The New Cyber Insurance Paradigm

Across industries, many mature organizations have become acutely aware that their industrial-based business models, which strive for control, efficiency and scale, are not designed for speed, innovation or individualized customer experiences. Corporate leaders have no option but to consider using cloud-based platforms, but that introduces new vulnerabilities.

Finding an appropriate balance between cybersecurity and privacy strategy while allowing for innovation is of fundamental importance.

As all businesses will become “data companies” in the digital networked world, the cyber insurance industry needs to adapt to effectively underwrite and manage the most dynamic risk in the world. Everyone wants a piece of the action, as there are more than 70 U.S. carriers and 30 U.K. carriers that offer cyber insurance, and the supply will continue to grow rapidly.

There is, however, one fundamental flaw: there is absolutely no standardization. Carriers do not capture the same data points or conform to a common industry data classification, so there is no gold standard for coverage.

How can the industry appropriately underwrite, analyze and manage the most connected risk in the world if carriers don’t capture the same data points in their underwriting application and there is no common data classification to map toward? Each insurer is analyzing different data.

Perhaps even a greater issue is that the data is captured at a point in time, typically via checkboxes on a paper application. The data quickly becomes outdated. Unless a vulnerability assessment is mandated for some of the larger enterprises to obtain coverage, there is no true validation of the prospects’ security posture.

Insurers are not capturing contextual data to validate their insureds’ policies and controls that ultimately represent the risk. Is it enough to ask, “Do you educate or train users on information security and privacy?”, or would it help to know whether one insured does training once a year during lunch while another insured holds quarterly training meetings with randomly scheduled, unannounced phishing simulations throughout the year?

Cyber insurance needs context and validity; the industry is deficient in both!

In direct, online-to-bind insurance, some carriers require only four to six data points to underwrite the risk and present a quote in a matter of minutes. Is a company’s industry, revenue, address, number of records and a question about any previous claims really enough to understand the risk? I understand that we need a seamless customer experience to ensure we don’t lose new business, but requiring so little data looks more like a reckless arms race to see who can capture the most SMB business than anything else.

There is no validation of the actual inputs from the insured (major issue!) and, in terms of customer experience, we should focus on strategically important issues such as integrating cyber risk mitigation with cyber insurance under the umbrella of an organization’s cyber risk management. Customers need a holistic solution evaluating risk mitigation and risk transfer.

Anyone who has gone through risk and compliance assessments at the enterprise level will agree that they need to be streamlined, with a centralized solution that collects and analyzes information about the cyber program and that quickly reacts to identified vulnerabilities and regulatory requirements. The traditional, siloed approach, where a company completes assessments in confusing, overly detailed Excel documents specific to a regulation (e.g. PCI, HIPAA, NIST, ISO), keeps resources tied down and focuses on completing each individual assessment rather than truly understanding broad exposure. The approach unfortunately shifts the focus to defense, in complying with regulations, instead of determining actionable insights that enhance cyber maturity.

This manual, labor-intensive process does nothing to solve the snapshot problem, and a company’s cyber exposure or cyber maturity is not nearly the same on Jan. 15, 2018, as it will be on Jan. 15, 2019. Continuous, standardized insight into a company’s cyber risk is required to appropriately assess risk.

Insurers are spending thousands on isolated solutions, such as SecurityScorecard and Bitsight, yet they are only viewing cyber risk through a small prism, as these solutions only provide a snapshot of risk from what’s available on the internet and open-source databases.

What most insurers don’t realize is that successful cyber insurance underwriting comes at the intersection of insurtech and regtech. Insurers need to shift toward a digital platform that standardizes the data capture, has the data immediately available for analysis and continuously analyzes an insured’s risk throughout the policy period. Both insurers and clients need a standardized assessment that automates the manual processes of traditional risk assessments and allows companies to automate and streamline the IT and vendor audit process by mapping to several security standards, such as NIST, ISO, HIPAA, PCI and the NY DFS Regulation, through one assessment.

