Many organizations spend time and effort building and developing robust risk mitigation frameworks and strategies to handle business-specific risks. In spite of constant monitoring through dashboards and reports, many companies still face major and unexpected issues. One of the main reasons for shortfalls in risk management is the general attitude towards risk mitigation. Although companies are well-prepared with an infrastructure in place, they often struggle when cultivating a sense of risk awareness, responsibility and intelligence into and across the fabric of an organization, which results in gaps and deficiencies.

Every organization realizes the significance of risk intelligence, but they frequently face issues in the initial stage of their transition. Developing a risk culture is frequently viewed as just a requirement to be fulfilled rather than something that adds value to an enterprise. Without a clear agenda, many companies find it impossible to cultivate risk-taking capabilities into its employee base.

Risk intelligence demands that every individual in an organization take responsibility for managing risks in the day-to-day operations. Senior management should assess the existing risk management strategy and gauge its effectiveness in alleviating risks as well as developing awareness throughout the organizational structure.

Factors Influencing Risk Culture

For a smooth journey in risk intelligence, the senior management has to be completely aware of the levers influencing risk-taking behavior of their employees. Some of the major factors that impact smart risk-taking decisions include talent management, training and education, qualification of staffs, incentives, leadership at the top of the organizational hierarchy, and the ability of an organization to take risk-based decisions.

To develop a risk-intelligent structure in business enterprises, organizations should perform a thorough assessment. This can be achieved by setting up objectives, conducting surveys and interviews, analyzing gaps, prioritizing actions, incorporating recommendations and keeping track of the effectiveness of the strategy. Comparing the existing culture against other influential factors such as governance, policies and procedures, competence, relationships, performance, and accountability will help the top management understand the current state of culture and the level of contribution of existing risk initiatives to create a positive impact on the business’s risk culture.

Conducting gap analysis around the influential factors will offer a better understanding of what needs improvement. To create an effective risk culture and make it work successfully to the benefit of an organization, management should continuously improve it to fit the changing business objectives and requirements.

Strengthening Risk Culture through Technology

Leveraging technology to create a centralized framework for capturing risks and organizing data elements will strengthen the risk culture to a greater extent. A risk management framework should speak a common language that is well understood throughout the organization, including stakeholders. Developing a technically assisted risk management strategy will eliminate the most common challenges faced by an organization.

A centralized data model will aid in managing risks that may arise due to external and internal events. It will also give the organization a top-down view of the business goals, global risks and controls associated with it.  A common risk environment enables effective monitoring and reporting of the gaps and risks using heat maps, dashboards, and charts. This will enhance the organization’s risk intelligence by providing real-time visibility into scores, its risk appetite, as well as limitations towards risks.

Risk and security officers will be able to get a better picture through trend analysis and obtain useful insights. A flexible framework that is developed on the basis of industry standards will provide a strong foundation for risk intelligence and aid in timely capture and categorizing of risks and initiate appropriate corrective actions.

Key Elements of a Risk Intelligent Organization

  • A risk intelligent organization follows a unified and standardized risk framework that speaks the same language across the entire organization. A framework that follows a common language is easy to understand and helps mitigate risks in a timely manner, thereby driving value.
  • Successful creation of risk intelligence defines roles, responsibilities, and the hierarchy structure in an enterprise.
  • A centralized framework will also bolster support to business operations and a wide array of functions.
  • Creating risk intelligence will enhance performance and accountability.
  • A risk intelligent organization will be able to strike a perfect balance between risk and reward.
  • Risk intelligent architecture offers the executive management, board members, stakeholders, and audit committees the ability to effectively perform their duties by promoting a greater level of transparency. Executive management is assigned with the task of developing, incorporating, and maintaining a robust and efficient risk management strategy and improvise it on a regular basis it to fit the changing requirements.
  • Business units are obligated to monitor the performance of their respective units and their approaches to managing risks as specified by the risk management and independent assurance functions, as well as oversight from executive management.
  • In a risk intelligent organization, finance, legal, HR, and IT units offer support to the individual departments in the organization in their efforts to mitigate risks.

