Immediate Vault Immediate Access

A TechRisk/RiskTech Reading List from Risk Management Magazine

Last week, the RIMS TechRisk/RiskTech virtual event featured two days of education content on some of the biggest challenges and opportunities in modern risk management, focusing extensively on cyberrisk as well as risktech—the latest technology tools and techniques for managing risk. As the presentations made clear, technology introduces some of the greatest risks to organizations, but also some of the most promising innovations to introduce or enhance risk management.

“We all know that, ‘As fast as a business develops a strategy to protect their organization’s digital assets, cyber predators have already figured out their next move,’” said Patrick Sterling, vice president of legendary people and risk management at Texas Roadhouse Restaurants and 2022 president of RIMS. “So, risk professionals must do what risk professionals do best: We must adapt. And we must adapt quickly.”

“We can’t forget about the risks that preceded this pandemic, and top on that list stands technology,” Sterling added in his address during the event. “Cyber gets a bad rap—when we talk about risk, we must remember risk can lead to positive outcomes. While greater dependency on technology has opened the door to more threats, it also allows us to improve processes, keep employees safe, boost efficiencies and engage our customers in a whole new way.”

As a RIMS virtual event, the content from TechRisk/RiskTech will be available for attendees or new registrants to view on-demand for the next 60 days, and you can check out the sessions here.

Following the TechRisk/RiskTech event and last Friday’s international Data Privacy Day, risk professionals who want to learn more about cyberrisk and risktech topics can also check out a wealth of related articles from Risk Management Magazine. Whether you would like to keep up the education after attending TechRisk/Risktech or just want to catch up on topics like cyberrisk, ransomware, cyber insurance, risktech, artificial intelligence, the internet of things and connected devices, and other technology that can help manage risk, here’s a roundup of recent Risk Management articles on cyberrisk and risktech:

Tech Risk (Cyberrisk):

Risktech:

RIMS Risk Forum India 2021: Building Resilience As COVID, Cyberrisk Top Business Risks

An increasingly key theme year over year, resilience is at the root of the latest Excellence in Risk Management India report from Marsh and RIMS—and the RIMS Risk Forum India 2021 virtual event, where the report was officially released today. In the second year of the COVID-19 pandemic, risk professionals in India reported acute short- and long-term concerns about the interconnected risks of COVID-19 cases, global economic recession, and surging cyberrisks amid shifts in work arrangements.

In addition to the death of more than 5 million people in India, the pandemic has taken a considerable economic toll on the region. “According to the Organization for Economic Co-operation and Development (OECD), India’s economy contracted by close to 8% in 2020, while the world’s economy contracted by 3.5%,” the report noted. “Despite the OECD’s projections for economic expansion—both in India and globally—in 2021 and 2022, the potential for a prolonged global recession remains a concern for organizations in India.”

Previously one of the top risks for India-based risk professionals before COVID-19, cyberrisk has also increased significantly with the pandemic and the shift to remote work. “The shift to a remote workforce necessitated by sweeping lockdowns to stem the spread of the pandemic is widely seen as having increased cyberrisk,” Marsh and RIMS noted. “The Indian Computer Emergency Response Team (CERT-In) data indicated that cyberattacks in India rose by 300% in 2020, according to news reports. And cyber risk remained elevated in 2021, with more than 600,000 cybersecurity incidents reported in the first six months of the year alone, according to CERT.”

The continuing pandemic, resulting fallout, and ever-growing cyberrisk have presented the biggest risks for organizations in India in 2021, and the survey indicates that local risk professionals expect these to dominate the agenda for businesses in the year to come.

Despite the considerable concern, few respondents said their company is fully prepared for the continued fallout from COVID-19 or future pandemics. Asked to rate their organization’s preparedness from 1 to 5 (not prepared to fully prepared, respectively), the majority of India-based risk professionals ranked their organization a 3, and only 10% said they are fully prepared. While cyberrisk has been a top threat for longer, preparation is not much better for the threat—only a quarter of Indian companies said they are fully prepared for a cyberattack. This is particularly concerning as “some extent of remote work is expected to remain, leading to concerns of increased cyberattacks due to unsecured home networks,” Marsh said in a press release.

