Risk Management Insights – Financial Institutions Best of 2014

112004396 Financial Insitutions


Risk management in financial industry


Page 1: 112004396 Financial Insitutions

Risk Management Insights – Financial Institutions

Best of 2014

Data breaches can pose huge risks for bank directors and officers

Introduction

Shareholders within several companies recently victimized by data security breaches have launched lawsuits against the enterprises’ boards, claiming that executive management breached its fiduciary duty by failing to ensure that the companies implemented adequate security measures. What could be a developing legal trend raises the specter that no less than their personal wealth is at stake for directors and officers who do not exercise appropriate oversight of their organizations’ cyber risks. Citing a litany of alleged information technology missteps, negligence and shortsightedness, the shareholders argue that the defendants’ lack of attention to data security made their organizations particularly vulnerable to data thieves.

Always hunting for new litigation opportunities, the plaintiffs’ bar very well could view these lawsuits as templates for shareholder actions against other organizations targeted by cyber criminals. With studies showing that the number and cost of cyber attacks against commercial enterprises are rising—and more so in the financial institutions and banking sector than in others—directors and officers at banks today cannot afford to ignore these developments.

Executive management at banks, however, also can use this shareholder litigation to their advantage. Those lawsuits provide directors and officers some clear guidance on the level of data security protection they should be pressuring their own organizations to adopt to protect themselves against cyber criminals.

The numbers behind the risk

Banks walk a very high tightrope with customer data, but it is a dangerous act that the market demands they perform if they are going to be competitive. Customers demand 24-hour access to their accounts through multiple channels, such as ATMs, home and work computers and their smartphones while out in public.

Greater convenience for customers, however, can also mean increased opportunities for cyber criminals.

Organizations that suffer data security breaches already face the expense of restoring their data security, reconstituting corrupted data and, as statutes in 47 other states plus the District of Columbia mandate, notifying their customers and clients that their personal information has been compromised. In addition, although they generally are not legally required to do so, these organizations typically provide credit monitoring services to their customers in an effort to maintain, or regain, their goodwill.

Overall, according to the Ponemon Institute’s “2014 Cost of Data Breach Study: Global Analysis,” the average cost of a corporate data breach is $3.5 million, a 15 percent increase compared to Ponemon’s findings in 2013.2

A significant factor that is driving up those costs is the growing volume of data security incidents. That number is exploding, according to a survey conducted by PricewaterhouseCoopers in cooperation with magazines CIO and CSO.3 In that survey, 9,681 corporate executives from companies of all sizes in 115 countries reported that each of their organizations faced 3,791 security incidents on average over the 12 months prior to February 2013. That is more than 10 incidents every day and reflects a nearly 27 percent increase from the number reported in the year-earlier survey and a 48 percent jump from the 2012 survey results. Those events included “any adverse incident that threatens some aspect of computer security,” not only successful major data breaches, the study’s authors explain.

News reports that the FBI recently has begun investigating data security breaches at several banks—including some large financial institutions—are stark reminders that no commercial entity can fully shield itself from cyber criminals.1

1. D. Yadron, E. Glazer, D. Barrett. FBI Probes Possible Hacking Incident at J.P. Morgan. Aug. 28, 2014. The Wall Street Journal. online.wsj.com

2. 2014 Cost of Data Breach Study: Global Analysis. May 2014. Ponemon Institute. securityintelligence.com

3. The Global State of Information Security Survey 2014. PricewaterhouseCoopers, CIO magazine, CSO magazine. pwc.com

The numbers were even worse for financial institutions. Those survey respondents reported not only a 22 percent higher rate of incidents—4,628 annually on average, or nearly 13 incidents each day—but also an alarming 169 percent increase over the prior year’s results.

Among the financial institution respondents, 42 percent were from North America. Some 43 percent of the respondents represented either mid-sized or small organizations, and 41 percent represented large institutions. The size of the remaining respondents was unknown.

Financial institutions, like all organizations, could face even greater challenges in mitigating cyber risk in the near future. A U.S.-like law that would impose notification responsibilities on organizations that suffer data security breaches but also impose stiff financial penalties on those deemed lax in their efforts to safeguard data likely will be in place in the European Union by 2016.4 But the law would reach far beyond Europe, because it would apply to all organizations operating there, not just those headquartered within its borders. Moreover, many other countries are in the process of enacting or likely will adopt comparable measures to maintain their trading status with the European Union, suggests broker executive Christopher Keegan, a senior managing director at Beecher Carlson in New York, and law firm Baker Hostetler, which has studied data privacy laws around the world.5

Shareholder derivative-action lawsuits

With its increased exposure to headline-grabbing cyber attacks, the banking sector is heavily exposed to reputational and brand risk, regulatory actions and monetary losses. Depending on the resulting financial hit the institution takes, any and all of that fallout could trigger derivative-action lawsuits and even securities class actions.

In a derivative-action lawsuit, shareholders sue directors and officers on behalf of the organization, typically demanding that they implement new or modified procedures or protocols designed to protect the entity from specified risks. In these types of cases, shareholders do not seek damages for themselves. But they do in securities class-action lawsuits, which typically are filed following a significant drop in share price after an organization discloses a significant problem.

That litigation risk seems to be manifesting.

In separate derivative-action lawsuits, shareholders are demanding that two companies that lost their customers’ and clients’ personal data to cyber criminals shoulder additional costs to harden the organizations’ data security systems.6, 7 In those cases, filed against the boards of a major retailer and a hotel/resort chain, the plaintiffs allege that the companies’ data security systems, as well as the organizations’ responses to major attacks against those systems, left customer data unreasonably vulnerable.

