Q&A: 2019 Risk Manager of the Year Luke Figora

Luke Figora, senior associate vice president and chief risk and compliance officer at Northwestern University, was named the RIMS 2019 Risk Manager of the Year today.

With annual revenues of approximately . 5 billion (reported in 2018) and nearly $700 million in sponsored research annually, Northwestern is among the country’s leading research universities. Figora has risen quickly through the ranks at Northwestern, where his enterprise risk management (ERM) framework has elevated its risk culture across three campuses—two in Illinois and one in Qatar.

Figora spoke with Risk Management Monitor about his experience as one of the youngest stakeholders among Northwestern’s leadership, his process of customizing an ERM matrix and his reaction to the recent college admissions scandal.

Risk Management Monitor: You and your department created an ERM matrix in the past year that united Northwestern’s compliance owners and that may even set a precedent in higher education. What went into its creation?

Luke Figora: We spent a lot of time defining risk appetite statements and tried to make our program a little more outcome-based and actually show how we’re moving the needle on uncertain key risks for Northwestern. And we avoided spending too much time aligning perfectly to one of the ERM frameworks like COSO or ISO. So I think if someone looked at our program from the outside, it might not check all the boxes from a typical model perspective, but it’s driving action here at Northwestern and it seems to be the right level for engagement with our stakeholders.

I think one of the biggest challenges for ERM at Northwestern—and maybe this is true across the industry—is that we don’t necessarily have one strategy right now. We have some pillars and values that Northwestern follows, but we’re ultimately a very decentralized institution that has a number of schools, and a number of units in each one of those have slightly different objectives and goals.

RMM: It seems that there is a degree of transparency, but not full transparency.

LF: Right. For example, athletics and the School of Medicine have very different risk profiles and neither one of them should know the other’s risks or operations. And it would be hard for someone in athletics to speak about the risks of animal research within the School of Medicine. I think that’s where our risk office plays a role in right-sizing the expectations and taking the feedback from all the units, but trying to do some triage through that.

RMM: Many of your colleagues are several years your senior—how has that impacted your work?

LF: I am probably the youngest person on the leadership team across the institution, but it has probably been beneficial. I have tried to bring different ideas and update the ways in which we think about risk. I’m not jaded by the insurance industry, and I think people are receptive because of that.

RMM: Since arriving at Northwestern nearly five years ago, you moved up the ranks relatively quickly, although you’ve maintained that was not your goal. How would you advise young risk professionals as they get their feet wet?  

LF: I think all of us at early stages in our careers can’t wait to be a manager and want that vertical growth and the chance to lead a team, but the bigger driving factor for me has been horizontal growth and expanding the portfolio. After that, I believe the other opportunities will come. That is a belief I try to hammer home in my work and when I make industry presentations.

RMM: The college admissions system is a hot topic due to the major scandal that broke in March. How might that have affected where the admissions process is on Northwestern’s risk register?

LF: Last year at this time, fraud in the admissions cycle wouldn’t have been one of our top 10 enterprise risks. But when things like this break, there is a tendency to go into reaction mode and examine whether we have similar issues. I always try to keep people level-headed and remind them that just because this hit doesn’t mean it moves to number one on our crisis management list for the year. It is worth doing a deep dive into the question or topic that’s in the news, but whenever scandals hit, I think we’ve tried to approach them with a rational view.

RMM: It sounds like the knee-jerk reaction is to go into crisis communication mode, even though it’s not your crisis.

LF: We know we’re going to get questions from our trustees, so there’s an initial all-hands-on-deck mentality. You have to make sure you have talking points that outline how we’ve thought about it because we know we’re going to get questions from the media. We do focus on crisis communications, but it becomes more about knowing if we have the right controls that could protect the institution from something like this happening to us.  

Figora was also the special guest on this week’s RIMScast, which you can download here.

NCSA and NASDAQ Advise Risk Managers to Look ‘Beyond IT’ Following a Breach

NEW YORK — “Incident Response and Recovery” was the theme of the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit on April 17. Security and risk professionals from the Department of Homeland Security (DHS) and various companies and organizations convened at the Nasdaq Marketsite to discuss methods that focus on resilience and recovery following a cyber attack or data breach.

NCSA Executive Director Kelvin Coleman led the fireside chat with Matthew Travis, deputy director for the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The timing of Travis’ appearance was unique, considering that Kirstjen Nielsen–formerly the secretary of Homeland Security and Travis’ director–recently resigned from her post on April 7. While that announcement grabbed widespread attention due to her involvement with the humanitarian and immigration crisis at the U.S.-Mexico border, it also has major impacts for the country’s efforts to counteract cyberrisk and data breaches. Last September, Nielsen announced the formation of the National Risk Management Center (NRMC), an initiative focused on defending critical infrastructure from cyberattacks and providing a single point of access to the full range of government activities to defend against cyber threats.

