<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Public Risk Management Organisation</title>
	<atom:link href="http://www.primo-europe.eu/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.primo-europe.eu</link>
	<description>European Platform for knowledge sharing &#38; dialogue in the public domain</description>
	<lastBuildDate>Sun, 19 May 2013 18:14:47 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Managing the people side of risk</title>
		<link>http://www.primo-europe.eu/2013/05/19/managing-the-people-side-of-risk/</link>
		<comments>http://www.primo-europe.eu/2013/05/19/managing-the-people-side-of-risk/#comments</comments>
		<pubDate>Sun, 19 May 2013 11:40:07 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Article]]></category>
		<category><![CDATA[Library]]></category>
		<category><![CDATA[risk culture]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=5148</guid>
		<description><![CDATA[Companies can create a powerful risk culture without turning the organization upside down. By Alexis Krivkovich and Cindy Levy for McKinsey &#38; Company Insights &#38; Publications Most executives take managing risk quite seriously, the better to avoid the kinds of crises that can destroy value, ruin reputations, and even bring a company down. Especially in the wake [...]]]></description>
				<content:encoded><![CDATA[<h4 id="rightframe_2_articleDescription"><span style="color: #888888"><a href="http://www.mckinsey.com/Insights"><img class="alignright size-full wp-image-5149" alt="McKinseyCompany 240x180" src="http://www.primo-europe.eu/files/2013/05/McKinseyCompany-240x180.jpg" width="240" height="180" /></a>Companies can create a powerful risk culture without turning the organization upside down.</span></h4>
<p><strong>By <span style="color: #990000">Alexis Krivkovich</span></strong> and <strong><span style="color: #990000">Cindy Levy</span></strong> for <a href="http://www.mckinsey.com/Insights">McKinsey &amp; Company Insights &amp; Publications</a></p>
<p><strong>Most executives</strong> take managing risk quite seriously, the better to avoid the kinds of crises that can destroy value, ruin reputations, and even bring a company down. Especially in the wake of the global financial crisis, many have strived to put in place more thorough risk-related processes and oversight structures in order to detect and correct fraud, safety breaches, operational errors, and overleveraging long before they become full-blown disasters.</p>
<p>Yet processes and oversight structures, albeit essential, are only part of the story. Some organizations have found that crises can continue to emerge when they neglect to manage the frontline attitudes and behaviors that are their first line of defense against risk. This so-called risk culture<a href="http://www.mckinsey.com/insights/Risk_Management/Managing_the_people_side_of_risk#" rel="#footnote1"><sup>1</sup></a> is the milieu within which the human decisions that govern the day-to-day activities of every organization are made; even decisions that are small and seemingly innocuous can be critical. Having a strong risk culture does not necessarily mean taking less risk. Companies with the most effective risk cultures might, in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing in organic growth. Those with an ineffective risk culture might be taking too little. <a href="http://www.mckinsey.com/insights/Risk_Management/Managing_the_people_side_of_risk">Read more &gt;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/05/19/managing-the-people-side-of-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Global Risk Management Survey 2013</title>
		<link>http://www.primo-europe.eu/2013/05/05/global-risk-management-survey-2013/</link>
		<comments>http://www.primo-europe.eu/2013/05/05/global-risk-management-survey-2013/#comments</comments>
		<pubDate>Sun, 05 May 2013 08:07:09 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[public governance]]></category>
		<category><![CDATA[risk culture]]></category>
		<category><![CDATA[risk survey]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=5131</guid>
		<description><![CDATA[Aon&#8217;s 2013 Global Risk Management Survey report is part of this process, capturing the latest risk trends and priorities facing companies around the world. The report unveiled the top 10 risks now and three years in the future. Conducted in Q4 2012, the web-based survey gathered input from 1,415 respondents — a 47 percent increase [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.primo-europe.eu/files/2013/05/Global-Risk-Management-Survey-240x180.jpg"><img class="alignright size-full wp-image-5135" alt="Global Risk Management Survey 240x180" src="http://www.primo-europe.eu/files/2013/05/Global-Risk-Management-Survey-240x180.jpg" width="240" height="179" /></a></p>
<p>Aon&#8217;s 2013 Global Risk Management Survey report is part of this process, capturing the latest risk trends and priorities facing companies around the world. The report unveiled the top 10 risks now and three years in the future.</p>
<p>Conducted in Q4 2012, the web-based survey gathered input from 1,415 respondents — a 47 percent increase in respondents from the 2011 survey — from 70 countries in all regions of the world and was conducted in 10 languages. Here are the top 10 risks ranked in the report:</p>
<table width="500" border="0" cellspacing="0" cellpadding="5">
<tbody>
<tr>
<td valign="top">Economic slowdown/slow recovery</td>
<td valign="top">1</td>
<td valign="top">1</td>
</tr>
<tr>
<td valign="top">Regulatory/legislative changes</td>
<td valign="top">2</td>
<td valign="top">2</td>
</tr>
<tr>
<td valign="top">Increasing competition</td>
<td valign="top">3</td>
<td valign="top">3</td>
</tr>
<tr>
<td valign="top">Damage to reputation/brand</td>
<td valign="top">4</td>
<td valign="top">8</td>
</tr>
<tr>
<td valign="top">Failure to attract or retain top talent</td>
<td valign="top">5</td>
<td valign="top">5</td>
</tr>
<tr>
<td valign="top">Failure to innovate/meet customer needs</td>
<td valign="top">6</td>
<td valign="top">4</td>
</tr>
<tr>
<td valign="top">Business interruption</td>
<td valign="top">7</td>
<td valign="top">11</td>
</tr>
<tr>
<td valign="top">Commodity price risk</td>
<td valign="top">8</td>
<td valign="top">7</td>
</tr>
<tr>
<td valign="top">Cash flow/liquidity risk</td>
<td valign="top">9</td>
<td valign="top">10</td>
</tr>
<tr>
<td valign="top">Political risk/uncertainties</td>
<td valign="top">10</td>
<td valign="top">6</td>
</tr>
</tbody>
</table>
<p>In addition to identifying the top risk concerns facing companies today, the survey findings also cover the following topics:</p>
<ul>
<li>How companies identify and assess risk</li>
<li>Approach to risk management and board involvement</li>
<li>Risk management functions</li>
<li>Insurance markets</li>
<li>Risk financing</li>
<li>Global programs</li>
<li>Captives <a href="http://www.aon.com/2013GlobalRisk/">Read more &gt;</a></li>
</ul>
<p><a href="http://www.aon.com/forms/2013/form-2013-ars-risk-survey.html">Download report</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/05/05/global-risk-management-survey-2013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Europe debates risk to bees</title>
		<link>http://www.primo-europe.eu/2013/04/27/europe-debates-risk-to-bees/</link>
		<comments>http://www.primo-europe.eu/2013/04/27/europe-debates-risk-to-bees/#comments</comments>
		<pubDate>Sat, 27 Apr 2013 21:17:16 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[environment]]></category>