4. EU Data Protection Directive. epic.org

5. 2014 International Compendium of Data Privacy Laws. 2014. Baker Hostetler bakerlaw.com

6. Maureen Collier, derivatively on behalf of Target Corp. vs. Gregg W. Steinhafel, et al. U.S. District Court for Minnesota. January 2014.

7. Dennis Palkon, derivatively on behalf of Wyndham Worldwide Corp. vs. Stephen P. Holmes, et al. U.S. District Court for New Jersey. May 2, 2014.

8. PricewaterhouseCoopers

The PwC financial institutions survey respondents reported a 22 percent higher rate of incidents, an average of 13 incidents each day.8


The list of plaintiffs’ allegations includes that one or both of the companies:

• Failed to take reasonable measures to prevent a security breach by, among other things, failing to comply with the PCI Data Security Standard.

• Relied on computer servers with an operating system that was so badly out-of-date that its security software had not been updated for three years. As a result, customers’ credit card information was stored unencrypted.

• Had no internal controls designed to either detect a security breach or report it in a timely manner.

• Immediately after the attack, issued false and misleading statements about the significance of the security breach. It initially denied, but later admitted, that customers’ debit card PIN numbers had been stolen. It also suggested the security breach affected far fewer customers and over a shorter period than it actually did.

• Damaged its reputation by hiding the true extent of the attack in order to prevent scaring away customers, causing a drop-off of holiday-season revenue.

• Gave customers a false sense of security and further harmed them by failing to provide the timely information they needed to mitigate the risk to their personal information.

• Created more bad will and further harmed customers by bungling its offer of aid after finally alerting customers and offering credit-monitoring services. In attempting to generate favorable public relations by disclosing how it was providing these services, the company created an opening for other identity thieves to scam the company’s customers. In emails, the identity thieves posed as the company and obtained the customers’ payment card information.

• Understood, because of the findings of a well-known independent 2007 report on data security, the risk and likely ramifications of a massive security breach.

The shareholders are demanding that the defendants reimburse their companies for the harm the executives allegedly caused and that the companies harden their data security systems. Specifically, the plaintiffs demand that the defendant directors and officers cover their organizations’ remediation costs, including the cost of notifying affected customers and clients and establishing credit-monitoring services for them, as well as the organizations’ costs to investigate the breaches internally and to respond to the resulting regulatory inquiries and consumer class-action lawsuits.

In addition, the plaintiffs are asking for the disgorgement of compensation paid to the individual directors and officers and payment of plaintiffs’ attorney fees.

A retailer’s data security breach highlights the importance of directors and officers also ensuring that their organizations have solid vendor management controls in place. Financial institutions can help to mitigate vendor risks through a combination of contract provisions and insurance.

In addition, many federal regulatory agencies have opined on vendor risk and how banks can manage it, including the:

• Federal Reserve Board, in its December 2013 guidance, Managing Outsourcing Risk.

• Office of the Comptroller of the Currency, in its October 2013 guidance on third-party relations.

• Federal Financial Institutions Examination Council, in its October 2012 discussion on information technology service providers.

• Consumer Financial Protection Bureau, in its April 2012 bulletin.

Securities exposure

Data breaches also increase directors’ and officers’ exposure to regulatory action and, potentially, securities class-action lawsuits.

The derivative lawsuits filed against the retailer and hotel/resort chain are instructive, particularly their demands for reimbursement of the companies’ costs to respond to various state and federal investigations. In one instance, the data breach has become the subject of a lawsuit filed by a federal regulator. While regulatory activity is trouble enough for a company, it often—as was the case here—precipitates a derivative action.

The two derivative lawsuits also spend considerable time reciting numerous privacy laws designed to protect consumer information as well as various disclosure requirements as evidence that the defendants were aware of the significant risk associated with a cyber breach.

As further evidence that the defendants were aware of that risk, both lawsuits point to the companies’ financial statements. In those documents, the companies provided risk disclosures on data breaches and represented that their internal controls were sufficient to guard against them, the plaintiffs state.

The focus on disclosure is important. In October 2011, the Securities and Exchange Commission’s Division of Corporation Finance issued guidance stressing that registrants may be obligated to discuss cyber risks and incidents under “a number of disclosure requirements” or when necessary to ensure that other required disclosures are not misleading.9 The sections of the financial statement in which registrants may be obligated to make those disclosures are:

• Risk Factors, if that information would be a critical factor in investors’ decision making.

• Management’s Discussion and Analysis of Financial Condition and Results of Operations, if those risks and incidents were materially costly; the consequences associated with any incident are material; that information indicates an important trend; or those risks and incidents create significant uncertainty for the organization.

• Description of Business, if an incident has affected the organization’s product, service, customer relations, suppliers or competitiveness.

• Legal Proceedings.

• Financial Statement Disclosures.

• Disclosure Controls and Procedures. If a cyber incident could affect the quality of those disclosures, then management has to consider whether those disclosures have been rendered ineffective.

9. Cybersecurity. CF Disclosure Guidance: Topic No. 2. Oct. 13, 2011. Division of Corporation Finance Securities and Exchange Commission. sec.gov


The derivative lawsuits’ focus on financial statement disclosures about cyber risk, allegations of insufficient internal controls, as well as the allegations of a potential decrease in earnings could be fodder for a securities class-action lawsuit.

To raise a securities class-action claim, a plaintiff generally must allege that the defendant knowingly, or with reckless disregard for truthfulness, made a false statement of material fact and that the plaintiffs relied upon it, causing the plaintiffs damage. Typically, plaintiffs allege that they purchased securities based on representations in a company’s financial statement and that the plaintiffs suffered damages when the company’s share price dropped after revelations that those representations were misleading or false.

