Category Archives: Crisis Management

Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

When Your Commute Becomes Derailed

Posted on by

Just yesterday I remarked to my husband that my train, the Hudson line, has been amazingly stable and almost always on time. Especially when you consider that there have been major derailments of the Connecticut (May 17) and the Long Island (June 17) lines of the Metropolitan Transit Authority (MTA).

I should have known better. Just when you think you can take a breather, something is bound to happen, as it did this morning. Normally I would have been listening to the news and traffic report, but I was spending some time with my puppy before rushing to the ferry station. Once there I waited, but no ferry, and the few people who were there didn’t seem to know why. Annoying.

I called my husband and asked him to drop me off at the train station across the Hudson (parking is impossible there). On the train platform, however, I quickly learned that there was a big problem—the derailment of 10 CSX garbage train cars on a narrow portion of track used by the Hudson line. There were no injuries, but that is a whole lot of cleanup, not to mention the two tracks that need to be replaced, according to the conductor I talked to. He estimated it would take at least the weekend to repair the damage.

I have to say that I was impressed with the MTA’s contingency planning. The MTA gets a lot of flack, but it’s worth mentioning that they did get it right this time. What I expected to be a nightmare of delays and standing around waiting—on one of the hottest days of the year—wasn’t bad at all. The MTA train took us to Yonkers, just north of the derailment area, where we were quickly led to waiting busses. The busses transported the train’s passengers to a large subway station where we were ushered through a special turnstile, and our train passes were honored. The subway ride took a while, since it was a local covering more than 200 blocks. But a fellow passenger gave me an idea of the subway route and at what stop I should get off. Happily, I had only a block to walk to work.

Research shows that the MTA has an enterprise risk management plan in place. I found a 93-page document online that outlines significant business processes for the MTA bus company, bridges and tunnels, individual train lines and much more. It also notes which business processes have been reviewed. Under the listing of Maintenance of Equipment for the Long Island Railroad, for example, items that have been reviewed include locomotive daily inspection and diesel locomotive periodic inspection, rolling stock inspections and equipment surveys.

From what I have read, however, some passengers last night weren’t as lucky. They were told to wait for busses which didn’t arrive. That was right after the derailment, however, and it takes some time to put a major plan into action.

So, lessons learned:

• Listen to the traffic announcements on the radio every morning

• Don’t be too complacent when things go well

• Roll with the punches, occasionally things do work out

• Take time to play with the puppy, no matter what, even if you’re a little late for work

Best Practices for Business Storm Prep

Posted on by

Winter storm Nemo is approaching the Northeast as, what some are calling, a blizzard for the record books. To prepare, businesses must take into consideration those aspects that will keep their organization up and running — including communication to customers and employees.

To ensure your company is successful at critical communications, Everbridge, an interactive communication and mass notification company, suggests companies:

  • Plan to manage the entire lifecycle of any critical event. Dr. Robert C. Chandler, crisis communication expert, suggests creating a crisis plan that addresses each of the six stages of a crisis: warning, risk assessment, response, management, resolution and recovery.
  • Confirm that you have multiple contact paths for each individual to decrease reliance on any one device.
    buy imuran online medilaw.com/wp-content/uploads/2015/03/jpg/imuran.html no prescription pharmacy

    Set delivery options to attempt email and SMS paths first, as cellular and landline infrastructures could be damaged by the storm.

    buy vilitra online medilaw.com/wp-content/uploads/2015/03/jpg/vilitra.html no prescription pharmacy

  • Focus on message construction. Dr. Chandler recommends that message maps consist of three short sentences that convey three key messages in 30 words. SMS messages should be no longer than 120 characters and audio/video needs to convey its message in the first nine seconds.
  • Don’t forget social media. Use social media as an additional communications channel and be sure to monitor social media sites like Twitter to gain situational intelligence that can help emergency response teams.
  • Ensure that regular system and staff testing and preparation procedures are followed including system testing for effectiveness and data accuracy. Staff should be trained to operate the critical communications system from both computer and mobile devices.

Crisis Management in the Age of Cybercrime

Posted on by

[The following is a guest post by Richard S. Levick, Esq, president and chief executive officer of Levick Strategic Communications. You can Follow Richard on Twitter @RichardLevick where he comments daily on risk management and crisis management.] 