“There is no doubt [Nielsen] was the most cyber-savvy secretary the department’s ever had. She brought real bona fide domain expertise in cybersecurity to the department,” Travis said. He added that the creation of CISA is her legacy and that the relationship with Kevin McAleenan, the new acting secretary of homeland security, has been harmonious.

Travis reminded attendees that its partnerships with the private sector were crucial and that CISA regularly monitors national critical functions such as elections, electrical grids and financial transactions, which he said are the “big things that drive our economy.” He also said that companies can leverage CISA resources immediately after a breach as a supplement to the FBI’s criminal investigation.

“We’re going to help you understand exactly what happened and help you recover the data and mitigate some of the impact. The private sector firms do that very well, but the difference is that…[CISA] is free,” he said. “That is where we would like to work with owners and operators, when there is an event, to help them get back on their feet as soon as possible.”

Additionally, Coleman and Travis discussed that though CISA is not part of the intelligence community, it does have access to the intelligence collection and monitors trends that can be used to warn private sector companies of cyberrisks. He cited the recent Domain Name System (DNS) infrastructure hijacking campaign that CISA warned about in February—in which at least 40 different organizations across 13 different countries were compromised—as an example of the agency taking steps to alert both the public and private sectors.   

“When we issue technical alerts or emergency directives,” Travis said, “[we] communicate to our stakeholders what to look out for.”

How to Reduce Uncertainty After A Breach  

In the next session, panelists agreed that even when companies use new technologies to remedy security flaws and migrate data to cloud storage, new vulnerabilities occur. Dr. Michael Siegel, principal research scientist and director of cybersecurity at the Sloan School of Management at the Massachusetts Institute of Technology (MIT), said that the old adage of risks being rooted in people continues to be prophetic.

“It’s always been about people and things that sit in our systems for a long time,” he said. “You’ve heard this since the 2000s and it’s still true, and even more true today.”

Should a business find itself in a situation where ransom is being demanded for intangible assets and information, Siegel advised that then is not the time when stakeholders should first decide whether they’d be willing to pay.

“They should know whether they’d pay ransomware because they have [presumably] done tabletop exercises…that will be absolutely essential because any time you wait and indecision will be [catastrophic],” he said. “You have to have practiced it in advance. You can build a scenario-generator and run it through a classroom.”

Companies can also learn from breaches, if tracking is implemented within their code, noted Tyler Shields, vice president of strategy for Sonatype, an open source governance platform. “The ability to track your code from creation to deployment—that entire life cycle—needs to be instrumented so that when a breach occurs you know what component was affected, where it came from, who implemented it and what protections were in place.”

Incident Response Recovery Beyond IT

The final session panelists agreed that holistic approaches were essential for successful responses and recovery periods. Internal and external communications should be well thought-out and designating a person or team to handle them sets the appropriate company precedent. Lisa Plaggemier, chief evangelist at Infosec and NCSA board member said that, for example, while a company’s lawyers are critical during these times, they might not be the best communicators.

“Lawyers, when they write for communications, tend to sound more scary than reassuring,” she said. “You want to have collaborations and have that communications person in the room with them.”

Photo courtesy of the National Cyber Security Alliance

When it comes to crisis communication, Plaggemier advocated that employees—especially those who detected the incident—should be armed with talking points for traditional and social media outlets to avoid data leakage.

“We want to make sure we equip those people so that the rumor mill doesn’t start flying and we don’t end up with communications that are out of our control,” she said.

Dovetailing on that notion, moderator Andrew Derboben, senior director of security operations at Nasdaq was quick to mention reputation risk. He said another way to reduce data leakage and misrepresentations in the media—which can further harm a company’s reputation in the aftermath of a breach—is to arm all company employees with a brief script on what to say to anyone, even just passersby making small talk.

“Don’t even have them say ‘no comment,’” Derboben said. “Point them to the experts who have all the data. Because if we’re missing a key piece of information and it’s not communicated properly it could determine how an article will be written.”

RIMS Report: Making Sense of AI

The risk of not adopting some form of artificial intelligence (AI) can be much greater than the potential risks of implementation according to the new RIMS Professional Report: Making Sense of Artificial Intelligence and Its Impact on Risk Management.