		<category><![CDATA[public risk management]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=5097</guid>
		<description><![CDATA[By Daniel Cressey for Nature &#8220;Across the globe, hives of honeybees are dying off in a phenomenon known as colony collapse disorder. Among the proposed culprits are pesticides called neonicotinoids, which are supposed to be less harmful to beneficial insects and mammals than the previous generation of chemicals. Debate over neonicotinoids has become fierce. Conservation groups and [...]]]></description>
				<content:encoded><![CDATA[<p><strong>By</strong> <a href="http://www.nature.com/news/europe-debates-risk-to-bees-1.12857#auth-1">Daniel Cressey</a> for Nature</p>
<p>&#8220;Across the globe, hives of honeybees are dying off in a phenomenon known as colony collapse disorder. Among the proposed culprits are pesticides called neonicotinoids, which are supposed to be less harmful to beneficial insects and mammals than the previous generation of chemicals.</p>
<p>Debate over neonicotinoids has become fierce. Conservation groups and politicians in the United Kingdom and Europe have called for a ban on their use, but agricultural organizations have said that farmers will face hardship if that happens. Next Monday, European governments will take a crucial vote on whether to severely restrict or ban three neonicotinoids.&#8221; <a href="http://www.nature.com/news/europe-debates-risk-to-bees-1.12857">Read more &gt;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/04/27/europe-debates-risk-to-bees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk Innovation Spain</title>
		<link>http://www.primo-europe.eu/2013/04/21/risk-innovation-spain/</link>
		<comments>http://www.primo-europe.eu/2013/04/21/risk-innovation-spain/#comments</comments>
		<pubDate>Sun, 21 Apr 2013 08:54:33 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[PRIMO]]></category>
		<category><![CDATA[Spain]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[public risk management]]></category>
		<category><![CDATA[risk culture]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=4985</guid>
		<description><![CDATA[The economic crisis in Spain has led to an increased awareness among senior executives of how risk must be managed globally. Read more &#62; Read more &#62; (in Spanish) Source: Strategic Risk]]></description>
				<content:encoded><![CDATA[<div>
<p>The economic crisis in Spain has led to an increased awareness among senior executives of how risk must be managed globally. <a href="http://edition.pagesuite-professional.co.uk//launch.aspx?eid=fe96530e-c418-47a9-885e-eb49e8482f09">Read more &gt;</a></p>
</div>
<p><a href="http://edition.pagesuite-professional.co.uk//launch.aspx?eid=4c246f44-0fd7-49d6-adcb-d3182cbe688b">Read more &gt;</a> (in Spanish)</p>
<p>Source: <a href="http://www.strategic-risk.eu/home/">Strategic Risk</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/04/21/risk-innovation-spain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO 31000</title>
		<link>http://www.primo-europe.eu/2013/04/12/iso-31000/</link>
		<comments>http://www.primo-europe.eu/2013/04/12/iso-31000/#comments</comments>
		<pubDate>Fri, 12 Apr 2013 09:10:17 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[Magazine]]></category>
		<category><![CDATA[PRIMO]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[public risk management]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=4970</guid>
		<description><![CDATA[A framework in development By Ed Mallens and Jack P. Kruf The International Organization for Standardization (ISO) has worked on the ISO 31000 as referential framework for risk management in organizations. The setting has been outlined by ISO very clearly: “Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.iso.org/iso/home.html"><img class="alignright size-full wp-image-4971" alt="" src="http://www.primo-europe.eu/files/2013/04/ISO.jpeg" width="234" height="215" /></a></p>
<h3><span style="color: #808080"><strong>A framework in development</strong></span></h3>
<p><strong>By <span style="color: #990000">Ed Mallens</span></strong> and <span style="color: #990000"><strong>Jack P. Kruf</strong></span></p>
<p>The <a href="http://www.iso.org/iso/home.html">International Organization for Standardization</a> (ISO) has worked on ISO 31000 as a referential framework for risk management in organizations. The setting has been outlined by ISO very clearly:</p>
<p><em>“Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty.”</em></p>
<p>The framework is still very young, published in 2009, and is in a stage of further development. PRIMO concludes that despite this the framework is complete in its essence. The ISO has elaborated Principles and guidelines, a vocabulary as well as risk assessment techniques, all united in <a href="http://www.iso.org/iso/home/news_index/news_archive/news.htm?Refid=Ref1586">the risk management toolbox</a>. ISO 31000 describes the principles and guidelines to identify, analyze and treat uncertainties in relevant business processes. With its framework it describes in headlines how goals can be reached successfully and how the related management can be secured in an organisation. It is a useful document for employees, managers, and directors in public organizations. It’s a practical and easy to read document.<span id="more-4970"></span></p>
<p>Knight (2010), chairman of the committee ISO 31000, who worked on the standards and guidelines:</p>
<p><em>“Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. This new definition is clearly different from existing guidelines on the management of risk in that the emphasis is shifted from something happening – the event – to the effect of uncertainty on objectives. Every organization has objectives – strategic, tactical and operational – to achieve and, in order to achieve these objectives, it must manage any uncertainty that will have an effect on their achievement. The really successful organization … work on understanding the uncertainty involved in achieving their objectives and ensuring they manage their risks so as to ensure a successful outcome.”</em></p>
<p><strong><span style="color: #990000">Remarks</span></strong><br />
PRIMO Europe places the following remarks at the new ISO 31000 model:</p>
<ul>
<li>Risk management has matured to a first phase (1.0) of development by this standard. It can form a basis for public organizations in improving their approach to assessing and addressing risk.</li>
<li>It needs further development for true use in relation to public risk management as a whole, because of the higher complexity of this in comparison to <em>Enterprise Risk Management</em> (ERM). We are convinced that politics and governing councils play a crucial role in the creation and management of public risks. The difference in the dynamics of this in relation to the ISO 31000 model is interesting and challenging.</li>
<li>All kinds of organizations can use the framework.</li>
<li>Communication within or between organizations can be improved using the common language within the framework.</li>
<li>Transparency of organizations and between politics, governing councils and management increases taking this document as a guide.</li>
<li>The document can easily be used throughout the whole organization. As Kevin Knight brings forward:</li>
</ul>
<p><em>“Many organizations prefer to spend time debating whether to introduce “total risk management”, or “holistic risk management”, or “enterprise risk management”, or “enterprise wide risk management”, or “strategic risk management”. Others are content to settle for a “tick and flick” compliance programme that keeps the regulators happy.”</em></p>
