Tag Archives: risks

How to Mitigate Cloud Computing Risks

Of late, cloud computing adoption has gained such traction enterprise-wise that it is rightly called the new normal. The 2019 State of the Cloud report by RightScale shows that 94% of organizations use cloud, shifting their corporate workload there. High costs are for now the greatest concern for cloud adopters, but organizations work on tackling it, either on their own or with the help of Google, Microsoft or AWS consulting specialists.

Despite being welcomed by most, cloud computing is still associated with plenty of complications and threats that haunt adopters and skeptics alike. As a result of persisting misconceptions, some enterprises adapt ill-suited cloud policies and practices, while others abandon cloud migration at early stages or steer clear of it altogether. 

This article will take a closer look at the top five cloud software risks and examine the ways enterprise decision-makers can contain and manage them.

Data security loopholes

Security concerns are the main reason why cloud computing becomes a no-go option for some companies. This consideration particularly inhibits industries handling sensitive customer data: Banks, medical facilities and such can’t afford a single data breach and therefore by default opt for on-premises software.

But these fears are exaggerated. The strength of security boils down to the measure introduced into a corporate environment. Cloud security provisions indeed differ from on-premises ones, but, when enforced correctly, they render the system impregnable.  

See also: Cloud Computing Wins in COVID-19 World  

At the same time, the cloud beats on-premises systems when it comes to compliance with data privacy and security regulations. Since cloud solutions must adhere to every legislative change, the vendors make the effort to update their software timely. On-premises security measures, on the other hand, are taken by each enterprise individually and may be insufficient or timed poorly. Therefore, cloud software can facilitate full compliance for businesses required to follow the GDPR, HIPAA and other regulations.

The prohibitive cost of ownership

Enterprises tend to adopt cloud computing to optimize costs but do not necessarily achieve the desired results. Cloud software is commonly known as a cheaper option because the adopter does not incur implementation, maintenance and security costs. In reality, hidden incremental costs do pile up. 

So, how to estimate whether a cloud solution will indeed be cost-effective?

First off, the responsible parties should factor in the enterprise expansion in the foreseeable future. Because SaaS, PaaS and IaaS licenses directly depend on the number of users, the workforce growth will force subscription prices upward. 

Availability of IT resources is another significant part of the equation. When the company employs a full-time development and support team, then the maintenance of on-premises software should not become a large cost component. If this is not the case, cloud software is a more reasonable option. An outsourced cloud-savvy team can easily cover the demands of initial customization and occasional support, while the updates and patches will be the cloud vendor’s responsibility entirely.  

The final consideration is the time gap between the project kickoff and the moment the software starts bringing value. For companies looking for quick ROI, cloud solutions offer a much shorter time to market compared with traditional on-premises setups.

Software discontinuation

Another of cloud adopters’ fears is that a vendor may all of a sudden go out of business, taking along the product. The possibility of software discontinuation indeed exists, but this is not as common an occurrence as one may think. Oftentimes, companies abandon the software, either cloud-based or on-premises, that grew outdated in the modern technological context and therefore ceased to be valuable to its users. In this case, the customers are alerted well in advance and given enough time to find a substitute. 

To mitigate the risks of possible cloud platform shutdown, companies need to take precautions against vendor lock-in and associated disruptions:

  • Map out an exit strategy before subscribing to a cloud-based product.
  • Study the contract carefully to clearly understand vendor obligations.
  • Maintain data in easily exportable formats.

Management complexity

Hybrid and multi-cloud environments are notorious for bringing confusion into the enterprise setting. As companies take more and more of their workload to the cloud, they sooner or later find themselves unable to fully govern the spiraling infrastructure and ensure its security. This can result in the failure to realize the full potential of the infrastructure, as well as in performance botches, security lags and above-budget spending. 

However, proper planning undertaken way ahead of multi-cloud adoption can greatly mitigate such downsides. Starting from the solution architecture and network topology to interoperability mechanics, the environment should be laid out by experts.

Apart from this, a cloud management platform can provide better visibility across multiple accounts, along with cost and security control. 

Weak connection and network failure

Ironically, the very thing that makes the cloud possible — internet connection — causes most problems in a cloud environment. Cloud outages strike enterprises large and small and cause data and money losses — in 15% of cases, over $5 million per hour of server downtime. These connectivity issues have a particularly damaging impact on hybrid cloud adopters, which rely on unhindered connectivity for unlimited data transmission between different cloud platforms and enterprise data centers.  

