5 Questions Boards and the C-Suite Should Be Asking About Cyberrisk

There is growing concern that corporate boards and senior executives are not prepared to govern their organization’s exposure to cyberrisk. While true to some degree, executive management can learn to identify and focus on the strategic and systemic sources of cyberrisk, without becoming distracted by complex technology-related symptoms, by understanding the organization’s ability to make well-informed decisions about cyberrisk and reliably execute those decisions.

Making well-informed cyberrisk decisions

To gain greater confidence regarding cyberrisk decision-making, executives should ensure that their organizations are functioning well in two areas: visibility into the cyber risk landscape, and risk analysis accuracy.

1. “How good is our cyberrisk visibility?”

You can’t manage what you haven’t identified. Many companies focus so strongly on supporting rapidly evolving business objectives that they lose sight of closely managing the technology changes that result from those objectives. Consequently, it is common to find that organizations have an incomplete and out-of-date understanding of:

  • Their company’s network connectivity to other companies and the Internet
  • Which systems, applications, and technologies support critical business functions
  • Where sensitive data resides, both inside and outside their company’s network

Without this foundational information, an organization can’t realistically claim to understand how much cyberrisk it has or where its cyber risk priorities need to be.

2. “How accurately are we analyzing cyberrisk?”

It is common to find that over 70% of the “high-risk” issues brought before management do not, in fact, represent high risk. In some organizations more than 90% of “high risk” issues are mislabeled. When it comes to analyzing cyberrisk, several foundational challenges exist in many organizations:

Nomenclature

How anxious would you be to ride on a space shuttle mission if you knew that the engineers and scientists who planned the mission and designed the spacecraft couldn’t agree on definitions for mass, weight, and velocity?

Odds are good that if you ask six people within your risk management organization to define “risk” or provide examples of “risks” you’ll get several different, perhaps very different, answers. Given this, it isn’t hard to imagine that risk analysis quality will be inconsistent.

Broken models

In the cyberrisk industry today, there is heavy reliance on the informal mental models of personnel. As a result, very often the focus of a “risk rating” is strongly biased on a control deficiency rather than a more explicit consideration of the loss scenario(s) the control may be relevant to. Without applying a probabilistic lens to risk analysis it is much more difficult to differentiate and prioritize effectively among the myriad loss events that could, possibly, happen.

Another challenge is that most technologies that identify weaknesses in security generate significantly inflated risk ratings. The outcome is wasted resources, unwarranted angst, and an inability to identify and resolve the issues that truly deserve immediate attention.

Although risk management programs within some industries have begun to examine and manage the risk associated with poor models, this focus is often limited to models that do quantitative financial analysis. This leaves unexamined:

  • The mental models of risk professionals and whether their off-the-cuff risk estimates are accurate
  • Home-grown qualitative and ordinal models
  • Models embedded within cyberrisk tools

Yet these models, with their implicit assumptions and weaknesses, are responsible for driving critical decisions about how organizations manage their cyber risk landscapes.

Reliable execution

Although risk management expectations and objectives are set through decision-making, execution is the deciding factor on whether the organization is able to consistently realize the intended outcomes.

3. “How well do personnel understand what’s expected of them?”

In one organization, the information security policies were written at a grade 21 level. Most organizations today have some form of information security policy and related standards, and many even require personnel to read and acknowledge those policies annually. Very often, however, the policies have been written by consultants or subject matter experts using verbiage that is complex and/or ambiguous. As a result, personnel may dutifully read and acknowledge the policies but they may not have a clear understanding of what actually is expected of them.

4. “How capable are personnel of meeting expectations?”

Things change. When budget belts get tightened organizations often cut training budgets. Given the rapid pace of change in the cyberrisk landscape, this can create serious skills gaps for cyberrisk professionals and technologists.

Another challenge in this regard has to do with outdated technology. Many organizations hang on to technologies well beyond the point where they can be maintained in a secure state. As a result, “policy exceptions” for these technologies become routinely accepted, which limits the ability of the organization to achieve or maintain its own security objectives.

5. “How well are personnel prioritizing cyberrisk?”

Which is more important: revenue, budgets, deadlines, or cyber risk?