<ul>
<li>Benefits: local and regional government can become more robust while using it and less sensitive to unexpected events. They can allocate their threats more proactively and make the opportunities more profitable using the model.</li>
</ul>
<p><span style="color: #990000"><strong>Process</strong></span><br />
The risk management process demands specific attention for the context. This is important to make the evaluation and treatment of the risk effective. Knowledge of the organization, its structure and cultural topics supports the effectiveness of risk treatment activities. Continuous communication within the organization and with the stakeholders is of great value. This is denoted by the term <em>communication and consultation</em>.</p>
<p>The risk management process becomes transparent. The operation of the process and its progress are denoted by the terms <em>monitoring and review</em>. This gives a clear view of the added value of the risk management process and an inside view of the operation of the process.</p>
<p><span style="color: #990000"><strong>Frame</strong></span><br />
Risk management is fully a part of all the processes and activities in a (public) organization. To make this a reality, an organization-wide frame is specified in this chapter. Because of the frame the risk management function can be described.</p>
<p>Explicitly, this concerns the tasks, responsibilities and competencies of the employees who are working on risk management. The board of directors and senior management show the impact of risk management to the organisation.</p>
<p>The committed mandate makes the essential phases of the framework operable. This includes the validation and development of the frame. The frame is logically related to the process(es). Risk management processes can exist multifunctional because of differences in projects, locations, competences of the workers as well as the specific issues of the speciality.</p>
<p><span style="color: #990000"><strong>Principles</strong></span><br />
They are the reference by which risk management is organized and finds its meaning for the organization. The 11 principles are subject to auditors for investigation and the communication of the board with their stakeholders. The organization must, especially to itself, clarify what has been established during a certain period of time. The Principles are input for both the Frame and the Process. They are the soul of the risk management structure and culture of the organisation. They make it possible to show the developments that have been established.</p>
<p><span style="color: #990000"><strong>Enterprise Risk Management</strong></span><br />
The most elaborate and generic report is <a href="http://www.primo-europe.eu/files/2013/04/ERM-and-ISO-31000.pdf">ERM and ISO 31000</a> by <a href="http://www.airmic.com">Airmic</a> &#8211; the Association of Insurance and Risk Managers in Industry and Commerce &#8211;, <a href="http://www.alarm-uk.org">Alarm</a> &#8211; the Public Risk Management Association &#8211; and <a href="http://www.theirm.org">IRM</a> &#8211; The Institute of Risk Management. It gives a complete overview of all aspects of steering and governing the enterprise from the perspective of risk management. The purpose of the guide:</p>
<p><em>“A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support.”</em></p>
<p><span style="color: #990000"><strong>Public Risk Management</strong></span><br />
Risk management is increasingly becoming a major focus for regional political leaders. Within a more pronounced context of a search for efficiency, of diversification tools for public service and development of partnerships, risk management is a key element of public management. It is as much part of the optimization of resources as of the attainment of objectives. Gérard Combe, Vice-President of PRIMO Europe (Public Risk Management Organisation) and founder of the UDITE (Federation of European Local Authority Chief Executive Officers), stressed in 2011 (Barcelona meeting) that:</p>
<p><em>“facing global and complex risks such as pandemics, economic or financial crises, or natural disasters, public authorities are organized for global risk governance.  However excellent vertical approaches may be, they are not enough to cope with the risks which are multiplying, intertwining and interacting with each other. Risk has invaded the heart of public management throughout Europe.”</em></p>
<p>Gérard Combe’s words took on a new and unique dimension in the context of the unprecedented crisis Japan is facing following the earthquake of March 11th 2011. Japan has developed a true risk culture on a large scale in order to deal with the frequent and severe seismic risk faced by the country. This fact has served only to increase the attention with which the international community is watching the Japanese government’s management and the role played by the civilian population in this crisis. The case of Japan speaks for itself: the sequence and combination of extremely serious risks, the proven importance of the involvement of the civilian population and the increased accountability of public power means that the position of risk management and resilience in the agendas of the different levels of public authorities can only be strengthened.   It is not possible to continue to ignore public risk management since doing nothing could prove more costly than investing in it.</p>
<p>The UK’s Risk and Regulation Advisory Council defines public risk as ‘those risks that may affect any part of the society and for which government is expected to respond.’  This definition implies increased responsibility on the part of the authorities, who must account for their own decisions and actions as well as for the activities developed within their area of responsibility. It is for this reason that our study on the governance of public risks also takes into account the companies providing basic public services.</p>
<p><strong><span style="color: #990000">New opportunities</span></strong><br />
Risk management presents an opportunity for the improvement of all aspects relating to public governance:</p>
<ul>
<li>Strategies and decision-making</li>
<li>Public service activities</li>
<li>Processes</li>
<li>Functions</li>
<li>Major projects</li>
<li>The reputation of the organisation</li>
<li>Protection of goods and persons</li>
</ul>
<p>Former President of the European Federation of Local Authority Chief Executive Officers and former Chief Executive of Cardiff Council, Byron Davies:</p>
<p><em>“One of the major advantages of risk management is the improvement of the decision-making process and the capacity to reach objectives. This is an advantage that is increasingly decisive in the current context where it is necessary to prove the optimisation of resources, a better quality public service, and increasing trust in partnerships.”</em></p>
<p>According to the President of PRIMO Europe, Jack P. Kruf, there is a true challenge in tailoring the ISO 31000 for not only public organisations but also for the public governance and management of our communities and cities as a whole:</p>
<p><em>“We need to examine &#8211; in cooperation with politicians, governing councils, managers, citizens and stakeholders how to outline this regulation in the light of the experience, accounts, and good practices that our representatives in the European public sector have informed us of. This is truly challenging. It is more than that: it is necessary! A task for the years to come.” </em><strong><em>Ω</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/04/12/iso-31000/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO 31000 and the Icelandic volcano crisis</title>