See also: Cloud Takes a Starring Role  

Despite being such a thorny aspect, internet connection still has the status of a no-man’s land. On decision-makers’ side, connection tends to be overshadowed by other seemingly more pressing matters such as security, compliance or interoperability. What is more, there is still no consensus about who should take full responsibility for cloud outages—the owner or the service provider. While 65% of businesses rely on cloud software providers for recovery and continuity, according to the Forbes Insights and IBM survey, less than half of them have confidence that vendors would meet their SLAs in case of emergency. 

In reality, both the business and the vendor should be accountable for network connection and data recovery. While the latter has its side of the bargain to deliver on, enterprises might well take a more aggressive stance on cloud uptime provision and immediate network recovery. Thus, employing a single network manager to provide for connectivity now can spare you from hiring a whole emergency support team later.

Challenges, not risks 

Cloud computing is a very young technology that is as attractive to potential adopters as it is intimidating. However, when examined closely, cloud-related risks are reduced to surmountable challenges.

For each of the “risky” aspects — security, cost of ownership, vendor lock-in, management difficulties and connectivity maintenance — the maturing industry is coming up with appropriate solutions. Cloud service providers also recognize the imperatives and fears of today’s enterprises and work to bridge the existing gaps, be it GDPR-compliant data processing or direct connectivity in hybrid clouds. Therefore, one may expect cloud software to become a more sustainable and safer option for enterprises in all verticals.

Top 5 Risks in Specialty Insurance

To help brokers better understand the current risks in specialty insurance and assist their clients, our team at Aon Programs, which serves independent insurance brokers across the U.S. with access to a portfolio of hundreds of specialized insurance programs, identified the top five areas of risk to watch out for.

**********

Flood Risk: Apathy

Too many property owners today are blissfully ignorant to the flood risk they face. Even after the 2017 season, which saw Hurricanes Harvey, Irma and Marie cause billions of dollars of damage to the Southeastern seaboard, the public still struggles to see the value of flood insurance.

During a 30-year mortgage, a property owner is 27 times more likely to experience a flood than a fire, yet only 20% of the damage caused by Harvey was insured by flood insurance. Conversely, 90% of damage caused by the 2017 wildfires in northern California was covered by fire insurance.

After a hurricane season, people tend to think, “It was bad, but we’ll get past this. It won’t happen again.” This is the root of the struggle people have with flood insurance. They get comfortable, and they don’t think ahead, especially while the sun is shining.

Take Florida. While the Sunshine State has a higher ratio of property owners carrying flood insurance than the rest of the nation, inland cities such as Orlando have lower ratios of insured property owners. Most of these homes are outside the 100-year flood plain, and homeowners aren’t required by their mortgage company to buy flood insurance.

FEMA is remapping flood zones in much of the country. For example, Broward County is a coastal area, yet thousands of properties have been moved from A to X-zone, which sends the message that homeowners don’t need flood insurance. Brokers will play a critical role in advising clients to retain coverage.

See also: Protecting Airports From Flood Risk  

Fine Art Risk: Catastrophes

Coupled with the onslaught of wind and flood damage associated with hurricanes Harvey, Irma and Maria, the catastrophic Californian wildfires and mudslides in 2017 were truly alarming from both a personal and insurance industry perspective. In the past, there would be a lull between events, as was the case between Katrina in 2005 and Sandy in 2012. Now, weather-related severity and frequency dynamics are increasing as we face multiple, successive catastrophes in a single year.

Generally, when something gets wet or blown over it can be conserved. But, when it’s incinerated there’s no possibility of restoration, as was the case with the wildfires in California. Many homes, including those in luxurious neighborhoods, were burned to the ground, and the damage caused to art collections was devastating. For instance, one prominent private collector had his home completely burn to the ground. Nearly $10 million worth of artwork went up in smoke. For that particular family the loss was as emotional as much as it was physical – sadly, for the country, an important part of our collective cultural fabric was lost.

Meanwhile, we had another prominent collector with a waterfront home in Palm Beach that experienced hundreds of thousands of dollars of damage from Irma. Given the massive aggregation of wealth in that county, the insurance industry is fortunate that the hurricane tracked west.