The role of the internal audit is assigned with providing independent and unbiased assurance to the senior management by assessing the efficiency of the risk management practices and finding ways to enhance those strategies.


FM Global Fire Hazard Lab

This week, I ventured up to West Glocester, Rhode Island, home of the coolest place any insurance broker, insurance client, or risk management journalist can visit: the FM Global Research Campus.

Hurricane Force Wind Simulation

Because FM Global is intently focused on prevention of loss as the chief means of minimizing claims, the company maintains a 1,600-acre campus dedicated to property loss prevention scientific research. The biggest center of its kind, the research center features some of the most advanced technology to conduct research on fire, natural hazards, electrical hazards, and hydraulics. Here, experts can recreate clients’ warehouse conditions to test whether existing suppression practices would be sufficient in the event of a massive fire, for example. Fabricated hail or seven-foot 2x4s are shot from a cannon-like instrument at plywood, windows, or roofing to test whether these materials can withstand debris that goes flying in hurricane-strength winds. Hydraulic, mechanical and environmental tests are conducted on components of fire protection systems, like sprinklers, to ensure effectiveness overall and under the specific conditions clients face. Further, in cases where there were not sufficient loss prevention solutions, the company’s scientists and engineers have even designed and patented new, more effective sprinklers and other loss prevention technology, the rights to which are released so anyone can manufacture these improved safety measures.

Fire is the leading cause of loss in every calendar year, and watching a pile of plastic pallets ignite into a 60-foot fire while you feel the radiant heat through the glass of the lab’s observation deck is a powerful reality check for anyone evaluating risk exposure in their facility. As you watch the pallets melt, forming a plastic pool that also catches fire and spreads, you see the fire double in size every 45 seconds. If your strategy is primarily to rely on the local fire station, the researchers note, a minimal response time, assuming decent proximity, no traffic or inclement weather, and full staffing, would probably be at least five to 10 minutes. It only took seven minutes for their sample fire to reach almost three stories high, flickering around the edges of the massive ceiling-mounted calorimeter (which measures heat and the particles and smoke released).

One of the most striking demonstrations comes in the form of a dust explosion. Whether released through product manufacturing, a byproduct of processing, or simply lazy housekeeping, a wide variety of dusts can fill the air in many facilities. Flour, sugar, metal dust, wood and resin are all highly flammable and exceptionally common. To cause an explosion, you simply need a few conditions: fuel (the dust), oxygen, ignition, suspension (in other words, the dust has not settled, increasing the surface area), and a confined space (ie. inside the facility, the dust stays in the environment). What happens then? Check out the video below for a slow-motion look at the explosion that results from just a hard hat full of phenolic resin.


In Maglio v. Advocate Health and Hosps. Corp., (Ill. App. Ct. June 2, 2015), the Illinois Appellate Court was asked to decide whether individuals have standing to bring suit for violations of consumer data protection laws where their personal data, while compromised, has not been used to harm the individuals. The Illinois Appellate Court, in holding that such individuals do not have standing, established that, at least in Illinois, plaintiffs who suffer no concrete harm, but instead allege only technical statutory violations, cannot sue for violations of consumer and, presumably, workplace-related laws.

The decision of the Illinois Appellate Court could have implications beyond Illinois. As we previously reported, the U.S. Supreme Court recently granted certiorari in Spokeo, Inc. v. Robins (U.S. Apr. 27, 2015). In the Spokeo matter, the U.S. Supreme Court will confront a nearly identical issue: Do individuals have standing to sue for violations of the Fair Credit Reporting Act (FCRA) even when they have not suffered any harm or injury? If the U.S. Supreme Court reasons in the same way that the Illinois Appellate Court did and answers this question “no,” the decision would likely discourage the current wave of consumer, workplace, and other class actions seeking millions in statutory damages.

Case Background

Advocate is a network of hospitals and doctors. On July 15, 2013, burglars stole four computers from Advocate’s administrative building that contained the personal information of about four million of Advocate’s patients. Advocate notified these patients of the theft on August 23, 2013.

