Boards Are Failing at Cyber, New Report Finds

SAN FRANCISCO—Information security executives are telling boards what they want to hear, not what they need to hear, and boards are frequently not asking the right questions or understanding the responses, according to a report released today by Bay Dynamics at the RSA Conference.

“The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting,” said Feris Rifai, co-founder and CEO at Bay Dynamics. “The board isn’t holding IT and security executives accountable for providing accurate, traceable and actionable information and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyberrisk.”

While the majority surveyed say they know what to present to the board, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cyber security threats. This may be in part because of the ongoing struggle to fully understand and measure cyberrisk exposure and the costs of failure.

Just over half of boards expressed a strong preference for qualitative information, while 38% have a preference for quantitative data. To truly make appropriate decisions, however, the board must focus more on quantitative information in context, meaning qualitative information must be wrapped around quantitative information, the report explained.

Regardless of what information they provide, only a third of IT and security executives believe the board understands the information they are given about cyber threats. In turn, only 39% think they are getting the support they need from the board to address threats. Some other major issues these executives identified in their reporting included:

[Figure: cyberrisk information reported to board]

While 36% of boards want recommendations for additional spending and 34% want recommendations to reduce cybersecurity spending, boards are getting little data about the specifics of information security investments. The most common type of information reported about cybersecurity issues is known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data loss incidents, Bay reported, while information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

[Figure: cyberrisk information reported to board]

Reporting is also relatively infrequent for such a rapidly evolving high-risk exposure, with most executives only presenting to the board quarterly, and 18% even less frequently.

[Figure: reporting frequency]

Looking forward, Bay Dynamics had the following suggestions for how both boards and IT and security executives can improve:

Issues the board must address:

  • The board is not doing its job when it comes to effectively managing cyberrisk.
  • Boards of directors must hold IT and security executives accountable for providing accurate, actionable information about their cyberrisk to help the board make effective decisions about their cybersecurity programs.
    Boards cannot make decisions about what they consider acceptable risk if they don’t have actionable information.

  • Boards must demand actionable information from IT and security executives about their cyberrisk since the board is responsible for the company’s risk appetite. Strengthening their cyberrisk program begins with the board.

Issues IT and security executives must address:

  • IT and security executives must communicate to their boards more effectively and more completely using quantitative and qualitative information. They should communicate the value of data at risk using numbers that explain what it is and how to take action to protect it.
  • Given that board members in many organizations are typically less technical than the IT and security executives reporting to them, the latter must contextualize the information in order to make it both understandable and actionable.

Two-Thirds of Latin American Companies Have a Risk Management Policy

A majority of firms in Latin America (66%) have developed a risk management policy and, of those, 70% make sure that the policy is known throughout the organization.

From these numbers, it is clear that risk management and enterprise risk management practices have made significant progress in Latin America, according to a joint survey by Marsh Risk Consulting and RIMS of businesses from 15 countries in the region.

But while risk management programs are in place at a majority of organizations in Latin America, much more can be done. Only 42% of respondents reported that their organization’s boards are involved with risk management.

What’s more, just 21% of respondents said their risk management programs are integrated with strategic planning.

“The report demonstrates that Latin American companies are increasingly understanding the competitive advantage and added value risk management brings to their organizations,” said Rodrigo Fajardo, Marsh Risk Consulting Leader for Latin America. “While the trend is encouraging, we must continue to educate Latin American business leaders about the benefits of an integrated and strategic risk management approach by demonstrating its ability to positively impact finances, sustainability and governance.”

The study was released as part of RIMS’ first Risk Forum Latin America, taking place Nov. 9 and 10 in Lima, Peru.

“Latin America’s growing economy offers many opportunities but, before engaging in commerce in the region, it is critical for risk professionals to be able to identify and assess all uncertainties,” said RIMS President Rick Roberts. “The report and RIMS’ forum are aimed at providing practitioners with a better understanding of the region’s risk management landscape and most pressing challenges to make informed recommendations for their organizations.”

Intuit Wins 2015 ERM Award of Distinction

CHICAGO—In recognition of its success in building a sustainable enterprise risk management (ERM) program to enable its business lines to identify and intelligently manage the most important risks, software company Intuit was presented with the 2015 Enterprise Risk Management Award of Distinction at this year’s RIMS ERM Conference.

“ERM transformed Intuit’s risk management capability requiring our leaders to think cross-organizationally and cross-functionally to understand the most significant risks and drive strategies to address them,” said Janet Nasburg, chief risk officer at Intuit.

“ERM was instrumental in not only providing insights about the company but has also driven changes in the way we align our focus. It is a tremendous honor to be recognized by RIMS for our hard work and to share our ERM experiences with the risk management community.”

Honorable mention for this year’s ERM Award of Distinction went to VIA Rail Canada Inc., the country’s national passenger rail company.

As a result of its ERM program, the company developed a risk appetite and tolerance framework based on measurable leading key risk indicators.

“Applying this framework to its key strategic risks strengthened VIA’s ability to assess, monitor, and respond timely to changes in its enterprise-wide risk portfolio, thereby adding value to its decision-making process and enhancing risk oversight by its board of directors,” said Denis Lavoie, VIA’s director of enterprise risk management.

“RIMS is delighted to recognize the accomplishments of these two organizations and their risk professionals through the RIMS Award of Distinction,” said RIMS Executive Director Mary Roth. “The Intuit and VIA Rail programs demonstrate the tangible value that ERM brings to their respective organizations for both strategy-setting and strategy execution.”

Judging criteria for the ERM Award of Distinction include the scope of the ERM program and how it engages different levels throughout the organization; the program’s link or connection to the company’s overall mission; and its ability to create additional value for the organization.

10 Tips to Excel in ERM

CHICAGO—For many risk managers looking to implement enterprise risk management programs, one of the biggest challenges is figuring out how to do it properly. Unfortunately, as Steve Zawoyski, ERM leader at PwC, pointed out in a session at this year’s RIMS ERM Conference, you will never find the perfect ERM program—it’s basically as mythical as a unicorn. But there are certain key steps you can take to increase your chances for a successful ERM program. Zawoyski’s top tips are:

  1. Establish ERM program objectives. One of the common stumbling blocks to a successful program is the lack of agreement as to why you are doing this in the first place. Some may be doing it in order to make better decisions around strategy while others have governance concerns in mind or are simply doing it because the board said so. Establishing proper objectives will allow you to create the program that works best for your organization.
  2. Manage stakeholders. There are likely multiple parties that have a vested interest in your ERM efforts from the board to business managers to legal and audit to regulators.
    You will need to consider all of their specific needs and concerns.

  3. Align risk functions. Risk management is part of every division’s responsibility. Getting everyone on the same page will avoid allowing fatigue to set in over yet another risk management effort.
  4. Align risk and management processes.
    It is important to understand how the business is being managed and connect to those processes in order to be in a position to share information up and down the organizational hierarchy.

  5. Define risk. The traditional definition of risk denotes a hazard or a failure of some process. Make sure your organization understands that risk is merely uncertainty that can have either a positive or a negative impact on objectives. It is OK to take on risk.
  6. Give credit. Different functions already have risk management capabilities and processes. Rather than reinvent the wheel, harvest the data and expertise already out there and build off that. Don’t build unnecessary steps into the process when those areas are already being addressed.
  7. Remember that risk is a four-letter word. Risk is an overused, ambiguous word with an often negative connotation. Risks are nothing more than variables that can present opportunities for greater success.
  8. Beware of risk categories. Labels like operational, financial, strategic or technology are overemphasized and not how business units think of risk.
    It is more effective to talk about risk in terms of management of hazards, compliance obligations or other uncertainties.

  9. Do your research. It is vital to develop a thorough understanding of the business and its drivers, from its capabilities to its competitive advantages to its strategic priorities and objectives.
  10. Simplify risk appetite. Risk appetite should be considered on a risk-by-risk basis and should boil down to a simple question: once risk controls and processes are in place, are you satisfied with the results?

ERM implementation can be challenging. But according to Zawoyski, it is all about keeping it simple for the stakeholders, ensuring that value is created, aligning to the business and evolving over time. By approaching your program in this way, all stakeholders will understand their role and how ERM relates to the overall strategy of the organization.