Category Archives: Emerging Risk

Want to scan your crypto wallet for risks? Check: AML check BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money. You may not be aware of a risky transaction and at any moment, even can increase your AML rating into the red zone.

Building a Successful ERM Program

Posted on by

Iman H. Al-Gharabally is responsible for the enterprise risk management program at Kuwait Petroleum Corporation (KPC) and its subsidiaries since 2004. She is the team iman-h-al-gharabally-picleader, coordinator and project manager for the ERM program and its strategic implementation across the Kuwait oil sector. Al-Gharabally, a speaker at RIMS’ Middle East Risk Forum 2016, taking place Dec. 13 and 14 in Dubai, United Arab Emirates, discusses the implementation strategies and successes of KPC’s ERM program.

buy prelone online https://silvermancare.com/wp-content/uploads/2023/10/jpg/prelone.html no prescription pharmacy

RIMS: How did you begin the process of building KPC’s ERM program?

Al-Gharabally: In 2002 the KPC managing directors at the time recognized there was a serious need to look into and have in place a consolidated view of potential risks and a consolidated risk management format of those risks facing the organization. Hence the ERM initiative was introduced as a way to instill this unified format of consolidated risk management mainly through the insurance section. In 2004 the ERM initiative was introduced and in 2006 the ISO 31000 was launched.

RIMS: How did you develop your ERM structure?

Al-Gharabally: Initially I had no prior knowledge of what ERM stood for. I was recruited in April 2004 from Kuwait Oil Company (a subsidiary to KPC) to project manage and lead this new ERM initiative. I studied the topic extensively and slowly had to lay down the foundation for a dynamic ERM program for KPC and its subsidiaries. We started at the very top, first in the corporate office looking at the strategy of the corporation and what the corporate objectives aimed to achieve in the coming five years from 2004 to 2009. We then looked at the potential risks that would prevent the corporation from achieving those objectives and started the communication lines across the subsidiaries to initiate awareness on these potential risks and put forth mitigation options to ensure the corporation was well prepared and to increase our abilities to deliver on our strategic objectives.

It was imperative at the very beginning to ensure that we worked hand-in-hand with the various planning, HSE and marketing units across the entire value chain. The idea was to start the conversations early and brainstorm unilaterally for solutions to be placed to counteract any potential risks emerging that would hinder our 2020 strategic business goals.

Over the first few months in 2004, we managed to convince CEOs across the group to create and assign a focal point to be internally responsible for ERM and coordinate and liaise with us at the corporate head office on all ERM related matters. It took 10-12 months before having each subsidiary assign a dedicated ERM focal point. Once there were dedicated individuals to communicate with and be internally responsible for monitoring and reporting on all risk-related matters, the next phase of setting up an ERM framework and governance structure was initiated. In 2007 the ISO 31000 framework was launched across the group for implementation.

KPC’s ERM structure is that of a hybrid matrix in which central ERM policies, procedures and key performance measures are set, while subsidiaries and ERM units across the group are free to implement according to their individual company’s needs and business model.

RIMS: How did you make ERM a success?

Al-Gharabally: It was not an easy task, to be honest. KPC is the corporate head office to eight other companies from upstream to downstream. The nature of their business is quite complex and diversified. So to lead ERM initiatives and have them fully incorporated and periodically monitor and report on the progress is a challenging full time task. The key is to be well integrated.

From the very start of our initiative in 2004 we made certain that the corporate head office ERM unit was well integrated with each and every single subsidiary ERM unit. We put in place a platform establishing a community of ERM best practice and there are means to discuss, troubleshoot and share various topics to ensure the benefit is widely absorbed across the entire oil sector. We conduct periodic risk culture surveys and benchmark ourselves not only internally across the group, but also against international financial and oil corporations with advanced risk management programs.

RIMS: What is unique about KPC’s approach to ERM?