The derivative lawsuits appear to allege all the essential elements—except for an actual drop in share price—necessary to raise a securities class-action lawsuit.

Given the increasing frequency of data security breaches and the greater emphasis on disclosure and management of internal controls, directors and officers should expect to face securities class-action lawsuits in the wake of a breach, if it triggers a market reaction.

Insurance protection

While directors and officers can be a driving force in their organizations’ efforts to fend off data thieves, data security experts warn that cyber criminals will not be discouraged easily. In the event of a successful attack, executive management who has demonstrated strong oversight of their organization’s cyber risk controls would have a strong argument that they and the entity took all reasonable steps to safeguard customer data and, therefore, should not face regulatory penalties or shareholder litigation.

Still, shareholders may sue. Even if a court eventually dismisses the case because the board had done all it could to ensure that the organization had robust data security, the cost of a defense could be significant. So besides ensuring that they are meeting their fiduciary duties relating to cyber risk, executive management should ensure they are comfortable with the amount of directors’ and officers’ liability insurance their organizations have purchased.

Conclusion

Cyber criminals are relentless. Studies show they will attack an organization’s data security system multiple times daily in many ways from different areas of the globe in an attempt to steal customers’ personal data.

In an environment in which customer data is increasingly under attack, banks must take extraordinary steps to remain competitive and compliant with numerous regulations and statutes. Managing cyber exposure must be a critical element of every organization’s risk management philosophy.

Moreover, directors and officers have to do more than merely trust that their organizations will be vigilant, because shareholders demand strong board leadership on data security.

Because it’s not just if an attack is going to occur, but when.

Zurich, 1400 American Lane, Schaumburg, Illinois 60196-1056. 800 382 2150. www.zurichna.com

©2014 Zurich American Insurance Company. A1-112004073-A (10/14) 112004073

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.


WILL YOUR ROOF SURVIVE THE NEXT HAIL STORM?

Hailstorms are a pervasive problem throughout the United States and can wreak havoc on commercial roofing systems. Understand the composition of hail-resistant roofs in the event that repair or replacement is needed.

Roof surface “blisters” can be cut out and repaired without overhauling entire roof.

Ask your roofing contractor if the roof is rated as a Class 3 or 4 structure – a standard threshold for hail-resistant roofs that consider the following qualities:

1. Thickness: Consider the type of roof to determine if thicker is better.

2. Substrates: A firm, dense layer beneath any roof membrane is needed to thwart hail damage.

As hail size increases, so does its strength or “impact energy” as it pelts commercial roofs. The velocity at which hail hits a roof greatly influences damage.

HAIL’S FORCE: (chart; damage categories shown, in increasing order: minimal to no damage, significant damage, severe damage)

“One of the major loss costs of any hailstorm is a roof. Hail damage can be traumatic to a business’ operation.”

Mike Cincinelli, CAT team manager, Zurich North America

COMMON SIGNS OF ROOF DAMAGE FROM HAIL

• Missing, bruised, dented, cracked or broken shingles

• Loosened shingle granules that collect in gutters or downspouts

• Leaks in roof or ceiling

• Dents on vents, gutters or flashing

PREVENTATIVE MAINTENANCE

• HVAC hail guards can protect expensive-to-replace condensers from damage.

• Enlist a professional roofing contractor for an annual inspection.

• Age matters: The younger the roof, the more resistant it might be to hail.

WHY IS HAIL DAMAGE COSTLY?

DAMAGED EQUIPMENT: Expensive rooftop equipment like damaged HVAC units or solar panels might need to be replaced.

ROOF REPLACEMENT: Labor costs associated with roof removal, to make way for a new roof, can increase costs.

ROOF REPAIRS: Leaking roofs can often damage building interiors, spurring costs for roofing and interior repairs. Necessary repairs might uncover compliance issues, like the discovery of asbestos, whereby remediation is required and expensive.

Source: Insurance Institute for Business and Home Safety, http://www.disastersafety.org/hail/protect-homes-from-damage/

Deciding what opportunities to fund, which risks to protect

The critical role of enterprise risk management in strategic decision making

By Linda Conrad, Director of Strategic Business Risk, Zurich Global Corporate


Table of contents

Enterprise risk management (ERM) as a strategic planning and profitability tool, p. 3

External and internal drivers of ERM for today’s organizations, p. 4

ERM: Less business continuity, more business resilience, p. 6

Building an ERM framework, p. 7

Developing a risk cultural shift toward risk accountability, p. 9

Creating a risk management policy, p. 10

Technology support of ERM, p. 10

Risk management and ISO 31000, p. 11

The strategic benefits of ERM, p. 13


Enterprise risk management as a strategic planning and profitability tool

Taking risks is a necessary part of growing a business and adding stakeholder value. An organization that operates too cautiously and misses product or market opportunities can have difficulty attracting the best talent and investor capital. While the upside of risk is the ability to strategically seize business growth opportunities, today’s complex world has also revealed the downside of risks. Fragile global supply chains, technology dependence, increased speed of product cycles, and complicated financial models and relationships continue to multiply the breadth and depth of risks facing organizations.

Failure to either anticipate growth opportunities or plan for negative events can have serious consequences on business operations, including loss of customers, inadequate asset protection, failure to meet regulatory requirements, lower profitability and share price. How can the senior management of an organization be more aware of their potential risks — both the upside and downside? Recently, there has been an intensifying interest in enterprise risk management, or ERM, as a tool to enable organizations to consider the potential impact of all types of risks on their processes, products, services, activities and stakeholders. In short, an effective ERM approach can help an organization make the most efficient use of its capital. By determining what growth opportunities to fund, and what potential risks need budget support, an organization can better ensure it will meet its business objectives today and into the future.

