Sponsored Content by Riskonnect

Integrate Data to Harness its Risk Management Power

Risk managers should take the lead in implementing an integrated data system for all parts of their organization.
February 17, 2017 • 5 min read

Risk management isn’t what it used to be.

Risk managers, CFOs and corporate boards no longer have the luxury of focusing on a defined, static set of risks. Global risks proliferate in number, type and complexity, and the risk environment is changing at an ever-faster pace.

In this environment, organizations must preempt if they can, and be able to adapt and react quickly if they can’t. Efficiency and proactivity aren’t just desirable, they’re essential.

“The approach to risk management needs to change. In addition to responding quickly as events unfold, risk managers need to have the tools to see what’s coming, and the voice to get the attention of senior leaders,” said Quin Rodriguez, Vice President, Strategic Marketing, Riskonnect.

Often, businesses already have what they need to speed up their reaction time and whittle out inefficiencies in risk management: data. Data can provide insight into a company’s key vulnerabilities, and clues for effective risk management strategies. The problem is that the data is siloed in separate administrative systems. Sharing data among different teams and corporate functions allows an organization to take a more integrated approach to risk management. Risk managers just need the tools to do it.

“Integrated Risk Management involves converging data from different sources within the business to provide the C-suite with a strategic view of its exposures. It’s opening windows in the silos to create communication channels and enable data-sharing,” Rodriguez said.

When data is presented in an integrated way, it reveals the totality of risk exposure and provides a top-down view of operational risk data including claims and incidents, which may allow executives and senior managers to identify systemic, organization-wide risks that previously went unrecognized due to departmental silos.

To understand the full scope of risk, organizations need data from all business units and risk and compliance functions, as well as from business partners, suppliers and outsourced vendor services.

“It’s hard to see and appreciate the impact of any risk, much less do anything about it, when you’re only looking at them individually and over a short period of time,” Rodriguez said. “Integrated data enables strategic, real-time decision making with the long view in mind.”

A Platform for Data Sharing

Gartner defines Integrated Risk Management as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”

Despite the benefits of streamlining data systems and sharing information across an organization, a 2015 survey conducted by Gartner revealed that nearly 40 percent of its clients were not using software for governance, risk and compliance, or what is now referred to as IRM. Sixty-five percent of clients were not even familiar with the term GRC. And yet, a separate survey of global executives revealed that 65 percent of execs saw investment in risk management as “falling behind.”

Why aren’t more organizations investing in updated risk management practices and taking an integrated approach? Rodriguez said there are shortfalls both in organizational cultures of risk awareness and in the availability of enabling technologies.

“The technology hasn’t quite been there,” Rodriguez said. “Many vendors have built one-off and niche solutions to meet demands as they arise, resulting in different apps for claims management, safety reporting, internal audit, etc. But there has been no one solution where the data is all accessible at once.”

Riskonnect offers the platform and data services that can unify these separate and siloed solutions. Consolidating claims data, safety reporting, training documents, compliance reports, and other risk management information under one unified hierarchy eases data-sharing without compromising data integrity. It allows risk managers to see the full impact of each risk and understand them in context.

Take the example of a fast food restaurant. A patron comes in for lunch and discovers a bone in his chicken sandwich, which is a safety risk for the customer and a liability risk for the restaurant. The customer complains to the manager, who files an incident report. Then the unhappy customer goes home and shares his experience on social media, denigrating the restaurant for its poorly prepared food. Now that bone is a reputational risk that could affect other restaurant locations as well.

“What we’re seeing is these risk managers are having greater visibility into these risks, and they’re starting to ask us for more information,” Rodriguez said. “They want to be able to see the operational impact of a reputational risk and determine how to mitigate it.”

Rodriguez described another client who was seeing a lot of claims tied to environmental health and safety, but couldn’t determine where the common vulnerability was that was allowing things to slip through the cracks. Part of the problem was that the claims management team and the safety team weren’t communicating.

If there was an injury, the safety team would file a report, but the claims team did not have access to their system and thus could not see the report. They would not know about the incident until the injured employee filed a workers’ compensation claim.

“Safety reporting should be tied to claims, which should be tied to safety auditing,” Rodriguez said. “The injury report should be filed in the same system as claims so that the claims team can identify that report as a potentially insurable risk. When data is integrated, they know what’s coming.”

“Any time you can break down the silos and create common sources of data, normalize them, and ease communication, you achieve an integrated risk management approach that ultimately helps to create efficiency and mitigate losses,” Rodriguez said.

Implementing Integrated Risk Management

Switching to one unified system works best when there is support from all departments. Managers of different business units will need to expand their view outward and look to synchronize their data collecting and reporting with their counterparts throughout the organization.

But there also needs to be an appetite for integration at the executive and board level, Rodriguez said.

“We have clients that use five, six, seven different solutions of ours and may not have the required appetite to really normalize that data at the C-suite level. There needs to be a desire at that level to really put data to work and develop a purpose for it,” he said. “Otherwise, they’re just going to get another dashboard.”

This is where risk managers can take a leading role and elevate their strategic contribution to their organization.

“Risk managers already collect so much information, but with an integrated risk management approach they can bring better data to their bosses that has a clear purpose,” Rodriguez said. “Harnessing shared data can get risk managers a seat at the table.”

To learn more about integrated risk management solutions, visit https://riskonnect.com/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Riskonnect. The editorial staff of Risk & Insurance had no role in its preparation.




Riskonnect is the only global provider of Integrated Risk Management technology solutions. Built on the world’s leading cloud platform, Riskonnect finally allows you to break down the silos and unite your entire organization.