Al-Gharabally: Having an ERM program in place in an oil corporation is in itself unique. To take that further and have a single unified ERM strategy and shared initiatives across multi discipline functions and across eight subsidiaries elevates the uniqueness. Having delivered a successful fully functioning ERM program over the past 13 years in close collaboration with the corporation’s strategic planning, financial and marketing departments sets KPC’s ERM program apart.

RIMS: What tools/resources have been the most helpful on this journey?

Al-Gharabally: From a risk culture perspective, establishing a community of best practices for ERM individuals to have a platform to share and collaborate various ideas, trouble-shoot implementation issues or integrate objectives on unilateral ERM implementation plans is critical to the success of our program. Having a risk operating committee chaired by the CFO and reporting to the corporation’s risk and audit committee was also a critical success factor to KPC’s ERM initiative. Subsidiaries learned early on that having a dedicated ERM unit reporting directly to the CEO, with no conflicts of interest of shared ownership of risks in the reporting line, was a critical success factor to KPC’s ERM structure. From a technical perspective, establishing a clear ERM framework, policy and procedure as well as systematic reporting of risks in a unified ERM information system, and linking the reporting to the corporations was a critical success factor.

Rims: How can ERM best inform strategy?

Al-Gharabally: KPC’s decision to maximize transparency and work closely with strategy marketing and finance was a key aspect in making our ERM program successful. To be able to look at leading risk indicators and have in place the appropriate mitigation options for improving the corporation’s performance in meeting its strategic objectives is an invaluable resource.

RIMS: What advice can you give those embarking on building a world-class ERM program?

Al-Gharabally: Communication, communication, communication! Had we not lobbied, or brainstormed across various business functions early in our journey in 2004, or not ensured that we had the full support of planning and finance on board for our ERM initiatives, our program most likely would have flopped!

Retail Data Security: Preparing for the Top Threat for Holiday Breaches

Posted on by

holiday shopping retail risk

Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this, with credential attacks identified as the top source of data breaches as 63% occurred via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago.

And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult.

For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Creating a Strong Defense and Offense in Your Risk Management Program

Posted on by

Stakeholders demand that companies grow, but at the same time, they expect growth to be managed to make sure the brand is not tarnished. That means enabling value as well as protecting value, which comes down to striking the appropriate balance between risk agility and risk resiliency.

For many years, risk management has focused on protecting the brand and keeping the company out of trouble. But if it’s done right, risk management is about playing not only defense but offense as well—it’s about value protection and value enablement.

Defensive Risk Management

Defensive risk management is mostly about risk resiliency, enabling a company to either prevent bad things from happening or recover more efficiently from disruption. Defensive tactics include setting up a risk appetite statement and framework that are approved by the board on down. Next, the risks should be aggregated across the enterprise and mapped against that appetite along with related risk tolerances and limits. Defensive risk management is also about developing a set of very specific key risk indicators (KRIs) to look for. This includes having a solid business continuity management strategy that will quickly get things back on track after a risk event. These activities keep the company out of harm’s way, and may be the easier part of risk management.

Offensive Risk Management

The more difficult part is thinking about risk management offensively—leveraging it for strategic advantage and growth. The first offensive tactic is to align your risk management process with strategic planning so you can drive those priorities forward in light of all the risks you are facing. That’s not an easy thing to do because even though companies may think they’re aligned, many of them actually run two very distinct and separate processes. Another offensive tactic involves giving some of the risk management activities back to the business units—so they can run faster and drive risk-adjusted decisions and revenue plans.

Risk agility lets a company flex and grow by making the risk management process adaptable to changes in the business model or to external changes affecting the company.

online pharmacy cozaar with best prices today in the USA

It is also something that has to be thought about more formally so that it does not become counterintuitive to the growth agenda, but actually supports it and even helps drive it.

If a company is being held accountable by its stakeholders to grow—and they all are—that growth has to be pursued in a controlled manner so the brand doesn’t become tarnished. That is about striking the appropriate balance between risk agility and risk resiliency—playing offense and defense.

