While cybersecurity is already a major concern for businesses of all shapes and sizes, it can become even more problematic if it’s solved for in isolation, and not considered within the context of enterprise risk management.
The Problem With Cybersecurity
Cyber incidents are undoubtedly a big risk for companies today. If you read any “Top Risks for Businesses” report, cyber incidents will more than likely make an appearance.
For instance, according to the Allianz Risk Barometer Report for 2018, 40 percent of survey respondents cited cyber incidents as their top risk—making it the second most concerning risk on the list, right behind business continuity. And this is just one well-known industry report.
The estimated costs associated with cyber incidents vary widely, but a 2017 Lloyd’s of London report, co-authored with risk-modeling firm Cyence, estimates a major global cyber attack could trigger $53 billion in economic losses. As it currently stands, the Equifax Inc. breach, which compromised 147 million customers’ personal data in 2017, could be the most expensive breach in history.
The credit reporting bureau posted $164 million in pre-tax costs during the second half of 2017, and costs related to the breach are supposed to increase by another $275 million this year—putting total costs at $439 million, according to an Equifax earnings call in March.
Cybersecurity is A problem, Not THE Problem
Based on the increasing frequency and heightened costs of cyber incidents, they certainly seem to be a massive problem. And they are. They just aren’t the only problem.
Just like all the emerging risks that came before cyber, and all the emerging risks that will come after cyber, cyber incidents are not isolated. Therefore, if you attempt to solve cyber risks in a vacuum, you will actually expose your organization to a whole host of other risks.
This is why enterprise risk management as a part of your integrated risk management approach is so important. Integrated Risk Management requires an organization to look across its many departments and its many business challenges, and understand how they all connect.
It’s not just a matter of finding all the risks across an organization and then solving for them independently. Instead, it’s really digging in to see how particular risks and particular solutions could affect the next risk, the next department down the hall, or the next business process.
Even on its own, cybersecurity is a complex problem—driven by multiple other challenges like increasing numbers of adversaries wanting to penetrate any organization’s network; application overload within organizations; and rampant IT personnel shortages.
However, if weaving cybersecurity into your ERM or integrated risk management program sounds like a head-spinning exercise, or if adopting the NIST cybersecurity framework sounds equally daunting, it doesn’t have to be that way. Investing in the right risk management technology can help.
Integrated Risk Management is the Answer
First and foremost, the right risk management technology will serve as an integrated risk management solution that spans across a variety of departments and business challenges—aiming to be a single source of truth across the enterprise.
Cloud-based integrated risk management technology, in particular, can surface your relevant risk information—from wherever it’s hiding in your organization—analyze it, connect it with other internal and external data, and normalize it securely in the cloud. All this will allow you to easily answer critical business questions and focus your attention where it’s most needed—ultimately helping your organization to execute on ERM.
But beyond helping you meet more lofty ERM goals, such technology can also help with the more focused effort to reduce the number of digital applications your organization uses, which can actually improve security.
In fact, integrated risk management technology can oftentimes replace the following solutions (and more) that are singular offerings from some vendors:
Less time spent managing multiple applications can create tremendous efficiencies for the IT department, and allow more time devoted to cybersecurity. Plus, fewer applications likely means less risk of one or a multitude of those applications causing a breach or falling out of compliance.
And, speaking of compliance, the right risk management technology can also replace Compliance and Regulatory Management Systems—helping you to conform with all the requirements you are mandated to meet or have voluntarily instituted, even those related to cybersecurity. The technology allows for consistent oversight, automatic updating and extensive reporting so you can identify and monitor the full range of these requirements.
Despite the benefit of integrated risk management technology’s ability to ease compliance woes, whether for cybersecurity or anything else, it’s important to remember that this is only the tip of the iceberg in terms of what the technology can do. It’s just a small piece of the puzzle … just like cyber risks are a small piece of the risk management puzzle.
As organizations aim to get out ahead of cyber risks and incidents, it’s important they don’t fall behind in assessing and addressing other emerging risks. With the right mindset, and the right technology in place, it’s easier to take the holistic approach to risk and effectively address multiple risks at one time for better security.
From the outset, hospitals and healthcare organizations have been risky environments—home to life and death situations on a daily basis, even if you discount the growing number of risks we face in our modern world.
That being said, the turmoil so many businesses experience today is exponentially magnified in hospital and healthcare environments. Many of these risks are explored in the recent white paper “Critical Risks Facing the Healthcare Industry,” published by Chubb.
