RIMS and ISACA Release Joint Report “Bridging the Digital Risk Gap”

All too often, IT and risk management professionals seem to be speaking a different language—that is, if they even speak at all. Bridging the Digital Risk Gap, the new report jointly authored by RIMS, the risk management society®, and ISACA®, promotes understanding, collaboration and communication between these professionals to get the most out of their organizations’ technological investments.

Digital enterprise strategy and execution are emerging as essential horizontal competencies to support business objectives. No longer the sole purview of technical experts, cybersecurity risks and opportunities are now a core component of a business risk portfolio. Strong collaboration between IT and risk management professionals facilitates strategic alignment of resources and promotes the creation of value across an enterprise.

ISACA’s Risk IT Framework acknowledges and integrates the interaction between the two professional groups by embedding IT practices within enterprise risk management, enabling an organization to secure optimal risk-adjusted return. In viewing digital risk through an enterprise lens, organizations can better realize a broader operational impact and spur improvements in decision-making, collaboration and accountability. In order to achieve optimal value, however, risk management should be a part of technology implementation from a project’s outset and throughout its life cycle. By understanding the technology life cycle, IT and risk management professionals can identify the best opportunities for collaboration among themselves and with other important functional roles.

IT and risk management professionals both employ various tools and strategies to help manage risk. Although the methodologies used by the two groups differ, they are generally designed to achieve similar results. Generally, practitioners from both professions start with a baseline of business objectives and the establishment of context to enable the application of risk-based decision making. By integrating frameworks (such as the NIST Cybersecurity Framework and the ANSI RA.1 risk assessment standard), roles and assessment methods, IT and risk management professionals can better coordinate their efforts to address threats and create value.

For example, better coordination of risk assessments allows organizations to improve performance by identifying a broader range of risks and potential mitigations, and ensures that operations are proceeding within acceptable risk tolerances. It also provides a clearer, more informed picture of an enterprise’s risks, which can help an organization’s board as they make IT funding decisions, along with other business investments. Leveraging the respective assessment techniques also leads to more informed underwriting—and thus improves pricing of insurance programs, terms of coverage, products and services.

Overall, developing clear, common language and mutual understanding can serve as a strong bridge to unite the cultures, bring these two areas together and create significant value along the way.

The report is currently available to RIMS and ISACA members through their respective websites. The report can be downloaded from the RIMS Risk Knowledge library or from ISACA at www.isaca.org/digital-risk-gap. For more information about RIMS and to learn about other RIMS publications, educational opportunities, conferences and resources, visit www.RIMS.org. To learn more about ISACA and its resources, visit www.isaca.org.

REPORT: Spencer-RIMS Internship Manual For Employers

Step-by-Step Guide Identifies Elements and Tools to Develop a Successful Risk Management Internship

The newly released Spencer-RIMS Internship Manual for Employers offers a roadmap for risk professionals to design a valuable internship program for their organization while creating exciting and rewarding opportunities for future professionals.

Authored by the RIMS Student Advisory Council, the manual includes:

  • a justification worksheet for employers,
  • strategies for designing an internship,
  • a worksheet to define intern responsibilities, and
  • potential activities and performance evaluation recommendations.

Additionally, the manual provides directions for risk professionals to apply for a Spencer Internship Grant to fund the program.

“Internships provide an unquestionable opportunity for organizations and their risk management teams to maximize capabilities and support business activities,” said RIMS CEO Mary Roth. “Creating meaningful internships is crucial to the sustainability of this profession and we’re excited to build this bridge to rewarding risk management careers.”

“Insurance industry and risk management learning must extend beyond the classroom,” said Spencer Chairperson Marya Propis. “To complement the sensational curriculums that many colleges and universities now offer, real-world experience gives risk management and insurance students a competitive edge as they enter the workforce. Through scholarships, grants and internship programs, Spencer continues to support new opportunities for students to explore our profession.”

To learn more about the Spencer Internship Grant, visit www.spencered.org/professionals/internships.

The report is currently available exclusively to RIMS members. To download the report, visit RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge. For more information about the Society and to learn about other RIMS publications, educational opportunities, conferences and resources, visit www.RIMS.org.

About Spencer

Spencer was founded in 1979 and to this day remains the premier organization funding the education of tomorrow’s risk management and insurance leaders. Since its beginning, Spencer has awarded more than 1,050 scholarships totaling over $6.9 million, and $3.25 million in grants to universities and professional institutions for educational programs and conferences.

To learn more about Spencer, visit www.SpencerEd.org.