According to the report, this underscores the imperative to develop robust risk management strategies for both current and emerging risks and to focus on building resilience. Marsh identified four “common behaviors among companies that are on the path to becoming more resilient”: anticipating risk, connecting risk management to business strategy, avoiding gaps in the perception of preparedness, and measuring relevant data. Marsh and RIMS explained these further, defining key pillars that have set successful businesses apart, and potentially also offering considerations for other organizations to develop more mature risk management programs:

  • Anticipation: Resilient companies expect the unexpected. They have crisis management plans in place, but they also dig deeper, look farther ahead. Consider that during the pandemic even organizations with thorough business continuity plans struggled. Why? Many of them didn’t fully anticipate the widespread, long-lasting damage a pandemic could create.
  • Integration: Another key behavior among resilient organizations is to fully integrate risk management with operations and strategy. Doing so increases the ability to develop effective responses. Most organizations do not connect resilience planning with their long-term investment strategy. Those that do make the connection are on the path to better mitigating financial exposure, reputational damage, business interruption, and other losses.
  • Preparedness: On the journey to resilience, it’s important to develop an accurate perception of an organization’s preparedness. A false sense of security can halt an organization in its tracks. Companies often overestimate how quickly and effectively they will be able to respond to and recover from a given risk.
  • Measurement: There is no shortage of data and analytics in today’s business environment. But consistently applying metrics can be a stumbling block. Many companies fail to conduct a high rate of modeling and forecasting even on risks they see as important. And among the companies that do so, most only model in select areas.

Marsh and RIMS recommended that organizations in India focus on resilience heading into 2022 and beyond. “Resilience means being able to absorb the impact from a range of emerging risks and depends in large part on having robust risk management strategies in place,” the report explained. “This includes anticipating risk, connecting risk management to business strategy, ensuring your organization’s perception of preparedness doesn’t lead to a false sense of security, and measuring relevant data.”

Respondents largely indicated that their organization planned to increase investment in risk management, with 55% saying they expect increased resources, 27% expecting investment to stay the same, and only 4% expecting a decrease. This could be a critical differentiator in navigating COVID-19 recovery and other emerging risks in 2022. Indeed, 42% cited budget at the most critical barrier to understanding the impact of emerging risks on risk management.

Among the takeaways from the report, Marsh and RIMS urged organizations to invest in preparedness. “Look beyond pandemic as you develop a risk management strategy that is prepared to respond to any number of emerging risks,” the report said. “For example, shifting work patterns have intensified an already escalating cyber risk landscape that calls for a range of responses, from scenario planning to financial quantification.”

In addition to a panel on the Excellence in Risk Management India report, the RIMS Risk Forum India 2021 virtual event includes a number of sessions that address resilience challenges and opportunities for risk professionals in India. The program includes keynote addresses by Ajay Srinivasan, chief executive officer at Aditya Birla Capital Limited (ABCL), and Dr. Soumya Kanti Ghosh, group chief economic advisor at the State Bank of India, as well as education sessions like “Cyber Risk Management: A Priority for a Resilient Economy,” “Climate Risk and Your Path to Resilience,” “What COVID-19 Has Taught Us About ESG Risks and Why Risk Management Needs to Change,” and “Breaking the Chain: How Understanding Business Interruption Exposures Can Mean Supply Chain Resilience.”

The RIMS Risk Forum India 2021 virtual event continues tomorrow, December 4, and sessions will also be available for on-demand viewing for the next 60 days. Registration can be found here: https://www.rims.org/events/rf/india-forum-2021

How to Conduct Better Third-Party Risk Assessments

Today’s enterprises operate in a complex digital ecosystem that connects customers, vendors and partners and through which data is shared and transactions are processed. Because much of this is done through outsourcing of systems and services to third parties, many enterprises have dramatically increased the scale and complexity of their risk surface.

