
RIMS Risk Forum India 2021: Building Resilience As COVID, Cyberrisk Top Business Risks

An increasingly key theme year over year, resilience is at the root of the latest Excellence in Risk Management India report from Marsh and RIMS—and the RIMS Risk Forum India 2021 virtual event, where the report was officially released today. In the second year of the COVID-19 pandemic, risk professionals in India reported acute short- and long-term concerns about the interconnected risks of COVID-19 cases, global economic recession, and surging cyberrisks amid shifts in work arrangements.

In addition to the death of more than 5 million people in India, the pandemic has taken a considerable economic toll on the region. “According to the Organization for Economic Co-operation and Development (OECD), India’s economy contracted by close to 8% in 2020, while the world’s economy contracted by 3.5%,” the report noted. “Despite the OECD’s projections for economic expansion—both in India and globally—in 2021 and 2022, the potential for a prolonged global recession remains a concern for organizations in India.”

Previously one of the top risks for India-based risk professionals before COVID-19, cyberrisk has also increased significantly with the pandemic and the shift to remote work. “The shift to a remote workforce necessitated by sweeping lockdowns to stem the spread of the pandemic is widely seen as having increased cyberrisk,” Marsh and RIMS noted. “The Indian Computer Emergency Response Team (CERT-In) data indicated that cyberattacks in India rose by 300% in 2020, according to news reports. And cyber risk remained elevated in 2021, with more than 600,000 cybersecurity incidents reported in the first six months of the year alone, according to CERT.”

The continuing pandemic, resulting fallout, and ever-growing cyberrisk have presented the biggest risks for organizations in India in 2021, and the survey indicates that local risk professionals expect these to dominate the agenda for businesses in the year to come.

Despite the considerable concern, few respondents said their company is fully prepared for the continued fallout from COVID-19 or future pandemics. Asked to rate their organization’s preparedness from 1 to 5 (not prepared to fully prepared, respectively), the majority of India-based risk professionals ranked their organization a 3, and only 10% said they are fully prepared. While cyberrisk has been a top threat for longer, preparation is not much better for the threat—only a quarter of Indian companies said they are fully prepared for a cyberattack. This is particularly concerning as “some extent of remote work is expected to remain, leading to concerns of increased cyberattacks due to unsecured home networks,” Marsh said in a press release.

According to the report, this underscores the imperative to develop robust risk management strategies for both current and emerging risks and to focus on building resilience. Marsh identified four “common behaviors among companies that are on the path to becoming more resilient”: anticipating risk, connecting risk management to business strategy, avoiding gaps in the perception of preparedness, and measuring relevant data. Marsh and RIMS explained these further, defining key pillars that have set successful businesses apart, and potentially also offering considerations for other organizations to develop more mature risk management programs:

  • Anticipation: Resilient companies expect the unexpected. They have crisis management plans in place, but they also dig deeper, look farther ahead. Consider that during the pandemic even organizations with thorough business continuity plans struggled. Why? Many of them didn’t fully anticipate the widespread, long-lasting damage a pandemic could create.
  • Integration: Another key behavior among resilient organizations is to fully integrate risk management with operations and strategy. Doing so increases the ability to develop effective responses. Most organizations do not connect resilience planning with their long-term investment strategy. Those that do make the connection are on the path to better mitigating financial exposure, reputational damage, business interruption, and other losses.
  • Preparedness: On the journey to resilience, it’s important to develop an accurate perception of an organization’s preparedness. A false sense of security can halt an organization in its tracks. Companies often overestimate how quickly and effectively they will be able to respond to and recover from a given risk.
  • Measurement: There is no shortage of data and analytics in today’s business environment. But consistently applying metrics can be a stumbling block. Many companies fail to conduct a high rate of modeling and forecasting even on risks they see as important. And among the companies that do so, most only model in select areas.

Marsh and RIMS recommended that organizations in India focus on resilience heading into 2022 and beyond. “Resilience means being able to absorb the impact from a range of emerging risks and depends in large part on having robust risk management strategies in place,” the report explained. “This includes anticipating risk, connecting risk management to business strategy, ensuring your organization’s perception of preparedness doesn’t lead to a false sense of security, and measuring relevant data.”

Respondents largely indicated that their organization planned to increase investment in risk management, with 55% saying they expect increased resources, 27% expecting investment to stay the same, and only 4% expecting a decrease. This could be a critical differentiator in navigating COVID-19 recovery and other emerging risks in 2022. Indeed, 42% cited budget as the most critical barrier to understanding the impact of emerging risks on risk management.

