Get Ready for the ‘Weather Bomb’

In case you need another reason to dread getting to work this first week of 2018, several weather authorities are warning of a major storm that could affect a majority of the United States with freezing conditions. Storm advisories are being issued from New England states to southeastern winter getaways. Residents of South Carolina, Georgia and even northern Florida should be thinking about stocking up on ground salt, thermal pants and hand warmers.

Nancy Egan, Property Casualty Insurers Association of America’s (PCI) regional manager warned: “A dangerous combination of snow, sleet and freezing rain is on the horizon for the Southeast. Weather like this can cause auto accidents, and property damage, and leave thousands without power. Driving in these treacherous conditions can be tricky, so if you do venture out, make sure your vehicle has a winter storm kit in case you have an accident or get stuck and have to wait for help.”

PCI suggests that winter storm kits include a windshield scraper and small broom; flashlight with extra batteries; road salt, sand or cat litter for traction; booster cables; emergency flares and reflectors; snack food; blankets and a first aid kit.

These warnings are inspired by speculation that intensifying winds and cold will bring about a phenomenon known as “bombogenesis” from Thursday to Friday. In an online primer, Mashable delved into the relevant information that organizations need to know about the “weather bomb” or “bomb cyclone.”

[Bombogenesis] refers to a low pressure area whose minimum central air pressure plummets by at least 24 millibars in 24 hours. By feasting off of intense atmospheric disturbances as well as differences in air masses and ocean temperatures, including the moisture rich Gulf Stream waters, the upcoming tempest is projected to exceed that intensification rate by several more millibars in 24 hours. This intensification rate, if it comes to pass, would be astonishing.

The potential impact of the upcoming storm could equal that of a Category 3 hurricane, the same strength Hurricane Sandy reached at its peak in 2012. With this in mind, companies located anywhere along the projected path should be heeding the warnings and preparing.

This follows a cold snap that has so far caused at least 11 cold-related deaths in the U.S. since Tuesday morning, CNN reported. Some of the victims were located in Wisconsin, North Dakota, Missouri and Texas.

The Southeast has a history of being especially vulnerable to cold-weather conditions. On Jan. 29, 2014, the greater-Atlanta area was rendered nearly unnavigable due to about two inches of snow and ice. Although Georgia is the home of the Weather Channel, state officials failed to act on warnings of the precipitation and freezing conditions, and closed all schools mid-day—about the same time that businesses shuttered for the day. Between parents who were on the road to pick up their children and adults leaving their workplaces due to early closings, millions of cars ended up on roadways, causing a gridlock that prevented salt trucks from safely getting to and from storage areas.

The consequences were unprecedented for the area. Although no fatalities were recorded, the Peach State experienced thousands of traffic accidents, closures and even automobile abandonments on interstate highways.

To prevent such a disaster from reoccurring, Georgia’s Department of Transportation announced via Twitter this week that it has mobilized 13 trucks loaded with salt and gravel in anticipation of the storm. While no announcements have been distributed on the Florida Department of Transportation’s site, is keeping its visitors updated with news of “below average temperatures.” South Carolina has been posting updates on its DOT site, and reminding motorists to use particular caution and to “watch for slow moving SCDOT equipment applying deicing materials.”

10 Steps to Effective Enterprise Risk Management

Enterprise risk management (ERM) has emerged as a best practice in gaining an overview of strategic, financial and operational threats, and in determining how to mitigate and manage those risks.

A comprehensive approach to risk management is important because it helps management comprehend the true potential of threats and allows organizations to address the cumulative nature of risk.

The following steps can help your company achieve the ERM objective.

  1. Just Do It!
    The process of creating an ERM program is valuable, revealing much about your organization and the interrelatedness of elements within it. Document your efforts in your board minutes and share them with any auditors. You will generally find those parties willing to provide constructive feedback because they have a vested interest in the success of your efforts.
  2. Get a Champion
    Your board of directors is accountable to shareholders and the SEC (if your company is public)—and possibly to other entities by industry—for the adequacy of risk management procedures, controls and ultimately for the competence of management. A logical champion of your ERM efforts is the chairperson of your board audit or ERM committee, followed by the chair of the board and other board members. If these individuals understand that an ERM program can help them discharge their duties and protect them from personal financial risk, you will likely see top-level buy-in and a trickle-down effect through senior management.
  3. Merge the Silos
    If existing risk committees and sub-committees are functioning as intended and get consistently high marks from outside auditors, it’s unlikely that fundamental changes are needed. Yet it is important they understand where they fit in the bigger picture. A board-level champion can help provide this perspective, and reinforce the role of the ERM committee in setting the organization-wide level of acceptable risk.
  4. Weight the Risks
    Certain areas of risk have the potential to seriously harm your organization. Others, however, are less critical. When your management team assembles an ERM framework, create a logical mechanism for assigning relative weights to each area of risk, and to selected components within those areas.
  5. Create a Dashboard
    A dashboard containing a high-level summary of major risk elements supported by “drill-down” detail enables board members and senior managers to connect all the pieces of the risk management puzzle. A dashboard need not be complex. Some managers use Microsoft Excel to create multi-layered risk workbooks, which summarize details provided by the risk sub-committees into a single page of high-level information.
  6. Understand Risk and Reward
    Some risks are worth taking, because the reward is greater than the likelihood and consequences of failure. In other cases the reward does not outweigh the potential consequences. Then there are risks not worth considering, when the risk is a “bet-the-farm” proposition, or is illegal or immoral. Each risk committee and sub-committee should understand the risk-versus-reward proposition.
  7. Set Limits
    One important function of the board ERM committee is to work with management to establish limits to risk taking. Management should make recommendations to the board, supported by reasonable data and arguments, which establish the boundaries of the organization’s risk appetite. Management’s role is to advise and inform, with the ultimate decision resting with the board.
  8. Understand the Cumulative Nature of Risk
    An organization that could sustain itself through one or two major weaknesses, or several minor ones, will succumb under too many. For this reason, the board ERM committee should set limits for both individual risks and cumulatively.
  9. Make It Easy
    In the areas of setting limits and risk weighting, management should make it as easy as possible for board members to comprehend and participate in the process. Distill complex regulations, and use accepted business terminology. Implementing an ERM framework should be spread over several months, if possible. Give the board ERM committee two or three recommendations per month, in advance, so they can be reviewed, summarized, presented and adopted at the regular monthly meeting.
  10. Refine, Refine, Refine
    New risks emerge every day, and your process must be flexible enough to identify, quantify and incorporate them. The chief risk officer and other senior managers should devote time to researching emerging risks, imagining worst case scenarios and creating stress tests to understand the implications of critical failures.

A Top-To-Bottom Effort

It is possible for ERM practices to become part of your organizational culture. Global awareness of the process and a rank-and-file understanding of the board’s focus on effective risk management are critical to obtaining the buy-in of the entire organization. After all, risk management is everybody’s job—today more than ever.

Proposed Bills Highlight Legal Risks of Sexual Misconduct Claims

In the current climate of sexual harassment incidents being reported in a variety of industries across the country, organizations and their legal departments should be reviewing legislation and considering their legal risks, should they need to defend against sexual harassment or misconduct allegations.

Just this month, in fact, legislation was proposed at state and federal levels to keep employers from trying to silence accusers following mediation and settlements. The Huffington Post reported that the bipartisan legislation from Sen. Kirsten Gillibrand (D-N.Y.) and Rep. Cheri Bustos (D-Ill.) would ban employers from holding employees to forced arbitration clauses, which often prevent sexual misconduct survivors from speaking publicly about abuses in the workplace.

Similarly, legislation targeting nondisclosure agreements was recently introduced by state officials in New Jersey, California, New York and Pennsylvania to their respective legislatures. These involve standard confidentiality contracts that companies use in the event of a lawsuit so that the terms of a settlement do not become public knowledge. Depending on whether, and with what wording, these bills are passed, they will almost certainly affect companies’ and leaders’ policies and behaviors.

Linda B. Hollinshead, a partner in the employment law practice of Duane Morris, told Risk Management Monitor that if confidentiality cannot be guaranteed during a settlement, there could be less mediation and arbitration and more courtroom battles as a result.

“If these bills are passed into law, I will be curious to see how employers change the way they handle these issues—because one of the things you hope to buy when you settle, is quiet,” said Hollinshead. “I would presume that if this is the direction in which things are going, employers may become increasingly more vigilant on preventing [misconduct] in the first place.”

Regarding the New Jersey legislation, advocates seem to be pleased with the bill’s introduction but do not disregard the value confidentiality can provide for a victim of sexual misconduct.

“While we are in favor of the intent of the bill, we do want to make sure survivors have the option to confidentiality,” said Patricia Teffenhart, executive director of the New Jersey Coalition Against Sexual Assault. “Many survivors might wish to engage in a nondisclosure agreement, and we need to expand the opportunity for them to have the option to pursue nondisclosure.”

According to XpertHR’s Top 15 Most Challenging HR Compliance Issues for 2018, small, medium and large employers across the country expect sexual harassment to be a top matter of urgency moving forward. The report notes that misconduct can occur between co-workers, both in and out of the workplace:

Harassment also may involve a wide variety of conduct—physical, written or verbal, as well as conduct over the internet and social media including cyberbullying.

For more legal risks to consider, visit to download the new RIMS Professional Report, The Top 8 Legal Developments You Need to Know About in 2017.

Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.
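The tracking discipline described above (record the alert, assign an owner, remind until the fix is confirmed by someone other than the person who applied it) can be sketched in a few dozen lines. The following is an added illustration, not Equifax’s process or any ERM product’s code; the ticket id, dates and SLA day counts are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Days allowed from receipt of an alert to independent verification (constructed policy values).
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30}
# Permitted transitions: a ticket cannot skip assignment, patching or verification.
NEXT = {"received": "assigned", "assigned": "patched", "patched": "verified"}

@dataclass
class Alert:
    alert_id: str
    severity: str
    received: date
    owner: Optional[str] = None
    status: str = "received"
    log: list = field(default_factory=list)  # (date, actor, new status) audit trail

class Tracker:
    def __init__(self):
        self.alerts = {}
    def record(self, alert_id, severity, received):
        """Log an external advisory the moment it arrives, before anyone is assigned."""
        self.alerts[alert_id] = Alert(alert_id, severity, date.fromisoformat(received))
        return self.alerts[alert_id]
    def _advance(self, alert_id, expected, actor, on):
        a = self.alerts[alert_id]
        if a.status != expected:
            raise ValueError(f"{alert_id}: expected status {expected}, found {a.status}")
        a.status = NEXT[expected]
        a.log.append((date.fromisoformat(on), actor, a.status))
        return a
    def assign(self, alert_id, owner, on):
        a = self._advance(alert_id, "received", owner, on)
        a.owner = owner
        return a
    def mark_patched(self, alert_id, by, on):
        if by != self.alerts[alert_id].owner:
            raise ValueError("only the assigned owner may report the patch")
        return self._advance(alert_id, "assigned", by, on)
    def verify(self, alert_id, verifier, on):
        if verifier == self.alerts[alert_id].owner:  # separation of duties
            raise ValueError("verifier must differ from the patch owner")
        return self._advance(alert_id, "patched", verifier, on)
    def overdue(self, today):
        """Unverified alerts past their SLA as (id, owner, days late): the daily reminder list."""
        t = date.fromisoformat(today)
        due = {k: a.received + timedelta(days=SLA_DAYS[a.severity]) for k, a in self.alerts.items()}
        return [(k, a.owner, (t - due[k]).days) for k, a in self.alerts.items()
                if a.status != "verified" and t > due[k]]
```

The point is that an unassigned alert still shows up on the overdue list, so nothing depends on an individual remembering to forward an email.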

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.