Financial results show that a robust risk culture can be the basis for improved profitability. A study by FERMA in 2012,1 found that firms with “advanced” risk management practices exhibited stronger EBITDA and revenue results over the past five years than did those with “emerging” risk cultures. A review of over 800 firms in 20 countries concluded that:

• 75% more firms with “advanced” risk management practices had EBITDA growth of over 10%

• 62% more firms with “advanced” risk management practices showed revenue growth of 10%

The study validates that creating an active risk culture can directly correlate to stronger financial results, as the entire firm becomes more aware and accountable for the potential obstacles standing in the way of success.

The wide array of economic, geopolitical, environmental, technological, supply chain and other risks of the last decades has heightened the call for a more rigorous risk management approach to business resiliency by organizations. Events like Enron and BP, the recent credit crisis, and catastrophes like the Asian tsunami, the Thai floods or Superstorm Sandy have led to the emphasis on the need to embed and enhance risk management practices. A renewed focus on enterprise resilience can help in prioritizing capital toward optimizing the risk/reward balance. This requires applying a risk “lens” and techniques to both minimizing disruptions and maximizing growth. A resilient enterprise is better able to anticipate surprises, recover from disruptions, adapt to changing conditions and leverage emerging opportunities. The goal is simple: funding the right amount of the right risks at the right time, to help turn risk into results. How to attain this goal is the business objective of Enterprise Risk Management.

1FERMA Risk Management Benchmarking Survey 2012, “Keys to Understanding the Diversity of Risk Management in a Riskier World”. www.ferma.eu


The goal is simple: transforming risk into results.

2“Strengthening Enterprise Risk Management for Strategic Advantage” Committee of Sponsoring Organizations of the Treadway Commission 2009, www.coso.org

3“Progress Report: Integrating Enterprise Risk Management Analysis into Corporate Credit Ratings” Standard & Poors Ratings Direct www.standardandpoors.com/ratingsdirect July 2009.

External and internal drivers of ERM for today’s organizations

Enhancing an organization’s growth opportunities, improving financial and operational performance, and reducing losses are some of the internal drivers that spark the development of an ERM framework within organizations today. However, there are significant external drivers — primarily regulatory and legal — that are challenging organizations to formalize their risk management processes. In short, it’s just becoming good business practice.

Corporate boards, facing heightened regulatory and ratings scrutiny, are beginning to insist that management provide sophisticated reports linking risks to their impact on an organization’s objectives. Many boards are also more engaged in the oversight of management’s risk monitoring processes to determine whether the risks assumed to meet performance objectives are embraced throughout the organization and within established limits. Also of interest to boards is how management’s response to existing risks has either helped or hurt the long-term strategies of the organization.

As early as 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) began efforts to develop a framework that could be used by corporations to evaluate and improve their organizations’ enterprise risk management. As defined by COSO, “enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”2

In 2004, the New York Stock Exchange issued corporate governance rules that require audit committees of listed corporations to discuss risk assessment and risk management policies. Executive compensation arrangements are a key area of regulatory attention because there is concern that these arrangements may have encouraged excessive risk-taking in the past, where there has been an undue emphasis on performance without due consideration of risks.

In 2008, Standard and Poor’s (S&P) began assessing ERM processes as part of its corporate credit ratings analysis. S&P reports that in their reviews with rated issuers in the U.S. and Europe, they have discovered a wide range in the level of adoption, formality and engagement of ERM.3 In particular, S&P noted that:

• “Silo-based” risk management, focused only at the operational managers’ level, continues to be prevalent.

• Companies with a true enterprise-wide approach to ERM appreciate the importance of going beyond only quantifiable risks and increasingly understand the importance of emerging risks.

• Companies often facilitate their ERM execution via separate structures, with associated roles and responsibilities clearly defined.

In July 2009, the SEC proposed rules that would require management to increase its disclosures of information that describe the overall impact of compensation policies on risk-taking. The proposed rules would also require disclosure in a proxy statement about the board’s role in the company’s risk management process, and the effect that this has on the way the company has organized its leadership structure. The SEC believes that disclosure should provide information about how a company perceives the role of its board and the relationship between the board and senior management in managing the risks facing the company. SEC Chairman Mary Schapiro stated, “I want to make sure that shareholders fully understand how compensation structures and practices drive an executive’s risk-taking. The Commission will be considering whether greater disclosure is needed about how a company — and the company’s board in particular — manages risks, both generally and in the context of setting compensation.”

4ISO 31000 Risk Management – Principles and guidelines, International Organization for Standardization, 2009. www.iso.com

5Standard and Poor’s M and G release – North America dated May 17, 2013

Sen. Charles Schumer, D-N.Y., introduced the Shareholder Bill of Rights Act of 2009 that would require corporations to establish a risk management committee comprised of independent directors. Additionally, the U.S. Treasury Department is considering requiring compensation committees of public financial institutions to disclose strategies for aligning compensation with sound risk management. While this focus is on financial institutions, the link between compensation structures and risk-taking has implications for all organizations. Ratings agencies and analysts have also taken a keener interest in governance efforts.

