BWC Safety Congress March 8, 2017
ERM and Cyber Awareness and Security
CHAOS, CONFLICT AND COURAGE
Ron Whittington
Ron Whittington has served as the Risk Manager and
Safety Administrator for the City of Dublin since 1996 and
manages Dublin’s self-insurance workers’ compensation,
property/casualty and employee safety and health
programs. Prior to that he was the Public Sector Safety
Consultant at Clemans Nelson & Associates. Ron
currently serves as President of the Central Ohio Risk
Management Association (CORMA) and Treasurer of the
Ohio Public Risk Management Association (OPRIMA).
Ron is a graduate of Marshall University and received his
Master of Science, also from Marshall University, in
Occupational Safety Management.
Cathie T. Chancellor, JD, MS, CRM
■Risk Manager of Ohio University for 4 years this spring; charged with managing OU’s commercial and self-insurance programs. Other responsibilities include management of pre-defense small claims, and helping to implement and maintain the institution’s Enterprise Risk Management program.
■15+ years of experience as a public entity risk manager: prior to her work at OU she worked for 12 years as risk and compliance manager of Cuyahoga County, Ohio, with direct managerial oversight of risk and compliance management, All Risk insurance, EHS, claims, and enterprise risk administration; and as Civil Assistant Prosecuting Attorney, primarily responsible for EHS claims & litigation.
■Including today, she has attended 4 Ohio Safety Congress conferences, and has presented on numerous risk management topics at various conferences throughout her career.
■Serves as a member or chair of one or more committees of the Public Risk Management and Insurance Association (PRIMA-OH Chapter), the University Risk Management and Insurance Association (URMIA), and the Inter-University Council Insurance Consortium (IUC-IC).
■Juris Doctor and master’s degrees in Law and Urban/Government Studies, respectively; charter member and graduate of the Weatherhead School of Business Management’s Society of Professional Fellows; recognized by the National Alliance of Insurance Education and Research – Certified Risk Managers International as the first JD/CRM in the State of Ohio (1993).
■Resident of Solon, Ohio, and married to Bruce Chancellor, Esq.; proud parents of two daughters, both of whom are currently studying to become risk managers (a Math/Actuarial Science major and an EHS Management major)!
Adam Maxwell, City of Westerville
Director of Administrative Services
Adam has served as the Director of Administrative Services since 2008 and has been with the City since 2000. He is responsible for the human resources, labor relations, procurement, buildings and grounds, and risk and safety functions of the organization.
He is the current President of OPRIMA and Past President of CORMA.
Todd Jackson, City of Westerville
Chief Information Officer
Todd Jackson, husband and father of 2, is a member of the executive management team and is the Chief Information Officer for the City of Westerville, Ohio. Todd and his team are trusted allies; by utilizing an 'ally' approach they have helped the City realize business value through the use of strategic technology solutions, including the creation of the nation's first municipally owned community data center and fiber network, branded as WēConnect.
Enterprise Risk Management For Public Entities
ERM | History
▪Origins - Finance industry; varies: 1920’s – 1970’s.
▪Greater need than financial survival.
▪Expands Traditional Risk Management (RM) – from pure risks, insurance/financial
derivatives to include comprehensive method of linking RM across business units.
▪Strategic, Operational Parameters involved risks requiring foresight and control.
▪Continuous Recognition of Individual & Collective Array of Risks.
▪Critics: Reactive; Partial RM; Mitigation Costs; Ranking.
ERM | How To Implement – The Steps
1. Define what value your organization will gain from ERM
2. Research and understand different standards and frameworks
3. Inventory what your organization is already doing
4. Seek support and help
5. Keep it simple
6. Start small
7. Go for the quick wins
8. Delegate “fixes” to risk owners
9. Report on progress
10. Develop your “soft skills”
Refer to Separate Document for Additional Details
ERM | How To Implement – The Steps (cont’d)
■“Above all, you need to be an excellent communicator with a specific value message: ‘Enterprise risk management is a discipline that protects—and creates—value for the organization. By implementing ERM, you personally will be able to deliver results with both tangible and intangible benefits.’”
