ERM Best Practices in the Cyber World

Using ERM to assess cyber risk

If you read the news in 2011, it should be no surprise that data is more vulnerable than ever. The threats are growing more sophisticated by the day and the fallout if you suffer a data breach can cost a fortune. Risk managers need to take a more active role in this arena. It can no longer be the sole responsibility of IT.

“The volume and value of sensitive data has never been higher and the sophistication of those who want to steal it continues to increase,” said David A. Speciale, of Business Acquisition at Identity Theft 911. “All the while, the potential cost of a data breach grows ever more catastrophic in terms of financial, legal, and reputational damage. Failure to act is not an option.”

To this end, RIMS (the organization that publishes this blog) has released a new paper on how ERM can help. “ERM Best Practices in the Cyber World” discusses looking at cyber-risk as less an exercise in patching network systems and more about changing your mind-set. It’s about using ERM principles to better prioritize the actual threats and gauging how severely each could hurt the company.

The paper also provides advice on creating a better information security plan and gives an excellent, detailed overview of the many cyber-related rules and regulations that companies must abide by in 2012: HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, the FAIR Act, the Red Flags Rule, the PATRIOT Act, the Data Protection Directive, and the many state-specific notification laws that kick in following a data breach.

“ERM Best Practices in the Cyber World” is free to RIMS members and $29 for non-members.


Brad Pitt and Enterprise Risk Management

My employer, the Risk and Insurance Management Society, today unveiled its webpage for the upcoming RIMS 2012 Annual Conference & Exhibition in Philadelphia. They brought the show to Philly a few years ago, and it was a great host city. I’m sure it will be again next April.

Moreover, they got a speaker I consider to be one of the most interesting in RIMS history: Billy Beane.

For those who don’t know, Beane is the general manager of the Oakland A’s baseball team. And because he was instrumental in revolutionizing the sport into a new era of statistical analysis, he was also the subject of this fall’s blockbuster movie Moneyball, in which he was played by Brad Pitt.

The gist of the flick is this: In the olden days, scouts, coaches and personnel execs watched players hit or pitch, scanned a few basic stats and decided whether or not they would sign them to million-dollar contracts. It was a simple and seemingly adequate, if inefficient, system. But Beane had a tiny payroll, so he felt he had to better allocate his resources to cut down on waste. His solution: employ better data and foster a new way of thinking throughout the ballclub.

And in last month’s issue of Risk Management, I wrote about how the success of this transformation is not so dissimilar to how enterprise risk management has begun to rise to prominence in the business world.

You can check out the full piece here, but here’s an excerpt.

Baseball had become big business. But Oakland was poor. So basing the team’s strategy solely on the gut-feel of scouts, as had been done traditionally, would be reckless. With the stakes so high, how could Beane not use this new mountain of data to inform decision making? Tens of millions of dollars were on the line — not to mention a World Series.

The stakes for businesses have been similarly raised. Companies must also embrace any concept that may improve strategy. ERM has been a quantum leap forward for risk quantification. There are now oceans of information to help companies avoid the pitfalls of risk.

Head over to RMmagazine.com to read the rest.

RIMS ERM Conference: A Q&A on the Future of ERM

What does the future hold for enterprise risk management? That’s exactly what a panel Q&A session touched on during the recent RIMS ERM Conference. Carol Fox, director of strategic and enterprise risk practice for RIMS, moderated the discussion between attendees and:

  • Ryan Egerdahl, risk manager at Bonneville Power
  • Mary Gardner, chief risk officer at Zurich North America
  • Rob Torok, risk management consultant with IBM Global Services

To kick off the discussion, Fox asked the panelists what the biggest changes in ERM had been over the last 10 years.

Mary: A really big issue is going to be risk-based capital. Where do we require it, and where are we going to reduce our investment so we can write insurance in growing areas of the world? We want to reduce our risk so we can free up our risk capital so we can go into growing areas such as the BRIC nations.

Question: Have you spent much time talking about enterprise content management, like records management, which I’m hearing more and more about?

Rob: One of the things we’re rigorous about is information security, with both internal data and the data that belongs to our customers and our clients. We have an enormous amount of customer data. Because of that, there is an enormous number of controls IBM has put into place.

Mary: It’s an emerging risk. In fact, on October 13 the SEC indicated that all companies will be required to provide information on past breaches, what they might expect in future breaches and what impact that may have on their financial statements. That’s scary, and we need to figure out what that means. It’s something to definitely consider.

Question: Having a risk taxonomy — is that effective? Does it help you manage risks? By separating them into various categories?

Mary: I would say yes. We identify risks in each business division and analyze them. It’s kind of a top down, bottom up approach. We look at the different kinds of inputs. We also use that to determine systemic risks and see where we have risks concentrated in one particular area or business.

Rob: An organization must have a standard risk taxonomy. Everybody in the organization must look at those risks and talk about how those risks affect each particular business unit. We’ve developed a template of about 150 risks. That template is a fine starting point, but don’t use IBM’s or any other company’s template — it won’t apply to you.

A client gave me a list of 504 risks and asked me to comment on it. The reason they had 504 risks was because many risks were repeated in each business unit and geography. This is because they never had a standard taxonomy. That list could’ve dropped by 40 or 50% easily if they had a standard language or taxonomy.

Mary: Companies need to think of their standard taxonomy as a living document.

Question: What do you do to help identify emerging risks?

Ryan: I’m less concerned about the unknowables. I’m concentrating on the big risks facing us now. We have enough to worry about right now in our business alone.

Rob: I haven’t got a clue what that next risk is, but allow yourself to think broadly about it. Don’t close your eyes to things. Don’t shoot down the ideas of someone who says, “Hey, what about this or what about that?”

Mary: Keep it simple. We can make this ERM process so complicated sometimes. Maybe if we just get back to basics it would be much better.

Ryan: If you’re just starting the ERM journey, don’t rush into the GRC software immediately — wait until you’re mature enough in the process to get there.

Mary: Get out of the box. There are a lot of conversations that may spur thoughts. Talking to risk managers in other industries may spark ideas.

Rob: What about your business and social network? What are they worried about? I’m not talking about things that have already occurred, but what has not happened yet in their enterprises. Use that information to help you think about risks in your own enterprise.