After COVID, Cyberrisks Top Agenda for Risk Professionals in India, Marsh and RIMS Report

For risk professionals in India, the COVID-19 pandemic has underscored the critical need to build business resilience and develop mature yet flexible business continuity plans to address both short- and long-term threats. In the new Marsh and RIMS report Excellence in Risk Management India 2020, Spotlight on Resilience: Risk Management During COVID-19, 63% of risk professionals in India said a new pandemic or continued fallout from COVID-19 was a top risk facing their organization, followed by cyberattacks (56%), data fraud or theft (36%), failure of critical infrastructure (33%), fiscal crises (31%), and extreme weather events (25%).

This mix of top risks illustrates the critical task before risk professionals heading into 2021: ensuring capability and procedures to respond to fast-emerging disasters, while not losing sight of the critical work to boost baseline resilience against foreseeable risks across the enterprise.

“Organizations need to balance their focus between longstanding and emerging risks,” said Sanjay Kedia, country head and CEO of Marsh India. “While there has long been an awareness of weather-related risks, low-frequency risks generally receive less attention. The pandemic has underlined the need for risk managers to keep all perils on their radar.”

Indeed, Marsh and RIMS found risk assessment and modeling are critical gaps for India-based risk professionals to focus on to mature their risk management programs. “As businesses recover from COVID-19, many senior leaders are shifting attention to questions of resilience. But, as our survey shows, the use of advanced risk management techniques in India remains limited—for example, more than one-fifth of respondents do not assess or model emerging risks,” the report noted.

This is particularly the case with emerging cyberrisks. Cyberattacks and data loss or theft ranked among the top three threats, and the pandemic escalated the already rising number of cyberthreats to companies in India with the shift to remote work, online business, and ransomware attacks. Indeed, the report noted that the pandemic led to a surge in cyberattacks against Indian companies, with New Delhi among the top 10 most often attacked cities with regard to ransomware in 2020, and more than a third of Indian respondents to a June survey by Microsoft reporting they had fallen prey to a pandemic-related phishing email. Yet only a third of respondents to the Marsh/RIMS report said they model potential cyber loss scenarios, and only 26% plan to do so in the next year. Key cyberrisk management measures and the rate of implementation among Indian companies include:

Whether it is phishing attacks on employees or internet outages interrupting operations in the supply chain, the report notes that the next major event for Indian companies could well be a cyberattack. Focusing on building cyber resilience was one of the report’s four key recommendations, noting “organizations should shift their focus from solely trying to prevent an attack to accepting the inevitability of a cyber event and taking action to mitigate its effect.”

The report’s other top recommendations for risk professionals in India were:

  • Regularly review existing business continuity plans – “Companies should carefully review and refine their business continuity plans. They should ensure their plans enable them to respond effectively to threats that bring short-term pain and long-term and widespread challenges, as is the case with COVID-19.”
  • Embrace the changing working environment – “Lockdowns intended to stem the spread of COVID-19 required many companies to quickly move to remote working, change their business models, and implement new safety measures upon return to the workplace. Other perils, like a natural disaster, could necessitate and precipitate such shifts, even if shorter in duration. Businesses should invest in structures that allow employees to work remotely effectively, efficiently, and safely and should educate employees on new ways of working under changing circumstances.”
  • Remap and remodel your supply chain – “The COVID-19 pandemic emphasizes the need to re-examine supply chains regularly, with special focus on understanding the resilience and reliance of vendors. Companies would benefit from understanding their vendors’ ecosystems; both to provide a clearer view of how they could be affected by different risks and to review contracts to better understand liabilities.”

Moving forward, there is considerable room for risk professionals to be more involved in scenario analysis and strategy

In December, RIMS introduced additional resources specifically for risk professionals in India looking to elevate their risk practice. The report was released around the recent RIMS Virtual Risk Forum India 2020, which brought together hundreds of risk and insurance professionals from across India and around the world. Soon thereafter, the risk management society also announced the official formation of a RIMS India Chapter.

“The exchange of knowledge and experience drives the risk management profession, allowing practitioners to more effectively enhance corporate decision-making, strengthen resiliency and leverage new and exciting opportunities for their organizations,” said Roop Kumar, chief of risk at SBI Life and inaugural president of the India chapter’s board of directors. “RIMS India Chapter will quickly become an exceptional resource for all business leaders. We look forward to delivering cutting-edge risk management insight to support our members as they advance their programs and their careers.”