In responding to market needs, companies like Cyberfense will prevail. In stealth mode for the last year, Cyberfense is now working with two of the largest cyber insurers to streamline the underwriting process while providing continuous insight into a company’s cyber maturity and mapping a company’s cyber risk to most national and global security standards. Cyberfense helps insurers manage cyber risk by analyzing an insured’s exposure and detailing recommended solutions so the client easily understands how to fill security and compliance gaps.

The eRisk hub that many insurers offer now does not provide any added value as it is simply a list of vendors that a client could Google itself. Insurers need to guide their clients with appropriate solutions as early as possible and in a manner that is not too invasive. With standardization and automation, you will then create a brokerage force that can finally understand cyber insurance and is more willing to sell the coverage and act as an adviser to their client.

This is how we effectively underwrite and manage cyber risk.

4 Keys on Cyber-Risk Accumulation

As the sale of cyber policies grows and other types of policies are extended to include cyber coverage, the industry is taking on a massive amount of new risk. Although it is true that auto, workers compensation, environmental policies and so many others were all new offerings at one time, there are some things about cyber that make it more unusual, more uncertain and more potentially dangerous for the insurance industry than new offerings of the past.

Simultaneity

It is entirely possible for hackers to plan and launch simultaneous attacks on a large number of targets. Those targets may be corporations, infrastructure such as power plants, government bodies, hospitals, or any other type of entity.

If a successful, very harmful simultaneous attack, whether ransomware, malware or any other type of IT weaponry, were to be made on a sizeable number of entities, the losses occurring at one point in time could create serious liquidity pressures and even jeopardize solvency for an insurer.

Individual insurers are modeling their aggregate exposures, but are they doing it comprehensively enough? Analysis must take into account not only the limits and reinsurance on their cyber policies (including such add-ons as contingent business interruption or other enhancements) but also what level of coverage is afforded in existing casualty and property policies as well as any other policies that may be triggered (such as D&O, E&O, reputation, etc.). In addition, correlated risks that have nothing to do with claims liabilities per se should also be considered. For example, what will insurers do if their contracted vendor networks, which are supposed to help insureds after a breach, are not resourced sufficiently to handle simultaneous attacks?

Ubiquity

Given the global nature of the internet, attacks may be not only simultaneous but ubiquitous. The entities affected may be all over the world. An insurer that relies on geographic diversity to protect its capital can lose the benefit of diversification when it comes to cyber.

A global event or series of events could have significant capital implications for insurers that have considered their cyber portfolio in part rather than in whole.

Unpredictability

There is scant history upon which to base underwriting and pricing decisions when it comes to cyber. The earliest policies were geared toward system failures, not cyber attacks. More recent policies were focused on data breaches and stolen data and the actual cover involved handling some of the expertise needs and certain expenses post breach. Now, cyber policies are dealing with ransomware attacks and cover business interruption and other loss. This is heady stuff when there are no historical patterns to use in predicting frequency and severity as there is with property or workers compensation. Ransomware attacks continue to escalate at a rapid pace. Who knows how much faster or greater this trend line will grow.

Some cyber attacks have been targeted while others are random. In either case, they test the ability of insurers to make predictions. This, in turn, makes it difficult for actuaries to price the product appropriately. How much business should an insurer write of a particular kind until it can be sure the business is priced correctly for the exposure?

A random attack might seem to better fit the principle of insuring against fortuitous events. However, it does mean that an insurer that relies on customer segment diversity to protect its capital can lose the benefit of such diversification. This is similar to the situation mentioned above in connection with geography.

A targeted attack will likely strike an entity (or entities) with the most money, records or other treasure worth capturing or destroying. Hence, the losses generated will be greater.

Initial attacks were focused mostly on retailers with hospitality and with banking and healthcare following. The great fear is that power and infrastructure will be next. The impact from attacks on power and infrastructure could be catastrophic in the extreme.

The flexibility to strike randomly or with fixed intent leaves underwriters in a quandary about which classes of business are riskier than others. How, then, can they manage their customer mix as they do with other lines of business?

