Cyber Risk a Top Concern for C-Suites

NEW YORK—Risk managers no longer have a problem getting the attention of their company board and executives when it comes to cyber issues, according to panelists at the Advisen Cyber Risk Insights conference yesterday.

At Royal Ahold N.V., in fact, a supervisory board “insists on an annual presentation on the insurance policies,” which include cyber, said Nicholas Parillo, vice president of global insurance for the company. Giving his annual presentation to the board is made much easier, because “the person before me is the chief security officer and before that, the CIO and it’s good to know that they are saying the same things I’m saying. That’s the level this kind of risk has achieved within major corporations.”


In the U.S., Ahold owns about 2,000 supermarkets—780 in the northeast, including Stop ‘n Shop and Giant Food Markets and 300 pharmacies, Parillo said. The company, which has annual revenue of $42 billion, also owns a number of chains throughout Europe.

Parillo noted that Ahold’s chief concern is the large amount of customer data needed for its goal of major online sales growth.


“Our CEO a couple of years ago established a goal of increasing our online sales from $400 million annually to $1.5 billion,” he said. “We should hit that target in the next two years or sooner. One of our big concerns in this area is fast growth in ecommerce,” and also that “good governance surrounds” that growth.

The company purchased its first cyber security insurance policy in 2007, he said, an action that was hastened by “two watershed events in retail business,” the Hannaford Bros. Co. privacy violation and the TJ Maxx case. Both of these have run into the “hundreds of millions of dollars now with a significant amount of legal fees associated,” he said, adding, “These events made my job a lot easier in terms of going to my management and saying that this could happen to us, despite the biggest and the brightest in our IT group.”

Jimmy Kirtland, vice president, corporate risk management with ING said that in the past, “trying to convince your CFO and CEO and general counsel that there really was [cyber] exposure,” was an issue. He explained that 10 or 15 years ago, “Even if you were going to look at cyber coverage you had only three brokers you could go to.”

Since then, “There has been a complete turnaround in 10 years. The market has grown tremendously and so have the brokers and it’s become much more sophisticated, which we appreciate. The C-suite has recognized that this is something that has to be looked at,” he said.


Dutch-based ING is restructuring, separating its banking and insurance operations. ING U.S. plans to rebrand as Voya Financial, a retirement, investment and insurance company, according to the company’s website. “In our case, one of the biggest concerns we had was that because of the split with our parent company, we had very little time to place our financial lines products, including cyber. So the concern is to get it right.”

The company filed an IPO in May, “and yesterday we announced we would have a secondary offering. When you don’t have the umbrella of a major global corporation anymore, you become keen on your risks and exposures,” Kirtland said.

What happens if technology fails at the company? “With us it really is out in the cloud,” Kirtland said. “Classic business insurance reimburses you for supply chain problems or if a warehouse burns down, so it’s an extra expense we have to worry about.”

To be able to stay in business in case of a technology failure, or in the case of “a system-wide blowout, we went with a time-limited type of retention. It’s a set amount based on the time you are out,” he explained.

Twitter’s Data Mining Profits Show Lesser-Known Social Media Risk


In an interview for this month’s issue of Risk Management magazine, lawyer and social media specialist Adam Cohen cautioned businesses that the risks of social networking sites extend beyond explosive posting faux pas.

“In most cases, corporations don’t realize that what they put on these social media services is all subject to the privacy policies and terms and conditions of the services,” said the eDiscovery expert and author of Social Media: Legal Risk and Corporate Policy. “Those provide a shocking amount of access by the social media services where they may take your data.”

As Twitter prepares for its much-anticipated IPO, the social media giant has released a torrent of information on its financial standing and practices. One of the most important tidbits for users concerns the site’s lesser-known side-business: data mining. In the first half of 2013, Twitter made $32 million by selling its data—namely, tweets—to other companies, a 53% increase from the year before.

So far this year, the company has raked in $47.5 million from selling user data to companies that analyze the social media posts for insights into news events and trends. Because of its real-time nature, Twitter is the primary contributor to data mining, though other social networks are frequently used in professional analysis.

