Tag Archives: resilience

The Key to Survival in Wild West of Cyber

Today, the question is not whether my organization will experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and a better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, as well as government entities, are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation and PCI assessments; business interruption costs and system failure; and legal proceedings and defending against regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, they are not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, proper cyber risk mitigation, put in place long before an event occurs, is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast-moving, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to compromise a network, but it often takes months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as long as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That is a wealth of time for attackers to inflict significant damage, and it does not look good to regulators, customers and other stakeholders.

Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even though companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E), they are more adept at insuring physical assets: approximately 51% of PP&E assets are covered by insurance, compared with only 12% of information assets on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason is that insureds and cyber insurance providers alike struggle to accurately assess and quantify cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year totaled only around $2 billion.

The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information. Unlike other risk areas such as flood insurance, where long historical records let companies quantify risk with considerable precision, developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: not all policies are available to all companies, no two policies are equal and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs both to be eligible for a policy and to claim benefits under it. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, well-resourced and diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need a policy adequate to cover everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, to the balance sheet and to corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from penetration testing and social engineering assessments to engaging ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.

News of an attack is never scheduled on the day’s calendar of events; it comes as a hit. Companies typically learn of a breach in one of three ways: the company identifies the breach itself, finding that a malicious actor has been in the network for weeks or even months; the company receives a call from law enforcement, often with limited information, because it is one victim in a larger compromise; or, in the worst scenario, a third party breaks the news, for example a customer, a business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive, which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice equates to confidence, and the degree of practice will be evident in the wake of an attack. Some organizations call this conducting table-top exercises or simulated cyber attack exercises. This preparation involves all key stakeholders, both internal and external, and with a well-oiled plan, when the breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and a cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering whom to retain, it is key to look at the firm’s experience: the number of cases the firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful if selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially when the firm is engaged through in-house counsel: the strongest way to preserve privilege in an investigation is to retain the investigators through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can bring enforcement actions against organizations it believes have failed to properly safeguard customer information. Such cases have the potential to span several years and can result in companies drowning in millions of pages of documents produced in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect against such costs, it is critical that companies quantify the damages that would follow a breach, including the intangible ones, and build board-level understanding of the financial value of these risks so that capital can be deployed to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still ascertaining what cyber coverage looks like and, while more sophisticated teams are being assembled to assess risk, evaluate preparedness and write policies, the policies still vary greatly. At a minimum, companies want a policy that covers first-party losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products to cover traditional third-party liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover the costs of defending against any regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recuperation. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning. This gives the organization an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceedings, negligence is by far the most common ground on which an organization is found liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of publicly reported breaches led to class action litigation, a figure that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs involved Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk of identity theft and was the result of the hospital’s inadequately safeguarding patient data. Tampa General, in an October 2016 preliminary settlement approval, agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions, with claimants eligible for cash payments if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, the pendulum could swing. When it does, a sound cyber insurance product will bring protection by covering part, or all, of the defense costs and resulting settlement payments.

Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.

An Opportunity in Resilience Analytics?

In my post last month, I discussed why the insurtech revolution should be focusing more on addressing the protection gap, thereby growing the pool of insurable risks, rather than figuring out how best to eat the insurance incumbents’ lunch.

At a conference in February, Tom Bolt of Lloyd’s noted that an increase of 1% in insurance penetration can lead to a 13% drop in uninsured losses and a 22% drop in taxpayers’ share of the loss. The key to increasing penetration is lowering distribution costs to make products more affordable. That is where insurtech can come in. Many recent startups have business models looking to tackle the excessive intermediation costs that exist in the current insurance value chain.

Sadly, when a catastrophe strikes areas of low insurance penetration, those communities not only suffer from the difficulties of having to seek aid—which can take three-plus months to reach affected zones—but also face the prospect of a significant drag on economic growth. It is unsurprising, therefore, that governments in vulnerable countries are keen to improve their “resilience” and seek solutions to better prepare themselves for catastrophes by working with the likes of the World Bank, the UN and the recently established Insurance Development Forum (IDF). Interestingly, AIR Worldwide recently announced the Global Resilience Practice, which will be led by former U.S. presidential adviser Dr. Daniel Kaniewski.

As well as providing low-cost distribution models in new markets, a related opportunity I see for insurtech is working together with the insurance industry in the growing field of resilience analytics. As Robert Muir-Wood recently pointed out on RMS’ blog, the claims data gathered by insurers, which historically has been used for pricing and managing risk, could also be used to reduce the potential for damage before an event. Insurtech companies could work with government authorities to pool this claims data, combine it with other key data from external sources and use the results to inform urban resilience strategies. There are inevitable doubts over the willingness of insurers to share their data, but agile and thoughtful startups are likely better placed to find insights in a world of abundant unstructured data than the more technologically challenged incumbents.

The current size of the protection gap is a failure of the insurance industry, and any companies that can help address it will not only be first movers in new markets but will also be adding social value and much-needed resilience to vulnerable communities all over the world.

Risk Management: Off the Rails?

First, there was science…

Some sources suggest probability theory started in gambling and maritime insurance. In both cases, the science was primarily used to help people and companies make better decisions and, hence, make money. Risk management used the mathematical tools available at the time to quantify risk, and their application was quite pragmatic.

Banks and investment funds started applying risk management, and they, too, were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. In 1990, Harry M. Markowitz, Merton H. Miller and William F. Sharpe won the Nobel Prize in economics for their work in financial economics, including portfolio theory and the capital asset pricing model (CAPM), tools also used for risk management. This doesn’t mean risk management was always accurate — just see the case of LTCM — but managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).

Then, risk management became an art…

Next came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than a science.

Some of the reasons behind the shift were, arguably:

  • Lack of reliable data to quantify risks — Today, certainly, there is no excuse for not quantifying risks in any type of organization.
  • Lack of demand from the business — Many non-financial organizations of the time were less sophisticated in terms of planning, budgeting and decision making. So, many executives didn’t even ask risk managers to provide quantifiable risk analysis.
  • Lack of qualified risk managers — As a result, many risk managers became “soft” and “cuddly,” not having the skills or background required to quantify risks and measure their impact on business objectives and decisions.

Many non-financial companies quickly learned which risks to quantify and how. Other companies lost interest in risk management or, should I say, never saw the real value.

Today, it’s just a mess…

What I am seeing today, however, is nothing short of remarkable.

Instead of being pragmatic, simple and focused on making money, risk management has moved into the “land of buzz words.” If you are reading this and thinking, “Hold on, Alex. Risk velocity is important; organizations should be risk resilient; risk management is about both opportunities and risks; risk appetite, capacity and tolerances should be quantified and discussed at the board level; and inherent risk is useful,” then, congratulations! You may have lost touch with business reality and could be contributing to the problem.

I have grouped my thinking into four problem areas:

1. Risk management has lost touch with the modern science.

These days, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis, etc.), most of which date from the 1940s to the 1960s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is largely ignored by the majority of risk managers in the non-financial sector.

Ironically, many organizations do use tools such as Monte Carlo simulations (developed in 1946, by the way) for forecasting and research, but it’s not the risk manager who does that. The same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counterparty risk management. Yet blockchain is pretty much ignored by risk managers.

It has been years since I saw a scientist present at any risk management event, sharing new ways or tools to quantify risks associated with business objectives. That can also be said about the overall poor quality of postgraduate research published in the field of risk management.

2. Modern risk management is detached from day-to-day business operations and decision making. 

Unless we are talking about a not-for-profit or government entity, the objective is simple: Make money. While making money, every organization is faced with a lot of uncertainty. Luckily, business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on.

Yet, instead of integrating all the tools, risk managers often choose to go their separate ways, creating a parallel universe that is specifically dedicated to risks (which is very naive, I think). Examples include:

  • Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2009;
  • Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings;
  • Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models;
  • Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs;
  • Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk; and
  • Creating separate risk reports instead of integrating risk information into normal management reporting.

Risk management has become an objective in itself. Executives in the non-financial sector have stopped viewing risk management as a tool to make money. Risk managers don’t speak, and many don’t even understand, business language or how decisions are made in the organization. Risk analysis is often outdated, and by the time risk managers capture it, important business decisions are long done.
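
To make the distinction concrete, here is an added worked example, not part of the original article, of the “Budget@Risk” idea from the list above: risks are entered into the budget model as cost distributions and rolled up by Monte Carlo simulation into the extra funding needed to hold a chosen confidence level, instead of being scored on a separate heat map. For contrast, the same risks are also run through a conventional 5x5 probability x impact score, which shows how two risks with very different worst cases can receive the same number. The budget figures, the two risks and the bucket thresholds in the heat-map function are all constructed for illustration and are assumptions, not figures from the article or from any standard.

```python
"""Budget@Risk by Monte Carlo.

Added example: risks are expressed as cost distributions inside the budget
model itself and rolled up into a Budget@Risk figure, rather than scored on a
stand-alone probability x impact heat map. Every figure below (budget, risk
probabilities, cost ranges, heat-map thresholds) is constructed for
illustration and is an assumption, not data from the article.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Risk:
    """A risk as a budget model sees it: a chance of occurring within the
    budget period and, if it occurs, a cost drawn from a triangular distribution."""
    name: str
    probability: float  # 0..1, chance the risk materialises in the period
    low: float          # smallest plausible cost if it does (budget currency)
    mode: float         # most likely cost
    high: float         # worst plausible cost

    def sample_cost(self, rng: random.Random) -> float:
        if rng.random() >= self.probability:
            return 0.0  # did not materialise in this trial
        if self.low == self.high:
            return self.low  # degenerate distribution: a fixed cost
        return rng.triangular(self.low, self.high, self.mode)


def percentile(sorted_values: Sequence[float], q: float) -> float:
    """Nearest-rank percentile of an ascending-sorted sequence (0 < q <= 1)."""
    rank = max(1, math.ceil(q * len(sorted_values)))
    return sorted_values[rank - 1]


def simulate_budget(base_budget: float, risks: Sequence[Risk],
                    runs: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Roll the risks into the budget: each trial is one possible period's total
    spend. A fixed seed keeps the result reproducible for review and audit."""
    rng = random.Random(seed)
    totals = sorted(
        base_budget + sum(r.sample_cost(rng) for r in risks) for _ in range(runs)
    )
    return {
        "base": base_budget,
        "expected": statistics.fmean(totals),
        "p50": percentile(totals, 0.50),
        "p80": percentile(totals, 0.80),
        "p95": percentile(totals, 0.95),
    }


def budget_at_risk(result: Dict[str, float], confidence: str = "p95") -> float:
    """Budget@Risk: how much above the base budget must be available to stay
    within the chosen confidence level."""
    return result[confidence] - result["base"]


def heat_map_score(risk: Risk, base_budget: float) -> int:
    """The conventional 5x5 probability x impact score, for contrast. It keeps
    only the most-likely cost and discards the tail, so risks with very
    different worst cases can receive the same score. Bucket thresholds are an
    assumed scale, not a standard."""
    p_bucket = min(5, max(1, math.ceil(risk.probability * 5)))
    share = risk.mode / base_budget
    thresholds = (0.02, 0.05, 0.10, 0.20)  # share of budget -> impact bucket 1..5
    i_bucket = 1 + sum(share > t for t in thresholds)
    return p_bucket * i_bucket


if __name__ == "__main__":
    budget = 1_000_000.0  # constructed project budget
    # Two constructed risks with the same most-likely cost but different tails.
    narrow = Risk("vendor price increase", 0.5, 50_000, 50_000, 50_000)
    fat_tail = Risk("data breach response", 0.5, 10_000, 50_000, 400_000)
    for risk in (narrow, fat_tail):
        res = simulate_budget(budget, [risk])
        print(f"{risk.name:24s} heat-map score {heat_map_score(risk, budget)}  "
              f"Budget@Risk(p95) {budget_at_risk(res):>12,.0f}")
    both = simulate_budget(budget, [narrow, fat_tail])
    print(f"portfolio expected {both['expected']:,.0f}  "
          f"p80 {both['p80']:,.0f}  p95 {both['p95']:,.0f}")
```

Running the file prints the heat-map score and Budget@Risk (at the 95th percentile) for each risk and then for the portfolio: the two risks score identically on the heat map while their Budget@Risk figures differ several-fold, because only the simulation sees the long tail of the second risk. Passing "p80" as the confidence key shows the figure a less conservative board might choose to fund, which is exactly the kind of number a budget discussion can act on.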

3. Risk managers continue to ignore human nature.

Despite the extensive research conducted by Nobel laureate Daniel Kahneman, his collaborator Amos Tversky (psychologists who established a cognitive basis for human errors that result from biases) and others, risk managers continue to use expert judgment, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (to put it mildly). They never have, and they never will. Just stop using them. There are better tools for integrating risk analysis into decision making.

Building a culture of risk awareness is critical to any organization’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into day-to-day activities and decision making.

4. Risk managers are too busy chasing the unicorn.

Instead of sticking to the basics and getting them to work, many are busy chasing the latest buzzwords and innovations. Remember how “resilience” was a big thing a few years ago? Before that, there was “emerging risks,” “risk intelligence,” “agility,” “cyber risk” — the list goes on and on. It seems we are so busy finding a new enemy every year that we forget to get the basics right.

Lately, consultants seem to have too much say in how modern risk management evolves. The latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June. The authors sure did “innovate”: among other “useful ideas,” they came up with a new way to capture risk profiles. That would be nice if risk profiling were the objective of risk management. Sadly, it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day.

To be completely fair, the global team currently working on the update for the ISO31000:2009 also has a few consultants who have a very limited understanding about risk management application in day-to-day decisions and in helping organizations make money.

I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money.

How to Understand Your Risk Landscape

This is part two of a series of five on the topic of risk appetite and its associated FAQs.

The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.

The Risk Landscape

Lessons learned following the global financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.

First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives? Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?

To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.

It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated.

Crucially, risk is now defined as “the effect of uncertainty on objectives.”

It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.

Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:

1.  Risk appetite: While we now have a globally accepted risk management standard and a sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor internationally accepted guidance, as to the attributes of an effective risk appetite framework.

2.  Risk reporting: In relation to risk reporting, two significant matters arise:

Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.

Note: RMI supports the adoption of a board-driven, objectives-centric approach to reporting and monitoring risks to operations, the business model and reputation.

Risk registers and other reporting tools detail known risks, what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such, they tend to be of limited value in terms of reporting or monitoring either unknown known or unknown unknown risks. This is a matter that should give boards cause for concern given the pace of change, hyper-connectivity and the disruptive nature of new technologies.

3.  Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.

The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on disparate Excel spreadsheets, Word documents and PowerPoint decks with weak controls over the copying and pasting of data from one level of report to another.

Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.

For example:

a.    Comprehensive training for business line managers and supervisors on:

  •  (Risk) Management Processes,
  •  (Risk) Vocabulary,
  •  (Risk) Reporting,
  •  Board (Risk) Assurance Requirements

b.    Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,  

c.   System8 applied to process through the use of database/workflow solutions, providing an evidence basis for assurance that:

  • The quality, timing, accessibility and auditability of risk performance data are as rigorously and consistently applied as for accounting data,
  • Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change,
  • Tests can be applied to the aggregation of risks to objectives at the pace of change, and prompt interdictions applied when required,
  • Reports, or notifications, of significant risks are escalated without delay, and without risk to the originator of the information.
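To make point c. concrete, the following is an added example (not RMI's code, nor anything from the original post) of the kind of test a database-backed register can run automatically instead of relying on copy-and-paste between spreadsheets: it flags entries not linked to any objective (the compliance-centric register problem noted above), flags entries that have not been reviewed within a set window, aggregates expected loss per objective and escalates where the board's stated tolerance is exceeded. The field names, the 90-day review window, the use of likelihood × impact as the aggregation measure and the sample register are all assumptions made for illustration; the arithmetic only makes sense for risks whose likelihood can actually be estimated.

```python
"""Objective-linked risk register with aggregation and escalation checks.

Added illustration, not RMI's tooling. Field names, the review window,
the aggregation measure and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Objective:
    obj_id: str
    name: str
    tolerance: float  # assumed: maximum aggregated expected loss the board accepts


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    objective_id: Optional[str]  # None = recorded for compliance only, linked to no objective
    likelihood: float            # assumed: annual probability of occurrence, 0..1
    impact: float                # assumed: loss if the event occurs, same unit as tolerance
    owner: str
    last_reviewed: date


def expected_loss(risk: Risk) -> float:
    """Likelihood x impact; only meaningful for measurable uncertainties."""
    return risk.likelihood * risk.impact


def validate_register(objectives: List[Objective], risks: List[Risk],
                      as_of: date, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (risk_id, problem) pairs for entries that fail data-governance checks."""
    known = {o.obj_id for o in objectives}
    issues: List[Tuple[str, str]] = []
    for r in risks:
        if r.objective_id is None:
            issues.append((r.risk_id, "not linked to any objective"))
        elif r.objective_id not in known:
            issues.append((r.risk_id, f"linked to unknown objective {r.objective_id}"))
        if not 0.0 <= r.likelihood <= 1.0:
            issues.append((r.risk_id, "likelihood outside [0, 1]"))
        if r.impact < 0:
            issues.append((r.risk_id, "negative impact"))
        if as_of - r.last_reviewed > timedelta(days=max_age_days):
            issues.append((r.risk_id, f"not reviewed for more than {max_age_days} days"))
    return issues


def aggregate_by_objective(objectives: List[Objective], risks: List[Risk]) -> Dict[str, float]:
    """Sum expected loss of every linked risk under each objective."""
    totals = {o.obj_id: 0.0 for o in objectives}
    for r in risks:
        if r.objective_id in totals:
            totals[r.objective_id] += expected_loss(r)
    return totals


def escalations(objectives: List[Objective], risks: List[Risk]) -> List[Tuple[str, float, float]]:
    """Objectives whose aggregated exposure exceeds the board's tolerance."""
    totals = aggregate_by_objective(objectives, risks)
    return [(o.obj_id, totals[o.obj_id], o.tolerance)
            for o in objectives if totals[o.obj_id] > o.tolerance]


# Constructed sample register (values chosen so the arithmetic is exact).
AS_OF = date(2014, 9, 1)
OBJECTIVES = [
    Objective("O1", "Keep the customer payment service available", tolerance=250_000.0),
    Objective("O2", "Launch product line X on schedule", tolerance=500_000.0),
]
RISKS = [
    Risk("R1", "Payment gateway outage", "O1", 0.25, 640_000.0, "COO", date(2014, 8, 15)),
    Risk("R2", "Card-data breach at processor", "O1", 0.125, 1_200_000.0, "CISO", date(2014, 7, 30)),
    Risk("R3", "Key supplier insolvency", "O2", 0.125, 960_000.0, "CFO", date(2014, 3, 1)),
    Risk("R4", "Policy 7.3 not acknowledged by all staff", None, 0.5, 10_000.0, "HR", date(2014, 8, 20)),
]

if __name__ == "__main__":
    for risk_id, problem in validate_register(OBJECTIVES, RISKS, AS_OF):
        print(f"DATA ISSUE {risk_id}: {problem}")
    for obj_id, exposure, tolerance in escalations(OBJECTIVES, RISKS):
        print(f"ESCALATE {obj_id}: exposure {exposure:,.0f} exceeds tolerance {tolerance:,.0f}")
```

Run as a script it reports R4 as unlinked and R3 as stale, and escalates objective O1, whose linked risks aggregate to 310,000 against a tolerance of 250,000; R4 contributes to no objective at all, which is exactly why a compliance-only entry tells the board nothing about risk performance.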

4.  Lack of understanding of the nature of the risks that need to be mastered in the boardroom:

Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives (for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health and safety, etc.) and there are multiple categories of risk. But what is uncertainty?

Uncertainty9 is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.

There are essentially two kinds of uncertainty:

1.   Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.

Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.

Measurable uncertainties are funded out of operating profits.

2.   Unmeasurable uncertainties:  These are inherently un-insurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc. they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.

Un-measurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks10 that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.

Un-measurable uncertainties are funded out of the balance sheet.

The hyper-connected and multispeed world in which we live today has driven the effect of un-measurable uncertainties on company objectives to unprecedented heights, and so amplified the risk potential enormously.

5.  Urgent need to recognize the mission-critical importance of building and preparing management to always be ready to offer credible solutions in the face of unexpected shocks and surprises:

Figure 1 below describes the evolution of risk management as depicted within the red dotted line11, and the next stage of that evolution (resilience) as envisioned by RMI.


Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk  

Resilience was the theme that ran through the World Economic Forum Global Risks 2013, Eighth Edition report. Resilience was described as the capability to

  1. Adapt to changing contexts,
  2. Withstand sudden shocks, and
  3. Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.

The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).

The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes12) recently published a concise and practical taxonomy that may also be used to consider global risks13.

The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.

When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.

Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.


It is also interesting to observe the diversity of definitions of emerging risk. For example:

  • Lloyd's: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
  • PwC: Those large-scale events or circumstances beyond one's direct capacity to control, that have impact in ways difficult to imagine today,
  • S&P: Risks that do not currently exist.

The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:

  1. Financial volatility (24% of respondents)
  2. Cyber security/interconnectedness of infrastructure (14%)
  3. Liability regimes/regulatory framework (10%)
  4. Blowup in asset prices (8%)
  5. Chinese economic hard landing (6%)

Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction15.

References:

1 Influenced by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management (ERM): Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens

2 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

3 The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.

4 Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication by Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman

5  The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech

6 An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels)

7 An unknown unknown risk is a so-called black swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb)

8 Specified to the ISO 31000 series

9 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard

10 More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman

11 Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management: Frameworks, Elements and Integration

12 Managing Risks: A New Framework

13 Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).

14 Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK

15 The Financial Reporting Council has determined that it will integrate its current guidance on going concern and on risk management and internal control, and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board's making a robust assessment of the principal risks to the company's business model and to its ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term.

Risk and Strategy: How to Find the Links

This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF).

Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

Paper 1: Introduction

Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk.

Some observations:

1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework.

2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing.

3. "Strategic risks" are those that are most consequential to the organization's ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. "Strategic risk management" is "the process of identifying, assessing and managing the risk in the organization's business strategy, including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires the time and attention of executive management and the board of directors."1

RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned.

4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:

  • Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
  • Establishing an effective risk appetite framework,
  • Understanding, and improving, the organizational level of risk maturity,
  • Building organizational resilience,
  • Proofing and testing management’s ability to offer credible solutions when both exploiting and defending operations, the business model and reputation.

5. The risk appetite framework (RAF)2 is to the board what risk management3 is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework4. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:

  • Direct CEO oversight of an integrated risk and strategy capability,
  • Board risk subcommittee oversight of:
    • The risk appetite framework,
    • Advancing and maintaining risk maturity, which can deliver value through:
      • Access to capital at lower cost than that achieved by less mature competitors,
      • More favorable credit ratings than those achieved by less mature competitors,
      • Optimization of risk transfer through both traditional and modern self-insurance methods.
  • Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
  • Perpetual proofing and testing of management’s readiness to offer credible solutions when both opportunity strikes and abnormal and adverse events occur.

We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.”

References

1 Source: Harvard Law School Forum on Corporate Governance and Financial Regulation, Strategic Risk Management: A Primer for Directors, Aug 2012

2 The RAF is the "overall approach, including the policies, controls and systems, through which risk appetite is established, communicated and monitored."

3 Risk management: coordinated activities to direct and control an organization with regard to risk. Source: ISO Guide 73, Risk Management – Vocabulary

4 Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization

    • NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
    • NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and  activities.
    • NOTE 3 The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.

(Source: ISO Guide 73 risk management vocabulary)