Other members of the inaugural board of the India chapter include: Keerthana Mainkar, head ERM at Infosys; Amol Padhye, head of market risk at HDFC Bank; Amber Gupta, head legal and corporate secretary at Birla Sunlife Insurance; Anand Shirur, CEO of Digitangle Consulting PVT, Ltd; Steward Doss, associate professor at National Insurance Academy; Monika Mittal, professor at BIMTECH; Shibyanshu Sharma, vice president of risk management at SBI Life; and Yogesh Ghorpade, head of ERM and insurance lead at Thermax Industries.

“RIMS India’s Board of Directors truly represent a cross-section of the country’s risk management community,” said Gopal Krishnan K S, head of RIMS India Operations. “The Society looks forward to learning from their unique experiences and welcoming others to contribute so that, together, we can develop the highest standard of risk management education to address corporate India’s biggest concerns.”

Preparing for a Pandemic: Review Business Continuity Plans Amid Coronavirus Outbreak

Organizations worldwide have been reacting to the recent coronavirus outbreak, COVID-19, in a variety of ways, from restricting nonessential employee travel to canceling large events. The possibility of a pandemic has the potential to disrupt workforces, supply chains and economic activity in the months ahead. So, it is with a sense of urgency that prudent organizations review and update their business continuity plans to ensure their operational resiliency.

A healthy and available workforce is any organization’s most valuable asset. A pandemic will incapacitate some employees and result in other employees being quarantined. This could result in a major disruption to normal operations, with potentially large numbers of employees working from home or remote locations.

To protect your workforce and help ensure its continued productivity, it is critical to:

  • Establish a strategy that enables employees to continue to function without endangering them.
  • Have a plan to isolate employees should the threat of possible infection arise.
  • Ensure employees can effectively work from home.
  • Verify that you have the tools, technology, capacity, and security measures in place to support a large remote workforce.
  • Review your HR policies to ensure employees will not be personally impacted if they must be quarantined for an extended period and modify any policies as appropriate to give greater flexibility to normal working arrangements. 
  • Determine your priorities and the minimum staffing requirements to support these priorities, in case you need to function with a significantly reduced workforce.
  • Identify key employees and ensure other staff members have received appropriate training to comprehensively cover their absence.
  • Create a communications plan that includes providing employees and other stakeholders with regular situation updates as well as actions taken.

In a global economy, virtually every organization is connected to or dependent upon others. You may not be directly affected by a pandemic, but could be impacted if a vendor at a critical point in your supply chain is. Understanding your dependence on entities outside your organization is critical. Are your critical third parties (e.g., suppliers, vendors and service providers) prepared?

To protect your operations and ensure continuity of services or products to your customers, it is important that you:

  • Map your dependencies to understand where disruptions might impact your value chains.
  • Review the preparedness of your critical third parties (suppliers, vendors, service providers, etc.).
  • Identify single points of failure in your ecosystem.

When assessing the impact of a disruption to your ecosystem, it is important to recognize the amount of time before the actual impact occurs. So, as you review and update your plans, you should also conduct walkthroughs and exercises. This is the best method for identifying gaps in your procedures and will give you the highest chance of successful execution. Active participants will become familiar with the goals and objectives of the plan and begin to use it as guidance rather than a prescriptive list of tasks to be followed without applying rational thought. Practicing the execution of your plan ensures all necessary parties understand their roles and responsibilities.

During preparedness reviews, you should also assess the tools used to maintain relevant information and assist in executing your plans. Old technologies and obsolete tools will put successful execution of even the best plans at risk. Identify any deficiencies in the tools available and create a comprehensive list of requirements that will enhance your ability to execute. The sooner you begin to upgrade your tool set, the sooner you will be able to reduce execution risk.

An organization’s ability to effectively respond to a disruption of its workforce or a critical third party depends not only on how effective you were in the planning process, but also on how effective you were with the tools you have and the training you implemented. The tools you use to communicate, maintain situational awareness, and provide current and accurate information will also have a major impact on the execution of the plan.

Secure Messaging in Incident Response and Business Continuity

Today’s businesses face unprecedented risks. As mass interconnectivity replaces operational silos, every aspect of business, from transportation and the supply chain to email, data storage, facilities management and financial transactions, is vulnerable to compromise, disruption and human error. Alongside the people, processes and technology that are at risk in a crisis, the communications mediums most commonly used for incident notification and response are at risk too.

At the forefront of defining their organization’s risk management strategies, risk managers, board members, chief security officers and chief information security officers all have a responsibility to initiate both incident response plans and business continuity strategies that transcend the digital and physical worlds. After all, a digital threat can quickly evolve into physical damages and destruction while a physical event can negatively impact digitally-driven business operations. However, if the communications mediums through which companies collaborate and disperse important news and information are also compromised, challenging situations increasingly become more complex.