The simple fact is that companies that use their risk management activities to play both sides are more likely to see sustainable growth and better performance patterns because they are balanced between moving the business forward and keeping the business in check.

PwC’s study 2016 Risk in review: Going the distance highlights how companies can achieve this important balance. For example, companies that structure their risk management programs to play both offense and defense are more likely to see sustainable growth and better performance patterns.

online pharmacy rogaine with best prices today in the USA

In addition, these companies are nearly as likely to report that they expect significant revenue and profit margin growth (greater than 5%) as companies that are focused only on growth—and they are better positioned for sustainable success. Such companies are balanced between having the agility to move their business forward and the resilience to prevent bad things from happening and/or recover more efficiently from disruption.

online pharmacy fluoxetine with best prices today in the USA

pwc-3

High-risk growth

Some companies with aggressive top-line growth targets decide not to invest at the appropriate levels in their risk management programs, which can allow their growth to outpace their infrastructure. Following this course can bring more risks—vulnerability peaks and risk events become more crippling to the brand. In the end, more capital is spent on investments to take risk management activities to the next level after something bad happens to the business.

The mindset across industries is that immediate growth is great, but longer term, sustainable growth is better. Companies are building up stronger and more relevant second-line (risk and compliance) functions, and holding the first line more accountable on risk because they see that will help them achieve sustainable growth.
pwc-2

Adapt or get left behind

As the business landscape continues to evolve, companies need to adapt or find themselves in deep distress. The key to creating an effective risk management program is to find the right balance that allows for growth at a comfortable pace relative to the risk appetite and risk tolerance levels set by management, and accepted by the board. When that is done, your risk management program truly becomes a strategic asset, supporting both offense and defense.

Charting the Rise of Ransomware

Posted on by

At the beginning of the year, Risk Management put ransomware at the top of the list when surveying the 2016 cyberrisk threat landscape, and these attacks have arguably come to the fore as cyberthreat of the year, whether you measure by buzz or by increase in incidents.

Indeed, ransomware is not just grabbing headlines—these cyberattacks have quadrupled in 2016, according to a recent Beazley Breach Response Services review of client data breaches. Authorities report a similar surge at large, with the Department of Justice estimating that more than 4,000 ransomware attacks have occurred daily since the beginning of the year, representing a 300% increase from 2015.

buy imuran online www.arborvita.com/wp-content/uploads/2023/10/jpg/imuran.html no prescription pharmacy

In July and August alone, 20% more of Beazley’s clients suffered a ransomware attack than in all of 2015. While the ransoms remain low, often in the range of $1,000, the firm points out that the true costs are dramatically higher due to the extensive review of company systems and data required to ensure the malware has been removed and data is clean.

Looking at specific industries, Beazley noted a significant uptick in attacks against financial institutions in the first three quarters of 2016, with hacking and malware accounting for 39% of breaches in the sector, up from 26% in 2015, and in higher education, these attacks increased from 38% last year to 46% in 2016. Hacking and malware account for a relatively steady proportion of just over half of breaches in the retail sector.

buy synthroid online www.arborvita.com/wp-content/uploads/2023/10/jpg/synthroid.html no prescription pharmacy

Among healthcare organizations, however, human error has spiked, with 40% of industry incidents caused by unintended disclosure compared to 28% last year.

“From what we are seeing, it appears that many hackers are finding it easier to make money by holding companies to ransom for bitcoin than through selling personal data on the dark web,” said Katherine Keefe, global head of BBR Services. “But, the persistently high levels of hacking and malware attacks of all kinds are a reminder that organizations across industries, and of all sizes, need actionable plans ready to implement when a breach occurs.

buy addyi online www.arborvita.com/wp-content/uploads/2023/10/jpg/addyi.html no prescription pharmacy

Check out the infographic below from security intelligence firm LogRhythm for more background on the rise in ransomware, how these attacks are impacting businesses, and how businesses are responding.

ransomware logrhythm
ransomware logrhythm