Sponsorship

Hackers can work alone or in groups. They can also be actors for foreign governments. When Marissa Mayer spoke about the Yahoo attack, she commented on the unevenness between a company’s attempts at IT security versus an attack potentially perpetrated by a nation state. This phenomenon is something insurers must consider when parsing the words in their contracts. To what extent should there be exclusions, as there are in terrorism policies or other policies that exclude acts of war? To what extent is a future federal backstop needed?

Conclusion

This is not to say that cyber insurance should not be offered. Society has a protection need, and insurers have been answering that need since the first handshake at Lloyd’s. In addition, this line of business has been streaming new revenues into an industry that, in recent years, has had excess capacity. Rather, it is to say that insurers must put robust and innovative solutions in place to manage aggregation risk.

Addressing Evolving Cyber Threats

In 2015, an accountant looking at the balance sheets of a U.S. tech company noticed a $39 million hole in the figures. The accountant would have been even more dismayed to know where it had gone – a member of the financial team in an overseas subsidiary had transferred it directly to the thief. All the thief had to do was pretend to be a CEO.

It’s a kind of attack known as a CEO email attack, and just one of a broad range of hostile tactics known as social engineering attacks. These are attacks that exploit the natural weaknesses of human beings – our credulity, our naiveté, our propensity to help strangers and, sometimes, in the case of phishing attacks, just our greed – to get around security systems.

To put it in the language of 21st century cyber security: Social engineering operates on the idea that, just like any computer system, human beings can be hacked. In fact, a lot of the time they’re much easier to hack than computers. Understanding this fact, and the forms that social engineering can take, is essential to formulating a robust defense strategy. These strategies are even more important now, as the lines between the physical and digital worlds continue to blur and the assets at risk continue to multiply, thanks to the proliferation of connected technologies.

In Depth

From the serpent in the Garden of Eden, to the fake phishing emails that promise fortunes if only you’d just part with your bank details and Social Security number, social engineers have been with us for a while. But few epitomize their arcane arts quite like Frank Abagnale, whose exploits between the ages of 15 and 21 were immortalized in the Steven Spielberg film Catch Me If You Can. During those years, Abagnale posed as a doctor, a lawyer and an airline pilot and has become one of recent history’s most legendary social engineers. He now runs a consultancy, Abagnale and Associates, that aims to educate others – including government agencies such as the FBI, and numerous businesses – on how to catch people like him, as social engineering methods shift.

Abagnale asserts: “Some people used to say that I’m the father of social engineering. That’s because, when I was 16 years old, I found out everything I needed to know – I knew who to call, and I knew the right questions to ask – but I only had the use of a phone. People are doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.”

We live in an overwhelmingly digital world, and the projected 50 billion Internet of Things (IoT) devices due to be hooked up to the internet by 2020 mean the already broad frontier of digital risk will only continue to grow. “I taught at the FBI for decades. There is no technology today that cannot be defeated by social engineering,” Abagnale says. Making sure the human links that sit between this expanding set of digital nodes remain secure lies at the heart of securing the whole system, one increasingly tied up with physical as well as digital assets.

New Risks

In 2010, the Stuxnet worm, a virus believed to have been developed jointly by the U.S. and Israeli military, managed to cause substantial damage to centrifuge generators being used by the Iranian nuclear program. The virus was designed to attack the computer systems that controlled the speed at which components operated in industrial machinery. By alternately speeding up and slowing down the centrifuges, the virus generated vibrations that caused irreparable mechanical damage. It was a new breed of digital weapon: one designed to attack not only digital systems but physical systems as well.

It was physical in another way. To target this system, the virus had to be physically introduced via an infected USB flash drive. Getting that flash drive into a port, or into the hands of someone who could, required human beings to intervene. In this case, anonymous USB devices were left unattended around a facility and were then accidentally inserted by unwitting technicians.