		<link>http://www.primo-europe.eu/2013/04/03/iso-31000-and-the-icelandic-volcano-crisis/</link>
		<comments>http://www.primo-europe.eu/2013/04/03/iso-31000-and-the-icelandic-volcano-crisis/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 19:34:24 +0000</pubDate>
		<dc:creator>primoeurope</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[crisis]]></category>
		<category><![CDATA[disaster]]></category>
		<category><![CDATA[handling risks]]></category>
		<category><![CDATA[risk culture]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=2753</guid>
		<description><![CDATA[By Kevin Knight The air traffic crisis provoked by the Icelandic volcano eruption, with its accompanying economic and societal effects, is analyzed through the lens of the ISO 31000 risk management standard by the leader of the group of ISO experts who developed it. The cloud of ash from the Icelandic volcano which has wreaked [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.primo-europe.eu/files/2010/05/kevin-knight.jpg"><img class="alignright size-full wp-image-2754" alt="" src="http://www.primo-europe.eu/files/2010/05/kevin-knight.jpg" width="180" height="234" /></a> <strong>By <span style="color: #990000">Kevin Knight</span></strong></p>
<p>The air traffic crisis provoked by the Icelandic volcano eruption, with its accompanying economic and societal effects, is analyzed through the lens of the ISO 31000 risk management standard by the leader of the group of ISO experts who developed it.</p>
<p>The cloud of ash from the Icelandic volcano which has wreaked havoc on passengers and airports across Europe has also had significant global effects. The International Air Transport Association estimates that the ash crisis has led to the cancellation of hundreds of thousands of flights and cost the world&#8217;s airlines many billions of dollars. Some airlines may not recover from the losses incurred.</p>
<p>Surprisingly such an event does not appear to have featured as a risk that airlines and many other companies needed to manage. Apart from the airlines, the closure of the European airspace has impacted on everything from tourism to the flower and fresh vegetable producers in Africa, the garment manufacturers in Bangladesh and the electronic component makers in the Far East.<span id="more-2753"></span></p>
<p>The eruption of the ash and its subsequent blanketing of much of Europe is a classic example of a low probability, severe consequence event that tends to be overlooked by management when examining potential risk to corporate objectives.</p>
<p>Given knowledge of the activity of the Icelandic volcano and the impact on aviation of past eruptions in Asia, it is surprising that no plans were in place to manage such a disruption-related risk.</p>
<p><strong>Ever-changing risks</strong><br />
The ash cloud is just another example of the ever-changing risks that must be managed in an increasingly global economy with greater reliance on &#8220;just in time&#8221; delivery. One has to wonder just how seriously, if at all, top management participate in planning and testing of disruption-related risk scenarios.</p>
<p>Some would suggest that the havoc was caused by a failure of risk management, rather than the failure of Boards and top management to effectively manage risk. However, organizations with a strong management of risk culture, such as United Parcel Service (UPS), quickly redirected air freight bound from Asia to Europe to Istanbul and then loaded it onto trucks for delivery to its final destination. UPS was one of the exceptions as most sat and wondered when the ash would blow away and aircraft would resume flying.</p>
<p>Without risk, there is no reward or progress, but unless risk is managed effectively within an organization, the opportunities will not be maximised and the threats minimised.</p>
<p>Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. On 15 November 2009, ISO published ISO 31000:2009, Risk Management – Principles and guidelines, to help industrial, commercial and public sector organizations to confidently address such risks.</p>
<p>ISO 31000:2009 is clearly different from existing guidelines on the management of risk in that the emphasis is shifted from something happening – the event – to the effect of uncertainty on objectives. Every organization has objectives – strategic, tactical and operational – to achieve and, in order to achieve these objectives, it must manage any uncertainty that will have an effect on their achievement.</p>
<p>ISO 31000:2009 sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in public or private sector. It does not mandate a &#8220;one size fits all&#8221; approach, but rather emphasises the fact that the management of risk must be tailored to the specific needs and structure of the particular organization.</p>
<p><strong>Significant commitment</strong></p>
<p>ISO 31000 requires significant commitment of Board and top management attention, as well as sufficient resources to translate commitment into action. It calls for a serious mandate and commitment from the Board, along with management leadership, to ensure it is woven into the organizational fabric and culture across the organization.</p>
<p>Many organizations prefer to spend time debating whether to introduce “total risk management”, or “holistic risk management”, or “enterprise risk management”, or “enterprise wide risk management”, or “strategic risk management”. Others are content to settle for a &#8220;tick and flick&#8221; compliance programme that keeps the regulators happy.</p>
<p>The really successful organizations, like UPS, work on understanding the uncertainty involved in achieving their objectives and ensuring they manage their risks so as to ensure a successful outcome.</p>
<p><strong>About the author</strong></p>
<p>Kevin W. Knight AM* is Chair of the ISO working group that developed the new ISO 31000 risk management standard and the revision of ISO/IEC Guide 73, and a founding member of the Standards Australia/Standards New Zealand Joint Technical Committee OB/7– Risk management.</p>
<p>He is well known through his very active work in the development of risk management standards and has been active in furthering the risk management profession and the professional development of its practitioners, both worldwide and throughout the Asia-Pacific Region in particular, over the past 25 years.</p>
<p>He can be contacted at: P.O. Box 226, NUNDAH Qld 4012, Australia. E-mail <a href="kknight@bigpond.net.au">kknight@bigpond.net.au</a></p>
<p>* Member of the General Division of the Order of Australia.</p>
<p><a href="http://www.linkedin.com/share?viewLink=&amp;sid=g960187-18660571&amp;url=http%3A%2F%2Flnkd.in%2F3DZe_7&amp;urlhash=yAkJ&amp;uid=43242f9b-7a86-440f-b888-b7a850a1beb5&amp;trk=NUS_UNIU_SHARE-title">Original article</a>, published on the PRIMO Europe website by permission of Kevin Knight</p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/04/03/iso-31000-and-the-icelandic-volcano-crisis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PwC Global CEO Survey 2013</title>
		<link>http://www.primo-europe.eu/2013/02/14/pwc-global-ceo-survey-2013/</link>
		<comments>http://www.primo-europe.eu/2013/02/14/pwc-global-ceo-survey-2013/#comments</comments>
		<pubDate>Thu, 14 Feb 2013 17:00:58 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Book]]></category>