This analysis is then sold to businesses for a slew of uses. “The types of ways that businesses are using Twitter data has gone deeper and deeper,” Chris Moody, the CEO of original Twitter data mining company Gnip, told Time. “We’re seeing it in supply chain and inventory management. It’s not just consumer brands that are engaging on Twitter.” The United Nations uses Twitter algorithms to pinpoint areas of social unrest. Burger chain Five Guys used “social intelligence technology” from New Brand Analytics to monitor quality in restaurants across the country and evaluate the appeal of a new fry size offering. Wall Street subscribers to one service, Dataminr, got a leg up on the S&P Index drop following the Navy Yard shooting. Five minutes before the news broke, users received an alert to take action after the company’s algorithms picked up on eyewitness reports and deduced from their timing, influence, and location that something urgent was taking place.

Clearly, there’s money to be made on both sides. According to the Wall Street Journal, the “social listening” business is booming, partially funded by millions of dollars in venture capital. Research firm IDC estimates that the entire “big data” market has grown seven times as quickly as the information technology sector as a whole, and may be valued at $16.9 billion in two years.

Data is mined for a variety of purposes – ones your company may even want to explore – but while there are benefits to the ends, the means translate into cyber exposures of which you may never know the details or depth. While the reputational risk of social media garners a lot of the attention – and rightfully so – there are increasingly tremendous exposures that lie in the terms you accept just to sign up. With Twitter going public, there will only be further incentive to maximize revenue by selling user data, and more reason to approach corporate social media with caution.

RMORSA Part 4: Risk Monitoring, Control & Action Plans

The fourth step of ORSA implementation, risk monitoring, control, and action plans, illustrates the importance of adhering to best practices when executing the earlier steps: risk culture and governance, identification and prioritization, and risk appetite and tolerances.

With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC Rule Proxy Disclosure Enhancements, boards of directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. Having a demonstrable plan for improvement, however, can greatly reduce or even exempt companies from penalties under the Federal Sentencing Guidelines.

The Right Way to Monitor Control Activities

Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished one of two ways: testing or business metrics.

Testing provides a high-level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.

Here’s an example: an insurance organization with an online customer service system is experiencing unacceptable downtimes, and the appropriate staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity, by insisting that every member of the support team be trained to refresh the system.

The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.

In testing compliance with the policy, the organization has lost sight of the risk. If it had tracked a business metric, like system downtime, it would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics might have indicated that the system was going down during peak usage hours, like lunch, when staff was unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.

Developing the Action Plan

To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but also with the risks they were designed for. Keeping track of these linkages can be impossible with two-dimensional spreadsheets, but it is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.

As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.

Interested in the best way to monitor or audit your risk management program?


Check out the RIMS Risk Maturity Model Audit Guide, also available through the RIMS Risk Maturity Model.

California Town Must Improve Risk Management or Lose Insurance Coverage


One southern California town has officially been warned that their insurance will be cut off if city officials do not adopt risk management policies.

Irwindale’s insurer, the California Joint Powers Insurance Authority, issued a performance improvement plan on August 28 and said city liability and workers’ compensation insurance will be terminated if the city does not adopt the measures. Allegations of corruption have cast a pall over the police department and local government, and the city has been forced into almost $2 million in settlement payouts over the past five years, according to the Pasadena Star News.

“They’re on notice that they need to improve their risk management practices within the city’s operations, specifically in the police department, to maintain their insurance coverage with our agency,” JPIA’s risk management program manager Bob May told the paper.

Irwindale has been mired in controversy over the past few years.

Of 24 police officers, three are on paid administrative leave and the department is conducting 14 internal affairs investigations. A local woman recently filed a $20 million lawsuit against the city, alleging that an officer sexually assaulted her during a traffic stop. Police Lt. Mario Camacho has been accused of retaliation by an officer under his command and of sexual harassment by a female cadet. Four city officials are charged with misappropriation of public funds, embezzlement and conflict of interest resulting from a series of lavish trips to New York City that utilized over $200,000 of public funds.

Under the guidelines from JPIA, the city must hire a permanent human resources manager and council members must complete training on council relations and cooperation. If they do not complete the improvement plan, they risk losing coverage and will have to go to the open market or self-insure.

In September 2011, the JPIA issued a similar warning to the city of La Puente, Calif. As part of the “healthy members program” criteria, which outlines what members should do to stay within risk management guidelines, Insurance Journal reported that the town’s performance improvement plan required that La Puente “hire a permanent city manager, give notice of any harassment and retaliation complaints, and send council members to etiquette classes to learn how to get along.” The city recently completed the program and remains insured.


So far, the only town to be officially cut off by the California Joint Powers Insurance Authority is Maywood. The city was dropped in 2010 and the lack of insurance forced the local government to lay off almost all of its employees and disband the police department.