Resiliency in 2018: Q&A With BCI’s David Thorp

Organizational resiliency is a focus of the Business Continuity Institute (BCI) and executive director David Thorp. It was the theme of this year’s annual Business Continuity Awareness Week, which Risk Management Monitor covered in May, and was the focus of BCI’s updated manifesto.

We reached out to Thorp to get his insight on organizational resiliency, how businesses can improve their continuity plans and for ways to better incorporate them into their culture.

Risk Management Monitor: What companies have best demonstrated resilience?

David Thorp: A few examples of organizations that have displayed a high level of resilience are Apple, TomTom, and PostNL.

Apple displayed resilience when they reemployed Steve Jobs to reshape the company.

TomTom started by making software for Palm computers. It has dealt with a rapidly changing marketplace and over the years it has:

  • produced navigation software for PDAs (personal digital assistant)
  • produced its own navigation devices
  • developed live traffic information
  • acquired a digital mapping company
  • developed navigation software for smartphones
  • struck up deals with car manufacturers

PostNL (formerly TNT) has had to adapt to the decline in regular mail as well as tapping into the requirement to deliver more packages (outside working hours) as a result of an increase of web shops.

RMM:  What do organizations most commonly overlook in their continuity planning?

DT: Two most commonly overlooked aspects are keeping plans up to date and exercising/testing.

Business continuity management is often initiated as a project, usually assisted with external expertise. Internal personnel frequently have this role in addition to their “normal” functions. As the organization changes, these plans often get overlooked. After one or two exercises have been carried out, the focus on exercising quickly diminishes.

Unfortunately, these two aspects have a large impact on the ability to recover as planned. It could be argued that this is an indication of a lack of management commitment.

RMM: Why do so many companies overlook their continuity planning and emergency preparedness?

DT: The biggest reason is that it is not a requirement for many organizations. When not required by a regulator or a customer, the organization must:

  1. know about continuity planning and emergency preparedness
  2. understand their risk
  3. understand its value before there is a possibility of it being implemented

By not having done a risk or impact analysis, it is also easy for organizations to think that a disruptive event will not happen to them and therefore not worth the hassle and investment.

RMM: How much time and effort does creating and initiating a business continuity plan take?

DT: This depends on the size and complexity of the organization, the ambition level and the resources available. For small organizations, it is possible to create and exercise plans within a month—but this would typically take a little longer as the required people will also have other tasks. For a large and more complex organization, it may take two-to-three years to reach the desired maturity level.

RMM: What advances would you like to see the global risk management community achieve with regard to planning and preparedness?

DT: I would like to see a better understanding of each other’s disciplines and a better collaboration between them. There is much overlap between the two disciplines and with better collaboration, we can more efficiently and effectively minimize risks and improve the continuity. We are currently working on better understanding how we achieve synergy between business continuity and risk management. We see this as being a prerequisite for achieving organizational resilience. Collaboration with other disciplines is also necessary.

RMM: We’ve seen examples of reputation crises that have in some cases forced companies to close. How can organizations avoid these pitfalls?

DT: A major factor in managing the extent of the reputation damage is the quality of the crisis communication. How well and honestly you inform those affected and of course how you deal with social media makes the difference in how you are perceived. The subsequent actions need to be in line with the messages communicated.

RMM: What has changed in the BCI’s Manifesto for Organizational Resilience that risk professionals should know about?

DT: The manifesto is built on the simple premise that resilience is not the responsibility of one part of the organization—it is the responsibility of discipline within an organization working closely together toward a common purpose. Risk Management, emergency planning, disaster recovery, security, facilities management, business continuity management, supply chain management, IT management, HR management…all have an equal role to play in delivering resilience.

The manifesto contains our undertaking to seek out alliances with other professional bodies along the spectrum of what might be termed “resilience disciplines” in order to work collaboratively. This would make organizations more resilient than if we each work within our own silo.

National Safety Month Targets Preventable Deaths

Hazardous work zones, insufficient planning, prescription and illegal drugs and distracted driving continue to affect the careers and companies of employees in the United States. According to the National Safety Council’s (NSC) Injury Facts, the lifetime odds for the top three accidental causes of death are motor vehicle crashes (1 in 102), opioid and painkiller use (1 in 109) and falls (1 in 119).