The Stuxnet worm highlights the extreme end of the dangers that lie at the overlap between digital technology, physical assets and human beings, but the risks extend well beyond that. More prosaic, for instance, are email scams that work by tricking the receiver into sharing vital information – remember the notorious “Nigerian prince” emails, where a fraudster would promise a willing helper untold riches in return for money to be released from jail?

Some of these scammers have elaborate networks that cross countries and continents and can be worth more than $60 million. Move the concept into the organization now: Imagine receiving an email from someone purporting to be your boss, asking in an official and insistent tone for a crucial keyword or a transfer of funds. Could a typical employee be relied on to deny that request? What about a phone call? This was hacker Kevin Mitnick’s strategy. In a way a Frank Abagnale of the digital age, Mitnick managed to make a range of high-profile attacks on key digital assets by just phoning up and asking for passwords.

IoT: The Convergence of the Physical and Cyber Worlds

“Humans are the weakest link in any security program,” says Dennis Distler, director, cyber resilience, Stroz Friedberg, an Aon company. In fact, it’s us, rather than computer systems’ weaknesses or failures, that lie at the heart of around 90% of cyber breaches. Social engineering attacks can come in various forms, and the risk from them will never be fully mitigated. But while full mitigation is impossible, you can limit your exposure – that strategy begins at the individual level. Humans are the targets, so the first line of defense has to be from humans. “You certainly remind people that you have to be smarter, whether you’re a consumer or CEO. You have to think a little smarter, be proactive, not reactive,” Abagnale says.

While social engineering has a focus on financial loss, the focus of cyber risk is shifting to tangible loss with the potential for property damage or bodily injury arising out of IoT devices. Historically, cyber risk has been associated with breaches of private information, such as credit cards, healthcare and personally identifiable information (PII). More and more, however, the IoT – the web of connected devices and individuals – will pose an increased risk to physical property as breaches in network security begin to affect the physical world. Having a better understanding of vulnerabilities and entry points – both at the individual as well as device level – will be critical for organizations in 2017 and beyond.

Organizational Mitigation

While security awareness training and, to a lesser extent, technology can prevent successful attacks – whether IoT-related, caused by human error or stemming from actual social engineering – the risk from them will never be fully mitigated. Organizations can take a number of steps to protect themselves. Distler of Stroz Friedberg highlights a number of key steps a company can take to minimize exposure to social engineering risk:

  • Identify what and where your organization’s crown jewels are. A better understanding of your most valuable and vulnerable assets is an essential first step in their protection.
  • Create a threat model to understand the types of attacks your organization will face and the likelihood of them being exploited. From email phishing to physical breaches, the threat model can help teams prioritize and prepare how to best respond.
  • Create organization-specific security awareness training addressing what types of attacks individual employees could expect, how to detect them and what the protocols for managing and reporting them are. Consider instituting a rewards program for reporting suspected attacks to further encourage vigilance.
  • Provide longer and more detailed training for high-value or vulnerable targets, such as members of the C-suite and their executive support staff, or members of IT, finance, HR or any other employee with access to particularly sensitive information. This training could vary from account managers to mechanical engineers working on major operational projects. These enhanced training procedures could include red-teaming exercises, which test the ability of selected staff to respond to these breaches in real time.
  • Create well-defined procedures for handling sensitive information and provide routine training on these procedures for employees who handle sensitive information.
  • Conduct routine tests (recommended quarterly at a minimum) for the most likely social engineering attacks.

Preparing for Tomorrow’s Breaches

The term “cyber threat” is becoming more and more complex. No longer is it a threat posed to digital assets by viruses and malware or a financial threat posed to individuals and financial institutions. Now, cyber risk encompasses a broad range of risks with the potential to harm assets, from property to brand and reputation.

And at the center of all of these interactions are people. Almost every breach begins with a human being. By understanding how such threats can manifest, and how to deal with them when they do, risks can be mitigated ahead of time. Bringing together various functional groups within an organization will be crucial as teams prepare for the more multifaceted risks of our increasingly connected future.

A ‘Credit Score’ for Your Cyber Risk?