		<category><![CDATA[Library]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[report]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=4799</guid>
		<description><![CDATA[By PricewaterhouseCoopers Government and the global CEO: A new contract between business and the state 72% of government and public sector CEOs are somewhat or extremely concerned that fiscal deficits have risen. Each year, PwC’s Annual Global CEO survey gives business leaders, governments and the world’s business community a unique insight into the vision and decisions [...]]]></description>
				<content:encoded><![CDATA[<p><strong><span style="color: #990000"><a href="http://www.pwc.com/gx/en/ceo-survey/index.jhtml"><img class="alignright size-medium wp-image-4803" alt="" src="http://www.primo-europe.eu/files/2013/02/Screen-Shot-2013-02-14-at-18.05.07-300x214.png" width="300" height="214" /></a></span></strong></p>
<p><a href="http://www.pwc.com/gx/en/ceo-survey/index.jhtml">By PricewaterhouseCoopers</a></p>
<p><strong><span style="color: #990000">Government and the global CEO: A new contract between business and the state</span></strong></p>
<h4><span style="color: #999999">72% of government and public sector CEOs are somewhat or extremely concerned that fiscal deficits have risen.</span></h4>
<p>Each year, PwC’s Annual Global CEO survey gives business leaders, governments and the world’s business community a unique insight into the vision and decisions of the global CEO. As in past years, we have extended and deepened the research for PwC’s 16th Annual Global CEO Survey by including a selection of interviews with senior decision-makers in governmental organisations across the world.</p>
<p>So, what are we exploring this year? Change and complexity are a constant challenge. Disruptive events, both ‘black’ and ‘grey’ swan, seem to be happening faster than ever and are changing the nature of risk which needs to be managed, in both the public and private sectors.</p>
<p>This report sets out how businesses are adapting their approaches in these uncertain times, including their priorities for government, and discusses in turn how governments can:</p>
<ul>
<li>deal with uncertainty and create the conditions for good growth and jobs;</li>
<li>build resilience by becoming more agile; and</li>
<li>shift the mindset and engagement of public sector and business leaders from co-existence to mutual collaboration.<span id="more-4799"></span></li>
</ul>
<p><span style="color: #990000"><strong>Deal with uncertainty</strong></span><br />
Uncertainty in the global economy continues to influence business confidence and investment. Last year, four out of five CEOs were concerned about uncertain or volatile economic growth and two thirds of CEOs were concerned about fiscal deficits, including countries not undertaking major austerity measures. This year, concerns about uncertain or volatile economic growth have stayed at the same high level, but concerns about fiscal deficits have risen further, with 71% of CEOs surveyed somewhat or extremely concerned. <a href="http://www.pwc.com/gx/en/ceo-survey/2013/industry/government-public-sector.jhtml">Read more &gt;</a></p>
<p>&nbsp;</p>
<p><strong><span style="color: #990000">Insurance: Confident outlook</span></strong></p>
<h4><span style="color: #999999">Insurance CEOs are upbeat about their companies’ prospects – nearly 90% are confident about revenue growth.</span></h4>
<p>But the survey raises some questions about whether their organisations are moving quickly enough to keep pace with the accelerating and potentially disruptive changes in the marketplace, many of which are being originated and shaped outside the sector. Only 16% are planning the fundamental strategic shifts that are likely to be required.</p>
<p><span style="color: #990000"><strong>Industry in transformation</strong></span><br />
As our Insurance 2020 analysis highlights, insurance is undergoing a transformation in customer expectations. This is reflected in our CEO survey, with 58% of industry leaders expressing concerns about the shift in consumer spending and behaviour.</p>
<p>As the changes in customer expectations reshape the key competitive battlegrounds and business opportunities within the industry, nearly 90% of insurance CEOs are planning to change their strategies for managing customer growth, loyalty and retention (nearly 40% are anticipating major changes). Building the customer base and improving customer service are the top two priorities for investment.</p>
<p>Developments in technology are also changing how products are designed, underwritten and distributed and could open the door to new entrants. More than 80% of insurance CEOs are planning to increase investment in technology and more than 60% plan to develop their capacity for innovation. Perhaps surprisingly, most industry leaders say they are not concerned about the speed of technological change or the threat from new entrants. <a href="http://www.pwc.com/gx/en/ceo-survey/2013/industry/insurance.jhtml?WT.mc_id=banner_01-13_ceo-survey_gx-insurance">Read more &gt;</a></p>
<p>&nbsp;</p>
<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='640' height='390' src='http://www.youtube.com/embed/DfmlieUqRhM?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/02/14/pwc-global-ceo-survey-2013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New flood defences announced but is it enough?</title>
		<link>http://www.primo-europe.eu/2013/02/10/new-flood-defences-announced-but-is-it-enough/</link>
		<comments>http://www.primo-europe.eu/2013/02/10/new-flood-defences-announced-but-is-it-enough/#comments</comments>
		<pubDate>Sun, 10 Feb 2013 10:10:54 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[risk control]]></category>
		<category><![CDATA[water]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=4794</guid>
		<description><![CDATA[ By Louise Gray, Environment Correspondent, for the Telegraph New flood defences will be built around the country, Owen Paterson, the Environment Secretary has announced, but concerns remain over whether enough money has been allocated to protect homes from the increasing risk of extreme weather. Mr Paterson gave the go ahead for building to start on 93 new [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.telegraph.co.uk/journalists/"><img src="http://i.telegraph.co.uk/multimedia/archive/01757/Gray-_60_1757418j.jpg" alt="Louise Gray" width="60" height="60" border="0" /></a> By <a title="Louise Gray" href="http://www.telegraph.co.uk/journalists/louise-gray/" rel="author">Louise Gray</a>, Environment Correspondent, for the Telegraph</p>
<p>New flood defences will be built around the country, Owen Paterson, the Environment Secretary, has announced, but concerns remain over whether enough money has been allocated to protect homes from the increasing risk of extreme weather.</p>
<div>
<p>Mr Paterson gave the go-ahead for building to start on 93 new flood defences this year, including projects in Exeter and Ipswich that will create thousands of new jobs and allow economic growth by protecting businesses. In total the Government is to spend £294 million on flood risk management in 2013. But Labour pointed out that spending is down almost £50m compared to previous years.</p>