To demonstrate that “knowing the odds is the first step in beating them,” the NSC launched its No 1 Gets Hurt campaign as part of National Safety Month, which begins June 1.

“Preventable injuries are the third leading cause of death for the first time in United States history,” NSC president and CEO Debbie Hersman told Risk Management Monitor. “Sadly, our national opioid epidemic and the sudden recent increase in motor vehicle deaths have propelled preventable injuries past chronic lower respiratory disease and stroke in terms of how many lives are lost each year. Every single unintentional injury could have been prevented.”

The numbers tell the story. In 2015 there were 214,008 injury-related deaths in the U.S., 69% of which were unintentional.

Slightly more than half of those unintentional deaths occurred at home, while the remainder were classified as motor vehicle nonwork (24%), public (22%) and work-related (3%). Although the latter had the smallest number – 4,190 – that still equates to nearly 11.5 preventable work-related deaths per day.

NSC data also indicates that, on average, an additional 12,100 at-work injuries occur each day.

The cost of these injuries was estimated at nearly $142.5 billion in 2015, equivalent to 15 cents of every dollar of corporate dividends to stockholders, 7 cents of every dollar of pretax corporate profits and exceeds the combined profits reported by the nine largest Fortune 500 companies.

NSC statistics indicate that since 1900, death rates in the U.S. have decreased by 71.1%. Preventable causes of death are also down by nearly 45% in the same time period but have been steadily increasing since 1992, which marked its lowest point (60.5%).

No 1 Gets Hurt aims to identify safety risks and prevent the leading causes of injuries and deaths at work and at home. Each week in June will focus on a different overarching cause of injuries and fatalities in the U.S.:

  • Emergency Preparedness
  • Wellness
  • Falls
  • Driving

“This year’s theme, No One Gets Hurt, encourages everyone to make at least one change for safety during June,” Hersman said. “Small actions—creating an emergency escape plan, avoiding using your phone while walking, or wearing your seat belt, for example—can make all the difference.”

To help accomplish this, tip sheets and articles are available in English and Spanish. NSC members will also have access to other materials, including checklists, 5-Minute Safety Talks, games and best practices. As with other safety-themed campaigns, NSC encourages employers to use these resources during the designated weeks, or create a schedule that works best for their organization.

The NSC made these suggestions to keep workers, families, and communities thinking about safety in June and beyond.

  • Distribute the downloadable National Safety Month materials
  • Create bulletin boards, newsletters or blog posts
  • Encourage others to take the SafeAtWork pledge at nsc.org/workpledge
  • Share posts on your social media channels using #No1GetsHurt
  • Provide safety training
  • Host a safety fair, lunch ‘n learn, trivia contest or celebratory luncheon

“Employers look to NSC for resources to help employees understand safety risks, and we are committed to helping them provide that education—not just in June, but year-round,” Hersman said.

Are You Prepared for GDPR?

If your work involves personal data, you probably already know the European Union’s (EU) General Data Protection Regulation (GDPR) enforcement date is May 25.

While penalties for noncompliance can be stiff, the sky may not be falling just yet.

GDPR focuses on personal data originating from the EU, which reaches well beyond the EU’s borders into organizations around the world that collect, process, use and store that data. As a regulation focused on data protection and privacy, GDPR’s impact may extend far outside the EU. For example, there are signs that Latin American countries may be considering a regulation that mirrors GDPR. With the recent Facebook/Cambridge Analytica data privacy fallout, several pieces of privacy-related legislation in the U.S. are currently being considered by federal lawmakers.

Privacy is a risk-based problem. Organizations should assess which risks exist and determine their risk tolerance. With data privacy, these risks are typically financial (such as fines and lawsuits) and reputation (bad press and negative perceptions).

GDPR also introduces a newer risk into the risk landscape – one related to activist groups potentially using GDPR as a springboard to flood a target organization with data subject requests.