Immense as it may be, the March 30 Global Payments data breach that dominated headlines is only the latest in a series of events that made this current crisis eminently predictable. If there are any illusions that this breach was anomalous, consider the extent to which high-profile data breaches similarly dominated headlines in 2011.

Sony suffered over a dozen data breaches stemming from attacks that compromised its PlayStation Network, losing millions and facing customer class action lawsuits as a result. Cloud-based email service provider Epsilon suffered a spear-phishing attack, reportedly affecting 60 million customer emails. RSA, whose very business related to on-line security, experienced an embarrassing and damaging theft of information related to its SecureID system, necessitating an expenditure of more than $60 million on remediation, including rebuilding its tattered reputation.

And the list goes on.

Right now, just about all businesses face cyber risks. The worst include intellectual property losses due to economic espionage — by far the greatest risk to companies — as well as data breaches and ideological “hacktivists.” And the growth rate of those risks often exceeds a company’s ability to fight them.

Over the last decade, companies have experienced exponential increases in the volume and type of their digital assets along with an explosion in the types of storage devices that house them. With enterprise resource planning software, email, cloud computing, laptops, iPads, smart phones, and other portable devises, companies may have data storage systems that number in the hundreds. Managing and securing critical information has become a commensurately more daunting task.

As the situation grows worse, many boards and senior management now take a head-in-the-sand approach to cyber-threat management. A recent survey from Carnegie Mellon University’s CyLab analyzed the cyber governance policies of the Forbes Global 2000. Its findings are troubling. “Boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets,” states the report. Less than one-third undertake even the most basic cyber-governance responsibilities.

These findings are supported by an in-depth look at cyber-crime published by PricewaterhouseCoopers late last year. According to the survey, which polled nearly 4000 executives from 78 countries, while cybercrime ranks as one of the top four economic crimes (falling just after asset misappropriation, accounting fraud, and bribery/corruption), 40% of respondents reported that they had not received any cyber-security training. A quarter said that their CEOs and boards do not conduct regular, formal reviews of cyber-crime threats, and a majority reported either that their company does not have – or they do not know whether their company has – a cyber crisis-response plan.

Welcome to the risk management officer’s worst nightmare.

According to the Ponemon Institute’s most recent statistics, the average cost of a data breach is $7.2 million with the average cost per compromised record coming in at $214. But the damage done by a cyber-breach goes well beyond the initial information loss. Real costs from business interruption, intellectual property theft, lost customers and diminished shareholder value due to reputation damage all can — and do — inflate those figures. In fact, for 40% of respondents in the PwC study, it is the reputational damage from cybercrime that is their biggest fear.

As cyber-risks continue to grow, companies must therefore focus on reputation as well as strengthening the mechanisms with which data is secured. A few things are imperative.

Boards and senior management must take responsibility for crisis response. Their objective must be to crystalize the company’s crisis instincts – to make crisis response part of the institutional DNA.

Crisis plans are actually counter-productive if they are created simply to be put on a shelf and read only when they are needed. Particularly in the context of cyber-crime, a realm in which new risks seem to emerge almost daily, the need to revisit and revise the plans is exigent. Regular rehearsals, refinements, discussions and additions transform the culture into one rooted in not the possibility but, rather, the expectation of crisis.

Education of employees is imperative. Employees often assume that securing company information is solely the responsibility of company IT specialists – an assumption fraught with risk. Every employee in an organization has the responsibility and the means to protect company data.

In addition to education, the key for companies is to keep less information in the first place, according to Paul Rosenzweig, Esq., founder of Red Branch Law & Consulting, PLLC. Backing up data on the other end is also vital. And while there are attendant costs involved, they are well worth it, he says. “In a world in which the bottom line is everything and the benefit of your expenditure may be recaptured only over years, if ever, this is hard,” said Rosenzweig. “It may well seem like all cost and no benefit in the beginning – that is, until the day it is all benefit and no cost.”

Companies must also designate a response team and ensure that all participants understand their roles. During a crisis, the response team must make critical decisions with too little notice and too little information. Regular meetings ensure that team members understand their individual responsibilities and develop trust in one another. Periodic crisis team exercises allow companies to capture what goes right and what goes wrong in each simulation. The lessons learned are critical when a real crisis is at hand.