While companies are reliant on third and fourth parties to do business and often benefit from using such external services, these relationships also pose a risk to the enterprise’s sensitive data. Enterprises rely on these third parties to fulfill essential services and often expect them to secure the enterprise’s data in the process. Unfortunately, this does not always happen. 

According to a survey by RiskRecon, a Mastercard company, and the Cyentia Institute, third-party risk practitioners said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% claimed that half of their entire network could trigger severe impacts.

Recent catastrophic cybersecurity incidents like the SolarWinds case demonstrate that cyberrisk can come from supply chain layers beyond the company’s immediate third parties. These multi-party cyber breaches create a ripple effect and threaten to have a far greater impact than those affecting single companies.

Business leaders, third-party risk practitioners, and cybersecurity professionals are well aware of the potential impacts of third-party risk, yet many struggle to keep up. In fact, research shows that only 14% of third-party risk professionals are confident that vendors are capable of meeting third-party security requirements. Managing vendor risk can seem like an impossible problem, but the key is having greater visibility into your digital supply chain and monitoring the external parties that pose the greatest risks to your firm.

Traditional Risk Assessments vs. Continuous Third-Party Monitoring

Traditional risk assessment processes cannot fully address today’s dynamic cyberrisk landscape, as they can be difficult to validate, take a long time for both the vendor and the organization to process, and are pinned to a single point in time. Without a valid, current assessment, security teams are forced to prioritize vulnerabilities blindly, which ultimately compromises risk mitigation, and limits their value as an accurate barometer of third-party risk.

It can be easy and tempting to complete a third-party risk assessment in one month and then forget about it for another year, but third-party risk management is not a once-a-year project—it requires an ongoing program with ongoing monitoring. This may appear to be overwhelming, confusing and time-consuming. While there will always be more vendors to find, a well-structured and continuous third-party monitoring program can help your security team to prioritize.

It is also important to take action on the vulnerabilities these critical vendors produce and gain visibility into how to remediate these issues. Continuous third-party monitoring can not only help you identify and remediate risk, but can also serve as a helpful tool in communicating your organization’s security hygiene to board members or executive leadership.

Below are practical steps that cybersecurity teams and risk professionals can take to better manage their organization’s third-party cyberrisk:

  1. Ask the right questions: Build and collect security questionnaires that ask important questions about how a vendor is handling the company’s data. To better manage risk, security teams need insight into the technologies that are being used internally and externally by third parties, fourth parties, and beyond.
  2. Assign a risk rating: Based on the answers to the questionnaires, assign the vendor a risk rating. By having a clear understanding of a vendor’s security posture, the security team can then rank vulnerabilities in order of priority, so they know which issues to tackle first.
  3. Take action: Create custom-fitted risk action plans so you can immediately start engaging with your vendors on remediation. If a vendor’s cyber risk degrades or an element falls out of policy, you will be notified instantly. By having accurate visibility into supply chain risk, security teams can then use that information to make decisions about whom to share data with moving forward.

By utilizing these best practices, organizations can better manage their third-party risk, further reduce overall risk, increase cyber visibility, and improve the quality of vendor and supplier networks.

8 Steps to Create Strong Disaster Management Plans

A core responsibility of any risk professional is planning for any possible disasters your business might face. These could be man-made, such as a data breach or accidents involving machinery, or natural, like a tornado or flood.

Disasters and crises affect different organizations in different ways—one company might consider something a catastrophe, while another may not even notice a change in its workflow. It is important to look at your own business operations and evaluate what you would consider a crisis. Generally, business crises fall into one of three categories:

  1. A danger to the physical safety of employees or customers
  2. Loss of income or means of making income
  3. Events or people negatively affecting your business reputation

In many cases, the crisis may fall into more than one of these categories. An accident in the workplace that is hazardous to employees can impact the company’s income because the factory has to shut down. This can also negatively affect the company’s reputation if it turns out that the company did not provide a safe working environment.