Why GDPR matters and to whom it applies
GDPR applies to personal data originating from the EU. GDPR gives individuals (aka “data subjects”) control and ownership over their personal data. This includes personally identifiable information (PII), IP addresses, biometric data, social identity, along with health, economic, cultural and genetic data. There are two reasons this has gotten so much attention:

  • The GDPR represents the EU’s most sweeping changes to privacy regulations in decades. It requires organizations to be transparent about which data is collected and how it will be used. All data collected must have a purpose and be kept accurate and up to date. Individuals (aka data subjects) now have the power to access their data, fix errors, restrict usage, move data and demand that their data be deleted.
  • The penalties for noncompliance are unprecedented. The law sets out penalties of up to four percent of global revenue or €20 million, whichever is greater. It is not clear at this point how and when these fines will be applied or if they are even enforceable outside the EU. However, the significant size of the potential fines and potential risk of noncompliance captured the attention of organizations around the world.

Large data-driven organizations have been working toward GDPR compliance since the regulation was passed in 2016. A significant number of organizations may not be ready, however. In fact, a flash poll conducted by Baker Tilly during a recent GDPR webinar revealed that 90% of attendees do not have the necessary controls in place to be GDPR-compliant.

What to do today
Preparing for GDPR compliance is a matter of preparing for privacy in general. Whoever you are and wherever you are in the world, consider these steps in your compliance journey:

  1. Identify potential data and systems affected by GDPR: Put a process in place to understand what data you collect and why. Know where it is coming from and where it is stored. You will want to know where you have “data pools” with GDPR relevance and you’ll want to know the scope. Is it one record or one million? Where are the gaps in compliance?
  2. Understand existing data privacy controls: Review your existing data protection controls and assess GDPR compliance. Do you have written security protocols in place? What is your risk exposure? Depending on the type of organization you represent, you may actually be closer to compliance than you think. For example, organizations compliant with NIST, ISO, HIPAA, PCI DSS, Privacy Shield or other frameworks, may be well on the way to GDPR compliance.
  3. Lead from the top and educate: The news cycle is now dominated by the questionable use of personal information and it appears the shift to a data subject-centered environment may very well be here to stay. This issue goes beyond risk management and IT. Marketing, legal, government affairs, HR and communications are just a few of the functional areas touched by privacy issues. They all need to be as committed to data protection as the chief privacy officer.
  4. Be clear about how you will deal with data-subject requests: Once you have a clear picture of the data you possess, it is essential to design, implement and document your processes to correct, transfer and delete that data if required or being able to provide a valid, legal reason for retaining the data.
  5. Determine whether you need a data privacy officer: The GDPR requires that a data privacy officer (DPO) be appointed in most situations. Proactive organizations should consider the organization’s position and strategy. Is privacy an essential piece of the business model (as it is for a bank) or the brand (as it is for Apple)? The answer may well influence whether or not you define a new area of leadership and accountability.

Looking ahead
There is a shift taking place. People used to accept (or not know) that their online data and personal information were being tracked and used by others. Many people seemed to think this was simply the price of being online. Now, people are questioning how their data is being used and governments are starting to listen. GDPR is the likely first step toward far more widespread change.

This is not about solving every single detail today. Most experts believe that a well-documented plan and clear effort to comply with the GDPR will make conversations with supervisory authorities significantly easier. Do the homework ahead of time, know your landscape, get your systems in place, be transparent and be ready to pivot when necessary. Do that, and you will be miles (or kilometers) ahead of everyone else next time a new law or regulation goes into effect.

Implications of Flood Risk

Across the vast geography of the United States, flood is no stranger to any of the states. From the March 2018 Nor’Easters that slammed the East Coast to the numerous storms and hurricanes that have swept across the country, both coastal and non-coastal regions are all at risk of flood.

FEMA reports that 98% of the U.S. counties have been impacted by a flooding event in the past, and 2016 and 2017 are examples of both the frequency and severity that the peril poses. According to Munich Re’s Geo Risks Research, there were more floods in the U.S. in 2016 than any year on record. Hurricane Harvey, the eighth named storm in the 2017 Atlantic hurricane season, caused large flood losses and is reported as the second costliest hurricane in U.S. history after Hurricane Katrina. Major losses from Katrina were caused by flooding due to levee failure.