When a data breach does occur, companies must make full disclosure as quickly as possible and let stakeholders know how they plan to remediate the situation so that it will not recur. Focusing on corrective future initiatives can restore trust.

With the advent of new technologies, the risks for companies are now greater than ever. Companies’ ability to recognize this moment and transform the way they think about their information is key to long-term sustainability and brand value.

When Risk Management Hits Closer to Home

Posted on by

(The following is a guest post by Marcus Cree, vice president of risk solutions for SunGard’s capital markets.)

A couple of weeks ago, there was a house fire at my home (no one was hurt, and the house is now in a restoration stage). Afterward, it occurred to me that I write, speak and consult exclusively on the subject of risk management, so this raises an interesting set of questions. How well do I internalize the risk management mindset, and do I apply the principles I espouse in the most important environment I know: my own home?

With this in mind, I decided to move away from strict financial firm risk management and instead apply the same kinds of tests to myself. In a risk strategy assessment, I would normally look at a range of indicators, so I decided to assess the recent situation with the same criteria:

  • Early warning of impending crisis
  • Contingency tactics for immediate reaction to the crisis
  • Post crisis, effect mitigation
  • Buy in across the team to the crisis management strategy

Early warning of impending crisis
In a typical financial institution, an “early warning system” would involve the risk management team understanding the level of risk that was deemed acceptable, and understanding what factors feed into this risk metric. This enables tail analysis to be done in order to understand what negative effects are hiding in the extremes of possible immediate spikes in the risk factors as they are being observed now. If the limits are set in accordance with the risk policy, then while the firm is taking active risks, these should be within the boundaries of management risk tolerance.

In a home and family situation, it is not much different. Understanding the potential sources of risk, such as wood burning stoves, electrical wiring, etc., and establishing the accepted level of risk is critical. A home needs to be heated in the winter, and the risk that this poses in terms of fire has to be offset by the need to maintain a reasonable house temperature. That said, appreciating the risk of fire has to be taken into account, and mitigated to the extent to which it can by regular maintenance of the chimneys and stoves. It is also vital to have a warning system in place.

In this case, most likely a smoke alarm system.

Contingency tactics for immediate reaction to the crisis
This is the second most important aspect of risk management. Once the emergency (or financial crisis) is underway, the situation (or losses) need to be held under as much control as can be expected.

In banking terms, this could be seen as liquidity reserves. How long can we survive as an institution under stressed conditions, and how do we make the most of the liquidity that we have? It is here that liquid assets, collateral and re-hypothecation of that collateral come under scrutiny

In the home fire situation, it is more a matter of evacuation. Does each room have at least two viable exits? Do all members of the family know the exit strategy, meeting points, etc.? It is important to understand that a fire is most unlikely on a sunny afternoon, with everyone wide awake. It is far more likely that smoke could be filling the exit corridors while everyone has been sleeping soundly until the moment of crisis.

In many ways, this is the same kind of problem faced by risk managers, who report on VaR numbers based on normal market conditions, only to be faced with a collapsing market and generalized confusion and panic across the market. Indeed, it is the stressed vs. normal assumptions that have caused a lot of criticism of the VaR based risk reporting.

Post crisis, effect mitigation
This stage is really covering the failure contingency, or hedging effects. In banking terms, this typically takes the form of credit default swaps, diversification and market hedges. Stressing these relationships and running disaster scenarios should be a routine job of a risk department. In the home situation, it comes down to insurance, and protection of key documents needed to activate that insurance.

Buy-in across the team to the crisis management strategy
I regularly speak and blog about risk culture and how the true risk managers in a bank are the traders and portfolio managers. The role of the risk department itself, in my view, is to facilitate communication of the risk appetite and the risk position between the senior management (who create the appetite) and the risk takers (who assume it).

In the home situation, the same thing applies. A fire evacuation plan is only good if it is understood by all who may be affected. Smoky 4:00 a.m. darkness is not an environment to start communicating about what needs to be done to prevent or survive a fire. The family has to recognize the smoke alarms, know to call 911, understand the exit options – including how to select the best one, and then know where to meet safely outside.

Ultimately there are risk management trade-offs to be made in order to achieve levels of reward or comfort. This is as true at home as it is within a Wall Street firm. I would rather not have tested my own “micro” risk culture in this way, but since it was tested, I now believe it can improved.