Two sets of plaintiffs filed class actions against Advocate, claiming that Advocate violated two state consumer data protection laws by failing to maintain adequate procedures to protect the personal information of plaintiffs and putative class members and by failing to notify the plaintiffs and putative class about the breach in a timely matter. The plaintiffs also sued Advocate on theories of negligence and invasion of privacy.

Advocate moved to dismiss both class actions, arguing that the plaintiffs lacked standing because they had not suffered any injury as a result of their data being stolen. Both trial courts dismissed the class actions. The trial courts found that “[t]he increased risk that plaintiffs will be identity theft victims at some indeterminate point in the future . . . . did not constitute an injury sufficient to confer standing,” and that the plaintiffs’ “allegations concerning anxiety and emotional distress . . . . were insufficient to establish standing, where they were not based on an imminent threat.” The plaintiffs appealed.

Appellate Court’s Decision

The Appellate Court pointed out that, under Illinois law, a plaintiff only has standing if he or she has suffered “some injury in fact to a legally cognizable interest. [T]he claimed injury may be actual or threatened and it must be: (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.”

The Appellate Court then considered whether the plaintiffs had suffered a “distinct and palpable” injury under Illinois law. It found, in light of Chicago Teachers Union, Local 1 v. Bd. of Educ., – a case in which the Illinois Supreme Court held that physical education teachers did not have standing to challenge a statute allowing school districts to waive mandatory physical education requirements because the teachers were not “in immediate danger of sustaining a direct injury as a result of enforcement of the challenged statute that is distinct and palpable” – that the plaintiffs’ allegations of injury were speculative and the plaintiffs thus did not have standing to bring suit.

The Appellate Court reasoned that this result was supported by federal case law on standing. It observed that, “[i]n federal courts, to show standing under Article III of the Constitution, a plaintiff must establish the existence of an injury that is: (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the challenged action; and (3) redressable by a favorable ruling.”  To meet the first requirement, “an ‘allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.” (quoting Susan B. Anthony List v. Driehaus, 2014). “Allegations of possible future injury are not sufficient,” nor is an “objectively-reasonable-likelihood” that the future injury will occur.

The Appellate Court went on to find that an increased risk of harm is not sufficient to confer standing. While agreeing that the Seventh Circuit appears to have held that an increased risk of harm can confer standing in Posciotta v. Old Nat’l Bank Corp., it found that the later-decided Clapper case compelled rejection of this position. (Citing Strautins v. Trustwave Holdings, Inc., (N.D. Ill. 2014).

Finally, the Appellate Court found that alleged “appreciable emotional injury” did not confer standing on the plaintiffs. Specifically, the Appellate Court found that, because the purported emotional injury did not flow from an “imminent, certainly impending, or substantial risk of harm,” it could not, on its own, confer standing.

Implications for Employers

This case is welcome news for Illinois employers, who can use this case to defeat consumer and workplace class actions based on technical violations of state laws without any resulting harm to consumers or employees. Outside of Illinois, if the U.S. Supreme Court interprets federal standing requirements as the Illinois Appellate Court did, employers could be handed a significant win in the Spokeomatter. If Spokeo is decided as Maglio, employers nationally should have a powerful tool to achieve dismissal of class action lawsuits based on technical violations of both federal and state consumer and worker protection laws. Stay tuned.

This column previously appeared on the Seyfarth Shaw LLP website.


While every organization is at risk of employee theft–with the typical company losing 5% of revenue to fraud each year–smaller organizations with less than 500 employees (72%) were the most targeted.

According to The 2015 Hiscox Embezzlement Watchlist: A Snapshot of Employee Theft in the U.S., of the smaller companies targeted, four out of five had less than 100 employees and more than half had fewer than 25 employees. Smaller organizations also had the largest losses, according to the survey. Financial services companies were most at risk (21%), followed by non-profits, labor unions and municipalities.

Hiscox noted steps organizations can take to minimize employee theft, adding that this is most important for small- to medium-sized businesses, which can be more impacted by theft. In fact, the survey found that 58% showed no recovery of their losses.

Perpetrators of crime include tellers, bookkeepers and office managers. There is also a wide variety of schemes that have been used.