<p>There is also growing anxiety over the Government’s failure to make a deal with insurers so that people in flood risk areas are able to insure their homes. Last year was the second wettest on record and the Met Office have warned that &#8220;extreme&#8221; rainfall, and the floods it can cause, is getting more frequent, possibly as a result of climate change. <a href="http://www.telegraph.co.uk/earth/earthnews/9854974/New-flood-defences-announced-but-is-it-enough.html?fb">Read more &gt;</a></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/02/10/new-flood-defences-announced-but-is-it-enough/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reconsidering the Public-Private Sector Risk Management Divide</title>
		<link>http://www.primo-europe.eu/2013/02/08/reconsidering-the-public-private-sectorrisk-management-divide/</link>
		<comments>http://www.primo-europe.eu/2013/02/08/reconsidering-the-public-private-sectorrisk-management-divide/#comments</comments>
		<pubDate>Fri, 08 Feb 2013 09:07:10 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[PRIMO]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[public risk management]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=4787</guid>
		<description><![CDATA[By Peter C. Young PhD. Five years ago I wrote a short article entitled, “Public and Private Sector Risk Management: Is There a Difference?”  In that article I stated that while there is strength to the argument that ‘management is management’ and that leadership in any type of organization calls on common knowledge, skills and [...]]]></description>
				<content:encoded><![CDATA[<p>By Peter C. Young PhD.</p>
<p>Five years ago I wrote a short article entitled, “Public and Private Sector Risk Management: Is There a Difference?”  In that article I stated that while there is strength to the argument that ‘management is management’ and that leadership in any type of organization calls on common knowledge, skills and abilities, there are distinctions and these distinctions make it difficult to conclude that improving public sector risk management is simply a matter of adopting private sector practices. A lot of water has flowed under the ‘public sector bridge’ since 2007, and I would like to offer something of a restatement of my original thesis.</p>
<p>We need to be careful about specifying public-private distinctions because there is a set of widely-held beliefs about differences that do not hold up on closer inspection.  For example, the idea that politics is an exclusive characteristic of the public sector is simply untrue.  Further, like private firms, public organizations also are driven by short- as well as long-term considerations.  Additionally, some private organizations are very process-oriented and some public entities emphasize outputs. Finally, over thirty years of experimentation in outsourcing, privatization, and public/private partnerships has led to numerous situations where it is difficult to say whether we are looking at a public or private endeavor.  What would we call, for instance, an arrangement where a state government creates a public corporation that then establishes a joint venture with public and private institutions—as well as a host of private sector technical vendors and consultants–to support complex scientific research, partly on behalf of a national governmental agency but also for private business?  Therefore, let us recognize that there are many similarities between management in the public and private sectors, and many situations where it really is not helpful to even attempt to draw distinctions.</p>
<p>So much for similarities; to consider the distinctions let us refocus on risk management. There are several things that might serve as distinguishing differences, but I would like to argue that the essential distinction between public and private risk management rests on the idea of ‘public risk.’  I should first stipulate that public risk (as opposed to private risk) is not a rigid concept.  Irrespective of the actual substance of any risk, societies can confer the status of public risk on nearly any risk—and indeed—once conferred that status may remain, change, or even disappear over time.  But, to the extent we can describe public risks, they tend to be characterized as risks producing widespread (some might say indiscriminate) potential effects; or that cannot be handled privately, or that have an impact on broad political/legal concepts like rights or obligations, and/or that tend toward high levels of both complexity and potential impact.  Climate change, threats to global economic systems, terrorism, and natural disasters have all variously been described as public risks.</p>
<p>The characteristics of these public risks present a set of risk management issues not fully present in the private sector, including:</p>
<blockquote><p>a. Inability of a government body to avoid responsibility for risks within its purview.</p>
<p>b. Frequent inability to use markets as a risk management tool.</p>
<p>c. Complexity of the scope and substance of risks, which limit the ability of single bodies to fully address such risks.</p>
<p>d. The interaction of risks with governmental purposes such as assurance of constitutionally guaranteed rights.</p>
<p>e. A government’s constitutional, legislated, and legal basis for existence, leading to distinct risk exposure issues (such as—Who ‘owns’ a governmental entity and therefore is legally responsible for its actions?).</p>
<p>&nbsp;</p></blockquote>
<p>Let me briefly elaborate on these points.  A government’s involvement in public risks very commonly arises when individuals (and private markets) are deemed unable to deliver a good or service efficiently, if at all, or to manage the associated risks.  Indeed, although we know there are degrees of government intervention in response to public risk (ranging from monitoring a risk to government-controlled management of that risk), governments tend to intervene precisely because of “market failure.”  That is, almost by definition, public risks cannot be managed privately without some degree of public sector involvement.  Also, the effects of these risks may call into question matters of fairness and social adequacy and thus tests of economic efficiency may not be politically and legally relevant.</p>
<p>We also need to establish that not only do public risks have different properties; the nature of government and its authority and responsibility is different too. As a result, a government might privatize refuse collection, or health care delivery, or prisons, but a government’s responsibility and authority for those activity areas remains with the government. Put slightly differently, if a risk is deemed to be public, government avoidance of the responsibility for that risk is not possible.  Efforts to privatize and outsource public activities have produced varying results, but two consistent findings are: 1) the outsourcing entity loosens its controls on the management of risks, but, because it still retains responsibility, 2) the government incurs unexpected costs in monitoring the privatized management of risk (interestingly, research shows that feasibility studies for privatization or outsourcing consistently ignore ongoing risk management monitoring costs).</p>