According to the white paper, the top critical issues facing hospital leadership include:
Preparedness for Pandemics
Violent Incidents in Hospitals and Healthcare Settings
These challenges align with what we’re hearing from our clients and here’s why:
Greater reliance on technology and the shift to electronic health records has left the healthcare industry increasingly exposed to cyber risk. In fact, the healthcare industry has seen an 18 percent increase in breaches since 2015, when the U.S. Department of Health and Human Services Office for Civil Rights started publishing major breaches it was investigating.
Not only do hospitals and healthcare organizations have to consider how they protect their data, they also need to be concerned with how they remain compliant with regulations in the event of a breach—like those requirements regarding how and when to notify patients or parties affected by a breach.
Healthcare workers are at an increased risk for workplace violence. According to information from OSHA, “from 2002 to 2013, incidents of serious workplace violence were four times more common in healthcare than in private industry on average.”
And in 2013, there were 7.8 cases of serious workplace violence per 10,000 full-time employees in the “healthcare and social assistance sector,” versus two cases per 10,000 full-time employees in other large sectors like construction and manufacturing, according to the same OSHA information.
To protect against violence at hospitals and healthcare organizations, it’s extremely important to assess potential risks by tracking data and incidents; develop, communicate and enforce policies that disallow workplace violence, as well as encourage the reporting of it; and educate and train personnel on how to guard against workplace violence.
Preventing the spread of infectious diseases in a healthcare setting—among both healthcare professionals and the patient population—is also becoming increasingly important to hospitals and healthcare organizations.
Increased likelihood of pandemic outbreak can be explained by more frequent global travel among people; population crowding; increased flooding, which can spread disease; and inadequate numbers of healthcare providers to treat an infected population.
Naturally, concerns regarding pandemic outbreak filter down to healthcare organizations as they are the first line of defense. Adequate disaster planning, appropriate and accessible protective equipment, disease containment and training and education are necessary for mitigating risk in a healthcare setting.
How Healthcare Risk Management Technology Can Help
Hospitals and healthcare organizations that want to manage through these emerging risks, of course, would be well-suited to think through the unique challenges each one presents. However, those organizations that see these risks—as well as all other risks—as interrelated, will likely see the most success.
By integrating risks, hospitals and healthcare organizations can instead solve for any underlying issues causing multiple risks, as well as factor in the potential upsides of risks that could actually create value—like expanding provider types or care settings to generate revenue.
For example, while a pandemic outbreak might sound entirely different than a cyber attack, each issue requires attention to incident reporting, communication, training, compliance, root cause analysis and more. To realize their commonalities, though, it’s critical that stakeholders from across the entire organization are engaged in the risk management process and have access to the same reliable institutional data.
This is where Integrated Enterprise Risk Management technology becomes a necessity. Not only does it capture and automate the many processes associated with managing any type of risk, it also generates data and analytics to further inform and evolve your integrated ERM program—all from one place.
The right technology vendors will be familiar with Integrated ERM processes—and not just bells and whistles technology—helping ensure the system models your hospital or healthcare organization’s Integrated ERM framework for consistency and effectiveness during implementation.
When selecting a software vendor to help with your healthcare organization’s integrated ERM needs, take into account their security, scalability, performance and integration capabilities to ensure you’re partnering with the best service and software provider.
Institutional policies and processes are a part of doing business … and a critical component of governance, risk and compliance (GRC). That being said, it’s not always easy to manage policies. Yet, doing it right is important and so is having the integrated technology to help you.
Flawed policy management processes can result in non-compliant, unauthorized or inaccurate policies. This can then lead to costly liability issues for organizations — whether in the form of penalty fines for non-compliance or legal battles.
Here are three signs that might indicate your policy management processes need to be improved:
Policies are created in silos: Policies often stem from different departments and individuals within an organization. They might also undergo separate vetting processes. Limited visibility into who is creating what and why can lead to inconsistent and misaligned policies. Without a standard template for creating policies or a standard vetting process, policies often end up being vague, unclear and even unauthorized by the appropriate organizational stakeholders. Murky or rogue policies can be a real danger in legal proceedings—a place where they often end up.
Policies are out of date: If your organization doesn’t have a well-defined process for reviewing and maintaining policies on a regular basis, your organization’s policies will likely lose their currency and effectiveness fast. In fact, they might become more of a liability and less of a means of protection if they start to fall out of compliance; if flawed version control leads to out-of-date policies being confused for the most recent policies; or if the wrong policy documents get into the wrong hands, and unauthorized individuals become privy to confidential information.
Policy creation and maintenance is inefficient: When policies change, all the relevant people need to attest to knowledge of and conformance with the policies. In addition, in a heavily-regulated business environment, organizations often need to provide evidence to regulators and lawyers that the policies have been shared and read. Ensuring policies are up-to-date, compliant and reflective of the organization’s mission or goals can be time consuming and labor intensive—especially if the process is managed primarily through paper, spreadsheets and emails.
How To Improve Policy Management Processes
Improving your organization’s policy management processes requires:
– Creating and embedding a lifecycle for managing policies within your organization
– Streamlining policy management processes
– Providing transparency into policies, and how they are developed and maintained
The right integrated risk management technology will help with all the above. That’s because truly integrated risk management technology takes GRC into account, rather than necessitating your organization invest in one-off solutions.
Policy management technology can both document and automate the prescribed workflow for your organization’s policy management processes. This means the system digitizes and preserves processes so they can be easily referenced and understood, as well as keeps the lifecycle automatically moving forward.
The right system will assign role-based tasks; trigger new tasks once other tasks have been completed; and alert stakeholders to updates and the most up-to-date, real-time version. Such automation not only creates and embeds a lifecycle for managing policies within the organization, it also helps to streamline the policy management process—eliminating manual tasks, versioning, approvals and maintenance.
Integrated risk management technology goes beyond streamlining policy management and ensuring a lifecycle for policy management exists. It also makes policies and their lifecycle more transparent—serving as a central repository to store and organize policy and procedure information.
Users can access, create, modify, review and approve digital documents globally in one centralized location, in a controlled manner. You can track each policy from origin to obsolescence, giving managers complete visibility into their policy program.
You may also easily access a variety of training programs that map to various guidance documents, policies, procedures, regulations and standards. This helps enable training and awareness of an organization’s policies and procedures.
Don’t let your organization fall prey to the dangers that stem from mismanaging policies—from civil and criminal lawsuits to regulatory violations and fines. Solid policy management is entirely possible when its many moving parts are organized in one place and processes are automated. This allows for efficiency, protects against information and activity bottlenecks, and enables full transparency.
Riskonnect, a leading provider of cloud-based Integrated Risk Management technology solutions, today announced a record start to the year, driven by new customers, deeper relationships with existing customers and accelerated realization of its vision for Integrated Risk Management.
Building the Foundation of the Resilient Enterprise
Riskonnect’s global growth was spurred by the addition of more than 10 new clients and over 2,500 new users. More than 110 organizations spanning the U.S., Europe and Asia began or increased their reliance on Riskonnect as the foundation for their Integrated Risk Management efforts. These include leading companies across banking, construction, education, energy, manufacturing, non-profit, telecommunication, transportation and healthcare industries. Riskonnect clients now include more than 70 Fortune 1000 companies that are adopting Integrated Risk Management, 48 of which are in the Top 500.
These results highlight the key trend of organizations recognizing the need to adopt a comprehensive, holistic approach to risk management, beyond the traditional divisions of governance, risk and compliance (GRC)/enterprise risk management (ERM) and insurable risk management. With a single, fully-integrated platform, Riskonnect is the only vendor that can natively bridge this gap.
“Our success during the first quarter of 2018 is a direct result of the market’s appreciation of our continued investment in customer success. We are very excited and thankful for the new and existing clients that have chosen to partner with us in their journey toward Integrated Risk Management,” said Jim Wetekamp, Riskonnect CEO.
The acquisition of cloud-based Governance Risk and Compliance (GRC) solution vendor Aruvio in late 2017 and significant new investments in R&D, such as the upcoming New Riskonnect User Experience, powered by the Force.com Lightning Platform, will further accelerate growth in 2018 and beyond. Aruvio’s implementation-ready suite of solutions provided the intellectual property, experience and capability to power Riskonnect’s rapid product expansion in the areas of ERM, GRC, Vendor Risk Management (VRM), audit management and more.
Positioning Customers for Success
Other notable customer-driven milestones and investments during the quarter include:
Introduced industry veteran Jim Wetekamp as CEO. Wetekamp has more than 20 years of product and leadership experience, most recently serving as CEO of BravoSolution, a Chicago-based cloud procurement solutions company.
Introduced key customer investments, such as Client Communities, which have streamlined and simplified the process for clients to interact and share important information with their Riskonnect client services team to result in an overall improved client service experience.
Recognized by analysts in multiple reports such as Gartner’s Competitive Landscape report on Integrated Risk Management and in Forrester Research’s in-depth evaluation of the Risk and Compliance Market via the Forrester Tech Tide: Risk And Compliance Management, Q2 2018. These placements were possible due in part to the positive experiences shared by our clients.