Among the takeaways from the report, Marsh and RIMS urged organizations to invest in preparedness. “Look beyond pandemic as you develop a risk management strategy that is prepared to respond to any number of emerging risks,” the report said. “For example, shifting work patterns have intensified an already escalating cyber risk landscape that calls for a range of responses, from scenario planning to financial quantification.”

In addition to a panel on the Excellence in Risk Management India report, the RIMS Risk Forum India 2021 virtual event includes a number of sessions that address resilience challenges and opportunities for risk professionals in India. The program includes keynote addresses by Ajay Srinivasan, chief executive officer at Aditya Birla Capital Limited (ABCL), and Dr. Soumya Kanti Ghosh, group chief economic advisor at the State Bank of India, as well as education sessions like “Cyber Risk Management: A Priority for a Resilient Economy,” “Climate Risk and Your Path to Resilience,” “What COVID-19 Has Taught Us About ESG Risks and Why Risk Management Needs to Change,” and “Breaking the Chain: How Understanding Business Interruption Exposures Can Mean Supply Chain Resilience.”

The RIMS Risk Forum India 2021 virtual event continues tomorrow, December 4, and sessions will also be available for on-demand viewing for the next 60 days. Registration can be found here: https://www.rims.org/events/rf/india-forum-2021

NCSA and NASDAQ Advise Risk Managers to Look ‘Beyond IT’ Following a Breach

NEW YORK — “Incident Response and Recovery” was the theme of the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit on April 17. Security and risk professionals from the Department of Homeland Security (DHS) and various companies and organizations convened at the Nasdaq Marketsite to discuss methods that focus on resilience and recovery following a cyber attack or data breach.

NCSA Executive Director Kelvin Coleman led the fireside chat with Matthew Travis, deputy director for the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The timing of Travis’ appearance was unique, considering that Kirstjen Nielsen–formerly the secretary of Homeland Security and Travis’ director–recently resigned from her post on April 7. While that announcement grabbed widespread attention due to her involvement with the humanitarian and immigration crisis at the U.S.-Mexico border, it also has major impacts for the country’s efforts to counteract cyberrisk and data breaches. Last September, Nielsen announced the formation of the National Risk Management Center (NRMC), an initiative focused on defending critical infrastructure from cyberattacks and providing a single point of access to the full range of government activities to defend against cyber threats.

“There is no doubt [Nielsen] was the most cyber-savvy secretary the department’s ever had. She brought real bona fide domain expertise in cybersecurity to the department,” Travis said. He added that the creation of CISA is her legacy and that the relationship with Kevin McAleenan, the new acting secretary of homeland security, has been harmonious.

Travis reminded attendees that CISA’s partnerships with the private sector were crucial and that CISA regularly monitors national critical functions such as elections, electrical grids and financial transactions, which he said are the “big things that drive our economy.” He also said that companies can leverage CISA resources immediately after a breach as a supplement to the FBI’s criminal investigation.

“We’re going to help you understand exactly what happened and help you recover the data and mitigate some of the impact. The private sector firms do that very well, but the difference is that…[CISA] is free,” he said. “That is where we would like to work with owners and operators, when there is an event, to help them get back on their feet as soon as possible.”

Additionally, Coleman and Travis discussed that though CISA is not part of the intelligence community, it does have access to the intelligence collection and monitors trends that can be used to warn private sector companies of cyberrisks. He cited the recent Domain Name System (DNS) infrastructure hijacking campaign that CISA warned about in February—in which at least 40 different organizations across 13 different countries were compromised—as an example of the agency taking steps to alert both the public and private sectors.   

“When we issue technical alerts or emergency directives,” Travis said, “[we] communicate to our stakeholders what to look out for.”

How to Reduce Uncertainty After A Breach  

In the next session, panelists agreed that even when companies use new technologies to remedy security flaws and migrate data to cloud storage, new vulnerabilities occur. Dr. Michael Siegel, principal research scientist and director of cybersecurity at the Sloan School of Management at the Massachusetts Institute of Technology (MIT), said that the old adage of risks being rooted in people continues to be prophetic.

“It’s always been about people and things that sit in our systems for a long time,” he said. “You’ve heard this since the 2000s and it’s still true, and even more true today.”

Should a business find itself in a situation where ransom is being demanded for intangible assets and information, Siegel advised that then is not the time when stakeholders should first decide whether they’d be willing to pay.

“They should know whether they’d pay ransomware because they have [presumably] done tabletop exercises…that will be absolutely essential because any time you wait and indecision will be [catastrophic],” he said. “You have to have practiced it in advance. You can build a scenario-generator and run it through a classroom.”