Cyber Insurance Strategies Explored: RIMS Report

High-profile data breaches have been making headlines recently, and their damage can transcend industries, which is why cybersecurity is often a top priority for risk managers. With many traditional insurance policies no longer responding to or outright excluding cyber events, risk professionals must understand their options to ensure the organization is protected in the event of a data breach.

A new report by RIMS, A Guide to Cyber Insurance, provides a roadmap for determining the type of coverage risk managers need in the fast-changing world of privacy, data protection, and cyber risk management. The study serves as a reference for risk professionals who are exploring options to effectively manage cyberrisks that are uncovered or not addressed by the organization’s existing risk management program.

Topics include:

  • The cyber insurance application process
  • Procurement of insurance
  • Management of cyber claims
  • Third-party coverage
  • Litigation strategies, and other pertinent details

“While cyber risk management policies are necessary for every organization, reducing a category of risk to zero is impossible,” the report notes. “Cyber insurance can help cover the gaps between a robust risk management program and any remaining risks.”

The report also features case reviews in the areas of cyber policy coverage litigation, negligence, computer fraud, technology errors and advertising and personal injury coverage. “While the overall decision-making process is much the same as with other litigation decisions, certain factors are more complex in the cyber insurance context compared to other insurance disputes,” the authors note.

The Guide doesn’t only focus on insurance. It also features helpful tips when implementing a strategic risk management program characterized by a cybersecurity framework. Pre-event planning and preparation, penetration testing and response ideas are offered as well.

“Following the purchase of some form of cyber coverage, risk professionals need to be prepared for the worst: a cyber event and any resulting claims,” the report states.

“An organization needs to understand both the risk it faces and the coverage options available to ensure that the cyber policies it purchases provide the necessary coverage when it experiences the inevitable data breach or other cyber events.”

A Guide to Cyber Insurance is authored by Bradley Arant Boult Cummings law firm members: Dylan C. Black, A. Kate Margolis, G. Benjamin Milam and Emily M. Ruzic.

The report is currently available to RIMS members.

To download the report, visit the RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge. To learn about other RIMS publications, educational opportunities, conferences and resources, visit www.RIMS.org.

Words (and Clauses) Matter

A recent report published by RIMS highlights the importance for risk professionals—or the person within the organization tasked with the responsibility—to fully understand the language included in their insurance policies.

The report, A Common Language: Aligning Third-Party Contracts with Insurance Policies, suggests that there are “clauses in contracts that may not be understood as well as others, and some people may be tempted to skim past those to move work along.” But, in this haste, deciding to “skim” past those clauses may activate exclusions, limitations and even, unknowingly, nullify the transfer of risk to a third party.

Authored for RIMS by Brenda Tappan of United Educators, the report defines key insurance terms that should be understood by contract reviewers, as well as common contract clauses that impact the validity of both the contract and insurance policies.

“At any given time, an organization could have hundreds of contracts with external stakeholders,” Tappan said. “With in-depth knowledge of coverages held by the organization, risk professionals can play an integral role in ensuring terminology is understood and that discrepancies between third-party contracts and insurance policies are identified.”

The report advises risk managers to be aware of the following insurance contract elements:

  • Indemnification Clauses – This clause delineates whether the parties of a contract wish to retain, transfer or share responsibility from a potential third-party. Be aware that not all “bodily injury” or “property damage” will be covered, even if you have stipulated everything correctly in the indemnification clause.
  • Additional Insured Status – This status provides proof of financial capability to cover what is assumed in the indemnity clause. Keep the additional insured provision separate from the indemnification clause because if the latter is found unenforceable, the additional insured clause might be unenforceable as well.
  • Waivers of Subrogation – This says that the insurer has the right to stand in the place of the insured and go against the responsible party to make themselves whole. Risk professionals might consider requesting a Waiver of Transfer of Rights endorsement. Also, get as much in writing as possible – don’t leave anything up to chance or interpretation.
  • Primary and Non-Contributory – Essentially, the insured will not seek contribution from any other insurance available. When named an additional insured, you are afforded coverage as provided by the other insurance policy.
  • Excess and Umbrella Coverage – Organizations buy this coverage to increase the limits. It can be used for commercial general liability, commercial auto, employers liability, and other primary liability policies. As an indemnitor, you will want to ensure that for any coverage that taps into the policies that provide the upper limits, there is a specified cap to the coverage contractually offered to the indemnitee.
  • Limitation of Liability – It’s an attempt by third-party contractors to cap the amount of liability they will be responsible for to a set amount prior to an incident. Be on the lookout for these limitation of liability clauses. Generally, they are found toward the end of the contract, but can have a significant impact on indemnification.