Authored by RIMS Strategic and Enterprise Council member and director, Microsoft Enterprise Risk Management Tom Easthope, the report explores forms of AI available to organizations, common implementation scenarios for risk professionals to consider, as well as opportunities for those professionals to advance their careers in light of the emergence of AI technologies.

“While the discussions about the long-term impacts of artificial intelligence on society are important to understand and track, the more pressing issue is to understand the impacts on your industry, your organization and, ultimately, your career,” Easthope said.

“Risk professionals should find ways to participate in strategic discussions around AI and educate themselves on the world of possibilities it offers them and their organizations.”

The report explores AI’s foundational concepts, such as data and algorithms. It also discusses forms of AI, such as artificial general intelligence (often referred to as “thinking machines” along the lines of C-3PO from the “Star Wars” films) and artificial narrow intelligence (ANI), which focuses on tasks that have major business impacts, including image recognition, credit card fraud detection and speech recognition. Citing research that AI-derived business value will be worth $3.9 trillion in the next three years, ANI presents risks and opportunities for risk professionals and their companies.

And while the report suggests that changes introduced by AI innovation and automation will impact jobs and tasks in the risk, compliance and insurance industry, it also presents methods to keep professionals less expendable, if they’re willing to embrace the technology.

“But while change is inevitable, it does not mean that your risk career must end,” the report said. “Essentially, if you understand the organization’s strategy and how it can enhance its operations with ANI or the context around data, then you have something to offer.”

RIMS Strategic and Enterprise Risk Management Council (SERMC) is organized to provide leadership on strategic and enterprise risk management research, practices, topics and issues, in alignment with RIMS’ vision, affiliations and partnerships. SERMC comprises RIMS members, academics, strategists, consultants and other practitioners who are experienced with strategic and enterprise risk management and related issues.

The report is currently available exclusively to RIMS members. To download the report, visit RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge. For more information about the Society and to learn about other RIMS publications, educational opportunities, conferences and resources, visit www.RIMS.org.

Seven Qualities of an Impactful Risk Register

You might have resolved to tidy up some processes and press the “reset” button on your risk register in the new year. Whether you’ve started a new position, want to improve your company’s operations or just overhaul your existing register, the basic foundations are out there.

Demonstrating their altruistic nature, many RIMS members have been offering their insight to those seeking suggestions – even going so far as to send their Excel sheet registers. Here are some criteria for your X and Y axes, culled from the OPIS network and existing resources on Risk Knowledge. While they are by no means a finite list, they can act as building blocks for your new template or register.

  1. Exposure. Define the imminent or possible risk event. Examples could be a data breach or earthquake.
  2. Risk Category. Itemize by who or what was affected by the exposure. Employees, property, locations, and systems are some examples. If the exposure was public-facing, be sure to include your customers and shareholders.
  3. Cause of Loss. In addition to simply entering the risk origin, also detail whether it was on the radar or completely unforeseen. You might choose to add a subcategory (or row) if necessary to document the specifics.
  4. Consequences (Primary and secondary). While many exposures impact the bottom line, it might also include damages to systems, infrastructure, and absences. There are other consequences that are tougher to quantify, such as reputation and employee morale. Subcategories for secondary (and tertiary, and possibly beyond) might be necessary.
  5. Target Risk Level. Driven by each company’s risk appetite level, the target risk level should be the mitigated level. “For example, risk appetite for strategic can be 4 (out of 5), operations 3 and safety 2,” wrote one member on an OPIS thread. “Therefore, any risk should be mitigated to the acceptable risk appetite level within each risk category – hence, a safety risk of 4 needs to be mitigated to a 2 level.”
  6. Expected Losses and Gains. Establish value to the projected outcome. There is certainly a downside risk to natural disasters, particularly where injuries, casualties, and property damage are concerned. But not all risks will be negative; selecting a new cybersecurity system, for example, may have costs but also estimated savings.
  7. Assignee. Just because you are the risk manager does not mean you are responsible for solving all the problems or having all the answers to each risk. A data breach would typically be assigned to the IT leader. However, depending on the size and structure of your organization, you might be the de facto authority on certain exposures, such as emergency preparedness and natural disasters. In those cases, enter your own name and get ready to act.

As stated earlier, these qualities are just starting points as you build your register – you should customize it to your organization and personal preferences.

When reflecting upon the makings of the risk register, one member said that the most critical issue was not the format, but rather “the dialogue that surrounds the register,” adding that “the discovery and discussions were what made that part of the ERM activity useful. Of course, having a nice means of communicating it makes it easier to focus the dialogue.”

RIMS also offers suggestions for ERM programs. Visit the OPIS network to get feedback from members and Risk Knowledge for resources such as the ERM Starter Risk Log Template.