Also in 2009, a new international standard was published, ISO 310004, that clarifies and builds on the risk principles set out in the Australia and New Zealand standards developed in 2004 (AS/NZS 4360:2004). The ISO 31000 defines the application of a risk management framework as a “set of components that provide the foundations and organizational arrangement for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.” The ISO 31000 standard and risk management organizations such as RIMS or the IRM also offer step-by-step guidance for establishing or expanding an ERM framework to assist organizations in improving risk oversight to help protect profitability.

In May 2013, S&P announced an update on their efforts with the following announcement: “Elements of enterprise risk management that we highlighted as important in our ratings on non-financial companies more than five years ago has now completed a migration to our broader assessments of management and governance (M&G). Following new M&G criteria published on November 13, 2012, we have not completed an assessment process across our global portfolio of almost 4,000 non-financial companies worldwide. “S&P uses the management and governance score to modify its evaluation of an enterprise’s business risk profile, a key component of its credit rating. Worldwide, Standard & Poor’s assigned management and governance scores to 3,868 companies: only 8% were “strong”, and 32% were “satisfactory”, while 57% were “fair”, and 3% “weak”5.

Clearly, the need to create a robust ERM framework is something no senior executive team can ignore today. Risk management has moved beyond just the purview of the CFO, accounting, or legal department to become an enterprise-wide responsibility. Today, a limited approach to identifying, assessing and monitoring risks is not enough.


ERM: Less business continuity, more business resilience

It has also been established that during economic downturns, the term risk management is often used as a synonym for business continuity management. While the two processes have much in common and use similar methods, they are different concepts. As defined in this paper, risk management identifies risks that may or may not threaten the continued effective operation of an organization, paying equal attention to those identified as “good” risks when they are associated with growth opportunities.

Business continuity management deals with factors that may cause significant business disruption or may damage the organization’s reputation. It emphasizes preparing the organization for and bringing the organization back from a threatening event. In other words, business continuity management is an application of risk management in the context of threatening risks and emphasizing a timely recovery after an incident.

Enterprise risk management, on the other hand, sets down a structured framework for the organization to identify, rank, and control all the risks concerned. The purpose of this broader assessment is to create a more resilient business — one that is better prepared to adapt to changing conditions and leverage emerging opportunities, as well as anticipate surprises and recover from disruptions. Effective enterprise risk management goes hand in hand with a business resilience process by creating a proactive infrastructure for dealing with risks systematically, holistically and successfully.

• Do you know the critical risks which threaten the continuity of your business?

• If it happens, would you know how to recover?

• Do you know what activities should take priority?

• Are your employees and your organization well prepared?

Figure 1: Visualization of a typical business interruption as loss of productivity vs. time. [Figure elements: vertical axis Productivity, horizontal axis Time; an Event marker; a reference line labelled “Willingness of customer to wait”; four numbered phases (1–4) labelled Normality, Emergency, Salvage and Restoration, and “Business Recovery” with Business Continuity Management.]


Building an ERM framework

Effective risk management today requires an enterprise approach that views risk from all angles – a strategic, 360-degree view supported by tactical, holistic solutions. Achieving this broad view helps ensure business resilience, reduce total cost of risk, and protect profitability by improving a corporation’s ERM framework. See Figure 2, the Enterprise Risk Management Wheel, which divides risks into five main categories.

As this wheel demonstrates, an organization with a holistic, 360-degree view of risk can better uncover and manage its business challenges, including operations and procedures, management styles and strategies, industry issues, emerging risks and more. ERM can provide the framework for identifying both threats and opportunities across the enterprise, assessing them in regards to probability and possible impact, developing a response strategy and monitoring the achievement of objectives.

Figure 2: Enterprise Risk Management Wheel by Zurich Strategic Risk Services. [Figure elements: ring labels UNDERSTANDING YOUR BUSINESS, UNDERSTANDING RISK ACROSS YOUR BUSINESS, and KEEPING YOUR BUSINESS.]

A 360-degree ERM process can help organizations meet these strategic objectives:

• Protecting the capital base – An ERM review can potentially drive meaningful financial benefits, including a reduced cost of servicing debt, improved access to capital and cost of capital.

• Enhancing value creation and contributing to an optimal risk/return profile – ERM can increase the probability of the upside and decrease the probability of the downside.

• Supporting the corporate decision-making process – For senior management, ERM can demonstrate that risk information is incorporated into the decision-making process, especially for rated companies that need to score well on the S&P ERM assessment.

• Protecting reputation and brand by promoting a sound culture of risk awareness – ERM can increase investor confidence through proven management accountability for risk.

Zurich’s report on applied risk management, developed for risk managers after the credit crisis, summarized the lessons learned from the failures of those companies that did not perform a strategic risk management process:

1. Understanding individual risks is not enough – Organizations must account for inter-linkages and remote possibilities

2. Extreme events must be factored in – The world does not follow a normal, even distribution, and “Black Swans” can appear at any time

3. Determine the corporate risk appetite – The strategic function of ERM is to guide corporations in determining their choice of trade-offs between risk and reward

4. Quantitative models are important, qualitative judgments are imperative – The arsenal of risk management tools is lengthy, but models cannot replace judgment

5. A risk culture starts at the top – To entrench risk management across an organization takes a strong, top-down approach applied across the organization


Developing a risk cultural shift toward risk accountability

Turning risk into a competitive advantage requires accountability. We cannot deploy an effective and consistent approach to managing risk and opportunity until we understand how we address risk as individuals and teams. Failing to tackle issues of risk management head-on can expose your firm to “the blindside of risk,” potentially costing you money and causing you to miss growth opportunities in critical areas such as:

• Mergers and acquisitions

• Private equity portfolio management

• Expanding global footprint

• Corporate downsizing

• Change in leadership

• Corporate reorganization and rebranding

• Enterprise risk management

• Cloud computing/cyber security and privacy

• Sale of business units

• Business continuity, crisis response and safety

Turning risk into a competitive advantage may require a cultural shift toward greater risk accountability. A cultural shift may be needed to improve the understanding and management of risk throughout your organization, and to drive critical corporate communication between the C-Suite, the Board and employees.