Secure Messaging’s Role in Incident Response & Business Continuity

All organizations must prepare for out-of-course events. Situations like acts of nature, data breaches or other compromises require planned responses under the assumption that one day they will occur. Yes, different situations will require a different chain of events to take place, but there is one thing that all incident response and business continuity plans have in common: the need for ongoing communication during and after the event.

Whether you represent a power company that needs to notify first responders and emergency managers of an unexpected power outage/grid loss, an IT department discussing a plan of action during and after a ransomware attack, a healthcare team in different parts of a university communicating information during an active shooter event, or an enterprise sending messages to employees during a blizzard, fast, efficient and secure communications are essential.

How risk managers keep their businesses safe, how stakeholders communicate with colleagues and clients during a crisis and how an organization continues operations as quickly as possible is of the utmost importance. In some settings such as healthcare, energy or even on a campus, business can’t stop. So how do we ensure that caring for patients can continue and that we are prepared for any type of incident, emergency or crisis?

The first step is certifying that your company’s communication plans are solid. No one should want to depend on a phone tree in which you never know if someone receives a voicemail, wonder if information sent via fax is shared after receipt, or worry if a text has been compromised.

That means instantaneous response is required. For example, an organization’s proactive incident response personnel can use their secure messaging platform to preemptively set up templates and pre-schedule a series of texts to notify first responders and emergency management offices as well as all field employees during a declared emergency. Replies to these automated communications can be routed to a specific mailbox or group for monitoring and response, or disallowed based on the type of communication and need, providing a central communication hub.

Many communications, even during an emergency, are confidential to the business. They must be retained for compliance and reporting purposes and need to be protected from leaks. Simply put, communications that require confidentiality and secure discussions do not belong on non-secure channels. In these situations, secure messaging platforms allow for rapid, secure notifications and response communications to meet corporate operating procedures and compliance mandates, without worry of third-party surveillance or leaks.

Every organization must proactively prepare to respond in a secure and efficient manner to minimize the impact to employees, clients and its bottom line. With email and SMS texts plagued with inherent risk, secure messaging platforms are emerging as the trusted option to ensure rapid, efficient and secure communications when they matter most.

Making the Most out of a Crisis

CALGARY, ALBERTA, CANADA—Suppose your company experiences a major hurricane, tornado or fire: Property is destroyed and your business is stalled, meaning customers are left waiting. But there are buildings to be rebuilt and equipment to be replaced, and the claims process hasn’t even started. This is when the risk manager’s skills at placing the company’s insurance coverage and negotiating for the best payout can not only demonstrate their true value, but can put the company back on course, according to experts here at RIMS Canada’s annual conference.

“When there’s a serious property loss, this is the time for the risk manager to shine, because up until then it’s about premium, premium, premium,” Tom Parsons, manager of risk management at Fairmont Raffles Hotels International in Toronto, said during a RIMS Canada Conference session. “Up until a serious loss occurs, I don’t think you feel the impact that you can give back to the company. Because what we do is buy insurance, so it has to work. It is what you helped craft and build into your policy through the years. You have created a policy that is robust, and that is going to cover everything—you hope.”

Among the examples cited was a soft drink bottling plant flooded with eight feet of water following a hurricane. While the company’s high-speed bottling equipment was damaged and would need to be replaced, explained Jeffrey Phillips, managing director in PwC’s U.S. forensic advisory practice, the issue was that floodwaters were highly contaminated due to a number of chicken and hog farms in the area. As a result, the company determined that the building could not be used for any type of food processing and would need to be demolished. The insurer, however, argued that the walls could be sealed, containing any contaminants. The company had found a competitor to do some of the bottling, but it wasn’t enough to fill their orders, Phillips said.

Because delivery of the new bottling equipment was slated to take months, there was also a large business interruption period being covered, he said. This is when innovation came into play. The bottling company was able to show the insurer that buying another plant rather than rebuilding would put them back in business sooner, cutting back on their losses. The insurer agreed and sent them a check. As a result, the company purchased a larger facility in a better location.

“They were up and running in six months—the business interruption had stopped,” he said. The better location also meant reduced shipping costs and the company gained market share. Because the company was able to make the case to its insurer, both came out ahead in the long run.

Phillips recommended that companies negotiating after a crisis “communicate, communicate, communicate” with their insurers.

They should also get their insurers to sign off on major contracts, such as scope of work, rates and overhead; discuss changes to operations or facilities with the adjustment team; and agree on the scope of property damage repair or replacement whenever possible.

Insurers will typically push to return the facility to pre-loss condition, “unless you can prove the changes will save them money,” he added. “Insurers will not be creative for you, they don’t know your business or your goals.”