Most individuals chose not to carry standalone flood insurance. Fortunately, specialty fine art insurance policies typically do not exclude the peril of flood, so it’s definitely in the financial interest of wealthy individuals with art collections to obtain this essential protection, particularly because homeowners’ policies exclude flood coverage.

Home Health Risk: Malpractice

With the aging of the baby boomer generation has come rapid growth in the home healthcare market. People today do not want to live in nursing homes. They prefer to remain in their residence, where they’re more comfortable living independently and costs are lower.

To meet this demand, home healthcare agencies provide skilled and unskilled services. In addition to nursing care, they provide non-medical custodial care with home health aides and companions who support activities of daily living including: cooking, cleaning and assistance driving patients to appointments. Unfortunately, with the high number of residents needing home healthcare, these agencies are having a hard time keeping up with the demand.

With the overburdening of home care agencies comes malpractice claims. Recently a home health aide took an elderly client shopping— and lost her in the mall. The woman was found the next day outside, having died from exposure to the elements. The result was a malpractice lawsuit that settled close to policy limits.

Common malpractice claims involve helping patients with the support of daily activities, like bathing. Lifting patients adds to the exposure. Brokers should be aware of their home health clients’ exposures, including professional liability and hired/non-owned auto to ensure they have the proper coverage in place.

Special Events Risk: Bodily Injury

Special events cover a wide variety of potential exposures, from a one-day fair at a local church to a week-long art festival at a university, to a musical concert that travels across the country for a year. The venues for each will require your client to provide a certificate of insurance showing general liability coverage.

One of the most common bodily claims we see arises from the use of golf carts. Organizers will use golf carts to run entertainers or staff members from spot to spot on the event grounds. Recently, we settled a claim that exceeded $500,000 at a large fairground where an employee who was headed to the parking lot offered an elderly woman a ride. He made a sharp turn, causing the woman to fall from the cart and suffer a head injury.

If someone were to walk into your office with a special event, you might be intimidated when looking at the venue contracts, especially if the event involves fireworks or liquor liability.

Nonprofit Risk: Cybercrime Notification

Cyber is a top concern for organizations in a multitude of industries, including nonprofits. It is imperative that nonprofits be aware of their own specific cyber situation, especially any geographic-specific legislation with which they need to comply. For example, a primary concern in Florida is the privacy data breach statute, known as the Florida Information Protection Act. The provisions of the law are not very well known in the insurance community, particularly when insuring community associations.

See also: Don’t Risk a Lot for a Little  

Here are the primary provisions of the statute:

  • Any commercial or governmental entity that stores personal information is subject to the law
  • The entity is responsible for taking reasonable measures to protect the data in its care, such as names, email addresses and Social Security numbers
  • Persons affected by a breach must be notified within 30 days from the time it is discovered
  • Violations are subject to a $1,000-a-day fine up to 30 days, and $50,000 fine for each subsequent 30-day period, not to exceed $500,000

Most cyber liability policies will provide some assistance complying with Florida’s notification requirements. The challenge is that there is no standardization within the industry. Many liability policies offer as little as a $25,000 or $50,000 cyber sublimit.

It is important for brokers to make sure their client is receiving coverage for first-party and third-party claims. The IHG D&O policy for community associations provides coverage up to the full limits of the policy for third-party liability claims and $100,000 for first-party expenses such as notification costs.

**********
Staying abreast of emerging risks in the specialty insurance marketplace can help brokers recommend the appropriate coverage to their clients, and minimize their chances of experiencing an errors and omissions claim.

Future of Insurance: Risk Pools of One

In a recent New York Times story, New Gene Test Poses Threat to Insurers, reporter Gina Kolata describes how data transparency and availability are disrupting underwriting for long-term-care insurance. Kolata discusses how this product, challenged for years by inaccurate claims forecasting and sky-high pricing, faces further threat of adverse selection — as a consequence of innovation.

The article highlights challenges that have potential to affect other insurance lines, as well. Carriers should take note.

Companies like 23andme create data asymmetry between a policy buyer and the carrier, with the advantage flipped from the historical norm, where the carrier had the upper hand. With a $199 investment, all of us can now make more informed decisions about which risk pools we may fall into based on the odds, at some point in our lives, of being afflicted by one of 10 diseases covered so far (the company has regulatory support to expand its offering).

The availability of predictive insights into future medical conditions at an affordable retail price signals that we are entering a world where we will be able to prioritize, with more knowledge than ever before available, where to put our insurance premium dollars. We will have more data to assess which risk pools are worth joining.