Root cause analyses performed on cyberrisk deficiencies have found that personnel routinely choose not to comply with cyberrisk policies because they believe revenue, budgets, and/or deadlines are more important. This is influenced in part (perhaps a significant part) by the challenges noted above regarding risk-rating inaccuracies. It isn’t unusual to find that overestimated risk ratings create a “boy who cried wolf” syndrome within organizations. The result is that organizations don’t consistently or meaningfully incentivize executives to achieve cyberrisk management objectives because there is tacit recognition that much of what is claimed to be high-risk is not. Another factor is that revenue, cost, and deadlines are measurable in the near-term, whereas many high-impact risk scenarios are less likely to materialize before they become “someone else’s problem.”

The bottom line is that prudent risk-taking is only likely to occur if executives are provided accurate risk information and if they are appropriately incentivized based on the level of risk they subject the organization to.

At the end of the day…

Effectively governing cyberrisk is within the grasp of senior executives who deal with complex and dynamic challenges every day. By examining their organization’s ability to make well-informed decisions and to execute reliably, senior executives can more effectively identify and address the strategic and systemic sources of risk within their organizations.

Cybersecurity, Product Recall and Drones Top List of Emerging Casualty Risks

The cybersecurity insurance industry is booming, with demand for this specialty coverage vastly outpacing any other emerging risk line, according to a new survey by London-based broker RKH Specialty. In fact, 70% of the insurance professionals surveyed listed cyber as the top casualty exposure.

The brokers, agents, insurers and risk managers RKH queried after April’s RIMS 2015 conference said their top casualty concerns after cyber are product recall and drones (11% each), with others including e-cigarettes, autonomous vehicles and telematics totaling only eight percent.

RKH Specialty Study Graph

“Losses stemming from cyber-related attacks and business interruption can be catastrophic for individual businesses,” said Barnaby Rugge-Price, RKH Specialty’s CEO.

“Healthcare and retail have been the major buyers in the cyber space to date but we are seeing an increasing conversion rate across the whole of our portfolio. After a number of years of looking at the offering, clients are increasingly deciding to purchase the cover as the product has improved and the frequency of attacks has continued to increase. There has also been a heightened focus on the business interruption aspect, where cyber attacks can cause whole facilities to shut down. But whether cyber related or not, any interruption to the supply chain can cause a disproportionate loss. The survey highlights the importance of specialist insurance for a whole host of emerging risks.”

Turning specifically to property exposures, supply chain disruption was identified by 61% as the top risk, followed by flood (30%) and tornadoes (9%). The findings reflect a growing recognition of the potential exposures that longer and more complex supply chains introduce, the firm said.

The brokerage also asked insurance professionals what they think clients are and will be most concerned about when evaluating a broker’s service, and in turn, what brokers will need to focus on to stay competitive. They predict:

RKH Specialty broker service

Quantifying Supply Chain Risk

Today, more businesses around the world depend on efficient and resilient global supply chains to drive performance and achieve ongoing success. By quantifying where and how value is generated along the supply chain and overlaying the array of risks that might cause the most significant disruptions, risk managers will help their businesses determine how to deploy mitigation resources in ways that will deliver the most return in strengthening the resiliency of their supply chains. At the same time, they will gain needed insights to make critical decisions on risk transfer and insurance solutions to protect their companies against the financial consequences of potential disruptions.

As businesses evaluate their supply chain risk and develop strategies for managing it, they might consider using a quantification framework, which can be adapted to any traditional or emerging risk.

