Risk Management Module 3
Enterprise Risk management objectives:
1. *Align risk appetite and strategy* - how much risk the organization is willing to take on when evaluating strategic alternatives
2. *Enhance risk response decisions* - helps identify whether to avoid, reduce, share or accept each risk
3. *Reduce operational surprises and losses* - identify potential events and establish responses in advance
4. *Identify and manage multiple and cross-enterprise risks* - facilitate effective, integrated responses to risks that interact across the enterprise
5. *Seize opportunities* - by considering a full range of events, management is positioned to proactively identify and realize opportunities. An opportunity is the possibility that an event will occur and positively affect the organization
6. *Improve deployment or distribution of capital*
7. *Compliance and governance*
Regulatory/Compliance Risk
Part of overall operational risk stems from the requirement to comply with the regulations of federal, state, local and industry-specific regulatory agencies, as well as with accounting rules and with the rules governing financial transactions and anti-money-laundering. Regulations vary with the type of business and with state, local and federal requirements.
Operational Risks
Possible events and situations resulting from employee actions, core processes and daily business activities. They develop out of business operations, including the supply chain, the manufacture and distribution of products, providing service to customers, and cybersecurity.
Strategic risks
Possible events and situations that can affect the execution of an organization's long-term plans - uncertainty regarding an organization's strengths, weaknesses, opportunities, threats, goals and objectives
quid pro quo
A social engineering ploy that promises a benefit (a prize, a service, a favor) in exchange for information or access.
Liquidity risk
Risk that an organization will not be able to meet its payment obligations as they come due; issues with cash flow
Credit risk
Risk that the organization will not be able to obtain financing for operations, as well as the risk that large customers will be unable or unwilling to pay the receivables they owe the organization
Inflation risk
Risk that the cost of the materials, services, personnel, etc. used in providing the organization's goods or services will increase
SEC (Securities and Exchange Commission)
A federal agency that protects the rights of investors in public companies. Its disclosure guidance requires public companies to disclose material cybersecurity risks and material cyber incidents, whether realized or threatened.
Phishing
- An online con used to try to obtain personal information or credentials. Sometimes presented as website pop-ups, but more often as messages through email or social media that appear genuine. Phishing messages generally:
i) seek personal information or log-in credentials
ii) use link shorteners, or embedded links whose visible text looks legitimate while the actual destination is a suspicious website
iii) incorporate threats, fear and a sense of urgency to manipulate the recipient into acting promptly
- In a work environment, phishing can appear to come from the CFO or anyone in authority, for example an instruction to wire money (so-called business email compromise)
- Relies on human error to succeed, which is why user training is a control
Pretexting
Deceiving a target by pretending to be someone else. The attacker builds a convincing fabrication (a pretext) and uses it to manipulate the target into performing an action that lets the attacker exploit a weakness in the company. Example: an attacker impersonates a delivery person to get a hotel to reveal a guest's room number.
interest rate risk
Risk of loss caused by adverse interest-rate movements; the risk of capital losses to which investors and borrowers are exposed because of changing interest rates
Commodity Price risk
the risk of losing money if the price of a commodity changes
Bug Bounties
- An offer by a legitimate company inviting hackers to attempt to break into the company's systems; the company pays a fee for each vulnerability reported so it can learn about and fix its weaknesses. The danger noted here is that the "white hat hackers" could be anybody and might instead sell the data they reach to the highest bidder. Programs manage this by defining the scope and rules of engagement in advance and by making payment conditional on coordinated disclosure rather than on exploitation of the finding.
Financial Risk -Cryptocurrencies
- Cryptocurrencies may be accepted by governments and businesses. They carry risks but can offer a competitive advantage. - Blockchain, the distributed ledger on which cryptocurrency transactions are recorded, is what makes those transactions hard to alter after the fact; additional technologies continue to be developed to make holding and transacting in cryptocurrency more secure.
Reputational Risk
- Financial loss resulting whenever an event negatively affects the public's perception of the organization's products, services, or its ability to safeguard personal data or well-being. - A risk of loss resulting from damage to a firm's reputation: lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, following an adverse or potentially criminal event, even if the company is not found guilty.
Financial risk- Benefits of ERM
-Reduced cost of funding and capital -Better control of CapEx approvals -Increased profitability for organization -Accurate financial risk reporting -Enhanced corporate governance
Enterprise Risk Management Framework:
-Risk Identification -Risk Analysis -Risk Assessment -Selection of Risk treatment measures and Controls -Implementation -Monitoring
Operational Risk- Supply chain
- It is impossible to eliminate risk entirely, but adequate attention to risk management can reduce the likelihood and magnitude of any disruption to supply. - Uncertainty in supply and demand, the globalization of marketplaces, shorter product life cycles and rapid changes in technology have raised exposure to risk in the supply chain. - Because many companies obtain components overseas, their exposure increases.
Components of a good cyber risk management program
*Risk identification*
- Penetration testing - outside consultants attempt to breach the company's defenses, networks and other computer systems to identify vulnerabilities
- Determine the risk events that could have a high impact on the organization
*Prevention*
- How does the organization use its controls to protect against vulnerabilities? What oversight and testing of those controls takes place?
- Train employees to recognize social engineering ploys
*Detection*
- Be proactive in detecting threats and containing them
*Response*
- Validate that the event is actually taking place
- Contain the breach (isolating affected systems, blocking attacker access at the firewall, other stop-gap measures)
- Determine when and whether to notify authorities, regulators, banks, customers and the media. Focus on minimizing the impact on brand value
Virus
(also Trojans, worms) - The most common category of malware. A virus is a harmful program that attaches itself to other files or programs and copies itself when they run; a worm spreads itself to other computers over the network without user action; a Trojan disguises itself as legitimate software and does not copy itself at all, but gives the attacker a foothold once a user installs it.
ERM- Compliance- financial reporting
- Periodic Form 10-K - public companies are required to disclose risk factors, including what management is doing to prevent them in the future
- Form 8-K - report a public company must file with the SEC within four business days of a major event that shareholders should know about. Examples: material divestitures, acquisitions, new agreements or the termination of material existing agreements; a change in a Board of Directors position or executive officer
- Proxy statement (SEC Form 14A) - required of a firm when soliciting shareholder votes. It is filed in advance of the annual meeting as Form DEF 14A (Definitive Proxy Statement) with the U.S. Securities and Exchange Commission. Risk factors of any transaction the shareholders are voting on must be detailed
How the EMV (Europay, Mastercard and Visa) card networks have handled cybersecurity and PCI (payment card industry) risk
- The EMV liability shift moved liability for counterfeit-card fraud to whichever party in a transaction (merchant or issuer) had not adopted chip technology, which pushed merchants to replace magnetic-stripe readers with chip readers; the chip is much harder to duplicate than the stripe. - The chip protects the card-present transaction only, so the networks and merchants must continue with tokenization and encryption to secure stored and transmitted payment card industry (PCI) data. - Card issuers in Europe have widely implemented chip-and-PIN, requiring a PIN with each transaction for further protection.
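Tokenization, mentioned above as the control that has to accompany the chip, replaces the card number in the merchant's own systems with a surrogate value. The following is an added example, not from the study material: an in-memory vault stands in for a separately secured token service (an assumption), the tokens keep the last four digits for receipts and deliberately fail the Luhn check so they cannot be mistaken for a real card number, and the card numbers used are published industry test numbers, not real accounts.

```python
"""Tokenization of a payment card number (PAN) as the entry above describes it:
the merchant's systems keep a token that is useless to a thief, and only a
separately secured vault can map it back. Added example, not from the page;
the vault is an in-memory dict standing in for a real token service, and the
card numbers are industry test numbers, not real accounts."""
import secrets


def luhn_valid(number):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(value):
    """Display form that may leave the cardholder data environment: last four only."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    """Maps tokens to PANs. In production this lives in the PCI-scoped vault,
    not in the merchant application (assumption: in-memory dicts suffice here)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:              # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            # Same length and same last four digits, so downstream systems and
            # receipts keep working; the rest is random, from a CSPRNG.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token that passed the Luhn check could be mistaken for, or
            # collide with, a real card number, so reject those and retry.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the payment-gateway path should ever call this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    for pan in ("4111111111111111", "378282246310005"):   # Visa / Amex test numbers
        tok = vault.tokenize(pan)
        print(mask_pan(pan), "->", tok, "(luhn valid:", luhn_valid(tok), ")")
```

The point for scoping: systems that store only the token and the masked form never hold cardholder data, which is what takes them out of the PCI DSS assessment boundary; the vault and the gateway path that calls `detokenize` stay in scope.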
ERM Process: Risk Analysis - Big Data Analytics
- *Big Data Analytics* - the process of examining large and varied data sets to uncover hidden patterns, unknown correlations, market trends, customer preferences and other useful information that can help organizations make more informed risk management decisions, identify opportunities and improve operational efficiency
- Organizations now attempt to "quantify" risks that are not hazard risks. Hazard risks can often be assessed and treated, to an extent, with insurance
- Performed by data scientists and statisticians using predictive modeling
- E-commerce companies, financial service firms (including insurers) and health care organizations have led the way in incorporating it into risk analysis once data is properly organized and structured
- *Data Mining* - sifting through data sets in search of patterns and relationships
- *Predictive Analysis* - building models for forecasting customer behavior and other future developments
- *Machine Learning* - using algorithms that learn from large data sets
Risk mitigation- Business continuity planning
- *Business Continuity Planning* - how an organization prepares for future incidents that could jeopardize its existence: planning to minimize the negative impact on operations when an event occurs. Plans must be defined, documented and tested, and roles and responsibilities must be clear
- Includes *Disaster Recovery Plans* - the organization needs to understand to what degree it will be able to serve customers and maintain solvency in the event of a major full or partial shutdown of operations
- *Employee Retention* is critical to being able to "ramp up" back to pre-loss business levels once the interruption is over; continuation of critical payroll must be ensured
- *Liquidity* needs should be identified. What costs will continue during the interruption? Insurance might cover much of the business interruption loss, but insurance proceeds take time and deductibles may be high, particularly if the loss is from a catastrophe
- Plans might include restoration of critical data, alternative premises, outsourcing certain operations, modes of communication during the crisis, the members and roles of the crisis management team, dealing with press coverage, and the role of insurance
ERM process: Implement the program
- *Implement and Monitor the Program* - incorporating an ERM structure, practices and strategies to fulfill the goals of the organization
- The process is continuous and dynamic
- Requires cooperation from different business segments, which is often the most difficult part
- Requires changes and adjustments as business models, regulations, economic conditions, personnel, acquisitions or divestitures, and the company's financial condition change
- Must be supported and required by senior management; ERM will fail without senior management's full buy-in
A) Determine the ERM framework - COSO ERM, ISO 31000; many companies tailor their own framework and purchase ERM information systems software to manage the process
B) Implement risk controls
C) Determine the various "risk champions" and "risk centers"
D) Determine the ongoing risk communication structure
E) Formulate crisis management and business continuity plans - plans to mitigate the consequences of a risk event once it occurs
Common ERM Framework: ISO 31000 (international organization for standardization)
- *International Organization for Standardization 31000 ERM Framework* - provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. - Focuses on integrating ERM with organizational strategy and performance. - Can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. - Cannot be used for certification purposes, but does provide guidance for internal or external audit programs. - Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.
ERM process: Risk analysis and Risk Assesment:
- *Risk Analysis and Risk Assessment* - the process of determining the cause of a risk event, the risk event itself, and its potential impact
- Risks should be *quantified*: the process of qualitatively or quantitatively determining the probability of an adverse event and the severity of its impact
- *Risk Mapping* (heat maps or risk matrix) - developing grids detailing the potential frequency and severity of the risks the organization faces. Should include both insurable and non-insurable risks
- *Catastrophe Modeling* - estimating the losses that could occur as a result of a catastrophic event: low frequency but very high severity. Insurance companies, reinsurers, government agencies and financial institutions do this when evaluating earthquake, windstorm and flood risks in catastrophe-prone areas. Often they rely on an industry service such as Risk Management Solutions (RMS) to assess catastrophe risk and then set their risk appetite for it
- *Value at Risk (VaR) Analysis* (quantitative assessment) - the worst loss likely to occur over a given time period under normal market conditions at a stated confidence level (a one-day 95% VaR is the loss exceeded on only about one day in twenty). Similar to "maximum probable loss". Best suited to financial risks; note that it says nothing about how bad the losses beyond the confidence level can be
- *Root Cause Analysis* - finding the root cause of a potential event. Causes are physical, human, or organizational (processes or procedures)
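To make the Value at Risk definition concrete, here is an added worked example, not from the study material, computing a one-day 95% VaR two ways: by historical simulation (sorting the observed losses and reading off the 95th percentile) and by the parametric variance-covariance method (assuming normally distributed returns). The twenty daily returns and the 1,000,000 portfolio value are constructed, not market data.

```python
"""Value at Risk two ways, as an added worked example of the quantitative
assessment described above (not from the original page). The daily return
series and the portfolio value are constructed, not market data."""
import statistics


def historical_var(returns, confidence_pct=95, portfolio_value=1.0):
    """Historical-simulation VaR: the loss not exceeded on `confidence_pct`% of
    the observed days. Returns a positive number in currency units."""
    losses = sorted(-r for r in returns)              # losses ascending, gains negative
    n = len(losses)
    # Integer arithmetic for the rank avoids float rounding at exact multiples.
    rank = -(-confidence_pct * n // 100)              # ceil(confidence * n)
    return max(losses[rank - 1], 0.0) * portfolio_value


def parametric_var(returns, confidence_pct=95, portfolio_value=1.0):
    """Variance-covariance VaR assuming normally distributed returns:
    VaR = (z * sigma - mu) * V, where z is the one-sided normal quantile."""
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    z = statistics.NormalDist().inv_cdf(confidence_pct / 100)
    return max(z * sigma - mu, 0.0) * portfolio_value


# Constructed: 20 daily returns of a portfolio worth 1,000,000.
DAILY_RETURNS = [0.004, -0.012, 0.007, -0.003, 0.015, -0.021, 0.002, -0.008,
                 0.011, -0.030, 0.006, -0.001, 0.009, -0.017, 0.003, 0.012,
                 -0.006, 0.001, -0.009, 0.005]
PORTFOLIO = 1_000_000

if __name__ == "__main__":
    for conf in (95, 99):
        print(f"{conf}% 1-day VaR  historical: {historical_var(DAILY_RETURNS, conf, PORTFOLIO):,.0f}"
              f"  parametric: {parametric_var(DAILY_RETURNS, conf, PORTFOLIO):,.0f}")
```

With twenty observations the 95% historical VaR is simply the second-worst day (a 2.1% loss, or 21,000), and the 99% VaR is the worst day; that is the method's weakness, since it can never report a loss larger than one it has already seen. The parametric figure (about 20,900 at 95%) comes out close here because the constructed series is roughly symmetric; on real returns with fat tails it tends to understate risk.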
Encryption
- Process of converting readable data (plaintext) into unreadable ciphertext to prevent unauthorized access. - Data is encoded so that a separate piece of information, the key, is needed to decode it and make sense of it. Without the key, stolen encrypted data is of little use to an attacker, which is why encryption makes a hacker's job harder and why breach notification laws often exempt properly encrypted data. Most modern operating systems ship with full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux), though it may need to be turned on, and the key must be protected as carefully as the data.
Cyber insurance typically covers:
- *Security & Privacy Liability* - liability coverage for claims arising from a failure to secure sensitive customer data
- *Event Management* - costs associated with a security breach resulting in loss of confidential information, including investigation, forensics, notification and credit monitoring costs, and legal fees
- *Network Interruption coverage* - expenses and loss of income associated with a security system failure resulting from unauthorized access, denial of service, or introduction of malicious code. Costs to recreate and restore data and systems are also covered. Can also apply to interruption caused by cyber extortion
- *Regulatory Action* - a request for information, civil investigative demand or civil proceeding brought by or on behalf of a government agency
- *Cyber Extortion or Ransom* - theft or encryption of sensitive or confidential data for the purpose of making extortion threats
Financial Risk-Block Chain technology
- Blockchain is the underlying technology behind cryptocurrencies such as Bitcoin: a distributed ledger that records every transaction in linked, cryptographically hashed blocks, so that past records are very hard to alter and a holder cannot spend a copy of a coin while keeping the original (the "double spend" problem). - Cryptocurrencies are digital assets whose ownership is recorded on such a ledger.
operational- brexit ( britain's exit from the european union)
- Brexit is likely to reduce the UK's real per-capita income in the medium and long term. - Studies of effects that had already materialized since the referendum showed annual losses of £404 for the average British household and a loss of 1.3% of UK GDP. - Brexit is likely to reduce immigration from European Economic Area (EEA) countries to the UK, and poses challenges for UK higher education and academic research. - The size of the "divorce bill", Britain's international agreements, relations with the Republic of Ireland, and the borders with France and between Gibraltar and Spain were uncertain. The precise impact on the UK depends on whether it is a "hard" or a "soft" Brexit. - Brexit was scheduled to take effect on March 29, 2019, with the UK and EU having agreed a 21-month transition period. - The ability of goods, services and people to move freely between the UK and the EU is uncertain. - Over 2.8 million EU nationals reside in the UK. If they were no longer able to stay, that could create an employee and talent drain in the UK, and the reverse for UK nationals in the EU. - Trade agreements need to be negotiated, as the EU is the UK's largest trade partner and many UK trade agreements outside the EU are held through the EU. - These new agreements could carry greater costs (such as tariffs) and higher trade barriers. Global firms that do business in the UK are in the planning stages; in some cases plans include redeployment of talent, capital and physical property.
Internet of Things (IoT)
- Broad term for devices with sensors connected to a home or business Wi-Fi network; they typically have little defense and can give an attacker a foothold on the home or business computer network. - The Internet of Things (IoT) is the name given to the relatively new technology that connects everyday objects and devices to the web to provide additional data or functionality. In the race to create the next "it" product, manufacturers and users are creating a dangerous side effect: insecure devices are compromised in bulk and herded into botnets that are used for attacks such as distributed denial of service. Most IoT devices are not designed with security in mind, ship with default credentials, and often have no way of being patched. Many IoT vendors are small, innovative companies without mature cybersecurity controls, and millions of devices are already in use and still being made and sold.
ERM Compliance Dodd Frank
- Describes in detail the enterprise risk management requirements large banks must follow. A Chief Risk Officer must exist, with direct access to the bank's risk committee and a direct reporting line to the CEO. Studies have found Dodd-Frank improved financial stability and consumer protection, although there is evidence it may have had a negative effect on small banks.
ERM Process: Risk Identification
- Identify loss exposures
- Methods are similar to how the risk manager identifies exposures to insure
- Different departments handle different risks: operations personnel may handle supply chain risks, the IT department cyber-related risks, public relations reputational risks, the legal department compliance and litigation risks, and the finance department speculative financial risks
- For each potential risk event, identify its causes and the potential outcome if it were to happen
- Emerging risks, not just current risks, should also be identified
- Senior management must define the strategic goals of the organization
- Tools and techniques - similar to underwriting: loss histories, financial statements, interviews, risk surveys, personal inspections, social media
- What are the internal and external expectations of stakeholders?
- Create a risk register - for each risk event: identify potential causes, assign a risk owner, determine the likelihood of the event (low, medium, high), determine the consequences or severity, determine the possible financial impact, and determine the proper risk treatment or controls
- SWOT analysis: Strengths (helpful internal attributes), Weaknesses (harmful internal attributes), Opportunities (helpful external factors), Threats (harmful external factors)
The General Data Protection Regulation (GDPR)
- Mandates a baseline set of standards for organizations that handle EU residents' personal data, to better safeguard the processing and movement of that data
- Standardizes data protection law across all EU member states (28 when it took effect) and imposes strict rules on controlling and processing personal data. It also extends data protection rights by giving control back to EU residents
- Essential items include larger fines, breach notification to the supervisory authority within 72 hours of becoming aware of a breach, opt-in consent, and responsibility for data transfers outside the EU
- As a result, the impact on businesses is large and permanently changes the way customer data is collected, stored and used
- GDPR applies to all organizations holding and processing EU residents' personal data, regardless of geographic location. Many organizations outside the EU are unaware that it applies to them: if an organization offers goods or services to, or monitors the behavior of, EU residents, it must comply
- Fines for noncompliance are large. The upper tier is up to €20 million or 4% of total worldwide annual turnover, whichever is higher; a lower tier of up to €10 million or 2% applies to less serious categories of violation. Which tier applies depends on the provision breached, not on whether it is a first or repeat offense
Hackers
- People who try to get access to your computer or network without permission in order to steal information for malicious or criminal purposes
- Can steal a variety of sensitive information once they have access to an organization's network
- Can install monitoring tools to capture traffic on networks
- Can install "back door" software (often delivered as a Trojan horse) giving them the ability to re-enter your PC later without your knowledge
Protecting Information
- User names and passwords
- Multi-factor authentication will become more common, as technologies exist to bolster credentials beyond a user name and password, such as a fingerprint or a one-time code
- Password requirements are often enhanced, e.g. requiring at least one capital letter, one lower-case letter, one number and one non-alphanumeric character, and a length of at least 8 characters
- Limiting permissions (least privilege)
- Encryption
- Limit public Wi-Fi use - it is not secure
- Firewalls
- Tokenization
- Ensure that all vendors and third parties that have access to confidential data have proper practices and protections
- Non-insurance risk transfer - ensure vendors have a current audited controls report, reliable cyber liability insurance, and strong indemnification provisions in their agreements
Social Engineering
- Using trickery or manipulation to get someone to perform certain actions or share confidential information. Social engineers rely on human behavior more than on technical hacking to carry out their exploits. Examples:
1) An email that appears to come from your bank says you need to update your online account information and directs you to click a link. This is an attempt to capture your banking log-in and Social Security number
2) Clicking certain links on social media to see pictures produces a message that you need to update Adobe Flash. You click the link and harmful software is installed
3) A pop-up message asking you to donate to a charitable cause
4) A voice message or text urging you to update accounts or provide personal information
5) Social media mining - gathering information about a company through social media, then showing up on the premises posing as a repairman or IT service provider to gain access to systems or networks
Human Resource risk- Wage and hour
- Wage and hour litigation (legal claims) has increased over 400% since 2000. - These claims are time-consuming and expensive to defend. They often allege violations of the federal Fair Labor Standards Act or its state equivalents. - Limited offshore insurance products exist, but they are expensive, carry very high retentions (deductibles), and often cover defense costs only.
Payment Card Industry Data Security Standard (PCI DSS)
- Widely accepted set of policies and procedures intended to secure credit, debit and cash card transactions and protect cardholders against misuse of their card data. Its twelve requirements are grouped under six control objectives:
1. Build and maintain a secure network and systems - firewalls must be maintained around the environment in which transactions are conducted, and vendor default passwords must be changed
2. Protect cardholder data - cardholder information must be protected when stored (encrypted, truncated or tokenized) and encrypted when transmitted over open networks
3. Maintain a vulnerability management program - systems must be protected against malware and kept patched
4. Implement strong access control measures - access to cardholder data must be restricted to those with a business need, with unique IDs and physical access controls
5. Regularly monitor and test networks - the network must be monitored and regularly tested
6. Maintain an information security policy - a security policy must be defined, maintained and followed
Dark web
- A part of the web that is reachable only through anonymizing overlay networks such as Tor, which hide who operates a site and where it is hosted, making illegal activity and information sharing possible. - Sites there often deal in illegal goods or services (stolen data, credentials, malware) and cater to criminals. Business is often done in bitcoin or other cryptocurrency, which is hard to trace.
Enterprise Risk Management
-a process used by a company to identify its risks and develop responses to them that enable it to be reasonably assured of meeting its goals -An Enterprise Risk program combines into a single unified treatment program all major risks faced by the organization. By packaging risks together, an organization can often offset one risk against another.
supply chain risk
-any potential disruption that threatens the supply chain's efficient and effective operations -Risks associated with interruptions of valuable suppliers, providers, consultants to the organizations operations.
Cyber insurance
- Insurance that protects companies from losses, and from liability to customers, caused by cyber attacks
- Cyber policies contain "first party" and "third party" coverages
- Loss of reputation or impact on brand value are generally not insurable risks
- Commercial General Liability policies will most likely exclude liability arising from a data breach; new exclusions have been introduced in ISO forms excluding electronic data and media-related activities
- Property insurance policies will generally exclude business interruption losses from non-physical damage; only costs to recreate data are likely to be covered
- Crime policies are generally limited to theft of money and securities, not data
Cyber risk- operating consequences if breached
-loss of business or customers; -loss of credibility or goodwill; -cash-flow problems; -reduced quality of service; -inability to pay staff; -backlog of work or loss of production; -loss of data; -financial loss; -loss of customer account information; -loss of financial controls.
Malware
- Malicious software intended to damage, disable or take control of computers and computer systems. - Can disrupt system functionality and cause operating systems to fail. Example: a hacker induces an employee to download something they should not. Online advertising networks are a common delivery channel ("malvertising").
cyber-extortion or Ransomware
- Threatening to harm a company or a person if a specified amount of money is not paid
- Stealing valuable data with the objective of "selling" it back to the victim for a ransom
- Ransomware encrypts the victim's own data in place; a ransom is demanded for the decryption key or tool. Increasingly the criminals also steal a copy first and threaten to publish it ("double extortion")
- Threat to alter, destroy, damage or corrupt data
- Threat to prevent access to computer systems
- Threat to introduce malicious code into computer systems
- Threat to publicly disclose personal information or other confidential data
- Criminals usually demand payment in bitcoin or other cryptocurrency
- Paying a ransom does not guarantee resolution: data may already be corrupted, the decryption tool may not work, and the criminals may use or leak the stolen data anyway. Tested offline backups are the control that makes the encryption threat survivable
Enterprise Risk Management terms:
1. *Risk Appetite* - the amount and type of risk an organization is willing to take on in pursuit of its objectives; shaped by how the organization collectively perceives, assesses and treats risk
2. *Risk Tolerance* - requires the company to consider in quantitative terms exactly how much of its capital it is prepared to put at risk; the acceptable variation around the appetite
3. *Risk Optimization* - better understanding threats and opportunities in order to make well-informed business decisions. Both upside and downside outcomes of risk-taking activities are considered
4. *Risk Register* - the record that begins in the risk identification phase and tracks each risk through to how it gets treated
5. *Risk Architecture* - defines the lines of communication for reporting on risk management issues and events
6. *Chief Risk Officer (CRO)* - position that often oversees the enterprise risk management function and reports directly to the CEO. More common in the financial and energy sectors
Board of Directors Responsibilities
1. Establish clear lines of authority for cybersecurity reporting
2. Ensure that a comprehensive data security plan and an incident response plan are established
3. Ensure the company has the appropriate resources in place to address the risks identified, including approving upgrades to infrastructure and staffing
4. Review regulatory compliance reports from the Chief Information Officer
5. Review SEC or other cybersecurity disclosures
- It is very common for the Board of Directors to be sued if the company experiences a material breach. Ensure that the D&O liability policy does not exclude such claims
What generates wage and hour claims ?
1. Not paying overtime 2. Classifying an employee as exempt (salaried) when they should be non-exempt; non-exempt employees are generally entitled to overtime 3. Not paying for meal or rest breaks 4. Withholding tips or gratuities from employees 5. Not paying a minimum wage 6. Classifying someone as an independent contractor when they should be an employee 7. Differences in pay due to gender 8. Unpaid (or stipend-only) internships
What are cyber criminals after?
1. PII - personally identifiable information: Social Security number, driver's license number, email addresses, date of birth, IP addresses. U.S. privacy laws protect personal data, and state breach notification laws apply when it is exposed
2. Sensitive information at work: company financial and audit reports, trade secrets, strategic business reports, customer credit card numbers
3. Confidential information - if stolen it could seriously and negatively affect an organization, e.g. trade secrets, intellectual property and market information
4. Cardholder data (the data PCI DSS protects) - card numbers (PANs), expiration dates and other identifying card data
5. PHI - protected health information: individuals' health records, diagnoses, conditions and prescription drug usage
Cyber risk: Types of events/ exposures
1. Privacy/loss of confidential data 2. Loss of reputation 3. Malicious Acts 4. Third Party Liability 5. Business Interruption 6. Errors and malfunction 7. Regulatory fines and penalties 8. Cyber risk from third party vendor theft or data breach 9. Cyber terrorism or extortion 10. Loss of intellectual property
Enterprise Risk management Covers the following risks:
1. Pure risks 2. operational risks 3. Regulatory risks/ compliance risks 4. Reputational Risks 5. Financial Risks 6. Supply chain risks
Why Enterprise Risk Management? ( ERM)
1. Risks have become more complicated-Organizations are realizing the importance of managing all risks and their interactions not just familiar risks easier to quantify 2. External Pressures- Company boards and senior management are under greater pressure to take responsibility to manage risks on an enterprise wide scale. This is very apparent now with cyber or technology related risks. Pressure comes from regulators, rating agencies, institutional investors, shareholders and customers 3. Portfolio- There is growing tendency to view risks with a recognition that it must be managed with the total portfolio in mind 4. Quantification- Organizations are attempting more than ever to quantify risks as advances in technology and expertise make this easier to accomplish. ( figure out the cost of risks)
Cryptocurrency Risks
1. The value of many cryptocurrencies is highly volatile and unpredictable
2. Its uses are still limited; at the time of writing the top credit card issuers all banned cryptocurrency purchases
3. Holdings are controlled by a "private key" (and, for tokens, a "contract address"). If the private key is stolen, whether by malware on the owner's computer or by a breach of the exchange holding it, the funds are gone and transactions cannot be reversed
4. Validating transactions can take much longer than credit card use
5. Organizations that use it need to be familiar with anti-money-laundering regulations
To minimize the possibility of fraud the following controls can be implemented
1. Improve recruitment processes - you hire your problems; follow through on criminal background checks, reference checks and drug screening
2. Reduce the motive for fraud - treat employees fairly
3. Reduce the number of assets worth stealing
4. Minimize the opportunity to steal - install cameras, minimize access to high-value property
5. Increase the level of supervision
6. Improve financial controls and management systems - minimize the potential for "shrink" by keeping proper track of inventory
7. Improve detection of fraud
8. Improve record keeping
ERM process: Selection of risk treatment measures/controls
1. *Risk Financing* - Insurance - Transferring risk to a third-party insurer or captive - Retention - transferring risk while "retaining" some or all of it - Non-insurance transfer - transferring risk to a third party, generally via contract - Sharing the risk, such as with a joint venture 2. *Risk Control* - Loss reduction - Techniques to reduce the severity of a loss that might occur - Loss prevention - Techniques to reduce the probability of loss - Avoidance - Not doing activities that might lead to the risk event (removing or reducing the risk source) - Separation - Separating exposures to minimize loss from an event at a single location - Duplication - Redundancies to aid recovery in the event of a loss to exposures - Increasing risk to pursue an opportunity
Risk Management Framework
A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
Risk heat map or Risk Matrix
A visual tool that helps in seeing the results of a risk assessment. Risks are usually positioned on the map based on two dimensions: the likelihood of the risk and the severity of the risk (should it materialize).
"Spear" Phishing
Attacking a specific victim by using personal or organizational information to gain the victim's trust. The victim is lured into providing sensitive and confidential information. A phishing expedition in which the emails are carefully designed to target a particular person or organization so as to seem more real.
Common ERM Framework: COSO - Committee of Sponsoring Organizations
Committee of Sponsoring Organizations (COSO) ERM Framework - Geared to achieving corporate objectives, focusing on four risk categories: 1. *Strategic* - high-level goals of the organization must be aligned with and support its mission 2. *Operations* - the organization deploys its resources effectively and efficiently 3. *Reporting* - Reporting needs to be reliable and accurate. Focus is often on SOX compliance 4. *Compliance* - with applicable laws and regulations
Cyber Incident Response Plan
Establishes procedures to address cyber-attacks against an organization's information system(s). A loss reduction technique: pre-planning how an incident will be handled. The following should be covered: 1) Team members involved in coordinating the response 2) Outside counsel that will be utilized 3) Actions to contain the breach 4) Public notification triggers 5) Coordination with law enforcement 6) Public relations strategies to minimize brand impact
Financial risk - Fraud
Fraud occurs when there is an opportunity to undertake the theft or fraud (e.g. assets worth stealing), a motive for undertaking the fraud, and a lack of adequate controls.
What is the difference between ERM and governance, risk and compliance?
Governance, Risk and Compliance focuses on compliance as a separate activity for each business unit, whereas ERM includes governance and compliance within the enterprise-wide program.
Distributed Denial of Service (DDoS)
Hackers launch an attack from victims' PCs against another organization's website so that it receives so much traffic it cannot operate. These groups of compromised machines are often described as botnets. An attack where a firm's computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site's use. DDoS attacks are often performed via botnets.
Financial Risks
Identification, analysis and treatment of speculative financial risks
ERM - Compliance
Important compliance areas that can result in regulatory fines and restrictions if not adhered to: 1. *Foreign Corrupt Practices Act (FCPA)* - Prohibits payment of bribes to foreign officials to assist in obtaining or retaining business. Applies to publicly traded companies, including their third-party agents or consultants. The Securities and Exchange Commission and the Department of Justice enforce this act. Penalties and sanctions can be significant. Ex: The biggest U.S. penalty for foreign corruption was a $965 million payment imposed on Sweden's telecoms company Telia Company AB after it accepted that it paid hundreds of millions of dollars in bribes to a government official in Uzbekistan. 2. *Health Insurance Portability and Accountability Act (HIPAA)* - Protects personal medical information and recognizes the rights to relevant medical information of family caregivers and others directly involved in providing or paying for care. Sets standards for the protection of certain health information, including permitted use and disclosure of health information, and requires communication to individuals on how their health information may be used. 3. *Sarbanes-Oxley Act (SOX)* - Designed to protect investors of publicly held companies from fraudulent and negligent accounting activities by the corporation. Recognizing the COSO ERM framework, it establishes internal controls and procedures for financial reporting to reduce the possibility of fraud. Management must assess the effectiveness of the internal controls, and the external auditor must attest to and report on management's assessment of its controls. - SOX is time consuming and expensive. It is a factor when a company decides whether to go public or stay public, as many view compliance as overly burdensome - Focus is on the accuracy of financial reporting, not the achievement of risk management standards
Baiting
Like phishing, but also promises an item of value if login credentials are provided to a certain site, such as an offer of free music downloads if you log in.
ERM process: Monitor the program
Monitoring involves managing up and down the organization, including follow-up on risks at various levels of management. An organization's internal audit function is an example.
ERM compliance - OSHA = Occupational Safety and Health Act
Occupational Safety & Health Act (OSHA) - Part of the Department of Labor, its mission is to assure safe and healthful working conditions for working men and women by setting and enforcing standards, and by providing training, outreach and education resources. - Companies in most industries must maintain OSHA logs during the calendar year that show their "recordable incidents", or incidents where medical attention was provided. Fines and penalties can be substantial. - OSHA inspectors can shut down a work site for safety reasons. - OSHA visits are often unannounced.
Tailgating
Someone without proper credentials lying their way into a restricted area, then hacking into an onsite computer of a user who is already logged in.
Tokenization
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. - Substituting a sensitive data element (such as PII) with a non-sensitive element that has no exploitable value or meaning on its own
How to avoid being hacked
Train employees on basic security practices: 1) Do not open email attachments from untrusted sources - contact the sender directly if unsure 2) Do not accept offers from strangers 3) Lock your session when away from your computer 4) When doing business, look for URLs beginning with https:// rather than http://, with a picture of a lock to the left of the address 5) Limit access to personal data and sensitive information
Botnet
A group of compromised computers or mobile devices connected to a network - a group of internet-connected devices controlled by a central system. The term is most often used in conjunction with a particular type of malicious hacking, especially Distributed Denial of Service (DDoS) attacks. In this case, a hacker uses a large botnet of internet-connected devices to flood a website or network resource with fake requests so that legitimate users cannot access it. Ex. In October of 2016, a botnet comprised of an estimated 100,000 unsecured IoT devices took an integral Internet infrastructure provider, Dyn, partially offline. As a result, many high-profile and high-traffic websites, including Netflix and Twitter, disappeared from the Internet for a short time. By using a botnet with hundreds or even thousands of devices, each with its own unique IP address, the hacker makes it almost impossible to stop the attack or to distinguish legitimate users from fake ones.
Pure Risk
A risk that presents the chance of loss but no opportunity for gain
Firewalls
Hardware, software, or both designed to prevent unauthorized persons from accessing electronic information. - A security system of rules to control incoming and outgoing network traffic; a barrier between a trusted and an untrusted network. Only traffic permitted by the firewall policy can enter the network.