See also: 3 Key Steps for Predictive Analytics  

This is one more development overturning the business model for life, health and other products. $199 is a good deal when deciding whether to purchase a policy that might cost thousands of dollars in annual premium. The two million people who have already purchased a test kit would likely agree.

Usage-based insurance (UBI) products, such as those offered by Metromile, Progressive and Allstate surface knowledge about an individual that helps the carrier with more precise underwriting, allowing the tailoring of a policy to an individual’s driving behavior. UBI also disrupts traditional risk pool principles. And, it is hard to imagine that UBI won’t hurt those with less favorable profiles. The full consequences to society may not be examined or understood until out into the future, but they are brewing.

The 23andme model exploits personalized data, but from the opposite direction. It puts personalized data in the hands of the individual, off limits from the carrier. The power shifts to the individual, and, because he is under no obligation to share what he knows, now the carrier faces a greater disadvantage.

Carriers can withdraw from markets, skim the beset customers or advocate for the creation of high-risk pools. Let’s hope the insurance sector will also look itself in the mirror and recommit to its purpose as it relates to making it possible for a community to pool resources to protect individuals in an hour of need. The question is: Will insurers find a path to sustain their purpose under rewritten assumptions?

The floodgates demanding reinvention are open. Any insurance player who thinks “this too will pass” or regulations will provide protection may be able to buy time for a while. But chances are his business is already being affected by what data is available to whom and when, by what will be growing data asymmetry working against the traditional insurance model and necessitate a redefinition of how to create and manage risk pools.

Back in the 1990s, businesses began to recognize that the World Wide Web would change the way companies across all sectors engaged with everyone — customers, employees, vendors and all of their other constituents. The notion of individuals, not companies, having greater control over what products and services they chose to buy and use was new. For those of us who were at least young adults at the time, the impact of anyone with connectivity gaining access to information via an act as simple as typing a query into the Google search bar took a while to digest.

The insurance sector is a self-confessed laggard when it comes to internalizing and getting out in front of the implications of the Internet. The underlying business model has been relatively stable for a long time. There is evidence of risk pools going back 5,000 years, when shippers devised pools to protect against loss of cargo and crew at sea. The sheer complexity of managing an insurance business made it of lower interest to startups, at least until the last couple of years.

See also: Let’s Get Rid of Risk Altogether!  

Certainly while insurance companies have introduced countless products, brands have come and gone, and distribution, sales, regulation, automation and every other aspect of the business has evolved, the basics have not changed – the creation and management of a risk pool that is sufficiently durable to pay claims over time, and engagement of a broad community of individuals to feel that their interests are served by participating.

Typically, over the summer, companies on a fiscal calendar year engage in strategic planning processes where leaders take a look out into the future and project the implications of big trends on their long-term financial outlook. It’s a good time to take out a white piece of paper and consider:

  • Recommitting to their purpose as players in the insurance ecosystem
  • Acknowledging what is different, and how to see threat as opportunity
  • Prototyping alternative business models, including product, client interaction, distribution, servicing, underwriting and claims management – in other words, the major operating levers of the business
  • Engaging in serious experimentation to chart paths that are feasible given the changes that are no longer theoretical – they are here.

Top 10 Emerging Social Risks in 2015

Risk managers make many decisions – building valuation, vendor management, employment issues, budget allocation, to list a few. However, in our rapidly changing society, managing risk is more than simply choosing the best insurance package or retention level. We must monitor our world to watch for emerging societal risks that can abruptly increase our day-to-day challenges.

What is an emerging risk? I’m going to borrow a definition from Donald Donaldson of LA Group in Montgomery, Texas. He defines emerging risk as: “A new loss exposure for which a risk treatment has not been identified, or an existing exposure that is evolving and becomes difficult to quantify.” The Organization for Economic Co-operation and Development (OECD) describes “emerging constructs” as “major trends or new and persistent threads of behavior driven by a particular alignment in incentives or a technological innovation.” Whether you define societal risks as emerging risks or constructs, many challenges lie ahead for today’s risk managers.

Using my education, which includes a master’s degree in sociology, and my experience as a risk management professional, I forecast 10 social risks emerging — in some cases swiftly — in 2015 and beyond.

