Column: Risk Management

The Risk of Lawlessness

By: | April 7, 2017 • 2 min read
Joanna Makomaski is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at [email protected]

Laws at their core are intended to protect us, enforce our rights and help resolve disputes.

Laws are usually never invented overnight. Enduring laws can take centuries of precedent, research, philosophy and trials. Laws deter people from behaving in ways that can cause harm.

But every day I read about cuts in U.S. regulatory agency staffing, research, inspections and enforcement, coupled with a mandate to shed two rules for every one that is established. I hear unnerving calls for the “deconstruction of the administrative state.”

Why is this happening? Have laws unfairly oppressed or stifled us? Has innovation been stunted?

More curiously, what do we think will happen if we relax the rules around our rights, air, water, food, drugs, buildings, roads and the marketplace?

My own experience has given me insight, and fortunately solace as well, on the effect of government ceasing the regulation of business. Ironically, this deregulation was the impetus for me entering the risk management world.

Without rules, organizations that don’t self-regulate will eventually fail.

I worked in the oil and gas pipeline industry for 15 years as a chief engineer. Charged with hundreds of construction and refurbishments projects, there wasn’t an area of the industry, regulations and code books with which I was not familiar.

Advertisement




In the mid 1990s, codes started to change. This was around the time pipelines were spontaneously erupting from stress-corrosion cracking.

One thought regulators would tighten the construction rules but instead they went the other way. They wanted to shed the liability for the construction codes in the event anything went wrong.

The codes moved from being “prescriptive” to “performance” based. They now said the company could bury the pipeline as deep as they liked as long as it could be justified with a “risk assessment” — the first time I came face-to-face with the term.

With all the newfound freedom, no rules to follow and no one to say “gotcha,” we could have designed the pipeline to any inexpensive depth, and coupled it with “risk assessment” to support the decision.

Shareholders would be ecstatic, right? It would have been so easy to build to a third of the depth. But, we didn’t. Why?

We knew, call it a tacit assumption, that if we ever did cause harm, it would not be good for business. Running a safe and reliable pipeline supported our reputation.

This precious reputation was our latchkey to the backyards where we intended to run pipe, to farms whose irrigation systems we needed to disrupt and to aboriginal lands where we needed to house our equipment.

Without rules, organizations that don’t self-regulate will eventually fail. To those organizations that plan to “benefit” from the deconstruction of the administration, clearly you are also planning to fail. &

More from Risk & Insurance

More from Risk & Insurance

2017 RIMS

Cyber Threat Will Get More Difficult

Companies should focus on response, resiliency and recovery when it comes to cyber risks.
By: | April 19, 2017 • 2 min read
Topics: Cyber Risks | RIMS

“The sky is not falling” when it comes to cyber security, but the threat is a growing challenge for companies.

“I am not a cyber apocalyptic kind of guy,” said Gen. Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, who currently is a principal at the Chertoff Group, a security consultancy.

Gen. Michael Hayden, former head of the CIA and NSA, and principal, The Chertoff Group

“There are lots of things to worry about in the cyber domain and you don’t have to be apocalyptic to be concerned,” said Hayden prior to his presentation at a Global Risk Forum sponsored by Lockton on Sunday afternoon on the geopolitical threats facing the United States.

“We have only begun to consider the threat as it currently exists in the cyber domain.”

Hayden said cyber risk is equal to the threat times your vulnerability to the threat, times the consequences of a successful attack.

At present, companies are focusing on the vulnerability aspect, and responding by building “high walls and deep moats” to keep attackers out, he said. If you do that successfully, it will prevent 80 percent of the attackers.

“It’s all about making yourself a tougher target than the next like target,” he said.

But that still leaves 20 percent vulnerability, so companies need to focus on the consequences: It’s about response, resiliency and recovery, he said.

The range of attackers is vast, including nations that have used cyber attacks to disrupt Sony (the North Koreans angry about a movie), the Sands Casino (Iranians angry about the owner’s comments about their country), and U.S. banks (Iranians seeking to disrupt iconic U.S. institutions after the Stuxnet attack on their nuclear program), he said.

“You don’t have to offend anybody to be a target,” he said. “It may be enough to be iconic.”

The world order that has existed for the past 75 years “is melting away” and the world is less stable.

And no matter how much private companies do, it may not be enough.

“The big questions in cyber now are law and policy,” Hayden said. “We have not yet decided as a people what we want or will allow our government to do to keep us safe in the cyber domain.”

The U.S. government defends the country’s land, sea and air, but when it comes to cyber, defenses have been mostly left to private enterprises, he said.

“I don’t know that we have quite decided the balance between the government’s role and the private sector’s role,” he said.

As for the government’s role in the geopolitical challenges facing it, Hayden said he has seen times that were more dangerous, but never more complicated.

The world order that has existed for the past 75 years “is melting away” and the world is less stable, he said.

Nations such as North Korea, Iran, Russia and Pakistan are “ambitious, brittle and nuclear.” The Islamic world is in a clash between secular and religious governance, and China, which he said is “competitive and occasionally confrontational” is facing its own demographic and economic challenges.

“It’s going to be a tough century,” Hayden said.

Anne Freedman is managing editor of Risk & Insurance. She can be reached at [email protected]