It starts by mapping each individual’s predisposition to risk, and then aligning it with the corporate goals. Ownership and accountability of risk can be increased through proven management and behavioral science strategies. The process can then be made continuous through a living risk culture dashboard, aligned to your strategic and operational objectives.

An embedded and open risk culture can improve collaboration and encourage dialog that can help you establish key risk indicators tied directly to key growth and performance metrics. This positive risk culture can help you better understand your risk landscape and build an ERM framework that addresses risk proactively to improve business resilience and profit potential.

How can you deal with the risks that you may not even know exist? Can you efficiently prioritize and budget resources for critical strategic and operational risk mitigation? What is the true risk appetite of your organization? It is challenging to incorporate risk considerations into strategic planning, budgeting, supply chain management, business continuity or other operational activities. A company must evaluate the risk/reward balance and also ensure that its risk management culture is consistent and effective across the enterprise.

Creating a risk management policy

What’s clear from these lessons is that the important tasks of determining corporate risk appetite and deploying qualitative judgments must be sanctioned by those at the very top — senior management and the board. In order to provide this type of “top-down” guidance, many organizations issue a risk management policy each year. The benefits of creating this type of policy are many, and include keeping the overall risk management approach in line with current best practice, focusing on the intended benefits for the coming year, identifying the risk priorities and ensuring that appropriate attention is paid to emerging risks.

In a report, “A structured approach to ERM and the requirements of ISO 31000,” issued by the Public Risk Management Association in the U.K. in early 2010, a risk management policy structure was included that can help corporations ensure their ERM approach is updated and disseminated throughout the organization each year. The following sections were recommended in developing an ERM policy:

• Risk management and internal control objectives (governance)

• Statement of the attitude of the organization to risk (risk strategy)

• Description of the risk aware culture or control environment

• Level and nature of risk that is acceptable (risk appetite)

• Risk management organization and arrangements (risk architecture)

• Details of procedures for risk recognition and ranking (risk assessment)

• List of documentation for analyzing and reporting risk (risk protocols)

• Risk mitigation requirements and control mechanisms (risk response)

• Allocation of risk management roles and responsibilities

• Risk management training topics and priorities

• Criteria for monitoring and benchmarking of risks

• Allocation of appropriate resources to risk management

• Risk activities and risk priorities for the coming year

Technology support of ERM

For many organizations, the top-down commitment required of an ERM program can be a difficult aspect to embed. Effective utilization of technology can support this objective, and while it cannot replace a good process, it can serve as an invaluable support tool.

Complex organizations often attempt to utilize common spreadsheet applications to bolster their enterprise risk management effort, with the result being a frustrating lack of functionality. Despite significant efforts to manage risk holistically, many companies fail to integrate software that can fully support ERM objectives. Utilizing ERM software can enable a company to amplify its risk management efforts and magnify its insights without creating the need to scale resources accordingly. ERM-specific software is designed to support the user through each distinct stage of the ERM cycle (including establishment of context, risk identification, risk analysis, risk evaluation, risk treatment, monitoring and review).

A software solution can support this growth by providing a solid foundation in the early stages, while including more advanced functionality to be used as appropriate along the journey. Over time, software will enable a company to more closely align its risk appetite with its corporate strategy. In addition, it enables the company to optimize its capital allocation and reduce its total cost of risk.

Perhaps the biggest advantage ERM software has over traditional tools is the capability to monitor and track risks within its built-in risk register. This risk register is capable of distinguishing between corrective and preventative controls, enabling the user to compare and explore combinations of various options. The tool may also be capable of displaying the residual risk that remains after a control has been implemented, and instantly reporting on the status of a company’s risk profile in a dynamic way. Since a variety of user groups need to access risk reports, ERM software can provide a multitude of ways to make use of data depending on the strategy setting.

When choosing a software program to facilitate an ERM initiative, it is imperative that it can be seamlessly integrated into an organization. Therefore the configuration of the software must be adaptable to the company’s operating structure. The foundational ERM framework should be modeled after the ISO 31000 or similar standard, utilizing the following inputs: contexts, risks, consequences, preventative and corrective controls, triggers, and mitigation activities. While it may seem insignificant, using the appropriate terminology may be the first major step towards an effective ERM program. Additional considerations when choosing an ERM software application are:

• Ease of use – can the frontline utilize the interface with minimal training?

• Relevant analysis – will the software produce impactful information?

• Prioritization – can the company’s risk identification process be incorporated?

• Notification – will the software actively alert users as appropriate?

In this era, companies face substantial pressure to be transparent about risk. This becomes increasingly difficult as globalization creates a complex environment of interdependency. The trend of risks becoming more difficult to manage will certainly continue, so implementing a software tool capable of growing with the needs of the company at an early stage is critical to a valuable ERM program.

Risk management and ISO 31000

On November 15, 2009, the International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management – Principles and Guidelines. ISO 31000 is the first of the ISO 31000 series of risk management standards to be published by ISO. Also in this family of standards are:

1. ISO Guide 73:2009 Risk Management – Vocabulary. This standard provides the definitions of generic terms related to risk management and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities related to risk management as well as terminology.


2. ISO/IEC 31010, Risk Management – Risk Management Techniques. This is a supporting standard for ISO 31000 offering guidelines on the selection and application of systematic techniques for risk assessment.