1. Europe, Asia and North America face increased risk of “sleeper cell” terrorist attacks. As attacks increase, so will hate crimes against all Muslims. In response to such attacks, formerly moderate Muslims may become increasingly radicalized. Houses of worship will become much more difficult to insure as hate crimes increase.

2. U.S. police forces will face pressure. They will come under increased scrutiny by the public because of societal tensions, social media and a general distrust of authority. The use of body cameras and ramped-up training will increase, in part to satisfy the demands of insurers, which bear the brunt of adverse claims actions.

Increased terrorism may cause police departments to devote more resources to tracking down and isolating suspects. This may, for a time, tip the scales in favor of police forces. However, an increased focus on terror training leaves police with fewer resources to investigate property and day-to-day crime that we now rely on them to handle expeditiously. Losses will increase and further erode the public’s confidence in the police. The belief that the police are here to protect only the rich and powerful may spread, adding to the public’s growing distrust of authority.

Homeowners’ carriers may find themselves facing unusual risks as more homeowners arm themselves or buy personal protection dogs. Zdenek Blabla, owner of Alpine K-9, imports Czech Border Patrol protection dogs for his clients. “In the past year, I’ve sold several German shepherd dogs to special forces combat officers who don’t want to leave their families without protection during their activation,” he says. “They understand probably better than anyone the dangers we face in today’s society.”

3. Policing agencies across the nation will face increased recruitment and retention difficulties because of a less robust candidate pool and the need for officers who are better-qualified to interact with diverse communities. For years, U.S. police chiefs complained of their inability to attract highly qualified recruits. According to one textbook on policing tactics, “Poor recruitment and selection procedures result in hiring or promoting personnel who cannot or will not communicate effectively with diverse populations, exercise discretion properly or perform the multitude of functions required of the police.” It is clear that today’s U.S. police forces face significant and growing challenges.

4. Schools will focus more on instructing schoolchildren how to protect themselves in risky situations. Examples include how to cooperate with the police in a routine traffic stop or other police intervention, what to do in a hostage situation and “duck and cover” exercises for students in newly emerging earthquake zones. This increased focus on situational awareness will drain resources from already depleted public school funding, ultimately reducing the time spent for the actual education of students.

5. Corporations that rely heavily on suppliers both here and abroad will closely analyze their supply chain risk. With political disruptions likely to increase supply line disruptions, risk managers must analyze sole-source and global suppliers and ensure the organization’s insurance will respond appropriately to these unique risks. As recently as 2014, one major university referred to supply chain disruption from civil unrest as “not a major concern.” Given the recent disturbances in Oakland, CA, New York City and Ferguson, MO, civil unrest is a growing concern for risk managers worldwide in 2015.

6. Employers will realize the need to increase security while also purchasing kidnap and ransom coverage for employees who travel abroad or face domestic terrorism threats. The Charlie Hebdo massacre starkly revealed that Stéphane Charbonnier’s bodyguard was completely unprepared for that brutal attack. Business owners will face the need for improved security measures at their homes and businesses, as well as when their family members travel.

7. Communities will experience an increase in social unrest, driven by social media “flash mob” actions or spontaneous reactions after incidents with racial or equality overtones. Other controversial issues, such as environmental measures and other governmental actions, will trigger increased public discord and civil disruption.

8. Continued weather swings will result in property damage and loss of life from natural disasters. With more money allocated to fight the new wave of terrorism both at home and abroad, fewer federal dollars will be available to help weather-ravaged communities. As we saw after Hurricane Katrina, civil unrest follows when authorities cannot provide adequate protection.

9. Poverty, income disparity, unemployment and dissatisfaction among today’s youth will increase globally. Expect corporate leaders, including top insurers, to more candidly discuss poverty and income disparity, unemployment and dissatisfaction among today’s youth in America, the Middle East and Europe. Graham E. Fuller, author of The Future of Political Islam, discussed this concept in 2003: “The great question for most Middle Eastern societies is who will be able to politically mobilize this youth cohort most successfully: the state, or other political forces, primarily Islamist?” We must not underestimate the ways that unemployment and poverty may lead to the radicalization of youth both here and abroad.

10. Pandemics will threaten local medical resources’ ability to provide adequate medical care. Flu epidemics, tuberculosis, measles and other contagious diseases will make medical management much more onerous. An aging population with chronic conditions will place additional stress on available medical resources. According to the World Health Organization, there is an “emerging global epidemic of diabetes.”