Companies can also learn from breaches, if tracking is implemented within their code, noted Tyler Shields, vice president of strategy for Sonatype, an open source governance platform. “The ability to track your code from creation to deployment—that entire life cycle—needs to be instrumented so that when a breach occurs you know what component was affected, where it came from, who implemented it and what protections were in place.”

Incident Response Recovery Beyond IT

The final session’s panelists agreed that holistic approaches were essential for successful responses and recovery periods. Internal and external communications should be well thought-out, and designating a person or team to handle them sets the appropriate company precedent. Lisa Plaggemier, chief evangelist at Infosec and NCSA board member, said that, for example, while a company’s lawyers are critical during these times, they might not be the best communicators.

“Lawyers, when they write for communications, tend to sound more scary than reassuring,” she said. “You want to have collaborations and have that communications person in the room with them.”


When it comes to crisis communication, Plaggemier advocated that employees—especially those who detected the incident—should be armed with talking points for traditional and social media outlets to avoid data leakage.

“We want to make sure we equip those people so that the rumor mill doesn’t start flying and we don’t end up with communications that are out of our control,” she said.


Dovetailing on that notion, moderator Andrew Derboben, senior director of security operations at Nasdaq, was quick to mention reputation risk. He said another way to reduce data leakage and misrepresentations in the media—which can further harm a company’s reputation in the aftermath of a breach—is to arm all company employees with a brief script on what to say to anyone, even just passersby making small talk.

“Don’t even have them say ‘no comment,’” Derboben said. “Point them to the experts who have all the data. Because if we’re missing a key piece of information and it’s not communicated properly it could determine how an article will be written.”

RIMS Risk Forum 2018 India Kicks Off In Mumbai

MUMBAI – The inaugural RIMS Risk Forum 2018 India launched on November 13, and leading risk professionals from India and Asia-Pacific countries met for two days to address the challenges facing companies in the region. In a country of 1.3 billion people, expectations are for India’s risk management profession to grow, though some presenters acknowledged the proactive need to fill a potential talent gap.

During the opening keynote address, Dr. Viswanathan Ragunathan, CEO and general manager of the Varalakshmi Foundation, said that examining the role of risk in Indians’ behavior and culture will initiate the dialogue among students and aspiring professionals.

“We are obviously a contradiction,” he said. “We are, at once, eternal optimists and fatalistic. At one level you can relate to what I’m saying in that Indians do not take too much risk in their day-to-day lives. Yet anyone who has taken the Mumbai trains knows…it’s almost as if we have a death wish.”

Ragunathan also discussed approaches he tends to use to assess risk, including viewing them in a VUCA environment (volatility, uncertainty, complexity and ambiguity), where one weighs how much of a situation is known against the results of controllable actions and their predictability.

“The management of volume,” he said, is ultimately at the heart of India’s challenges, and that issue is exacerbated by interconnected risks, such as a dense population and struggling infrastructure. He proposed transparency and broad communication within the Indian risk management community as starting points for solutions.

“The risk manager who understands the risk but does not share it widely does not help,” he said.

As the forum progressed, ISO 31000 implementation, natural disasters and resilience, infrastructure, risk frameworks, data storage and diversity hiring practices were some of the topics that received special focus on Tuesday.

“The State of Risk Management in India” was a Marsh-led panel on the findings from the newly released, India-wide survey on risk management practices co-conducted by RIMS. The report found that risk managers are at a crossroads in India, where they can assume greater leadership roles that transcend just compliance and insurance matters and can expand their knowledge base, hone their skillsets and gain access to best practices, tools and technology.

During “Thinking About Thinking in Risk Management,” Peter Young, PhD of the University of St. Thomas’ Opus, discussed the major questions facing risk managers today. He discussed how, according to his findings, experience dealing with uncertainty – as opposed to risk – rises as one looks further up the corporate ladder.

“Risk is uncertainty when you have the capacity to measure it, and when you get to the executive suite you hardly ever deal with risk at all because you’re responsible for the strategy,” he said. “I would submit that’s broadly true among organizations at all levels. We are little ships bobbing in a big sea of uncertainty.

“[Executives] can bring a level of comfort operating in an environment of uncertainty. That turned out to be only partly true, but we think it’s an abiding truth that is slowly revealing itself.”

“Diversity in Corporate India” inspired some spirited discussions about how women’s voices and the concept of assumption are emerging as integral parts of hiring practices throughout organizations in India. Panelists were Ragunathan, Praveen Gupta, CEO of Raheja QBE General Insurance Co., and Carissa Hickling, Talent Acquisition Strategy and Technology Global Consultant for Siemens Technology India.