ISO 31000 is designed to help organizations build an ERM framework that can:

• Increase the likelihood of achieving objectives

• Encourage proactive management

• Be aware of the need to identify and treat risk throughout the organization

• Improve the identification of opportunities and threats

• Comply with relevant legal and regulatory requirements and international norms

• Improve financial reporting

• Improve governance

• Improve stakeholder confidence and trust

• Establish a reliable basis for decision making and planning

• Improve controls

• Effectively allocate and use resources for risk treatment

• Improve operational effectiveness and efficiency

• Enhance health and safety performance, as well as environmental protection

• Improve loss prevention and incident management

• Minimize losses

• Improve organizational learning

• Improve organizational resilience

Although ISO 31000 provides generic guidelines, it is not the intention of the standard to promote uniformity of risk management techniques across all organizations. Rather, it is to promote the adoption of consistent processes so as to ensure the risk is managed effectively, efficiently and coherently across organizations.

The ISO 31000 standard will be useful to:

• Those responsible for implementing risk management within their organizations

• Those who need to ensure that an organization manages risk

• Those needing to evaluate an organization’s practices in managing risk

• Developers of standards, procedures and instructions relating to managing risk


The strategic benefits of ERM

The benefits of developing a new ERM framework, or improving upon an existing, more basic one, include:

• Minimizing barriers to achieving objectives and maximizing strategic growth opportunities

• Reducing variability in expected business outcomes to enhance value creation advantage

• Generating superior business intelligence to enable improved strategic decision making

• Decreasing total cost of capital through optimizing the balance of risk and opportunity

• Identifying key exposures, quantifying critical activity, and solidifying value chains

• Demonstrating the benefit of increased risk transparency across your organization

• Using additional risk information to improve risk transfer and decrease negative events

• Protecting tangible and intangible assets to minimize impact on bottom line profitability

A study of hundreds of organizations by The Conference Board [6], a leading global not-for-profit management research organization, showed that a strong ERM program is a factor in increasing revenue and shareholder value. According to the survey respondents, the incorporation of a sophisticated risk management program yielded increased management accountability, smoother governance practices, increased profitability, reduced earnings volatility and better informed decisions based on risk intelligence.

The Conference Board study showed that a strong ERM program is a factor in increasing revenue and shareholder value:

• 80% Increased management accountability (shareholder confidence)

• 79% Smoother governance practices

• 59% Increased profitability

• 62% Reduced earnings volatility (less volatility)

• 86% Better informed decisions (learn from risk information and mistakes)

Clearly, managing risk can no longer be left to one person such as a Chief Risk Officer or siloed into one department, but demands a transparent approach to strategic decisions and daily operations. ERM can encourage resilience and protect profitability in an ever-changing business climate. Applied robustly across all areas of an organization, a strategic ERM process will efficiently manage available capital — funding the appropriate growth opportunities, while budgeting for potential risks.

[6] “From Risk Management to Risk Strategy,” Report #1363, The Conference Board, www.conference-board.org

Sources:

• “Enterprise Risk Management: Complacency is No Longer an Option, But a Practical Start Is” 2006, KPMG www.kpmg.com

• “Effective Enterprise Risk Management starts with a Conversation” American Institute of Certified Public Accountants, September 2009 www.aicpa.org

• ISO 31000 Risk management – Principles and guidelines. International Organization for Standardization, 2009. www.iso.org

• “Strengthening Enterprise Risk Management for Strategic Advantage” Committee of Sponsoring Organizations of the Treadway Commission 2009, www.coso.org

• “Progress Report: Integrating Enterprise Risk Management Analysis into Corporate Credit Ratings” Standard & Poors Ratings Direct www.standardandpoors.com/ratingsdirect July 2009

• Christina, Diana. “Dissecting the Anatomy of ISO 31000,” www.dianechristina.wordpress.com/2010/02/05/dissecting-the-anatomy-of-iso-31000/

• Committee of Sponsoring Organization of the Treadway Commission. “Enterprise Risk Management – Integrated Framework: Executive Summary” Sep 2004

• Good Practice Guidelines 2008. Business Continuity Institute

Strategic Risk Services - Zurich Services Corporation

Zurich’s Strategic Risk Services helps organizations improve their business performance through an Enterprise Risk Management approach to strategic, operational and financial exposures. This broad, 360° view helps businesses ensure resilience, reduce total cost of risk, protect profitability, and enhance capital efficiency.

Zurich

1400 American Lane, Schaumburg, Illinois 60196-1056 800 382 2150 www.zurichna.com

The information in this publication was compiled from sources believed to be reliable for informational purposes only.

All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances.

The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.

©2013 Zurich American Insurance Corporation A1-112001632-A (06/13) 112001632

Five Tips for Every Business to Become Tornado-Aware

Five tips for every business to become tornado-aware

Unlike hurricanes, which can be tracked days in advance of making landfall, tornadoes can appear suddenly, allowing only a few hours for warnings of deadly storm conditions to be issued. Occasionally, tornadoes develop so rapidly that little, if any, advance warning is possible. And while the path of a tornado is far narrower than that of a hurricane, tornadoes can be more destructive to homes and businesses.

The peak wind speed of a Category 5 hurricane rarely exceeds 180 miles per hour, while an EF5 tornado has estimated wind speeds in excess of 200 miles per hour by definition — and can generate maximum wind speeds of greater than 250 mph. EF5 tornadoes can be powerful enough to strip the bark from a tree! [1]

Fortunately, companies can take steps to help protect people, property and business income. The key factors are preparedness, vigilance and rapid response to dangerous conditions.