Are these predictions exaggerated? I don’t think so. That advanced degree I mentioned earlier tells me that I have not overstated these predictions; they are credible and approaching quickly. As societies become more complex, yet increasingly related, breakdowns anywhere in the global chain can cause disruptions worldwide.

As risk management professionals, we must do more than simply purchase a coverage portfolio to protect our assets. We must understand and prepare for the societal risks that present unlimited challenges to America’s organizations.

The Right Way to Enumerate Risks

In my experience, there are a number of traps that organizations fall into when they are identifying the risks they face. The traps make it very difficult to manage the risks.

#1 – The Broad Statement

Some organizations fall into the trap of capturing “risks” that are broad statements as opposed to events or incidents. Examples include:

• Reputation damage;
• Compliance failure;
• Fraud
• Environment damage

These terms tell us nothing and cannot be managed – even at a strategic level. Knowing that you might face, say, reputation damage doesn’t help you understand what might hurt your reputation or how you prevent those incidents from happening.

#2 – Causes as Risk

The most common issue I see with risk registers is that many organizations fall into the trap of capturing “risks” that are actually causes as opposed to events/incidents.

The wording that indicates a cause as opposed to a risk include:

• Lack of …. (trained staff; funding; policy direction; maintenance; planning; communication).

• Ineffective …. (staff training; internal audit; policy implementation; contract management; communication).

• Insufficient …. (time allocated for planning; resources applied).

• Inefficient …. (use of resources; procedures).

• Inadequate …. (training; procedures).

• Failure to…. (disclose conflicts; follow procedures; understand requirements).

• Poor….. (project management; inventory management; procurement practices).

• Excessive …. (reporting requirements; administration; oversight).

• Inaccurate…. (records; recording of outcomes).

These “risks” also tell us very little and, once again, cannot be managed. Knowing that you might face a lack of training, for instance, doesn’t tell you what incidents might occur as a result or help you prevent them.

#3 – Consequences as Risk

Another trap that organizations fall into when identifying risk is capturing “risks” that are actually consequences as opposed to events or incidents. Examples include:

• Project does not meet schedule;

• Department does not meet its stated objectives

• Overspending

Once again – these are not able to be managed. Having a project not meet schedule is the result of a series of problems, but understanding the potential result doesn’t help you prevent it.

So, if these are the traps that organizations fall into, then what should our list of risks look like? The answer is simple – they need to be events.

I look at it this way – when something goes wrong like a plane crash, a train derailment, a food poisoning outbreak, major fraud .etc. it is always an event. After the event, there is analysis to determine what happened, why it happened, what could have stopped it from happening and what can be done to try to keep it from happening in the future. Risk management is no different – we are just trying to anticipate and stop the incident before it happens.

The table below shows the similarities between risk management and post-event analysis:

farrar-table

To that end, risk analysis can be viewed as post-event analysis before the event’s occurring.

The rule of thumb I use is that if the risk in your register could not have a post-event analysis conducted on it if it happened – then it is not a risk!

If you apply this approach to your list of risks events, you will:

• Reduce the number of risks in your risk register considerably; and (more importantly)

• Make it a lot easier to manage those risks.

Try it with your risk register and see what results you get.

A Risk Is a Risk

Commonly, people talk of different types of risk: strategic risk, operational risk, security risk, safety risk, project risk, etc.  Segregating these risks and managing them separately can actually diminish your risk-management efforts.

What you need to understand about risk and risk management is that a risk is a risk is a risk — the only thing that differs is the context within which you manage that risk.

All risks are events, and each has a range of consequences that need to be identified and analyzed to gain a full understanding. For example;

You have a group identifying hazard risks, isolated from the risk-management team (a common occurrence), and they tend to look at possible consequences in one dimension only – the harm that may be caused. Decisions on how to handle the risk will be made based on this assessment. What hasn’t been done, however, is to assess the consequence against all of the organizational impact areas that you find in your consequence matrix.  As a result, the assessment of that risk may not be correct; for instance, there may be significant consequences in terms of compliance that don’t show up as an issue in terms of safety.

If you only look at risk in one dimension, you may make a decision that creates a downstream risk that is worse than the event you’re trying to prevent. For instance, you may mitigate a safety-related risk but create an even greater security risk.

The moral of the story: Managing risk in silos will diminish risk management within your organization.

In about 80% of cases, you can’t do anything about the consequences of the event; what you are trying to do is stop the event from happening in the first place.