The National Flood Insurance Program (NFIP) was enacted by Congress with three main pillars: affordable insurance, floodplain management and flood mapping. Since its inception, the program has helped thousands of home owners with total claims exceeding $65 billion. The NFIP’s role in aiding homeowners was evident during the weeks and months following Hurricane Harvey. According to FEMA, as of January 2018, more than 91,000 NFIP policyholders had filed claims for Hurricane Harvey, and FEMA has paid more than $7.6 billion in losses to those policyholders. The economic losses of Hurricane Harvey, however, are likely to reach $85 billion. Even after considering the commercial insured losses, the gap between the insured and economic losses, known as the “protection gap,” is huge.

Based on events like Hurricane Harvey and Superstorm Sandy it is likely that as many as 80% of the homes in Houston were not insured for flood. In fact, according to the Insurance Information Institute, only about 12% of the home owners in the United States purchase flood insurance; this statistic is even lower in inland states. The number of NFIP policies in the Mississippi River states (which excludes Louisiana) is about 5% of the total NFIP program. Using current building stock data from Homes.com, this would make the purchase rate for flood insurance in the Mississippi states at less than 2%.

Why is there such a large protection gap and why is it important to narrow this gap?

A Floodzonedata.us study by the New York University (NYU) Furman Center found that there are about 6.9 million housing units within the 100-year flood plain as defined by FEMA. According to a February 2018 scientific study in IOPscience, however, “Estimates of present and future flood risk in the conterminous United States,” the actual number of exposed houses could be as high as 15.4 million. In addition, a September 2017 audit by the Department of Homeland Security Office of Inspector General noted that, as of December 2016, only 42% of FEMA’s flood maps are up to date and valid. Both Superstorm Sandy and Hurricane Harvey demonstrated several instances of FEMA maps being inadequate to evaluate the extent of flooding.

Extreme events like Harvey should be viewed as an opportunity for resilience initiatives.  Jeffrey Heberg, Chief Resilience Officer for New Orleans, notes that the key to resilience is insurability. In fact, studies highlight the importance of high insurance penetration and the correlation to strong resilient countries.

The stark contrast in the insurance penetration between Chile, Haiti and New Zealand provides an example of the impact the insurance industry can have towards financing the losses from major catastrophes. Following earthquakes in 2010, New Zealand and Chile showed faster recovery due to high insurance penetration and thus the ability to absorb losses, whereas Haiti went through a very slow recovery process due to the lack of catastrophe (re)insurance.

While insurance is an important factor, financial resilience through insurance is not enough. There is a further need for a comprehensive approach to mitigate severe natural catastrophes. This is when public private partnerships (P3s) play a crucial role. In New Zealand, the government-owned earthquake commission, with reinsurance in the global market, resulted in insurance penetration of up to 80%. A similar example of P3 in the United States is the reinsurance protection sought by FEMA to reinsure the NFIP against extreme events.

Public private partnerships rely on the government’s ability to ensure adequate loss prevention, build physically resilient structures and implement forward-looking municipal planning (such as futuristic view of flood maps and flood plain management). If people reside in and build more resilient structures, not only can it help save lives, but the cost of insurance could be less, and the probability of loss and recovery time will be less for communities.

It is not only important to focus on building resilient communities to help protect them from natural catastrophes, it is now becoming a crucial requirement for cities and states. Standard & Poor’s emphasizes the importance of disaster insurance arrangements on sovereign financial resilience. The September 2015 Standard & Poor’s Rating Report notes that a lack of insurance coverage for significant catastrophic events could negatively impact sovereign ratings resulting in a downgrade. As recently as November 2017, Moody’s reported the incorporation of climate change into its credit ratings for state and local bonds. This would mean that communities, cities and states may get downgraded unless they show sufficient adaptation and loss mitigation strategies.

The time for resilience is now. As geographic regions that were once sparsely populated are now filled with burgeoning cities there is so much more at risk from today’s extreme weather events. Insurance can play a role in helping communities recover. Insurance alone, however, is only a partial solution. We also need to build resilient communities to help mitigate the damage caused by flood.