How to help minimize injuries, property damage and business losses

1. Plan in advance to protect people. Preparedness is essential to helping protect people in an emergency situation. Some of the key elements of a tornado safety program include: [2]

• Identifying the safest areas in a building so employees know where to congregate in the event of a warning;

• Designating the roles and responsibilities of supervisors and employees, including the appointment of a tornado warden (typically the same person as the fire warden);

• Practicing for an event with tornado drills; and

• Posting signs in public buildings to direct customers and visitors to safe areas.

The safest areas for employees to seek shelter typically include basements, hallways, interior stairwells and small internal first floor rooms. For businesses in tornado-prone areas, consider constructing a tornado-hardened safe room.

2. Take actions to help minimize property damage. Few structures can survive a direct hit by an EF5 tornado, but most tornadoes are far less powerful, and much of the damage is caused by debris hurled by the storm rather than direct damage from high winds in the vortex. Some practical steps to help minimize property damage from a tornado include: [3, 4]

• Securing outdoor gear and outbuildings to prevent them from becoming airborne missiles;

• Reinforcing vulnerable areas of a building, such as adding supports to garage doors and bracing and strapping the roof;

• Housing servers and other vital equipment in protected areas of a building, preferably in tornado-resistant server rooms; and

• For new construction, working with an architect or contractor to incorporate wind mitigation techniques and high wind-rated products.

[1] Jonathan Erdman, “F/EF5: The Most Violent Tornadoes,” The Weather Channel www.weather.com

[2, 4] “Steps to Reduce the Risks of Tornado Damage in Commercial Structure,” Insurance Institute for Business and Home Safety, www.disastersafety.org

[3] “Simple Tips to Reduce High Wind, Tornado Damage,” FEMA, www.fema.gov

3. Prepare in advance to help maintain business continuity. Continuity and disaster recovery planning is essential to help businesses bounce back after any sort of catastrophe, not just tornadoes. However, the potential for total destruction of an individual property from a tornado, combined with the likelihood of severe damage to local infrastructure, makes a well-conceived continuity and disaster recovery plan all the more essential.

Specific elements of continuity and disaster recovery plans will vary by size and type of business, but questions to address typically include:

• How employees will communicate;

• Where employees will work;

• How manufacturing and other critical business operations will continue until a damaged building is repaired or replaced;

• How data and information technology will be restored; and

• How supply chain logistics will be maintained.

4. Monitor the weather when threatening. Forecasters can sometimes identify potentially deadly weather systems forming more than a day in advance of tornadoes being spawned, and Doppler radar can significantly improve the timeliness and accuracy of spotting tornadoes that have formed or are in the process of forming. However, advance warnings are not helpful if they are not heard and heeded. The National Weather Service provides local weather broadcasts over a radio network called NOAA Weather Radio from over 1,000 different transmitters nationwide. Businesses should buy a NOAA Tone Alert Weather Radio, and the tornado warden or other designated employee should monitor information from the National Weather Service as well as from local radio and television stations.

5. Take warnings seriously and act quickly. Most often, the aftermath of a tornado warning is a funnel cloud producing little or no damage, or sometimes even no tornado at all. As a result, many people become complacent and underestimate the danger inherent in a severe weather situation. Weather service officials in some areas are now enhancing warning communications to convey a sense of urgency for extreme events. For example, one warning in advance of a powerful EF3 tornado proclaimed: “This is a life-threatening situation. You could be killed if not underground or in a tornado shelter.” [5] But even in the absence of enhanced communications, every warning should be taken with the utmost seriousness, and appropriate measures should be taken immediately to protect lives and property.

Insurance

Most property insurance policies provide insurance protection for tornado damage to both real and personal property. These policies also may cover costs to remove, clean up and dispose of debris after a tornado. Companies also should consider time element coverages, especially Business Interruption and Extra Expense, which cover lost business profits and the additional expenses to keep a business running while insured property is being restored or replaced. Civil Authority and Ingress/Egress coverages cover lost business profits due to disruptions caused by the inability of customers or employees to access a building.

[5] Manny Fernandez and Matt Flegenheimer, “100 tornadoes, 5 deaths: New early warning puts Midwest towns on notice to take care,” New York Times, April 16, 2012 www.twincities.com

Even if a company is undamaged by a tornado, its business still may be disrupted if suppliers are damaged and unable to deliver goods to the company, or customers are damaged and are unable to receive goods. Contingent Business Interruption coverage can provide insurance protection for this scenario. Companies should work closely with their brokers to identify their tornado-related exposures, and to assure they have enough of the right coverages.

Conclusion

Tornado damage can cripple or even destroy a company, but businesses are not helpless in the face of even the most powerful twister. Advance preparation can help business owners and executives rest assured that both lives and property will be preserved to the greatest extent possible, and continuity and disaster planning can contribute to a rapid and complete rebound in the aftermath of a catastrophic event. Advance preparation, however, can be undermined by failing to react effectively to an imminent threat. Companies need to monitor developing weather conditions and respond quickly and decisively as soon as severe conditions materialize. Insurance protection also is essential, and companies should work with their brokers to guarantee they have traditional property insurance policies that cover loss to tangible property, as well as time element coverages that help businesses remain financially viable after a catastrophe.


Insurance coverages are underwritten by individual member companies of Zurich in North America, including Zurich American Insurance Company. Certain coverages are not available in all states. Some coverages may be written on a nonadmitted basis through licensed surplus lines brokers.

©2014 Zurich American Insurance Corporation A1-20956-B (03/14) 112002806