They spoke of how efforts to better represent women have progressed. Additionally, gay and lesbian communities have experienced a new level of acceptance since September, when the Supreme Court of India ruled that parts of Section 377 – which was introduced in 1864 – were unconstitutional for criminalizing homosexuality. While the panel agreed that talent itself should win above all else, they acknowledged that it was a sign of progress for the nation and should be thought of as such by its corporate sectors. Hickling explained how Indian companies can now be more open-minded in their hiring and promotion practices.

“When we look at onboarding plans and organizations, these are the moments of truth,” she said. “We can have conversations about making a small change to our HR system because this is an opportunity to change the first impression of our organization.”

She added that Siemens leadership is taking the initiative to recognize same-sex partners when discussing health benefits and taking the progress a step further extending the welcoming to transgender workers. “This is all happening very fast,” she said, “but it is a time when an organization can demonstrate that this is a time when this does matter.”

For more coverage of the forum, visit Risk Management Monitor’s Q&A with Shankar Garigiparthy.

Live RIMScast coverage of the forum is also available. Download Speaking with Leaders in Risk Management Part I and Part II.

And exclusively for RIMS members, download Peter Young’s audio live from Mumbai: Thinking about Thinking in Risk Management: New Skills for the Future.

Critical Infrastructure, Security and Resilience Highlighted in November

National Critical Infrastructure Security and Resilience Month (CISRM) kicked off on Nov. 1. The month’s initiatives address risks such as extreme weather, aging infrastructure, cyber threats and acts of terrorism.


Its timing is certainly appropriate, as the effects of recent hurricanes on infrastructures in southern states and Puerto Rico continue to be assessed, as well as Northern California’s devastating wildfires and the deadliest shooting massacre in modern U.S. history.

The month was created by the Obama administration, and the Department of Homeland Security (DHS) hosts CISRM in an effort to promote education and awareness of the 16 critical infrastructure sectors that are vital to public safety and national security. Its page reads:

The evolving nature of the threat to critical infrastructure—as well as the maturation of our work and partnership with the private sector—has necessitated a shift from a focus on asset protection to an overarching system that builds resilience from all threats and hazards.

A CISRM toolkit provides companies with templates and drafts of newsletter articles, blogs, and other collateral material for use in outreach efforts. Activities geared toward business owners, public entities and private citizens focus on several key themes to enhance security and resilience, including:

  • Highlighting interdependencies between cyber and physical infrastructure
  • Pointing small and medium-sized businesses to the free tools and resources available to them to increase their security and resilience through Hometown Security and the four steps of “Connect, Plan, Train, and Report”
  • Promoting public-private partnerships
  • Fostering innovation and investments in infrastructure resilience

In his proclamation of CISRM earlier this week, President Trump further committed to helping businesses invest in “needed capital and research and development by reducing burdensome regulations and enacting comprehensive tax reform.” The proclamation states:

We will also renew our Nation’s focus on ensuring that the next generation has the education and training, particularly in science, technology, engineering, and math, required to meet the known and unknown threats of the future.

Overall the United States’ infrastructure is among the top 18 in the world, according to the 2017 FM Global Resilience Index, which aggregates data to help companies identify their key supply chain risks. The U.S. continued to hold high rankings among 130 countries based on drivers in three categories: economic, risk quality and supply chain factors. The U.S. is segmented into three regions to reflect disparate natural hazards exposure:

  • Region 1, which encompasses much of the East Coast, is ranked #10 in the index (a one-spot upgrade from last year)
  • Region 2, primarily the Western U.S., is ranked #18 (a three-spot upgrade)
  • Region 3, which includes most of the central portion of the country, is ranked #9 (down three places)

Although the federal government is less focused on asset protection, business owners can still get involved by safeguarding workplaces. In its October 2017 edition, CLM magazine noted that another path toward resilience involves reducing property damage caused by extreme weather and natural disasters. Literally looking to the sky is one suggestion; business and property owners should pay particular attention to their roofs in order to prevent degradation and enable them to withstand high winds.

“Property owners need to have maintenance personnel adopt and implement preventative maintenance and roof inspection programs that alert them to potential and active degradation,” wrote the authors of the article, “Time For Resilience.” “Weak links such as roof detachment, corrosion, or other damage could tear off roofing during an enhanced wind event. Such risks need to be mitigated before an event occurs.”

Ready.gov provides resources on disaster planning and management, and also has this section on Business Continuity.