It’s safe to say that the vast majority of companies can, and probably should, be doing a lot more to improve the security posture of their business networks.

What most organizations probably do not realize is that there is an entity paying very close attention to just who is consistently following security best practices—and who isn’t.

That entity is BitSight Technologies, a six-year-old risk assessment vendor that does this by analyzing a variety of sources that monitor which companies regularly update encryption certificates, patch system vulnerabilities in a timely manner and generally adhere to other best security practices.

Keeping tabs on security

BitSight goes through all of this trouble to assign a security rating to each company it reviews. Ranging from 200 to 900, a BitSight security rating is much like a credit score. BitSight has issued security ratings for some 80,000 companies, and is adding 500 more each week.

Why does BitSight do this, and, perhaps more importantly, why should any organization care about a BitSight security rating? Two reasons: third-party partnerships and cyber insurance.

First of all, BitSight’s primary customers are large enterprises that factor security ratings into decisions on which third-party suppliers they will choose to do business with, says Jake Olcott, vice president of business development at BitSight.

“Today, if you’re a first party doing business with a third party, the idea of doing cyber diligence prior to entering into a business relationship is certainly on your mind,” Olcott told me, when we met at the RSA cybersecurity conference recently.

Monitoring business partners

Olcott says, “Once you’ve decided to enter into that business relationship, you also care about the cybersecurity performance of that third party during the lifetime of the business relationship. That’s really why a lot of folks are using our ratings today—to continuously monitor their critical third parties mostly throughout the lifetime of the business relationship.”

I asked Olcott if third-party suppliers were clued in to this trend, and thus finding themselves compelled to improve their security postures in order to earn higher security ratings.

“We’re absolutely seeing that,” he says. “Organizations want to represent good cybersecurity hygiene to their customers, and one way to do that is by showing a quantitative, objective measurement of their cybersecurity posture.”

The second reason BitSight’s security ratings are gaining traction is because of the rapidly emerging cyber insurance market. Allied Market Research projects that the cyber insurance market is on track to climb to $14 billion by 2022, representing a compound annual growth rate of 28% during its forecast period of 2016-2022.

Help for insurance companies

Clearly, a lot of companies would love to offset rising cyber exposures by purchasing a cyber liability policy. However, cyber risks are unlike any other business risk to come down the pike previously. Cyber risks are complex, constantly evolving and seemingly impossible to quantify. BitSight is in the vanguard of security vendors focused on solving that problem, something that’s necessary for the cyber insurance market to fully bloom.

“Seven of the 10 largest cybersecurity insurance companies are using BitSight ratings to underwrite cybersecurity insurance policies,” Olcott says. “An insurance company will collect information from the applicant about their cybersecurity posture, and also look at a BitSight security rating. Taking those data points together, they will come to a premium assessment for the applicant and issue a policy.”

I asked Olcott to explain how a good vs. poor rating actually affects premium prices and policy coverages. He said:

“I would say a good rating in our system would be 700 and above, and I would look at it this way: An organization that we rate a 500 or lower is actually five times more likely to experience a breach than an organization that we rate a 700 or above. So if you’re an insurance company, it’s not that you wouldn’t underwrite a policy for an organization that is a 500 or lower. It’s that you want to understand the risk that you’re taking. You don’t want your entire book of business to be of companies that are performing below a 500.”

This post originally appeared on ThirdCertainty.

Risk Management: Off the Rails?

First, there was science…

Some sources suggest probability theory started in gambling and maritime insurance. In both cases, the science was primarily used to help people and companies make better decisions and, hence, make money. Risk management used the mathematical tools available at the time to quantify risk, and their application was quite pragmatic.

Banks and investment funds started applying risk management, and they, too, were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. In 1990, Harry M. Markowitz, Merton H. Miller and William F. Sharpe won a Nobel Prize for the capital asset pricing model (CAPM), a tool also used for risk management. This doesn’t mean risk management was always accurate — just see the case of LTCM — but managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).

