Increasing Risk Complexity Outpaces ERM Oversight

More organizations are recognizing the value of a structured focus on emerging risks. The number of organizations with a complete enterprise risk management (ERM) program in place has steadily risen from 9% in 2009 to 28% in 2016, according to the N.C. State Poole College of Management’s survey “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.”

Yet this progress may lag behind the increasingly complicated risks that need addressing. Of respondents, 20% noted an “extensive” increase in the volume and complexity of risks the past five years, with an additional 38% saying the volume and complexity of risks have increased “mostly.” This is similar to participant responses in the most recent prior years. In fact, only 2% said the volume and complexity of risks have not changed at all.

Even with improvements in the number of programs implemented, the study—which is based on responses of 432 executives from a variety of industries—found there is room for improvement. Overall, 26% of respondents have no formal enterprise-wide approach to risk oversight and currently have no plans to consider this form of risk oversight.

Organizations that do have programs continue to struggle to integrate their risk oversight efforts with strategic planning processes. “Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks facing the entity especially as it relates to coordinating these efforts with strategic planning activities,” the researchers found.

According to the study:

Many argue that the volume and complexity of risks faced by organizations today continue to evolve at a rapid pace, creating huge challenges for management and boards in their oversight of the most important risks. Recent events such as Brexit, the U.S. presidential election, immigration challenges, the constant threat of terrorism, and cyber threats, among numerous other issues, represent examples of challenges management and boards face in navigating an organization’s risk landscape.

Key findings include:

Software May Help Oil Companies Determine a Location’s Earthquake Potential

New software for monitoring the probability of earthquakes in a targeted location could help energy companies determine where they can operate safely.

The free tool, developed by Stanford University’s School of Earth, Energy & Environmental Sciences, helps operators estimate how much pressure nearby faults can handle before rupturing, by combining three important pieces of information:

  • Location and geometry of the fault
  • Natural stresses in the ground
  • Pressure changes likely to be brought on by injections

“Faults are everywhere in the Earth’s crust, so you can’t avoid them. Fortunately, the majority of them are not active and pose no hazard to the public. The trick is to identify which faults are likely to be problematic, and that’s what our tool does,” said Mark Zoback, professor of geophysics at Stanford, who developed the approach with graduate student Rail Walsh.

Fossil fuel exploration companies have been linked to the increased number of earthquakes in some areas—Oklahoma in particular—that have been determined to be the result of fracking. According to the Dallas Morning News:

Only around 10% of wastewater wells in the central and eastern United States have been linked with earthquakes. But that small share, scientists believe, helped kick-start the most dramatic earthquake surge in modern history.

From 2000 — before the start of America’s recent energy boom — to 2015, Oklahoma saw its earthquake rate jump from two per year to 4,000 per year. In 2016, its overall number fell to 2,500, but its quakes grew stronger.

Five other states, including Texas, Arkansas and Kansas, have seen unprecedented increases in ground shaking tied to the wells, although North Texas had no earthquakes strong enough to be felt last year.

The insurance industry has also been monitoring the rise in temblors. A Swiss Re report concluded, “It’s highly likely that this dramatic rise in earthquake occurrence is largely a consequence of human actions.”

According to the report:

Along with the increase in seismicity, Oklahoma has seen a growth in its oil and natural gas operations since 2008, specifically hydraulic fracturing (often referred to as “hydrofracking” or “fracking”) and the disposal of wastewater via deep well injection. Both hydrofracking and deep well injection involve pumping high-pressure fluids into the ground. A consensus of scientific opinion now links these practices to observed increases in seismic activity. Earthquakes where the cause can be linked to human actions are termed ‘induced earthquakes,’ and present an emerging risk of which the insurance industry is taking note.

International Women’s Day: Risk Management Issues to Watch

A 2013 piece on the role of women in risk management remains the most controversial article we’ve ever run in Risk Management magazine and the one that received the most comments and letters to the editor, hands down. Many of those reader comments were…let’s just say less than kind or receptive.

Today, International Women’s Day, offers the perfect opportunity to revisit that article, Woman at Work: Why Women Should Lead Risk Management, and some of our more recent coverage of pressing issues like the wage gap and gender parity at the board level.

The significance of this conversation is ever clearer, given not only the political climate and regulatory concerns, but also the simple data about the bottom line. Just last year, the Peterson Institute for International Economics and EY found that almost a third of companies globally have no women in either board or C-suite positions, 60% have no female board members, 50% have no female top executives, and less than 5% have a female CEO. After analyzing 21,980 publicly traded companies from 91 countries and a wide range of industries, their report, Is Gender Diversity Profitable? Evidence from a Global Study, found that organizations with leadership that is at least 30% female could add up to 6 percentage points to its net margin.

“The impact of having more women in senior leadership on net margin, when a third of companies studied do not, begs the question of what would be the global economic impact if more women rose in the ranks?” said Stephen R. Howe Jr., EY’s U.S. chairman and Americas managing partner. “The research demonstrates that while increasing the number of women directors and CEOs is important, growing the percentage of female leaders in the C-suite would likely benefit the bottom line even more.”

