Holding Executives Accountable for Cybersecurity Failures

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but records are far more costly in highly regulated industries: in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and their reliance upon information security executives: a large portion of the education board members have on infosec comes from the organization’s own IT and security executives, and “when the person educating you on cybersecurity is the same individual tasked with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks.

According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently. Her performance bonus was slashed by more than a third as a result of the company’s security failings.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Two-Thirds of Latin American Companies Have a Risk Management Policy

A majority of firms in Latin America (66%) have developed a risk management policy and, of those, 70% make sure that the policy is known throughout the organization.

From these numbers, it is clear that risk management and enterprise risk management practices have made significant progress in Latin America, according to a joint survey by Marsh Risk Consulting and RIMS of businesses from 15 countries in the region.

But while risk management programs are in place at a majority of organizations in Latin America, much more can be done. Only 42% of respondents reported that their organization’s boards are involved with risk management. What’s more, just 21% of respondents said their risk management programs are integrated with strategic planning.

“The report demonstrates that Latin American companies increasingly understand the competitive advantage and added value risk management brings to their organizations,” said Rodrigo Fajardo, Marsh Risk Consulting Leader for Latin America. “While the trend is encouraging, we must continue to educate Latin American business leaders about the benefits of an integrated and strategic risk management approach by demonstrating its ability to positively impact finances, sustainability and governance.”

The study was released as part of RIMS’ first Risk Forum Latin America, taking place Nov. 9 and 10 in Lima, Peru.

“Latin America’s growing economy offers many opportunities but, before engaging in commerce in the region, it is critical for risk professionals to be able to identify and assess all uncertainties,” said RIMS President Rick Roberts. “The report and RIMS’ forum are aimed at providing practitioners with a better understanding of the region’s risk management landscape and most pressing challenges to make informed recommendations for their organizations.”

Intuit Wins 2015 ERM Award of Distinction

CHICAGO—In recognition of its success in building a sustainable enterprise risk management (ERM) program to enable its business lines to identify and intelligently manage the most important risks, software company Intuit was presented with the 2015 Enterprise Risk Management Award of Distinction at this year’s RIMS ERM Conference.

“ERM transformed Intuit’s risk management capability, requiring our leaders to think cross-organizationally and cross-functionally to understand the most significant risks and drive strategies to address them,” said Janet Nasburg, chief risk officer at Intuit. “ERM was instrumental in not only providing insights about the company but has also driven changes in the way we align our focus. It is a tremendous honor to be recognized by RIMS for our hard work and to share our ERM experiences with the risk management community.”

Honorable mention for this year’s ERM Award of Distinction went to VIA Rail Canada Inc., the country’s national passenger rail company. As a result of its ERM program, the company developed a risk appetite and tolerance framework based on measurable leading key risk indicators.

“Applying this framework to its key strategic risks strengthened VIA’s ability to assess, monitor, and respond timely to changes in its enterprise-wide risk portfolio, thereby adding value to its decision-making process and enhancing risk oversight by its board of directors,” said Denis Lavoie, VIA’s director of enterprise risk management.

“RIMS is delighted to recognize the accomplishments of these two organizations and their risk professionals through the RIMS Award of Distinction,” said RIMS Executive Director Mary Roth. “The Intuit and VIA Rail programs demonstrate the tangible value that ERM brings to their respective organizations for both strategy-setting and strategy execution.”

Judging criteria for the ERM Award of Distinction include the scope of the ERM program and how it engages different levels throughout the organization; the program’s link or connection to the company’s overall mission; and its ability to create additional value for the organization.

How Active Governance Can Advance Proactive Risk Intelligence

Boards, regulators and leadership teams are demanding more and more of risk, compliance, audit, IT and security teams. They are asking them to collaboratively focus on identifying, analyzing and managing the portfolio of risks that really matter to the business.

As risk management programs evolve to more formal processes aligned with business objectives, leaders are realizing that by developing a proactive mindset in risk and compliance management, teams can provide added value to help the organization gain agility by identifying new opportunities as well as managing down-side risk. Organizations with this new perspective are more successful in orchestrating change to provide a 360-degree view of both risk and opportunity.

Risk teams that are further along on the journey of leveraging proactive approaches to risk management look not only within the organization but beyond it, to supplier, third-party and customer ecosystems. This means developing a view across the larger extended enterprise to ensure alignment of people, processes and technologies.

An essential prerequisite to proactive risk management is a shift from passive to active governance. To build an active governance competence effectively, governance needs to be “active, engaged and embedded,” rather than “passive, reactive and irrelevant.”