Cyber Liability

Fresh Worries for Boards of Directors

New cyber security regulations increase exposure for directors and officers at financial institutions.
June 1, 2017 • 6 min read

Boards of directors could face a fresh wave of directors and officers (D&O) claims following the introduction of tough new cybersecurity rules for financial institutions by the New York State Department of Financial Services (DFS).

Prompted by recent high profile cyber attacks on JPMorgan Chase, Sony, Target, and others, the state regulations are the first of their kind and went into effect on March 1.

The new rules require banks, insurers and other financial institutions to establish an enterprise-wide cybersecurity program and adopt a written policy that must be reviewed by the board and approved by a senior officer annually.

The regulation also requires the more than 3,000 financial services firms operating in the state to appoint a chief information security officer to oversee the program, to report possible breaches within 72 hours, and to ensure that third-party vendors meet the new standards.

Companies will have until September 1 to comply with most of the new requirements, and beginning February 15, 2018, they will have to submit an annual certification of compliance.

The responsibility for cybersecurity will now fall squarely on the board and senior management actively overseeing the entity’s overall program. Some experts fear that the D&O insurance market is far from prepared to absorb this risk.

“The new rules could raise compliance risks for financial institutions and, in turn, premiums and loss potential for D&O insurance underwriters,” warned Fitch Ratings in a statement. “If management and directors of financial institutions that experience future cyber incidents are subsequently found to be noncompliant with the New York regulations, then they will be more exposed to litigation that would be covered under professional liability policies.”

D&O Challenge

Judy Selby, managing director in BDO Consulting’s technology advisory services practice, said that while many directors and officers rely on a CISO to deal with cybersecurity, under the new rules the buck stops with the board.

“The common refrain I hear from directors and officers is ‘we have a great IT guy or CIO,’ and while it’s important to have them in place, as the board, they are ultimately responsible for cybersecurity oversight,” she said.

William Kelly, senior vice president, underwriting at Argo Pro, said that unknown cyber threats, untested policy language and developing case laws would all make it more difficult for the D&O market to respond accurately to any such new claims.

“Insurers will need to account for the increased exposures presented by these new regulations and charge appropriately for such added exposure,” he said.

Going forward, said Larry Hamilton, partner at Mayer Brown, D&O underwriters also need to scrutinize a company’s compliance with the regulations.

“To the extent that this risk was not adequately taken into account in the first place in the underwriting of in-force D&O policies, there could be unanticipated additional exposure for the D&O insurers,” he said.

Michelle Lopilato, Hub International’s director of cyber and technology solutions, added that some carriers may offer more coverage, while others may pull back.

“How the markets react will evolve as we see how involved the department becomes in investigating and fining financial institutions for noncompliance and its result on the balance sheet and dividends,” she said.

Christopher Keegan, senior managing director at Beecher Carlson, said that by setting a benchmark, the new rules would make it easier for claimants to make a case that the company had been negligent.

“If stock prices drop, then this makes it easier for class action lawyers to make their cases in D&O situations,” he said. “As a result, D&O carriers may see an uptick in cases against their insureds and an easier path for plaintiffs to show that the company did not meet its duty of care.”

One area that regulators and plaintiffs might seize upon is the certification compliance requirement, according to Rob Yellen, executive vice president, D&O and fiduciary liability product leader, FINEX at Willis Towers Watson.

“A mere inaccuracy in a certification could result in criminal enforcement, in which case it would then become a boardroom issue,” he said.

A big grey area, however, said Shiraz Saeed, national practice leader for cyber risk at Starr Companies, is determining if a violation is a cyber or management liability issue in the first place.

“The complication arises when a company only has D&O coverage, but it doesn’t have a cyber policy and then they have to try and push all the claims down the D&O route, irrespective of their nature,” he said.

Jim McCue, managing director at Aon’s financial services group, said many small and mid-size businesses may struggle to comply with the new rules in time.

“It’s going to be a steep learning curve and a lot of work in terms of preparedness and the implementation of a highly detailed cyber security program, risk assessment and response plan, all by September 2017,” he said.

The new regulation also has the potential to impact third parties including accounting, law, IT and even maintenance and repair firms who have access to a company’s information systems and personal data, said Keegan.

“That can include everyone from IT vendors to the people who maintain the building’s air conditioning,” he said.

New Models

Others have followed New York’s lead, with similar regulations being considered across federal, state and non-governmental regulators.

The National Association of Insurance Commissioners’ Cyber-security Taskforce has proposed an insurance data security model law that establishes exclusive standards for data security and investigation, and notification of a breach of data security for insurance providers.

Once enacted, each state would be free to adopt the new law. However, “our main concern is if regulators in different states start to adopt different standards from each other,” said Alex Hageli, director, personal lines policy at the Property Casualty Insurers Association of America.

“It would only serve to make compliance harder, increase the cost of burden on companies, and at the end of the day it doesn’t really help anybody.”

Richard Morris, partner at law firm Herrick, Feinstein LLP, said companies need to review their current cybersecurity program with their chief technology officer or IT provider.

“Companies should assess whether their current technology budget is adequate and consider what investments will be required in 2017 to keep up with regulatory and market expectations,” he said. “They should also review and assess the adequacy of insurance policies with respect to coverages, deductibles and other limitations.”

Adam Hamm, former NAIC chair and MD of Protiviti’s risk and compliance practice, added: “With New York’s new cyber regulation, this is a sea change from where we were a couple of years ago and it’s soon going to become the new norm for regulating cyber security.”

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda.