Page 1: ERM and Cyber Awareness and Security - Ohio Safety Congress · ERM and Cyber Awareness and Security CHAOS, CONFLICT AND COURAGE . BWC Safety Congress March 8, 2017 Ron Whittington


ERM and Cyber Awareness and Security

CHAOS, CONFLICT AND COURAGE

Page 2: Ron Whittington

Ron Whittington has served as the Risk Manager and Safety Administrator for the City of Dublin since 1996 and manages Dublin’s self-insurance workers’ compensation, property/casualty and employee safety and health programs. Prior to that he was the Public Sector Safety Consultant at Clemans Nelson & Associates. Ron currently serves as President of the Central Ohio Risk Management Association (CORMA) and Treasurer of the Ohio Public Risk Management Association (OPRIMA). Ron is a graduate of Marshall University and received his Master of Science in Occupational Safety Management, also from Marshall University.

Page 3: Cathie T. Chancellor, JD, MS, CRM

Risk Manager of Ohio University for 4 years this spring; charged with managing OU’s commercial and self-insurance programs. Other responsibilities include management of pre-defense small claims and helping to implement and maintain the institution’s Enterprise Risk Management program.

15+ years of experience working as a public entity risk manager: prior to her work at OU she worked for 12 years as risk and compliance manager of Cuyahoga County, Ohio, with direct managerial oversight of risk and compliance management, All Risk insurance, EHS, claims, and enterprise risk administration; and as Civil Assistant Prosecuting Attorney, primarily responsible for EHS claims and litigation.

Including today, she has attended 4 Ohio Safety Congress conferences, and has presented on numerous risk management topics at various conferences throughout her career.

Serves as a member or chair of one or more committees belonging to the Public Risk Management and Insurance Association (PRIMA-OH Chapter), the University Risk Management and Insurance Association (URMIA), and the Inter-University Council Insurance Consortium (IUC-IC).

Juris Doctor and master’s degrees in Law and Urban/Government Studies, respectively; charter member and graduate of the Weatherhead School of Business Management’s Society of Professional Fellows; and recognized by the National Alliance of Insurance Education and Research – Certified Risk Managers International as the first JD/CRM in the State of Ohio (1993).

Resident of Solon, Ohio, and married to Bruce Chancellor, Esq.; proud parents of two daughters, both of whom are currently studying to become risk managers (Math/Actuarial Science major and EHS Management major)!

Page 4: Adam Maxwell, City of Westerville

Director of Administrative Services

Adam has served as the Director of Administrative Services since 2008 and has been with the City since 2000. He is responsible for the human resources, labor relations, procurement, buildings and grounds, and risk and safety functions of the organization.

He is the current president of OPRIMA and Past President of CORMA.

Page 5: Todd Jackson, City of Westerville

Chief Information Officer

Todd Jackson, husband and father of 2, is a member of the executive management team and is the Chief Information Officer for the City of Westerville, Ohio. Todd and his team are trusted allies, and by utilizing an 'ally' approach he has helped the City realize business value through the use of strategic technology solutions, including the creation of the nation's first municipally owned community data center and fiber network, branded as WēConnect.

Page 6: Enterprise Risk Management For Public Entities

Page 7: ERM | History

▪ Origins - Finance industry; varies: 1920’s – 1970’s.

▪ Greater need than financial survival.

▪ Expands Traditional Risk Management (RM) – from pure risks, insurance/financial derivatives to include a comprehensive method of linking RM across business units.

▪ Strategic, Operational Parameters involved risks requiring foresight and control.

▪ Continuous Recognition of Individual & Collective Array of Risks.

▪ Critics: Reactive; Partial RM; Mitigation Costs; Ranking.

Page 8: ERM | How To Implement – The Steps

1. Define what value your organization will gain from ERM

2. Research and understand different standards and frameworks

3. Inventory what your organization is already doing

4. Seek support and help

5. Keep it simple

6. Start small

7. Go for the quick wins

8. Delegate “fixes” to risk owners

9. Report on progress

10. Develop your “soft skills”

Refer to Separate Document for Additional Details

Page 9: ERM | How To Implement – The Steps (cont’d)

■ “Above all, you need to be an excellent communicator with a specific value message: ‘Enterprise risk management is a discipline that protects—and creates—value for the organization. By implementing ERM, you personally will be able to deliver results with both tangible and intangible benefits.’”

■ Source: RIMS

Page 10: ERM | Methodology

■ Risk / Heat Map: An Example

Page 11: ERM | The Benefits

▪ More Risk-Focused Culture

▪ Defines/Aligns: Risk Appetite vs. Strategic Objectives/Mission(s)

▪ Standardized Risk Reporting

▪ Improved Focus and Perspective on Risk

▪ Efficient Use of Resources

▪ Recognition and Action Toward Opportunities

▪ Effective Coordination of Regulatory/Compliance Matters

▪ Improved Communications Among/Across Silos

▪ Reduces Operational Surprises and Losses

Page 12: ERM | Now In Place

■ Best Practices

▪ Define Risk Broadly

▪ Recognize Both Opportunities & Downsides of Risk

▪ Develop Multi-level Risk Identifying/Evaluating

▪ Look at TCOR (Total Cost of Risk)

▪ Foster Board & Upper Management Collaboration

Page 13: ERM | Now In Place (cont’d)

■ Action Steps. . .

▪ Process to Consider Risk in Strategic Discussions

▪ Designate Risk Owners

▪ Require Top-level Risk Prioritization

▪ Require Annual ERM Plan Reports on Risks

▪ Prioritize & Re-prioritize Risks Annually

▪ Look for Blind Spots (…events that create risk)

▪ Manifest Risk Identification Annually

▪ R-E-P-E-A-T ... R-E-P-E-A-T … R-E-P-E-A-T !

Page 14: ERM | Conclusion

■ ERM “cannot be viewed as a static one-time process; it must be embedded in the organization, and dynamically adapted to the changing internal and external environment.” This, according to an ERM ‘maturity-level’ assessment tool developed by a society of actuaries.

Page 15: Cyber

■ Exposure

■ Integrated risk management (IRM)

■ Cyber Defense & Mitigation

❑ To error is...

■ Don’t Forget to Upgrade, Refresh & Patch...

❑ Your Contracts

■ Practice

■ Coverage and Resources

Page 16: Integrated Risk Management

■ Integrated risk management (IRM)

❑ Set of practices and processes

❑ Supported by a risk-aware culture and enabling technologies that improve decision making and performance

❑ Through an integrated view of how well our organization manages its unique set of risks.

Page 17: Cyber Liability Exposures

■ Growing fiber network was another identified exposure

■ Opening the WēConnect Data Center

■ Considered risks and exposures associated with general City operations

❑ Income tax collection

❑ Utility billing

❑ Public Safety (Police, Fire/EMS, and CAD)

❑ Advance Metering (Electric & Water)

❑ Parks & Recreation online registration, etc.

■ Protection of Sensitive Personal Information of Employees and Customers

■ Mobility including Bring Your Own Device (BYOD)

Page 18: Risk and Exposure Mitigation

■ Determine your Level of Expertise

❑ Some Services are “safer” in the cloud!

❑ Double-check your requirements

■ Understand your Risks

❑ Game Over

❑ HTTPS://NVD.NIST.GOV

■ Password Supplementation

■ Regular 3rd Party Audits

Page 20: Not Just Security…Awareness

Page 21: Awareness

■ Training

❑ Internal awareness

❑ KnowBe4

■ Policies

❑ Advanced Auth First

■ Personal Account Checks

❑ https://haveibeenpwned.com

■ Take Security Seriously

❑ Spread the Attitude!

❑ Share concerns with others

Page 22: Contracts

■ Negotiate SaaS contracts for indemnification clauses to protect your organization from the host’s cyber failure.

■ Add cyber liability insurance requirements to other standard insurance requirements in contracts.

Page 23: Contracts

■ Check new contracts and create a plan to review old contracts regularly.

■ Review contracts for Service Level Performance standards and remedy calculations.

Page 24: Key Takeaways

■ Systemic defences are great if not for “Dave”

■ Know your exposures

■ Staff Awareness

■ Training & testing

■ Have a response plan

❑ Practice Tabletop Scenarios (w/ CHARTIS?)

■ Contract signature is the start not the end

■ What’s your coverage

■ Mitigate your risk

❑ First need to accept you are vulnerable

❑ Not If but When

Page 25: Resources

■ PERRP

■ OPRIMA

■ National PRIMA

■ BWC Division of Safety and Hygiene

■ COSIA

■ OSIA

■ Excess Carriers

Page 26: Questions

