Risks Ahead

RIMS 2014 Annual Conference & Exhibition Denver

 The RIMS 2014 Annual Conference & Exhibition, held in Denver on April 27 to 30, provided an opportunity for attendees to learn what steps they can take to protect their organizations against both established and emerging risks. Topics discussed ranged from cyber security to supply chain risks, terrorism and the role of the risk professional.

INTERCONNECTED CYBER RISKS

It is not news that cyber risks are increasing, but the issue has the potential for much further implications than previously seen, Dan Riordan, CEO of Zurich Global Corporate North America, said during a press conference at the RIMS 2014 Annual Conference & Exhibition in Denver.

“What is different is just how quickly the cyber risk landscape is changing,” Riordan said in releasing reports detailing risk management insights for seven key industry sectors and business areas.

These reports expand on Risk Nexus: Beyond Data Breaches: Global Interconnections of Cyber Risk, the product of a year-long study by Zurich Insurance Group and international think-tank, the Atlantic Council. The sector reports are for automotive, construction, health care, information technology, larger corporations, small and mid-sized entities (SMEs), and governments.

Jason Healey, report author and director of the Atlantic Council’s Cyber Statecraft Initiative, recommended looking beyond the usual suspects – data breaches, fraud and identify theft – and exploring what the next big cyber risks could be in two, three or five years time.

“As risk managers and cyber security professionals, we tend to look at risk as if it’s self-contained within our own organization,” Healey said. But as the recent Heartbleed incident illustrated, it is clear “that we are critically vulnerable to something that none of us had ever really heard about, because it was laid outside of the four walls of the company, outside of corporate control.”

The sector-specific reports delve into the global interconnections of risk. “It struck us that the way we look at cyber risk today is extremely similar to how we looked at financial risk prior to 2008,” he said, namely one risk at a time, that things are not correlated and a cascade of effects is not possible.

Recommendations for managing risk include some combination of the following actions:

• shifting from protection to resilience;

• improving basic cyber security;

• embracing new technology, but carefully managing the risks;

• implementing incident response and business continuity planning;

• focusing on interconnection risks;

• pushing out the risk horizon and looking beyond its four walls; and

• practising board-level risk management.

These changes may appear daunting to SMEs that unlikely have the resources that larger companies do. Healey argues, however, that SMEs should consider their advantages. “They’ve got more agility; they’ve got more personal relationships that they can draw on than a big company,” he told Canadian Underwriter.

SMEs will need to use the cloud and leverage IT wherever they can. “So, absolutely do cloud, do the rest of it, but at least be thinking about the security aspects of it. Ask the questions,” he said.

“It is going to be more secure and resilient over the longer term to go to the cloud,” Healey noted. That said, should something go awry, it is essential to “have some kind of back-up, have some kind of manual workaround.”

SMEs face the same issues as larger firms, Riordan noted in an interview.

It is “the same issues of resiliency, encouraging that resiliency, improving that resiliency over time on a smaller scale,” he pointed out. There is “the same need to prepare, to have business continuity planning, to identify it as a holistic issue for the entire company, not just for the IT guy,” Riordan emphasized.

Healey added that cyber security issues need to be considered right down the line. “Everybody is outsourcing further and further,” he said, in some sectors to much smaller players. “We know the classic service providers and the rest, but who do they outsource to?”

SUPPLY CHAIN FEARS ON THE RISE

Supply chain failures, data breaches and political instability are among the issues weighing on the minds of executives for businesses in the United States and Canada with plans to expand operations overseas this year, note survey results released at RIMS 2014 by the Chubb Group of Insurance Companies.

Representing the top overseas business threat, supply chain failure was cited by 19% of respondents to the 2014 Chubb Multinational Risk Survey. Findings are based on a survey of 300 senior executives, done by JLA Strategic Research.

Rounding out the top four issues for respondents was a data breach/cyber event, cited by 15%; government/regulatory investigation and political instability, each cited by 13%; and natural catastrophe, cited by 12%.

Survey findings also show that 52% of polled businesses plan to increase overseas activity in 2014, 27% of respondents expect to increase overseas travel, 27% expect to introduce new products in foreign markets, and 26% expect to increase employee headcount abroad.

As companies large and small “expand their international business operations, companies need to take a more holistic or global approach to managing risk,” says Kathleen Ellis, senior vice president and worldwide manager for Chubb Multinational Solutions. “They increasingly are being confronted by political and economic turmoil, natural and man-made disasters, and regulatory hurdles.”

Of concern is that just 56% of polled companies have a business continuity plan that addresses overseas risks, and 22% of companies with a plan have never tested it. “Companies are left exposed to significant supply chain failures and associated business interruption costs that can undermine their financial results and stability,” Ellis cautions.

TERRORISM/SABOTAGE UNDERRATED

The majority of surveyed executive and non-executive directors of captive insurance companies that Aon manages agree that as the Terrorism Risk Insurance Act (TRIA) expiration approaches, terrorism should be ranked higher.

The survey, results of which were released by Aon Risk Solutions at RIMS 2014, are detailed in the 2014 Underrated Threats report. The report highlights concerns over the top 50 key risk ranking in Aon’s 2013 Global Risk Management Survey (GRMS), which gathered input from 1,415 respondents in 70 countries.

More than half of respondents to the web-based underrated risks research reported a ranking of 46 in the GRMS was too low for terrorism risk, given the pending expiration of TRIA. “It is barely conceivable that a little over a decade after one of the most impactful risk events in recent world history, the ranking for terrorism is so low,” the report states.

In June, the Senate Banking Committee in the United States approved a bill to extend the TRIA program for another seven years, although questions remain.

Aon research indicates that if TRIA was not renewed, many industries would be at a high risk: health care, transportation, real estate and financial institutions. “Preparing ahead of the expiration deadline becomes crucial for companies that may be facing several challenges at this renewal, such as the impact on embedded TRIA coverage, standalone terrorism pricing and TRIA captive placements.”

RISK MANAGEMENT UNDER-UTILIZED

The vast majority of C-suite respondents taking part in the 11th annual Excellence in Risk Management Survey say that risk management is playing a more strategic role within organizations, but its full potential is not being realized.

The survey, released jointly by Marsh and RIMS during RIMS 2014, was compiled from online responses received in February from almost 600 risk prof essionals, C-suite executives and others involved in risk-related functions.

In all, 93% of C-suite respondents indicated risk management carries either some or significant impact on setting their organization’s business strategy. But only 20% of C-suite respondents reported their organizations use the risk management function to its fullest abilities.

Brian Elowe, a managing director at Marsh, noted that “if used properly, data and analytics can help organizations make better business decisions while at the same time, increase the profile of risk management within the organization.”