While study after study comes to similar conclusions, a recent report from EY explored why businesses need gender diversity for the innovation to thrive. Five disconnects continue to hold businesses back from achieving gender diversity on their boards, the firm found:

  1. The reality disconnect: Business leaders assume the issue is nearly solved despite little progress within their own companies.
  2. The data disconnect: Companies don’t effectively measure how well women are progressing through the workforce and into senior leadership.
  3. The pipeline disconnect: Organizations aren’t creating pipelines for future female leaders.
  4. The perception and perspective disconnect: Men and women don’t see issues the same way.
  5. The progress disconnect: Different sectors agree on the value of diversity but are making uneven progress toward gender parity.

Check out some of our previous coverage of key issues regarding women in business and risk management specifically:
Equal Work, Unequal Pay: Risks of the Gender Wage Gap
The Wage Gap in the Boardroom
Is the Insurance Industry Improving for Women?
Boards Still Lagging on Gender Parity
Preparing for New Pay Equity Requirements

Closing the Vendor Security Gap

What do organizations really know about their relationships with their vendors?

It’s a question that most companies can’t answer, and for many, that lack of knowledge could represent increased risk of a security breach. This year, Bomgar conducted research into vendor security on a global scale, and the findings underscore that much work remains to be done to shore up third-party security.

The 2016 Vendor Vulnerability Index report produced eye-opening results that should be a wake-up call for business leaders, CIOs and senior IT managers. The survey of more than 600 IT and security professionals explores the visibility, control, and management that organizations in the U.S. and Europe have over external parties accessing their IT networks. Some of the most surprising statistics are summarized below:

  • An average of 89 vendors are accessing a company’s network every week.
  • 92% of respondents reported they trusted their vendors completely or most of the time.
  • 69% said they definitely or possibly suffered a security breach resulting from vendor access in the past year.
  • In the U.S., just 46% of companies said they know the number of log-ins that could be attributed to vendors.
  • Only 51% enforce policies around third-party access.

It’s evident from these findings that third-party access is pervasive throughout most organizations. What’s more, this practice is likely to grow—75% of the respondents stated that more vendors access their systems today than did two years ago. An additional 71% believe this number will continue to increase for another two years.

Two-thirds of those polled admit they have a tendency to trust vendors too much—confidence that should be questioned based on the results of this report. The data revealed that, while most organizations place a high level of trust in their vendors, they still have a low level of visibility into how vendors are accessing their systems.

This contradiction is not something organizations should take lightly. As noted above, 69% of respondents admitted they had either definitely or possibly suffered a security breach resulting from vendor access. An additional 77% believe their company will experience a security issue within the next two years as a result of vendor activity on their networks.

As an organization’s network of vendors grows, so too does the risk of a potential breach. For most companies, it is essential that third-parties have access to sensitive systems as a course of doing business—the question centers on how to grant this access securely.

Historically, companies have used VPNs to provide network access to third-parties. While appropriate for the intended end-user—remote and/or traveling employees—issues arise when the scope of VPN is trusted to manage connections from external groups. If a system connected via VPN is exploited and used as a point of persistence for leap-frogging into the broader network, hackers can persist for days or months and move stealthily about the network. Companies have also seen malicious (or well-intentioned) insiders choosing to abuse their access to steal or leak sensitive information, as this is all made fairly trivial when leveraging open-ended VPN connectivity.

To balance the dual demands of access and security, companies need a solution that allows them to control, monitor and manage how external parties are accessing their systems. Rather than providing “the keys to the kingdom,” a modern secure access solution enables organizations to grant vendors and other third-parties access only to the specific systems and applications needed to do their jobs.

To ensure security, organizations should also select a secure access solution that provides video and text logs of all session activity. This allows companies to monitor how remote access is being used and, perhaps more importantly, by whom. With this technology, any suspicious activity can be immediately flagged for further investigation. In addition, these session forensics can help companies meet internal and external compliance requirements.

Another secure access best practice is to employ a password/credential vaulting solution. This enables organizations to mitigate the risk of credentials shared between privileged users, which are often the target of a threat actor. It also reduces the risk of what system administrators often think of as “the stickynote nightmare,” where a sensitive credential is written on a stickynote and stuck on someone’s monitor for all who walk by to see. Password vaulting technologies also help with the dangers posed by embedded system service accounts that have administrative privileges and are rarely rotated for fear of bringing critical business services down. A small, yet strong initiative to protect network security would include requiring every privileged user to access credentials required for elevated work via checking out of a password vault. This removes most of the challenges associated with sharing credentials as, once they are checked back in, those credentials can be immediately rotated and thus become unknown to the employee or the bad actor who may have stolen them. Incorporating multi-factor technology in order to access the password vault and other sensitive systems takes it a step further.

In today’s heightened environment, following these steps should be essential security best practices for any company allowing vendors or other third-parties to access their network.

The Vendor Vulnerability Index report suggests that companies are aware of the threats posed by ineffective management and poor visibility into vendor access. Yet, as the data shows, just slightly over half of the respondents are enforcing any policies around third-party access. In light of these findings, companies should also ensure that they are properly screening any third-parties with whom they share network access. For example, does the vendor provide security awareness training as part of their employee on-boarding process? Asking this and similar questions will give companies a clearer picture of the vendor’s security ethos, and help them to determine if the partnership is a good fit to begin with.

In order to combat this growing vulnerability, organizations need granular control over external access. Only with such a solution in place can companies feel confident that their vendors won’t unintentionally become their weakest security link.