<p>Stepping back from the previous comments, we could make a broader claim, which is that governments exist to manage risks—primarily what we might call social risks such as public safety, access to health care, equal protection under the law, maintenance of safe infrastructure, and regulation of markets.  In order to address those risks, governments are authorized to create structures, processes and systems that—in turn—generate what we would call organizational or operational risks; risks of fires, accidents, employee harm, lawsuits, equipment malfunctions, and so on.  These risks are similar to private organization/operation risks, but owing to the distinct legal nature of public entities, their impacts and implications are different.  In any event, any description of risk management within public entities must be organized around a wide-ranging understanding of the full scope of public risks the organization encounters—some of which are organizational/operational, some of which are social.  This more comprehensive approach to interpreting the public risk manager’s scope of responsibility—by the way—fits quite neatly with modern risk management thinking, which emphasizes holistic and integrated approaches to assessing and addressing risks.</p>
<p>And here, we come to an interesting conundrum arising from the difference between public and private risk management.  The ‘thing’ (responsibility for the management of public risks) that distinguishes public from private risk management is something that we actually don’t do very well.  As we have witnessed over the past five years, there is very little evidence the public sector has done a good job in adopting a more consistent and strategic approach to managing organizational and social risks (pick your example; the global economy, the natural environment, multilateral relationships, public health and safety).</p>
<p>I am not naïve about the institutional, even philosophical, barriers to creating comprehensive approaches to managing public risks.  In modern democratic systems, efficiency is sometimes a threat as well as a solution—this is why we have separation of powers written into constitutions.  And politics plays a role too, which explains why responding to, say, natural disasters is always more fully supported after an event than before.  So, I do think there are difficulties—indeed, limits—to the public sector’s ability to fully integrate and expand risk management.</p>
<p>Still, I have described in a nutshell the essential problem/challenge/opportunity for public risk managers—and, indeed, the essential distinction between public and private risk management.  Improving the quality of public risk management requires a wider-ranging, more integrated approach to assessing and addressing all public risks.  Can we possibly move our current practices in that direction?  And if so, how can we imagine that happening?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/02/08/reconsidering-the-public-private-sectorrisk-management-divide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meeting the Cyber Risk Challenge</title>
		<link>http://www.primo-europe.eu/2013/02/01/meeting-the-cyber-risk-challenge/</link>
		<comments>http://www.primo-europe.eu/2013/02/01/meeting-the-cyber-risk-challenge/#comments</comments>
		<pubDate>Fri, 01 Feb 2013 18:39:55 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Library]]></category>
		<category><![CDATA[Partner]]></category>
		<category><![CDATA[PRIMO]]></category>
		<category><![CDATA[information management]]></category>
		<category><![CDATA[risk survey]]></category>

		<guid isPermaLink="false">http://www.primo-europe.eu/?p=4754</guid>
		<description><![CDATA[By Marie Gemma Dequae and Jack P. Kruf We contributed to this relevant survey to get a better scope of and insight in what is actually going on within organizations regarding cyber related risks. We know from our members that cyber related risks seem to be under-estimated. The risks can hardly be quantified and measured. [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.ferma.eu/wp-content/uploads/2013/01/Cyber-risks-report.pdf"><img class="alignright size-medium wp-image-4756" alt="" src="http://www.primo-europe.eu/files/2013/02/Screen-Shot-2013-02-01-at-19.40.02-300x184.png" width="300" height="184" /></a><span style="color: #000000"><strong>By</strong></span> <strong><span style="color: #990000">Marie Gemma Dequae</span></strong> and <strong><span style="color: #990000">Jack P. Kruf</span></strong></p>
<p>We contributed to this relevant survey to get a better scope of and insight into what is actually going on within organizations regarding cyber related risks. We know from our members that cyber related risks seem to be under-estimated. The risks can hardly be quantified and measured. They seem a bit far away, like the Misty Mountains.</p>
<p>On the other hand, there are many smaller cyber incidents, and more and more larger &#8216;accidents&#8217; occur. Some are at enterprise level, some are hardly noticed by management. So they are actually not so far away. It is still a little bit of unknown territory, which in our view should be explored as soon as possible, before large accidents can happen. The <a href="http://www.weforum.org/issues/global-risks">Global Risk Report 2013</a> states that a majority of CEOs fear a cyber-attack on their organization or relevant infrastructure. Well, time to focus on this, we think. Hence our swift and positive cooperation on this survey.</p>
<p>We think participation in this research is a major first step towards sharing our knowledge and experiences and creating a common awareness of the true problem. We know by heart that underestimating something is a risk on its own. We have to meet the cyber risk challenge before us.</p>
<p>Many companies and governments still do not devote sufficient attention to cyber risks, despite an increase in frequency, scope, and sophistication – and harsher penalties for lack of regulatory compliance and loss of sensitive data.</p>
<p>This finding comes from research conducted in association with the <a href="http://www.ferma.eu">Federation of European Risk Management Associations (FERMA)</a> by <a href="http://hbr.org/hbr-analytic-services">Harvard Business Review Analytic Services</a> and corporate insurer <a href="https://www.zurich.co.uk/municipal/productsandservices/riskmanagement.htm">Zurich</a>.</p>
<p><strong><span style="color: #ff6600">Executive </span>Summary</strong></p>
<p>The enormous expansion in the availability of information presents opportunities and challenges for business and government. Keeping their own data secure is a major task for organizations that face threats from competitors and others who may find their proprietary information too tempting not to try to steal.</p>
<p>At the same time, tightening laws and regulations and the demands of customers, citizens, suppliers, their own employees, and others with whom they interact make it imperative that they carefully control access to data about those outside parties. Accordingly, more than three out of four respondents to a recent Harvard Business Review Analytic Services survey sponsored by Zurich said information security and privacy have become more significant areas of concern in the past three years.</p>
<ul>
<li>Cyber risk comes in a bewildering variety of forms. More than one in four survey respondents mentioned each of the following as being among the most serious information security concerns for their organizations: malware and other viruses, administrative errors, incidents caused by data providers, malicious employee activity, attacks on Web applications, theft or loss of mobile devices, and internal hackers.</li>
</ul>
<ul>
<li>Concerns about regulation and compliance appear to be driving much of organizations’ planning around cyber risk. While survey respondents most frequently placed business income loss and the cost to restore crucial proprietary electronic information among their top five concerns, the next three were all related to legal liability: legal defense and settlement costs from third-party claims, costs to comply with regulatory settlements, and costs to defend against regulatory investigations.</li>