With even the best risk management programs, no organization can avoid all disasters completely. Risk mitigation often comes down to crafting the best plans possible for the moment disaster inevitably strikes. These eight steps can help risk professionals develop strong crisis and disaster response plans:

1. Define The Types of Crises You Could Face: There is not a one-size-fits-all approach to a crisis management plan. Working out what is likely to affect your business specifically can relate to your geography—areas that get hit by severe storms or earthquakes must include those potential disasters, and what knock-on effects they may cause. For example, storms may cause flooding, loss of power, or blocked roads that make it difficult to reach your premises. The type of crisis can also be specific to your industry. Employees in a manufacturing facility are likely at greater risk in a physical disaster than those working in a tax consultancy, for example. Security should also be a consideration. Is your business likely to get robbed of cash or equipment? Do you have high-profile proprietary information that makes you more likely to be the victims of cybercrime?

2. Triggering the Plan: Including levels of urgency in your plan will help people responding to the crisis pinpoint how significant the event is, and how much of the plan must be put into action. A step-by-step approach for specific scenarios can be helpful and cover dealing with man-made and natural disasters in different ways. The risk for each will be unique to the situation and knowing when and how to trigger a response is key. The plan should include how and when to escalate the response should the crisis worsen, as well as how to identify when the crisis has passed. It can be helpful to use red, yellow and green system to indicate severity and urgency, and this classification approach is easy to adapt to any scenario.

3. The Base of Operations Location: Accidents or natural disasters may cause your usual place of business to close temporarily or permanently. In your plan, designate a backup command center in an alternate location for dealing with the crisis until you can get back to work. This location can be your company’s operations hub, a point for gathering after a crisis, or where you know your sensitive and important data backs up. If a natural disaster has made travel dangerous or roads impossible to navigate, you will also need a virtual base of operations—some possibilities include message boards, chat apps or email. With so many employees working remotely because of COVID-19, this may be easier to implement now.

4. The Chain of Command: Ensuring a clear chain of command so that there is no arguing or confusion when people and the business are at risk. Wherever possible, appoint a back-up for each person in charge so if someone cannot perform their duty, it falls to the next in line.

5. Internal and External Communication: When a crisis compromises an office or business, communication can become tricky. Have a clear set of rules for how you get information to and from your employees, what information you must and must not share with those outside of the company, and how to achieve that. This part of your crisis management plan can save lives and stop rumors from spreading.

6. Necessary Resources: Though this will depend on the nature of the business, consider first aid and safety equipment if you are likely to have injuries or get cut off because of poor weather. Also, think about alternate communication methods if mobile phone towers go down or the electricity gets cut, as well as access to your sensitive data, such as employee contracts and supplier agreements.Include all necessary resources you would need to operate and highlight any alternate replacements. For example, if a storm knocks out your power, you may have a generator.

7. Training: It is no good putting a crisis management plan together and not giving the relevant people the training they need to execute it. For example, the people you name as first aid providers or unit leaders need to know what is expected of them and undergo the necessary training. If you have safety equipment on your premises, like fire extinguishers or emergency release valves for machinery, you need to educate all stakeholders how these work.

8. Testing the Plan: Finally, test that your plan actually works. Review it with staff and conduct safety drills regularly—every two months at least. Look for any weak points or flaws in the plan before an actual crisis.While it may not be possible to anticipate everything a disaster brings, you can set up several response plans and test each one individually. These plans can tie in with your standard safety drills, or stand alone, depending on the nature of the event anticipated.

A crisis management plan is integral to every business, no matter its size, scope, or sector. By preparing for various potential disasters, you can take action when needed without putting your organization, employees, or yourself at unnecessary risk.