Then, risk management became an art…

Next came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than a science.

Some of the reasons behind the shift were, arguably:

  • Lack of reliable data to quantify risks — Today, certainly, there is no excuse for not quantifying risks in any type of an organization.
  • Lack of demand from the business — Many non-financial organizations of the time were less sophisticated in terms of planning, budgeting and decision making. So, many executives didn’t even ask risk managers to provide quantifiable risk analysis.
  • Lack of qualified risk managers — As a result, many risk managers became “soft” and “cuddly,” not having the skills or background required to quantify risks and measure their impact on business objectives and decisions.

Many non-financial companies quickly learned which risks to quantify and how. Other companies lost interest in risk management or, should I say, never saw the real value.

Today, it’s just a mess…

What I am seeing today, however, is nothing short of remarkable.

Instead of being pragmatic, simple and focused on making money, risk management has moved into the “land of buzz words.” If you are reading this and thinking, “Hold on, Alex. Risk velocity is important; organizations should be risk resilient; risk management is about both opportunities and risks; risk appetite, capacity and tolerances should be quantified and discussed at the board level; and inherent risk is useful,” then, congratulations! You may have lost touch with business reality and could be contributing to the problem.

I have grouped my thinking into four problem areas:

1. Risk management has lost touch with the modern science.

These days, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis, etc.) created in the ’40s and the ’60s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is mainly ignored by the majority of risk managers in the non-financial sector.

Ironically, many organizations do use tools such as Monte Carlo simulations (developed in 1946, by the way) for forecasting and research, but it’s not the risk manager who does that. The same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counterparty risk management. Yet blockchain is pretty much ignored by risk managers.

It has been years since I saw a scientist present at any risk management event, sharing new ways or tools to quantify risks associated with business objectives. That can also be said about the overall poor quality of postgraduate research published in the field of risk management.

2. Modern risk management is detached from day-to-day business operations and decision making. 

Unless we are talking about a not-for-profit or government entity, the objective is simple: Make money. While making money, every organization is faced with a lot of uncertainty. Luckily, business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on.

Yet, instead of integrating all the tools, risk managers often choose to go their separate ways, creating a parallel universe that is specifically dedicated to risks (which is very naive, I think). Examples include:

  • Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2009;
  • Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings;
  • Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models;
  • Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs;
  • Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk; and
  • Creating separate risk reports instead of integrating risk information into normal management reporting.

Risk management has become an objective in itself. Executives in the non-financial sector have stopped viewing risk management as a tool to make money. Risk managers don’t talk to the business; many don’t even understand business language or how decisions are made in the organization. Risk analysis is often outdated, and by the time risk managers capture it, important business decisions are long done.

3. Risk managers continue to ignore human nature.

Despite the extensive research conducted by Nobel Prize winner Daniel Kahneman and Amos Tversky (psychologists who established a cognitive basis for human errors that are the result of biases) and others, risk managers continue to use expert judgment, risk maps/matrices, probability × impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (to put it mildly). They never have, and they never will. Just stop using them. There are better tools for integrating risk analysis into decision making.

Building a culture of risk awareness is critical to any organization’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into day-to-day activities and decision making.

4. Risk managers are too busy chasing the unicorn

Instead of sticking to the basics and getting them to work, many are busy chasing the latest buzzwords and innovations. Remember how “resilience” was a big thing a few years ago? Before that, there was “emerging risks,” “risk intelligence,” “agility,” “cyber risk” — the list goes on and on. It seems we are so busy finding a new enemy every year that we forget to get the basics right.

Lately, consultants seem to have too much say in how modern risk management evolves. The latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June. The authors sure did “innovate” — among other “useful ideas,” they came up with a new way to capture risk profiles. That would be nice if risk profiling were the objective of risk management. Sadly, it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day.

To be completely fair, the global team currently working on the update for the ISO31000:2009 also has a few consultants who have a very limited understanding about risk management application in day-to-day decisions and in helping organizations make money.

I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money.

I am interested to hear your thoughts.