Active governance means being thoughtful about the alignment and interlock of policy, risk, compliance, quality and operational programs. Proactive risk intelligence throughout the organization can help it advance by aligning policies and procedures, facilitating an enterprise view of issues, and orchestrating change to mitigate risk.

Align Policies, Procedures and Roles

Once proactive risk intelligence is understood and embraced as a concept, the next step is to develop agile and consistent policies that truly reflect and produce desired behavior. This means aligning business strategy and appetites with prescribed behavior, which is typically described not only through policies, but also through procedures, and embedded in role descriptions. It is important to make governance traceable in this way. Likewise, it is critical to make sure roles and responsibilities are aligned with policies and procedures so that employees, partners and third parties are empowered to do the right thing.

Foundational is consistency between policies and procedures in similar roles across geographies, cultures and business units. Some key things you can do to help your organization include:

  • Align Policies to Business Objectives — Ensure responsible management and oversight of resources by aligning policy to business intent. You can do this by mapping policies to risk tolerances and compliance requirements. Be explicit when defining legal and ethical boundaries.
  • Resolve Global/Local Conflicts in Policies and Procedures — Improve active governance by resolving local/global dissonance—often a policy at one level can contradict a similar overlapping policy at another level—it’s important to iron out discrepancies so that people have confidence in the policy and know it stands for something the organization values.
  • Engage the Right Subject Matter Experts for Policy Creation and Review — Policy life-cycle management can really help. Be sure to include alerts and intelligence to ensure policies reflect compliance to new and changing regulations and business obligations. Establish the right roles and responsibilities for creating, editing, reviewing and publishing polices. Automated workflow can help make this seemingly monumental task achievable. Empower the right decision-making processes for governance of policies and allocation of resources.

Gain an Enterprise View of Issues and Remediation

Now that your organization is looking at risks in the context of appetites, tied to policies that reinforce desired behavior and based on a common language, the next step is rapid, complete issue resolution. Mature organizations can maintain a portfolio of issues and incidents, facilitating a 360-degree view.

By looking at all the incidents and issues tied to a risk, process or asset, your team will begin to develop a preventive capability, and be able to ‘right-size’ remediation investments. Key things you can do to help your organization include:

  • Manage issues as a portfolio — Look at issues across all sources, through a common process, across all aspects of the organization: not only issues arising from audit, risk management, privacy and compliance teams, and IT and security, but also those from research and development, quality, environmental health and safety, and human resource groups.
  • Develop a proactive, preventive capability — Think in terms of future changes and what issues may arise in risk and compliance management. For example, get teams involved early in initiatives such as mergers and acquisitions, new product or service launches, or expansion into new markets.
  • ‘Right-size’ remediation investments — Optimize investments in remediation through end-to-end root cause analysis. When business units look at an issue in isolation, investments can be made that solve the problem locally but push symptoms to an upstream or downstream process. Looking at issues across, down and through the organization builds the 360-degree views that get at the real root cause and the appropriate remediation.

Orchestrate Change across Risk Processes

Creating proactive risk intelligence as a competency is in many ways all about orchestrating change. Continuous value creation is demanded of successful organizations in today’s dynamic world. When collaborative risk teams focus on continuous improvement, they will spot opportunities for operational efficiency and savings that can be used to fund innovations. As organizations mature, collaborative teams can be supported by risk and compliance centers of excellence, shared services and innovation labs.

  • Build a community dedicated to the vision of risk intelligence — Bring people and partners on board with a proactive mindset. Make sure continuous improvement fuels and funds innovation across and within core processes of governance, risk, compliance, privacy and security.
  • Continuously innovate — Manage a portfolio of innovation projects to mature centers of excellence, shared services and distinctive risk and compliance competencies. Leverage technologies to accelerate innovation and gain economies of scale.
  • Continuously improve — A formal investment program identifies synergies and funds strategic initiatives, certification and training programs.

The GRC journey is about orchestrating change to gain a competency of risk intelligence. It requires a proactive mindset and anticipation of future problems, needs and changes.

Active governance is the first step in supporting change and building a competency of proactive risk intelligence by planning and thinking ahead at every stage of the risk management process.

Active governance goes beyond general oversight to ensure alignment and interlock of strategy, through policy, procedures and roles, in the operational fabric of the organization, and it carries through to suppliers, customers and third parties. By starting with these core aspects of active governance, you are on your way to creating a competency of proactive risk intelligence in your organization.