  • Begin with a “bricks and mortar” risk assessment. Start with the traditional property business interruption risk, focusing first on exposures related to your company’s owned physical plants and facilities as well as those of critical trading partners.
  • Understand and analyze your global business model, as well as any changes that have been implemented to create efficiencies or as a result of mergers, acquisitions or divestitures. Determine exactly how and where value is created and use this information to identify and assess potential vulnerabilities.
  • Distinguish between volume and value. You may have significant trade volume in dollar terms with one partner that can be easily replaced while the dollar volume of trade with a supplier of a critical raw material, component or ingredient may be small, but difficult and costly to replace.  In this case, the supplier with the least spend could be the one that has the most impact if disrupted.
  • Tie financial impacts to risk of disruption. This will enable your company to establish priorities and allocate resources in dealing with potential exposures.
  • Beginning with your most significant potential exposures, understand what mitigation options are available and compare them to what you already have in place.
  • Quantify your worst-case exposures in terms of maximum foreseeable losses.
  • Know your company’s ability to respond to events and threats, especially those that might affect the most critical elements of your supply chain. Identify specific emerging risks that are likely to have the greatest potential financial consequences, such as: cyber network interruption; political and expropriation risk; infectious disease and pandemic; product liability and recall, as well as other potential exposures.
  • In evaluating various supply chain exposures, leverage findings from the traditional business interruption study conducted earlier in the process. This can help determine how other risks might affect specific operations and individual trading partners and, in turn, cause disruptions along the supply chain. Remember, all business interruption risk resides on your company’s P&L and within your unique business model, regardless of cause.
  • Revisit your business continuity, incident response and crisis management plans in the context of the wider range of potential risks confronting your supply chain and individual trading partners.
  • Quantify worst-case financial exposures.  This will give you the ability to pinpoint how and where to allocate resources to mitigate exposures as well as to set priorities with respect to your risk transfer decisions, including coverages purchased, limits and optimal program structure.

What to Do About Reputation Risk

Of executives surveyed, 87% rate reputation risk as either more important or much more important than any other strategic risks their companies face, according to a new study from Forbes Insights and Deloitte Touche Tohmatsu Limited. Further, 88% say their companies are explicitly focusing on managing reputation risk.

Yet a bevy of factors contribute to reputation risk, making monitoring and mitigating the dangers seem particularly unwieldy. These include business decisions and performance in the following areas:

Financial performance: Shareholders, investors, lenders, and many other stakeholders consider financial performance when assessing a firm’s reputation.

Quality: An organization’s willingness to adhere to quality standards goes a long way to enhancing its reputation. Product defects and recalls have an adverse impact.

Innovation: Firms that differentiate themselves from their competitors through innovative processes and unique/niche products tend to have strong name recognition and high reputation value.

Ethics and integrity: Firms with strong ethical policies are more trustworthy in the eyes of stakeholders.

Crisis response: Stakeholders keep a close eye on how a company responds to difficult situations. Any action during a crisis can ultimately affect the company’s reputation.

Safety: Strong safety policies affirm that safety and risk management are top strategic priorities for the company, building trust and creating value.

Corporate social responsibility: Actively promoting sound environmental management and social responsibility programs helps create a reputation “safety net” that reduces risk.

Security: Strong infrastructure to defend against physical and cybersecurity threats helps avoid security breaches that could damage a company’s reputation.

But brand crises make headlines with increasing frequency, and companies are laying responsibility at the feet of the C-suite, particularly chief risk officers. Deloitte reports that respondents considered the primary responsibility to rest with: the chief executive officer (36%), chief risk officer (21%), board of directors (14%), or chief financial officer (11%).

What can they do? The study offered these key points to consider when crafting a crisis management plan:

  • Don’t wait until a crisis hits to get ready. Monitoring, preparation and rehearsal are the most effective ways to get ready for a crisis event. Organizations that can plan and rehearse potential crisis scenarios should be better positioned to respond effectively when a crisis actually hits.
  • Every decision during a major crisis can affect stakeholder value. Reputation risks destroy value more quickly than operational risks.
  • Response times should be in minutes, not hours or days. Teams on the ground need to take control, lead with flexibility, make decisions with less-than-perfect information, communicate well internally and externally, and inspire confidence. This often requires outside-the-box thinking and innovation.
  • You can emerge stronger. Almost every crisis creates opportunities for companies to rebound. However, those opportunities will surface only if you’re looking for them.
  • When a crisis seems like it’s over, it’s not. The work goes on long after you breathe a sigh of relief. The way you capture and manage data, log decisions, manage finances, handle insurance claims, and meet legal requirements on the road back to normality can determine how strongly you recover.

But the real objective should be preventing these potential crises to begin with. Deloitte recommends exploring the possibilities of “risk sensing” – using real-time data to monitor the issues that might impact a company’s reputation:

Crisis management for C-suite executives

Check out the infographic below for more insights from the Deloitte Reputation@Risk survey:

Deloitte Reputation@Risk Global Survey