About Adam Jacobson

Adam Jacobson is a former associate editor of the Risk Management Monitor and Risk Management magazine.
RIMS ERM Conference 2021: Introducing the New RIMS Maturity Model

This morning at the two-day RIMS ERM Conference 2021, attendees got a “sneak preview” of the new RIMS Risk Maturity Model, presented by Carol Fox, former RIMS vice president of strategic initiatives, and Tom Easthope of Microsoft’s enterprise risk management team. RIMS decided to “reboot” the Risk Maturity Model, Fox said, since the original model was launched in 2006, and the field of risk management had changed quite a bit in the years since, as had the world in general.

Easthope outlined how the new Risk Maturity Model was “designed by practitioners, for practitioners” with input from peers, pundits, academics and critics, to show what success looks like in mature organizations. To achieve this, the new model focuses on how advanced an organization’s risk management capabilities are, not necessarily whether the organization had performed specific actions, as the previous model stressed.

Fox told the audience, which attended in person and tuned in online, that the new Risk Maturity Model was built to “grow as the profession grows,” and outlined its five pillars:

  1. Strategy Alignment: Risk related to strategy can lead to riches or ruin.
  2. Culture and Accountability: Culture and accountability drive action.
  3. Risk Management Capabilities: Risk management capabilities encompass more than proficiencies in a single process.
  4. Risk Governance: Integrated governance leads to performance improvements.
  5. Analytics: Analytics are the engines to inform decision making and influence action.

The model is also customizable for each individual organization’s goals and context. When answering the model’s questions, risk managers will have the opportunity to specify their organization’s target on each metric. Success is then measured along five tiers, with Tier 1 being “No formal capacity in place” and Tier 5 indicating that “Capability exists in a continuous improving cycle, informed by internal/external inputs.” The model will not only give a score, but also provide risk managers next steps to help them advance their programs to the next level.

A presentation slide titled "Differentiating the Five Tiers," outlining the five tiers of the model's potential results.

As more people enter data and use the model, risk managers will be able to compare their own performance against that of other organizations and industries—though the presenters stressed that the data provided will be anonymized to both users and the researchers behind the scenes. Companies will also be able to access reports on different respondents across departments to see how answers differed within the organization.

The presenters extended an invitation to participate in the next phase of testing and to give feedback. The goal, they said, is for the model to reflect the reality of risk management today and to “evolve with the world that we live in.” Beta testing is slated to begin in December and to get involved, interested risk managers can contact the organization through the RIMS app, get in touch with Fox and Easthope via LinkedIn, or email RIMS vice president of strategic initiatives Soraya Wright.

This session and many others from the conference can be viewed on-demand online after the event.

RIMS ERM Conference 2021: Integrating Net Zero Commitments into ERM Plans

In a session titled “Integrating Net Zero Commitments into ERM Plans” at the RIMS ERM Conference 2021, Michelle Tuveson, executive director of the Cambridge Centre for Risk Studies, led an interactive session focused on how risk managers were handling their companies’ emission reduction pledges and efforts. Tuveson told the audience that while one-third of companies in G20 countries had signed onto “net zero” commitments—promises to eventually eliminate their companies’ carbon emissions completely—it is unclear how much analysis went into these pledges. As countries around the world start to require emission reporting, this lack of analysis (plus a lack of data to assess progress) is a major concern for these companies’ risk managers.

The audience seemed to back up this assertion. Tuveson conducted a live poll, which revealed that most attendees felt that their industries were on the less prepared side for net zero developments and that their ERM and net zero plans were not very integrated. When asked which group was most driving their companies’ climate action, most answered that it was investors/rating agencies (31%), followed by the board and executive management (20%), consumers (17%), and peer companies (11%).

Tuveson was joined by Joerg Osterloh, director of enterprise risk management at Coca-Cola Europacific Partners, who outlined the company’s net zero activities. With a commitment to be net zero by 2040, it had already reduced emissions across the company by 30% by 2019. The company was prioritizing this effort partially because it saw climate change risks “front and center,” impacting all aspects of its supply chain.

Osterloh credited a strategy that included analyzing how much emissions each sector of the company’s business produced, then strategically addressing each. For Coca-Cola Europacific Partners, the most emissions came from drink packaging, which was not as easy to reduce as other categories like operations and supply cooling. Overall, Osterloh noted the importance of being fully transparent in the company’s net zero activities and its advocacy to influence public policy on transitioning to a low carbon future. He also stressed investing now in new technologies, rather than waiting for those technologies to mature.

At least some risk managers and their companies may already be following this advice. In a final poll, most audience members said that the focus of their companies’ net zero strategy was substituting renewable power (26%), followed by greening supply chains (19%), adopting new technologies (18%), altering products and services (15%), and purchasing carbon offsets (9%).

If you missed this session, it and many of the other sessions at RIMS ERM Conference 2021 can be viewed on-demand online.

Court Overturns Prop 22, California’s Gig Worker Classification Law

On August 25, the Alameda County Superior Court in California declared that Proposition 22 (better known as Prop 22) violated the state’s constitution, overturning it and potentially putting a portion of the state’s gig work industry in peril. The controversial California ballot measure designated app-based gig workers like rideshare and food delivery drivers as independent contractors, meaning that the companies they ostensibly work for would not have to provide a minimum wage, health insurance, unemployment, sick leave or other benefits. Because the initiative was a ballot measure, the court found the law restricted the state legislature’s ability to regulate compensation rules, and said the measure also illegally prevented workers from collective bargaining and unionization. However, this ruling does not mean that gig workers will automatically be considered employees, as no previous law mandated that classification.

Before Prop 22’s passage in November 2020, California passed AB 5 in May 2019, which instituted a more rigorous test to determine whether workers were employees or independent contractors: if “the person is free from the control and direction of the hiring entity in connection with the performance of the work,” the work was outside the company’s usual business, and if the worker “customarily engaged in an independently established trade, occupation or business of the same nature as that involved in the work performed.”

Rideshare companies like Uber and Lyft essentially ignored AB 5 and poured $224 million into fighting for Prop 22, making it “the most expensive ballot measure in California history,” according to the Los Angeles Times. The measure passed with around 59% of the vote.

In a small concession for workers, Prop 22 did provide for a health insurance stipend, but an August 2021 UC Berkeley Labor Center survey of 500 drivers showed that only around 10% of workers were receiving it, and 40% had not heard about it at all. Since work hours are only defined by the time spent driving with a passenger, others do not work the required 15 hours per week on one app to qualify for the stipend. These and other factors prompted drivers and the Service Employees International Union (SEIU) to sue the state seeking to overturn the law.

For now, the Superior Court ruling will likely not change much for gig workers in California, as Uber and other companies have announced their intention to challenge it in higher courts and may ignore any of its other legal implications, leaving everyone involved with a shaky status quo: an overturned law that is effectively still being followed.

As Risk Management wrote in May, one danger of the continuing ambiguity surrounding gig worker classification is misclassifying workers, which can lead to heavy fines or lawsuits. For example, in January 2020, D.C.-based contractor Power Design Inc. agreed to pay $2.5 million for misclassifying 500 workers as independent contractors rather than employees. In August, food delivery app company Postmates settled with the city of Seattle for nearly $1 million for violating the city’s Gig Worker Paid Sick and Safe Time (PSST) ordinance. The payment will go to cover city fines and compensate more than 1,600 workers for back wages. Additionally, withholding benefits, overtime, and meal and rest breaks (whether a result of misclassification, or in general) can result in workers filing class action lawsuits against the company, potentially resulting in significant costs, impacting productivity and damaging the organization’s reputation.

Another risk for gig work companies is insufficient safety measures for workers. Unlike with formal employees, companies often do not provide gig workers with safety training and may not offer formal ways to report safety concerns. This creates an environment where workers who are often under pressure to complete as many rides or tasks as quickly as possible may get into accidents or leave dangers unreported, creating liabilities for themselves and the company.

Other states have their own gig work regulations either on the books or in the works and President Joe Biden has expressed support for gig worker classification as employees, but there is currently no national legislation on this issue. However, in March, the House of Representatives passed the Protect the Right to Organize Act (or PRO Act), which would reclassify gig workers as employees, affording them all the benefits included in that status. The Senate has not yet taken up the measure.

Only 18% of IT Pros Confident in Current Password Risk Management

Many organizations are having trouble maintaining the security of their employees’ log-in information, resulting in serious risks to their networks and private information. According to a recent LastPass and VansonBourne survey of 750 IT and security professionals in the United States, United Kingdom, France, Germany, Australia and Singapore, only 18% feel their company’s current access security is “fully secure and does not require improvement.” Risk management professionals have a significant role to play in determining how their organizations handle these risks and protect their data.

According to the security professionals surveyed, some of the biggest ways that employees’ poor password management creates potential security threats to organizations’ data are password reuse (cited by 67%), weak passwords (65%), and not changing default passwords (36%). Nearly all respondents (95%) said that the risks that come along with using passwords create threats to the organization.

Given the importance of strong login information, companies often attempt to implement password rules to reduce security risks, such as requiring employees to choose complex passwords and change them frequently. However, these issues can lead to frustrations for both IT staff and employees. According to the LastPass/VansonBourne survey, the top frustrations for IT are employees reusing passwords for multiple applications, forgetting their passwords, and the time it takes to manage the company’s passwords. Employees are frustrated by having to regularly change their passwords, remember multiple passwords, and type long and complicated passwords.

The rapid increase in the number of employees working from home due to the COVID-19 pandemic has also exacerbated the risks, given a corresponding surge in cyberattacks on remote workers since March. Many employees are now working on home networks that may not have the protections that office networks offer, their passwords may not follow the stringent guidelines their companies would normally require, and they may store their passwords in less secure ways. In fact, Entrust Datacard released a survey showing that 42% of employees working from home kept passwords by physically writing them down, while 34% saved them in their phones and 27% kept them on their computers. The survey also found that almost 20% of employees reused passwords across multiple systems, which could make it easier for malicious actors to compromise those systems.

Maintaining Secure Logins

There are ways for risk professionals to help protect their companies’ systems and data. Experts recommend mandatory cybersecurity training for all employees, including instructions on how to choose adequate passwords, how often to change them and how to avoid cyber threats like phishing and malware.

There are also technological ways that risk managers can help secure their organizations’ passwords. As a first step, the National Institute for Standards and Technology (NIST) recommends that organizations ensure that employees’ passwords do not match those exposed in previous data breaches. There are publicly available services online that allow users to check whether email addresses and passwords have been compromised in breaches.

Additionally, the NIST recommends that employers restrict passwords to those that are not dictionary words, are not made up of repeated or sequential characters (such as 11111 or 12345 or qwerty), and do not contain specifics like the company’s name or the user’s name. NIST also suggests using multi-factor authentication (MFA), which would require employees to provide their login and password as well as a second piece of information, biometric data, or a physical device like a security key to verify their identity and log in.
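The NIST guidance above (reject breached passwords, dictionary words, repeated or sequential characters, and the user's or company's name) is straightforward to enforce at the point where a password is set. The following is an added example, not code from the article or from NIST or LastPass: a small policy checker in Python. The breach corpus and the dictionary are constructed stand-ins of a few entries; a real deployment would load a full word list and query one of the public breach-check services the article mentions instead of the local `BREACHED_SHA1` set. The minimum length of 8 and the run length of 4 for repeated/sequential checks are assumptions chosen for the example.

```python
import hashlib
import re

# Constructed sample data: a tiny stand-in for a breached-password corpus,
# stored as SHA-1 digests the way public breach-check services do. In
# production this lookup is replaced by a query to such a service.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "letmein", "Summer2021!")
}

# Constructed dictionary; a real deployment loads a full word list.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football"}

# Keyboard rows and the alphabet are used to detect "qwerty"- and
# "12345"-style sequences, forwards or backwards.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1234567890", "abcdefghijklmnopqrstuvwxyz")

MIN_LENGTH = 8   # assumption for this example
RUN_LENGTH = 4   # how many repeated/sequential characters count as a run


def has_repeated_run(pw, run=RUN_LENGTH):
    """True if any character repeats `run` or more times in a row (e.g. 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw, run=RUN_LENGTH):
    """True if `run` consecutive characters follow a keyboard row or the
    alphabet/digits in either direction (e.g. 12345, qwerty, dcba)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        for seq in SEQUENCES:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def contains_context(pw, context_terms):
    """True if the password contains the user's or company's name
    (case-insensitive); very short terms are ignored to avoid false hits."""
    low = pw.lower()
    return any(term.lower() in low for term in context_terms if len(term) >= 3)


def is_breached(pw):
    """Look the password up in the (constructed) breach corpus by SHA-1 digest."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_password(pw, username="", company=""):
    """Return a list of policy violations; an empty list means the
    password passes all checks. Every check runs so the user sees all
    reasons at once rather than fixing them one at a time."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if is_breached(pw):
        problems.append("appears in breach corpus")
    if pw.lower() in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_sequential_run(pw):
        problems.append("sequential characters")
    if contains_context(pw, [username, company]):
        problems.append("contains user or company name")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "12345678", "Acme2021!x",
                      "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, company="Acme") or "ok")
```

The checker deliberately does not enforce composition rules (mandatory symbols, digits, or periodic rotation); it rejects known-bad passwords and contextual guesses and otherwise lets long passphrases through, which is the direction the NIST guidance cited above points in. Hashing the candidate before the breach lookup mirrors how the public services work, so the plaintext never needs to leave the checking process.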

With so many passwords to remember, a password manager—a program that stores and creates multiple complex passwords—may also be a good choice for organizations to protect their systems.

Like all security precautions, password managers are not perfect. While still recommending their use, the Electronic Frontier Foundation warns that “using a password manager creates a single point of failure,” “password managers are an obvious target for adversaries” and “research suggests that many password managers have vulnerabilities.”

While a password manager or single sign-on technology can have benefits like faster authentication and letting employees remember fewer passwords, they also have downsides. The IT professionals surveyed by LastPass cited “the initial financial investment required to migrate to such solution,” “the regulations around the storage of the data required,” and “the initial time required to migrate to new types of methods” as the biggest challenges about using this technology. Additionally, 74% surveyed said that they thought employees at their companies would likely prefer to continue using passwords over passwordless methods because it was more familiar.