Monday, April 16, 2018

Knowledge is Power

They say that knowledge is power, data and information give one knowledge, and with power comes a tremendous responsibility to protect.  Continuing our conversation from the previous post Phishing Anyone?, we will dive a little deeper into information and data management and some of the risks associated with the responsibility to protect.  In this conversation, we will talk about hard copy data as well as electronic data.  The handling of paper files and information tends to get overlooked with the intense focus on securing electronic data.  As a result, paper records can be an easy target for a criminal.  We will look at five best practices for the handling, storage, and disposal of hard copy sensitive information.  We will then move on to protecting electronic data and discuss five best practices for doing so.  Finally, as I did in the last post, I will provide some resources to further develop your knowledge and understanding.
Let’s begin with framing the conversation around what information and data need to be protected.  In most cases, we all have a basic understanding of what needs to be protected.  For our conversation, we are going to divide data into three categories:

Confidential Information 
“Confidential Information” is that which has been so designated by statute or by a promulgated rule or regulation based on statutory authority.  Examples include corporate records relating to pay and the payment of benefits, which are considered confidential.

Privileged Information 
“Privileged Information” is that which is available only to authorized persons and to which access is granted by virtue of one’s position. This information is not confidential pursuant to the law but is sensitive in nature.  For simplicity in management, privileged information is often subject to the same restrictions as confidential information.

Personal Information 
“Personal Information” refers to a corporate record that contains a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person:   
(a) Social Security Number (“SSN”);  
(b) Driver’s license number or state-issued identification card number; or 
(c) Financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a person’s financial account.  Personal Information does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 

Through the daily course of business, the use of confidential, privileged and personal information is common.  Creating an awareness and developing processes to manage this information can prevent sensitive information from getting into the hands of criminals.  Below are five best practices for managing hard copy files and data.


  1. Personal Information collected, received and stored should not be shared with any unauthorized party. Authorization to access such information is limited to those employees determined to need access to carry out their job responsibilities and such other persons or organizations who are legally entitled to receive such information, such as, auditors, regulators, and outside counsel.  
  2. All paper records and data containing personal information should be stored in locked storage areas or containers, and access to such records and data should be limited to authorized persons.
  3. Printing, transportation or duplication of personal information must be limited to the greatest extent possible.
  4. Each year, inactive paper files should be purged from the active files storage location and placed into archive storage.  Archive storage should be in a locked facility with very limited access.  Unless ample space is available in the general office area, arrangements to store archive documents with a third party such as Iron Mountain can ensure secure storage with limited access.  Third-party archive storage also mitigates the risk of maintaining onsite storage for prolonged periods of time.
  5. Companies should develop an archive data management and destruction policy which outlines the storage requirements for various files and a file destruction process.

Historically, hackers seeking to steal data and money primarily targeted large corporations and government bodies. The focus has now shifted, and they direct quite a bit of attention to hacking small businesses and individuals.  This change is not surprising: while larger corporations and governments may offer higher bank balances and jackpots of data to steal, they also have both large information-security departments and tighter relationships with law enforcement, lowering the odds of a hacker's success and increasing the chances of them getting caught and imprisoned.

With the new dynamics, it is increasingly important for small business owners, entrepreneurs considering starting a business, and people in general to cyber-protect themselves.  Here are five best practice recommendations for managing your company’s electronic data.

  1. Understand that you are a target. Educating employees and creating a general awareness of the importance of caution and vigilance can be a good defense.  Employees who believe that criminals want to breach their computers and phones act differently than those who don't understand this reality.
  2. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, err on the side of caution and encrypt.
  3. Conventional wisdom is to require complex passwords for all systems.  Inevitably, that leads to people writing down passwords or using the same password for multiple log-ins.  The new best practice is to ask employees to select combinations of words, numbers, and proper names (e.g., "investing9goats2Starbucks"), or create a passphrase (“My1dog2is3George”). For extremely sensitive systems, consider stronger forms of authentication such as biometrics or multi-factor authentication.
  4. Inappropriate social media posts can cause many problems–such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out attacks. Implement technology to ensure social media does not become a problem.  Do not rely on simply telling people not to make particular types of posts on Facebook or Twitter–history tells us that many people simply do not realize when they are making such posts, and even those who do, may inadvertently leak data when posting from a smartphone that "auto-corrects" a misspelled word to a sensitive, internal term.
  5. If your company uses the internet for eCommerce, or if your company falls under state or federal requirements for handling information and data, make sure that you comply with all regulations. This sounds very basic, but in a world of a myriad of requirements and regulations, electronic data management should be a focus.
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

National Cyber Security Alliance - The National Cyber Security Alliance (NCSA) builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

Federal Trade Commission - The FTC has created a webpage that has information on scams targeting small businesses, and tips to help avoid them. It also includes cybersecurity articles and videos to help small business owners protect their networks and systems and their employees’ and customers’ sensitive data.

Until next time, stay safe and be kind to one another.

Monday, April 2, 2018

Phishing anyone?

Digital Threat Management, eCrime, Cyber Security: these are all terms associated with one of the fastest growing areas of risk facing business operations.  Today, criminals do not need to break through network firewalls to have access to a company’s private information.  In most cases, access through network security can be provided by unsuspecting computer and mobile device users.  In a recent report by APWG (an international coalition of governments, law enforcement sectors, and NGOs to combat cybercrime), the volume of cyber-attacks has continued to increase.  These attacks are most often carried out through phishing scams.

In this post, we will discuss a general overview of phishing and five ways to protect yourself and your firm from a phishing scam.  We will also look at malware and ransomware (usually the result of falling prey to a phishing scam), and five ways to protect against a ransomware attack.  Finally, we review a couple of good resources to get some additional information about cybercrime.

What is Phishing?

Phishing is when someone uses fraudulent emails, texts or copycat websites to get valuable user information or to gain access to your computer or company network.  Once inside the network, these people can install programs like ransomware that will lock out users from important files.  Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or co-worker.

In a 2017 survey conducted by Wombat Security, 70% of the working Americans surveyed knew what a phishing scam was, but only 37% of the same group knew about ransomware.  Education is the best defense against phishing since phishing requires the user to take some sort of action.  While awareness will allow the user to recognize a potential threat and take the appropriate precautions, here are five other things you can do to protect against a phishing scam. 
  1. Be suspicious of any email or communication (including text messages) with urgent requests for personal financial information.
  2. Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify the legitimacy of a request is also an option.
  3. Don’t send personal financial information via email and avoid filling out forms in an email that ask for your information.
    1. You should only communicate information such as credit card numbers or account information via a secure website or telephone if you have called the company requesting the information.
  4. Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.
    1. Never use public, unsecured WiFi for banking, shopping or entering personal information online, even if the website is secure.
    2. When in doubt, a 3G/4G or LTE connection is always safer than using public WiFi.  Most computer security software programs will offer a virtual private network (VPN) option for mobile devices, or they will recommend a VPN app.
  5. Typically, phisher emails are not personalized, but they can be. Messages from banks and eCommerce institutions are usually personalized. When in doubt, call the company directly to see if the email is in fact from them.

What is Ransomware?

Even with education and vigilance, there is still the chance that your computer or company network will receive malware.  Malware (malicious software) is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses, and spyware. There are ever-increasing news reports about a type of malware called ransomware.  Ransomware is a type of malware that accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. Cybercriminals trick users into clicking on attachments or links that appear legitimate but contain malicious code to attack the system. Under a ransomware attack, the victim has a certain amount of time to pay to get “the code” that will unlock and release the files.  Even if the victim pays, there is almost never a code provided that will unlock the files.  Any individual or organization can be a potential ransomware target.

Education and awareness are the best defense against a ransomware attack, but combining an awareness with the steps below can help mitigate the risk.

  1. All critical software, including computer and mobile operating systems, security software and other frequently used programs and apps, should be running the most current versions.
  2. Back up all files, photos, music and other digital information by making a copy and storing it in the cloud or on a removable device or both. 
  3. As a departure from traditional password schemes, use a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember.
  4. Links in email are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  5. If you use USBs and other external devices to share files, or if you use email to attach and share files, these can all be infected by viruses and malware. Use your security software to scan them before downloading files onto your computer.


Resources

There are a number of great resource centers to get a better understanding of cybercrime and how to protect your business from malicious attacks.

Anti-Phishing Working Group, Inc. (APWG) - APWG is the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities. 

STOP. THINK. CONNECT. - STOP. THINK. CONNECT.™ is the global online safety awareness campaign to help all digital citizens stay safer and more secure online. The message was created by an unprecedented coalition of private companies, non-profits and government organizations with leadership provided by the National Cyber Security Alliance (NCSA) and the APWG.

Associated with these organizations are a number of private companies that can provide additional resources for protection against cybercrime. Cybercrime is a rapidly changing and evolving risk to individuals and businesses.  The more we know, the more vigilant we can be, and the better we can protect.

Until next time, stay safe and be kind to one another.

Monday, March 26, 2018

Risk Management Strategy


Congratulations!  You have successfully navigated the process of identifying your risk appetite and tolerance; you have identified the potential risks that can have an impact on your business, and you have analyzed and prioritized these risks.

Now what?  Do you:
  • Avoid the risk?
  • Accept the risk?
  • Mitigate the risk?
  • Transfer the risk?

But before we get into the post, I want to give you a little explanation about the photograph I chose.  It is a picture of the board game Risk.  Probably my most favorite board game growing up.  I would analyze and rank the different scenarios to my conquering the world and would plan my different strategies for success.   I loved it and was excited about this week so I could use this photo. 

OK, on to the task at hand, in this post we will review each of the strategies mentioned above and weigh the benefits.  How do you determine which is the right course?  The right course will depend on your risk appetite, your analysis and prioritization of the risk you have identified.  You will use these tools to determine your risk management strategy.

All too often, we see one or more of the following methods used as a risk management strategy:

  • Pretend the risk does not exist.
  • Pray the risk will sort itself out so you will not have to deal with it.
  • Acknowledge the risk, but deny that it will have any impact on operations. 
These approaches are not risk management or good strategies.  In the first case, if a risk is not acknowledged, acting as if the risk does not exist is not a realistic approach, and only forces one to deal with the risk once it becomes a crisis.  Second, I cannot recall a situation where a risk has sorted itself out.  And finally, in my experience, though you can control the impact the risk will have, I have not come across a situation where simply denying that a risk will impact operations has been a successful strategy.

The following methods are risk management strategies for addressing risk:

Risk Avoidance

The first strategy is to avoid the risk altogether.  The benefit is by doing so your business is not exposed.  The downside is that by avoiding, you may not achieve the goal or accomplishment this potential risk is associated with.  For example, you might not gain the profits associated with the business venture you choose to avoid.  When considering risk avoidance as a strategy, you need to really understand the full impact of the decision.  Usually, this approach is considered for a risk that has a low impact on operations or if the organization’s goals can still be achieved without confronting the risk.   

Risk Acceptance

By accepting the risk, you determine that the risk will not have a significant impact to operations, the benefit of the goal is greater than the risk, or the risk is infrequent enough that it is worth the gamble to accept it in order to achieve the goal.

Risk Mitigation

Even where you have decided to accept a risk whose impact on a program or activity is high, there are steps or actions that you can take to reduce the exposure or to mitigate the possible financial risk or impact to operations.  You’ll want to explore detective and preventative actions before you introduce the activity on a larger scale.

  • Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur.
  • Preventative action aims to prevent a situation from happening. It includes activities such as health and safety training and firewall protection on corporate servers.
Risk Transfer
The last strategy is to transfer identified risk to another party.  The two main mechanisms for this approach include:
  • Contractual risk transfer (transfer the risk to another party through a contract).  With this method, we can transfer the liability for damages caused by a subcontractor’s work, or by the goods and services purchased from a vendor.
  • Risk financing. This is otherwise known as insurance.  By purchasing an insurance policy, we are effectively transferring our risk to an insurance company.  They, in turn, accept the risk for a price.

With any strategy or combination of strategies, you must continuously monitor your strategies, measure their effectiveness, and adjust as necessary.  During the 1990s, I attended several workshops by a scholar and management consultant by the name of Dr. W. Edwards Deming (https://en.wikipedia.org/wiki/W._Edwards_Deming); his teachings in continuous process improvement resonated, and I began to apply them regularly.  Plan-Do-Check-Act is a four-stage approach for continually improving processes and for resolving problems. It involves systematically testing possible solutions, assessing the results, and implementing any changes to the process to continue toward the goal.

The four phases are:
Plan: identify and analyze the problem and decide a strategy (or combination of strategies) to implement.
Do: test the potential solution, ideally on a small scale, and measure the results.
Check/Study: study the result, measure effectiveness, and decide whether the strategy is effective or not.
Act: if the strategy is successful, implement it.  Continue to monitor the performance for any changes.

Risk management strategies are like any other business strategy and involve monitoring key performance indicators and adjusting the strategy as necessary to ensure the greatest success. 

We now have the basic tools for developing and implementing a more formalized risk management process which can be as simple or complex as you have the time to manage.  As I said in an earlier post, you are probably doing some of these activities already but perhaps now you can better see your activities as part of an overall risk management strategy for your firm where you can embrace risk and use it to your advantage.

Until next time, stay safe and be kind to one another.

Monday, March 19, 2018

Risk Analysis


In a previous post, we discussed Risk Identification.  We discussed seven areas in an operation where foreseeable risk can exist, and we outlined four methodologies that can be used to identify foreseeable risk.  Next, we need to determine the probability that each risk event will occur and a measurement of the impact the event will have on operations.  
In this post, we will look at:
  • the probability of an event occurring
  • the measured impact the event could have on operations.
  • an assessment to determine if the level of risk is acceptable based on appetite and tolerance.
  • finally, prioritization based on the level of impact to operations. 

Probability

Oh no, here comes that nervous twitch and the flashbacks to college statistics!  Not to worry we are not about to start calculating the standard deviation from the mean of anything. 

For the purposes of this post, we are going to define probability as the likelihood that an event will occur. In its basic form, probability assumes that all possibilities must be equally likely to occur. Since we know this is not likely, we factor in a frequency variable which means that over time, a risk event has the likelihood of occurring x number of times (where x is the frequency of the event).  This is based on the collection of historic data and experience and is not an absolute. Although you cannot know the exact value of a probability, you can estimate it by observing how often similar events have occurred in the past. A common example that uses frequency interpretation is weather forecasting. If the forecast calls for a 60 percent chance of rain, it means that under the same weather conditions, it will rain in 60 percent of cases. This approach can be difficult and requires some individual judgment and credible historic data.

If credible historic data is not available, we can determine probability through subjective interpretation.  This approach is often used in situations where there is very little direct evidence. There may only be indirect information, educated guesses, or intuition to consider. The probability of an event occurring is based on what an individual believes about the likelihood of occurrence. Different people assess probabilities differently, based on opinion or evaluation. One disadvantage of this approach is that it is often hard for people to estimate the probability, and the same person can end up estimating different probabilities for the same event using different techniques.  If this occurs, review the steps in each of the techniques and try to determine what caused the differences.  If you are unable to, in my opinion, take an average of the probabilities and use that.

Measured Impact

After determining the probability of a risk event, we need to assign a value to the impact this will have on operations.  Knowing the probability of the event occurring, we multiply this by the amount it will cost operations if it happens.  With historical data, the probability and cost projections are easier to determine. Without historical information, the estimates must be based on experience.

This gives you a value for the risk:

Risk Value = Probability of Event x Cost of Event

As a simple example, imagine that you've identified a risk that when the water in a nearby retention pond rises to five feet, the basement of your business floods.
You think that there's an 80 percent chance of this happening because it has been an unusually wet winter and in past winters with similar amounts of rain and snow, you have experienced the flooding nearly every time. If this happens, it will cost your business an extra $25,000 in clean-up costs and lost income.
So the risk value of the flooded basement is:
0.80 (Probability of Event) x $25,000 (Cost of Event) = $20,000 (Risk Value)

Applying this analysis to each event allows you to rank the risk based on a value.  If the value data is not available, another option is to use an impact/probability chart. 

A risk probability/impact chart is a tool I have used often as it is a quick and easy way to visually plot the probability of an event occurring and the impact that event will have on operations.  This chart is most useful when subjectively determining the probability and impact of risk. 


To most effectively use this chart
  1. Assess the probability of each risk occurring and assign it a rating from 1-10. Assign a score of 1 when a risk is extremely unlikely to occur and use a score of 10 when the risk is extremely likely to occur. In the example above, there is an 80% probability of flooding occurring, therefore you would assign a value of 8 to the risk.
  2. Estimate the impact of the risk occurring. Again, using a 1-10 scale, assign it a 1 for little impact and a 10 for a huge, catastrophic impact. In the above case, maybe a flooded basement is a nuisance, but it does not significantly impact operations, so you assign it a “5”.
  3. Map out the ratings on the Risk Impact/Probability Chart.
  4. Develop a response to each risk, according to its position in the chart. Remember, risks in the bottom left corner can often be ignored, while you will want to focus your attention on the risks in the upper right quadrant.
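The steps above, from the Risk Value formula through the chart ratings and the tolerance check, carried through in code as an added illustration that is not the author's own. Only the flooded-basement figures ($25,000 at 80%, impact 5) come from the post; the other risks in the register, the dollar tolerance figure, the ">5 counts as high" cut-off, and the labels for the two chart corners the post does not describe are constructed assumptions.

```python
"""Worked risk analysis: Risk Value = Probability of Event x Cost of Event,
1-10 ratings on an impact/probability chart, tolerance check, prioritization.
Added example; all data except the flooded basement is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # likelihood the event occurs, 0.0 to 1.0
    cost: float          # dollars lost if it occurs (clean-up, lost income, ...)
    impact: int          # subjective 1 (nuisance) to 10 (catastrophic) rating

    def risk_value(self) -> float:
        """The post's formula: expected loss in dollars."""
        return self.probability * self.cost

    def probability_rating(self) -> int:
        """Map likelihood onto the chart's 1-10 scale (80% -> 8, as in the post)."""
        return max(1, min(10, int(round(self.probability * 10))))

    def quadrant(self) -> str:
        """Place the risk on the chart; a rating above 5 counts as 'high' (assumption).

        The post names two corners: bottom left can often be ignored and upper
        right deserves attention.  The other two labels are this example's own.
        """
        high_prob = self.probability_rating() > 5
        high_impact = self.impact > 5
        if high_prob and high_impact:
            return "upper right: focus attention here"
        if high_impact:
            return "upper left: unlikely but severe, plan a contingency"
        if high_prob:
            return "lower right: frequent nuisance, cheap fixes pay off"
        return "bottom left: can often be ignored"

    def within_tolerance(self, max_acceptable_loss: float) -> bool:
        """Tolerance modelled as the largest expected loss the firm will absorb."""
        return self.risk_value() <= max_acceptable_loss


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank by dollar risk value; break ties with the chart score (prob x impact)."""
    return sorted(
        risks,
        key=lambda r: (r.risk_value(), r.probability_rating() * r.impact),
        reverse=True,
    )


def chart(risks: List[Risk]) -> str:
    """Render the chart as text: probability rating across, impact rating up.

    Each cell shows the 1-based index of the risk plotted there, '.' if empty,
    '*' if two risks share a cell.
    """
    grid = [["." for _ in range(10)] for _ in range(10)]
    for idx, r in enumerate(risks, start=1):
        row = 10 - r.impact                  # impact 10 is the top row
        col = r.probability_rating() - 1     # probability 1 is the left column
        grid[row][col] = str(idx) if grid[row][col] == "." else "*"
    lines = [f"{10 - i:>2} | " + " ".join(row) for i, row in enumerate(grid)]
    lines.append("   +" + "-" * 20)
    lines.append("     " + " ".join(str(n) for n in range(1, 11)) + "   (probability rating)")
    return "\n".join(lines)


# Constructed register for the post's XYZ Company; only the flood row is from the post.
REGISTER = [
    Risk("Basement floods when the retention pond reaches five feet", 0.80, 25_000, 5),
    Risk("Aging production equipment fails mid-run", 0.70, 90_000, 8),
    Risk("Ransomware locks the order-entry system", 0.10, 150_000, 9),
    Risk("Minor damage to the delivery van", 0.40, 2_000, 2),
]
# Constructed tolerance: XYZ will absorb at most $10,000 of expected loss per risk.
MAX_ACCEPTABLE_LOSS = 10_000


if __name__ == "__main__":
    for rank, r in enumerate(prioritize(REGISTER), start=1):
        flag = "within tolerance" if r.within_tolerance(MAX_ACCEPTABLE_LOSS) else "REVIEW"
        print(f"{rank}. {r.name}: risk value ${r.risk_value():,.0f} ({flag}); {r.quadrant()}")
    print(chart(REGISTER))
```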

Assessment of the risk

Recalling the post about Risk Appetite and tolerance, we now evaluate each identified risk as falling inside or outside of tolerance based on your risk appetite statement.  This will allow you to determine a target risk value above which a risk must be reviewed, or, on the Risk Impact/Risk Probability chart, a point above which you will review and rank the risk.

Using the flooded basement example again, assume your company’s risk tolerance statement was something to the effect of “XYZ Company cannot afford the cost associated with a single flooded basement event”.  Since you estimated an 80% probability of a flood event occurring based on the weather patterns this winter, this would rank pretty high as a risk to review.

Prioritization of risk

Finally, you will want to prioritize the list.  This can be done based on the importance of the risk to operations, or (if you can determine it at this point) you can prioritize the list based on the amount of resources it will take to manage each risk.  In either event, this allows you to break down the list into manageable pieces.  This also will help to determine a strategy for how you will manage each of the risks. Here is an example of three risks identified by XYZ Company:
  1. There is a proposal from an engineer that says in order to solve for the flooded basement, you need to enlarge the retention pond and redirect the run-off.  The cost of this project is $60,000 but will potentially save $20,000+ if there is a wet winter. Additionally, the flooded basement impacts production as some of the production equipment has to be shut down every time the basement floods to protect the equipment.
  2. You have a proposal from a web-design firm to expand and enhance your online presence.  The cost of the project is $25,000. This new design will not only allow you to interact with customers through a customer service portal and social media, you will now have the ability for online retail sales.  This webpage can really broaden your market presence and potentially boost sales and revenue significantly.  You will need to hire a full-time employee to manage the webpage, and if sales go as projected, you will need to expand your production and shipping capabilities.
  3. The equipment used in your production process is getting old and showing signs of wear.  You have a proposal to update your equipment. It is a two-year upgrade process that will allow you to continue current production pace, but there is no room for increased production until after the updates are completed. The cost of the upgrades is $40,000 each year for a total of $80,000. 

So here are three risk scenarios, how would you prioritize them?

While we can't avoid risk altogether, there are often steps we can take to better cope with risk.  Risk analysis helps us determine the right steps to take, in the right order. 

Until next time, stay safe and be kind to one another.

Sunday, February 18, 2018

RUN. HIDE. FIGHT. — Surviving an Active Shooter Event


“Planning to have a plan is not a plan. There’s a need for leadership. It’s important that we take the appropriate steps to ensure our people are prepared and put the plan in motion.”
Jeremiah Hart, lead instructor and senior analyst at the Force Training Institute

The incredibly tragic events of this week serve as a stark reminder that while most would like to believe this sort of thing can never happen to them, the new reality is that it can.  Attached is a short video that was published by the City of Houston called “RUN, HIDE, FIGHT: Surviving an Active Shooter Event.”  This is a widely recommended reaction to teach employees in the event of an active shooter.

This is not a long post because the video should be the focal point.  I do want to make a broader point about the importance of having an emergency plan and training your employees to that plan.   Nearly every business I have interacted with is committed to safeguarding the interests of their employees, visitors, and contractors in the event of an emergency, disaster, or crisis.    

Responses to emergencies, disasters, and crises can be categorized into three main phases:

  1. Preparation - development of a plan, training, gathering supplies, etc. This video could be a training tool for a defensive mode response to a crisis.
  2. Defensive mode - immediate response; usually someone is “caught off guard”. Such incidents could include fires, explosions, active shooters and lightning strikes.  The response is immediate in nature.
  3. Offensive mode - can be taken before and/or after the incident; usually, someone is “braced” or has more time to calculate their responses. Such incidents can include hurricanes, northeasters, and floods.

An emergency plan contains predetermined responses and guidelines to ensure the safety, health, and welfare of the employees. Ideally, the plan is developed in partnership with first responders, and in cooperation with community and local agencies.  A training program should be developed to educate employees on the plan.  The plan should be easily accessible and reviewed annually by team members and community partners.  There are a lot of resources available to help develop an emergency plan.  Local first responders and community organizations may have templates and may be willing to assist in the development of your plan.  Another good resource I go to often is the Ready.gov "Make a Plan" page (https://www.ready.gov/make-a-plan).  This website has a lot of great resources, tools, and checklists you can use to build your plan.

Planning to have a plan is not a plan.  You owe it to yourself and your employees to make the time to develop an emergency plan and train to that plan.

Until next time, stay safe and be kind to one another.

Friday, February 16, 2018

Risk Identification



This week we will revisit the conversation about the different components of a risk management plan. As a refresher, in a previous post, What’s Risk and Why do I want to Manage it?, I referred to a definition of Risk Management as “The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. An organization may use risk assumption, risk avoidance, risk retention, risk transfer, or any other strategy (or combination of strategies) in proper management of future events.” (http://www.businessdictionary.com/definition/risk-management.html).  Additionally, we looked at the six basic process components:

  1. Identify
  2. Analyze
  3. Prioritize
  4. Control
  5. Measure
  6. Adjust


After laying the foundation for a good risk management program through the discovery of your risk appetite and tolerance, and by memorializing these in writing, you are now ready to identify the risks that can impact your pursuit of value or prevent you from achieving your goals.  Here, we’ll focus on two key points. First, what types of risk you are looking to identify, and second, what methods you can use to identify these risks.


Risk identification is a process that can be used at different levels in the organization.  It can be used at a tactical level to determine the viability of a specific project.  Similarly, risk identification can be used at a strategic level when shaping company goals. There is foreseeable risk and unforeseeable risk.  Unforeseeable risk is that which cannot be accurately predicted before it occurs.  On the other hand, foreseeable risk can be more accurately predicted given defined circumstances.  Here we want to discuss that which can be predicted and which you can plan for. We’ll discuss seven areas where foreseeable risk can exist and have a significant impact on your ability to achieve your goals.

  1. Economic – Market condition changes, such as stock market fluctuations, interest rate changes, or non-availability of funding.  (These can have a positive impact on your business)
  2. Human – The human element of any business is a risk.  There could be a lack of skilled labor available; illness, death, injury, or loss of key individuals; or labor disputes, organized or otherwise.
  3. Natural – Weather, natural disasters, or disease interrupting operations either directly or indirectly through vendors and suppliers.
  4. Operational – Breakdowns in communications; failures of accountability, internal systems, or controls; fraud; and disruption to distribution chains.
  5. Political – Changes in tax rates, public opinion, government policy, or foreign influence. (These can also have a positive impact on your business)
  6. Reputational – A declining reputation as a result of practices or incidents that are perceived as dishonest, disrespectful or incompetent.
  7. Technical – Advances in technology, a lack of required technology, or technical failure.

While this list discusses seven areas, it is by no means an exhaustive list.  The risks facing your business are broad, so we want to begin to provide a framework for the process.


When I was working for my first real estate development and property management company after retiring from the military, I was a member of a risk management team composed of internal and external stakeholders.  Annually, we would hold a two-day off-site summit where we would develop our goals for the upcoming year, identify the risks surrounding those goals, and put together an action plan to mitigate the risks and to achieve the goals.  These goals and the action plan were presented to the organization’s senior leadership and were something the team was held accountable for.  Every month the team would schedule a call to review the action items and measure our progress.  Identifying the risks that could impact the achievement of our goals was primarily a brainstorming effort and proved to be a successful tool in our case.  While brainstorming is an effective tool, there are several other methods that can be equally if not more effective.  You can also use a combination of different methods.  The key is to select the single tool or combination of tools that works best for your group.  A few other examples of tools are:


  1. SWOT Analysis - SWOT Analysis is a useful technique for understanding your strengths and weaknesses, and for identifying both the opportunities open to you and the threats you face. If you are not familiar with how to conduct a SWOT analysis, there is a great tutorial following this link at Mindtools.com.
  2. Delphi technique – This is a multi-session data gathering technique where a team of experts is consulted anonymously. A list of questions is sent to the experts, their responses are compiled, and the results are sent back to the same group for further review until a consensus is reached.  Additional information on how to use the Delphi technique in risk identification can be found at this link on Mindtools.com.
  3. Failure Mode and Effects Analysis (FMEA) – This is a method I am somewhat familiar with from my military days spent identifying and analyzing risk in operations.  By looking at all the things that could possibly go wrong during the planning phase, you can avoid potential problems that would otherwise take vast effort and expense to correct.
  4. Brainstorming – I find this a great method to be creative, imaginative and engaged in problem-solving or generating ideas.  This method also provides an environment that supports collaboration and participation from the whole group, where there is never a “bad idea” during brainstorming. The method brings people’s individual strengths and perspectives into play. Some additional brainstorming tips can be found at this link on Mindtools.com.


You have your foundation for a risk management plan with your risk appetite and tolerance statements.  Above we’ve discussed seven areas where you can look to identify risk and four different risk assessment methods you can use either solely or in combination, depending on what works best for your group.  In the next post, we will address the risk that you have identified by learning how to analyze and prioritize your risk.



Until next time, stay safe and be kind to one another.

Monday, February 5, 2018

Caveat Emptor - Let the Buyer Beware


When I was attending navy basic qualification courses for my specialty (logistics) a lot of the material was pretty heavy and frankly not very captivating.  To keep the class engaged and attentive, one instructor used to insert “action photos” (pictures of navy jets, warships, and submarines) into the presentation, as a mental break.  For this post, I am using that idea as inspiration and offering my version of an “action” item.  

Five things to look for or ask about when reviewing your insurance policies. 
An insurance policy is a legal agreement between you (the insured) and the insurance company (the insurer).  Understanding the contents of the agreement is the responsibility of you, the insured; caveat emptor.  But really, who has the time to read all of their insurance policies?  


To start, here is a basic policy roadmap:

Declarations – Provides basic coverage and limit information.
Insuring Agreements – Provides coverage details, such as the perils that are covered.
Exclusions – Lists items that are not covered.
Endorsements – Lists changes to the policy.
Policy Conditions – Provides the rules for the policy.


The five pointers I am going to share will give you oversight without having to digest an entire policy.

  1. Who is the insured(s) on the policy?
  2. What are the coverage limits? Are they what you expected?
  3. Have you met the policy conditions?
  4. Are the endorsements you require or expect there?
  5. What are the exclusions and the exceptions to the exclusions?

1. Who is the insured(s) on the policy? This is easy if your organization is the only insured listed on the policy and if there are not any dba or subsidiary affiliations. You should make sure the business entity and address are correct on the policy.  If you have several insureds listed, or if there are any dba or subsidiary relationships, you’ll want to be sure they are all listed and the names are correct.  The named insured, if only one, will be on the declarations page (first pages of the policy).  If there are many named insureds, there will be a named insured endorsement.  This endorsement is usually located at the beginning of the document.
2. What are the coverage limits? Are they what you expected? The coverages, limits, sub-limits, and deductibles are also usually found on the declarations pages.  In some cases, you may have contractual obligations that require you to carry certain coverage, limits or maximum deductibles.  You should make sure your policy meets the obligations.
3. Have you met the policy conditions? An insurance company will bind a policy on the condition the insured will provide certain documentation and/or meet certain requirements during the course of the policy.  You should understand these requirements and ensure you can meet them.
4. Are the endorsements you require or expect there?  The policy consists of insurance coverage defined by the agreement and the endorsements.  Every policy includes a list of endorsements.  You can scan the list to see where you should focus.  You’ll first want to focus on any endorsement that includes the word “exclusion” in the title.  After that you’ll want to focus on other key endorsements, depending on your operation.  A couple of endorsement examples are as follows:


Additional insured. These are insureds added to your policy in addition to the named insureds.  As we said above, your contracts may obligate you to add certain coverage to your policies and naming one or more additional insureds is a common requirement. 
Schedule of covered locations. You’ll find these endorsements when there is more than one location.  If you have only one location, it will most likely be shown in the policy declarations.  If you have multiple locations, you’ll want to review the endorsement to make sure all locations are scheduled.  In the event of a loss, the insurance company will review the schedule of covered locations to verify coverage.  If the location is not listed, there is a good chance the insurance company will deny coverage.
5. What are the exclusions and the exceptions to the exclusions?  You will find exclusions in the insuring agreement and also in the endorsements, discussed above.  In my experience, reviewing exclusions has been the most difficult task to master.  In this case, your broker can be your friend and help explain any confusing concepts.  Some of the exclusions also list exceptions to the exclusions.  Remember those math class word problems from school, “If a train leaves the station headed east at…”? Deciphering policy language can be similar to figuring out those math problems. I often find it helpful to write down what is included, what is excluded, and any exceptions to the exclusions to help understand what coverage is actually provided.

Reading an insurance policy can be quite daunting, but with the help of your insurance broker and by remembering these five key points, you can feel more informed and confident about the coverage and limitations in your insurance policies. Caveat Emptor - Let the Buyer Beware!

Until next time, stay safe and be kind to one another.