them again.