</ul>
<ul>
<li>Top executives often tend to regard themselves as doing a great job controlling cyber risk. But too often, responsibility remains concentrated with the chief information officer (CIO) or head of technology. Only 16.3 percent of companies have designated a chief information security officer to oversee cyber risk and privacy, according to the survey.</li>
</ul>
<ul>
<li>In fact, bringing together all of the organization’s stakeholders in cyber security is key to designing an effective process for forestalling cyber risk and responding when an event occurs. During a November 2012 <a href="http://blogs.hbr.org/events/2012/12/meeting-the-cyber-risk-challen.html">Harvard Business Review webinar</a>, Julia Graham, FERMA board member and chief risk officer (CRO) of DLA Piper, noted that aside from the CIO or the IT department, cyber security is also the business of the human resources manager, for example, in managing confidentiality agreements in people’s contracts.</li>
</ul>
<ul>
<li>Organizations’ success at creating organization-wide plans to address cyber risk is mixed, however. Almost two-thirds of survey respondents said their organization has formally assigned roles and responsibilities to key individuals as part of an incident response plan. But less than half said they have a strategy for communication to the general public in case of a cyber risk incident.</li>
</ul>
<ul>
<li>Three out of four organizations, however, have introduced new IT infrastructure, and more than two of three now regularly update their antivirus software, while a similar proportion have introduced secure configurations for network devices such as firewalls, routers, and switches. But a sizable minority— more than 20 percent—say their company’s budget for activities to maintain information security and privacy is inadequate, while nearly 10 percent said they don’t know whether it is or not.</li>
</ul>
<ul>
<li>The solutions need not be highly complex. Much can be accomplished simply by regularly training and educating employees and taking commonsense measures such as not letting sensitive information be copied onto unencrypted memory sticks. This is especially the case in an age when much work is done on mobile devices and by employees working offsite.</li>
</ul>
<ul>
<li>Communication, then, is key. Avoid technospeak, and bring in highly credible outside experts to deliver the message to the board.</li>
</ul>
<ul>
<li>Traditional insurance policies, like commercial general liability insurance, do not cover cyber crime and security and information risks. Yet few organizations—less than 20 percent, according to survey respondents—have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy-related issues. More than 60 percent said their company has no plans at all to purchase coverage.</li>
</ul>
<div>Read the full report at ‘<a href="http://www.ferma.eu/wp-content/uploads/2013/01/Cyber-risks-report.pdf">Meeting the Cyber Risk Challenge</a>’</div>
<div><strong><span style="color: #ff6600"><a href="http://www.strategic-risk.eu/more-than-80-of-organisations-still-without-cyber-cover/1400687.article"><span style="color: #ff6600">News article in Strategic Risk</span></a></span></strong></div>
<blockquote><p>&#8220;Less than one in five organisations (19%) have insurance specifically designed to cover against cyber attacks, despite the fact that over three-quarters (76%) have become more concerned about information security and privacy over the past three years.</p>
<p>Research undertaken by Zurich in association with Ferma and PRIMO also revealed that just 16% of companies have a designated chief information security officer to oversee cyber risk and fewer than half (44%) have increased their budget to tackle the problem.</p>
<p>Respondents to the survey highlighted malicious employee activity as one of the most serious information security concerns, however, just one-third (36%) said their organisation provides information security and risk training for employees and less than half (46%) said the training occurs either annually or biannually.</p>
<p>The research suggested regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk, after three of the top five concerns surrounded legal liability.</p>
<p>Zurich chief risk officer for general insurance Steve Wilson said: “Cyber risk comes in a bewildering variety of forms for organisations and we hope this research will provide risk managers with important insights into this critical issue.</p>
<p>“As the survey shows, it is essential that organisations do not fall into the trap of a top-down approach, taking a holistic approach which engages all employees to meeting this challenge.”</p></blockquote>
<p>&nbsp;</p>
<p><strong><span style="color: #ff6600"><a href="http://www.ferma.eu/2013/01/30/many-companies-do-not-give-sufficient-attention-to-cyber-risks-survey/"><span style="color: #ff6600">News article on FERMA website</span></a></span></strong></p>
<blockquote><p>FERMA board member <strong>Julia Graham</strong> who led FERMA’s participation in the project said: “Too often I have seen well embedded principles and practices associated with risk management and risk financing discarded when the subjects of information security and specifically cyber security are considered.”     More than three-quarters (76%) of survey respondents said that information security and privacy had become more significant areas of concern in the past three years. A majority also indicated that board involvement is growing in their organisation.</p>
<p>“They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance,” the final report from HBR and Zurich concludes.</p>
<p>“Information security is a classic enterprise risk,” commented Julia Graham. “It is not solely a subject for the domain of the chief information officer or the chief information security officer.”</p>
<p>In any case, only 16% of companies covered in the survey have designated a chief information security officer to oversee cyber risk and privacy, and less than half (49%) agree they have a strategy for communication to the general public in case of a cyber risk incident.</p>
<p>Just 19% of respondents have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy issues, and only 44% said their company’s budget for these risks has grown.</p>
<p>The sheer number of ways in which data can be lost, stolen, or misappropriated illustrates the prevalence of the threat. Respondents highlighted the following threats to the information security and confidentiality:</p>
<ol>
<li>malware and other viruses</li>
<li>administrative errors</li>
<li>incidents caused by data providers</li>
<li>malicious employee activity</li>
<li>attacks on web applications</li>
<li>theft or loss of mobile devices</li>
<li>internal hackers</li>
</ol>
<p align="justify">Regulation and compliance concerns appear to be driving much of organisations’ planning around cyber risk. Survey respondents most frequently placed business income loss and the cost of restoring crucial proprietary electronic information among their top five concerns. The next three concerns all related to legal liability:</p>
<ul>
<li>Legal defence and settlement costs from third party claims</li>
<li>Costs of regulatory settlements</li>
<li>Costs of defending regulatory investigations.</li>
</ul>
</blockquote>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.primo-europe.eu/2013/02/01/meeting-the-cyber-risk-challenge/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