■Source: RIMS
ERM | Methodology
■Risk / Heat Map: An Example
ERM | The Benefits
▪More Risk-Focused Culture
▪Defines/Aligns: Risk Appetite vs. Strategic Objectives/Mission(s)
▪Standardized Risk Reporting
▪Improved Focus and Perspective on Risk
▪Efficient Use of Resources
▪Recognition and Action Toward Opportunities
▪Effective Coordination of Regulatory/Compliance Matters
▪Improved Communications Among/Across Silos
▪Reduces Operational Surprises and Losses
ERM | Now In Place
■Best Practices
▪Define Risk Broadly
▪Recognize Both Opportunities & Downsides of Risk
▪Develop Multi-level Risk Identifying/Evaluating
▪Look at TCOR (Total Cost of Risk)
▪Foster Board & Upper Management Collaboration
ERM | Now In Place (cont’d)
■Action Steps. . .
▪Process to Consider Risk in Strategic Discussions
▪Designate Risk Owners
▪Require Top-level Risk Prioritization
▪Require Annual ERM Plan Reports on Risks
▪Prioritize & Re-prioritize Risks Annually
▪Look for Blind Spots (…events that create risk)
▪Manifest Risk Identification Annually
▪R-E-P-E-A-T ... R-E-P-E-A-T … R-E-P-E-A-T !
ERM | Conclusion
■ ERM “cannot be viewed as a static one-time process; it must be embedded in the organization, and dynamically adapted to the changing internal and external environment;” this according to an ERM ‘maturity-level’ assessment tool developed by a society of actuaries.
Cyber
■ Exposure
■ Integrated risk management (IRM)
■ Cyber Defense & Mitigation
❑To err is...
■ Don’t Forget to Upgrade, Refresh & Patch...
❑Your Contracts
■ Practice
■ Coverage and Resources
Integrated Risk Management
■ Integrated risk management (IRM)
❑Set of practices and processes
❑Supported by a risk-aware culture and enabling technologies that improve decision making and performance
❑Through an integrated view of how well our organization manages its unique set of risks.
Cyber Liability Exposures
■ Growing fiber network was another identified exposure
■ Opening the WēConnect Data Center
■ Considered risks and exposures associated with general City operations
❑Income tax collection
❑Utility billing
❑Public Safety (Police, Fire/EMS, & CAD)
❑Advanced Metering (Electric & Water)
❑Parks & Recreation online registration, etc.
■ Protection of Sensitive Personal Information of Employees
and Customers
■ Mobility including Bring Your Own Device (BYOD)
Risk and Exposure Mitigation
■ Determine your Level of Expertise
❑Some Services are “safer” in the cloud!
❑Double-check your requirements
■ Understand your Risks
❑Game Over
❑HTTPS://NVD.NIST.GOV
■ Password Supplementation
■Regular 3rd Party Audits
Ripped from the Headlines
■ “Cyber attack cripples Licking County government”
Newark Advocate (2/11/17)
■ “iOS cracking tools reportedly used by FBI
released to public”
Engadget (2/3/2017)
■“Police lost 8 years of evidence in ransomware
attack”
Computerworld (1/30/2017)
Not Just Security…Awareness
Awareness
■ Training
❑Internal awareness
❑KnowBe4
■ Policies
❑Advanced Auth First
■ Personal Account Checks
❑https://haveibeenpwned.com
■ Take Security Seriously
❑Spread the Attitude!
❑Share concerns with others
Contracts
■ Negotiate SaaS contracts for indemnification clauses to protect your organization from the host’s cyber failure.
■ Add cyber liability insurance requirements to other standard insurance requirements in contracts.
■ Check new contracts and create a plan to review old contracts regularly.
■ Review contracts for Service Level Performance standards and remedy calculations.
Key Takeaways
■ Systemic defences are great if not for “Dave”
■ Know your exposures
■ Staff Awareness
■ Training & testing
■ Have a response plan
❑ Practice Tabletop Scenarios (w/ CHARTIS?)
■ Contract signature is the start not the end
■ What’s your coverage
■ Mitigate your risk
❑ First need to accept you are vulnerable
❑ Not If but When
Resources
■ PERRP
■ OPRIMA
■ National PRIMA
■ BWC Division of Safety and Hygiene
■ COSIA
■ OSIA
■ Excess Carriers
Questions