Debuted the New Riskonnect User Experience during RIMS 2018 to great interest and positive feedback from attendees on the modernized, more intuitive interface designed to significantly increase user productivity.
Riskonnect was named the winner of a Bronze Stevie® Award in the Best New Product or Service of the Year category for Software – Governance, Risk & Compliance Solution in The 16th Annual American Business Awards®.
“This recognition highlights the focused efforts Riskonnect took during 2017 to improve our governance, risk and compliance offerings,” said Jim Wetekamp, Riskonnect CEO. “Last year’s acquisition of Aruvio broadened our existing platform with fully developed functionality like anti-bribery and enterprise GRC at a time when enterprises across various vertical markets are facing increased rules and regulations.”
The American Business Awards are the U.S.A.’s premier business awards program. All organizations operating in the U.S.A. are eligible to submit nominations – public and private, for-profit and non-profit, large and small.
More than 3,700 nominations from organizations of all sizes and in virtually every industry were submitted this year for consideration in a wide range of categories, including Startup of the Year, Executive of the Year, Best New Product or Service of the Year, Marketing Campaign of the Year, Live Event of the Year, and App of the Year, among others.
Nominated in the Best New Product or Service of the Year category for Software – Governance, Risk & Compliance Solution, the Stevie’s panel of judges noted Riskonnect’s desire to bring innovation to an area facing tremendous growth and opportunity, calling it a “very useful service for anticipating and managing risk.”
More than 200 professionals worldwide participated in the judging process to select this year’s Stevie Award winners.
“The nominations submitted for The 2018 American Business Awards were outstanding. The competition was intense, and those recognized as Stevie Award winners should be immensely proud of this accomplishment,” said Michael Gallagher, president and founder of the Stevie Awards.
Riskonnect will receive their award during a gala ceremony in New York on June 11.
About the Stevie Awards
Stevie Awards are conferred in seven programs: the Asia-Pacific Stevie Awards, the German Stevie Awards, The American Business Awards®, The International Business Awards®, the Stevie Awards for Women in Business, the Stevie Awards for Great Employers, and the Stevie Awards for Sales & Customer Service. Stevie Awards competitions receive more than 10,000 entries each year from organizations in more than 60 nations. Honoring organizations of all types and sizes and the people behind them, the Stevies recognize outstanding performances in the workplace worldwide. Learn more about the Stevie Awards at http://www.StevieAwards.com.
Third-party vendors can provide tremendous value to organizations. For example, organizations often rely on vendors to handle IT issues they may not have the internal resources to take care of on their own. However, becoming dependent on third-party vendors also has its risks, and forward-thinking executives use vendor management technology and other risk management techniques to mitigate their exposure.
To continue this example, when an organization relies on a third-party vendor for IT services, it usually requires turning over sensitive information. There is inherent risk when trusting a third-party vendor with access to your data. Organizations can, and should, reduce the risk attached to doing business with third-party vendors by:
Having sound policies and due diligence processes in place. These policies and processes should regulate all vendor-related matters. Work with vendors to find and then appropriately address gaps in security. Additionally, using vendor risk management technology that can create controls and store policies for vendors helps automate various compliance checks and activities. Clients can then more easily administer vendor training and attestation for new policies.
Assessing the risks posed by shared infrastructure between your company and the vendor. Risk management technology providers that connect seamlessly with the Unified Compliance Framework, like Riskonnect does, offer ready-made compliance templates and risk assessment questionnaires that greatly facilitate this process. Having a user-friendly vendor management system to actively monitor and regularly audit your vendor’s performance and security is of great importance.
Training staff in proper security practices and insisting that your vendors also engage in regular training. For example, educate staff in anti-bribery practices and require that vendors also go through stringent, ongoing compliance training. This practice helps provide assurance that everyone is on the same page about new regulations and requirements.
Ensuring your company has strong incident detection and response systems in place. Service provider risk is not a one-time threat or possibility so simply having these capabilities is not enough. You must then test them on a regular basis in order to confirm the sophistication of the system is evolving to meet the ongoing evolution of the ways organizations are being attacked.
Investing in the right risk management tool. Having a single, integrated system that allows you to monitor, manage and mitigate all vendor risks, including the tasks mentioned above, is essential. It greatly reduces the probability of errors, and it’s no secret that the cost of a breach is too high to avoid this vital business practice.
For the fifth year, Riskonnect was recognized by the Atlanta Business Chronicle as one of the 100 fastest growing private companies in the Atlanta metropolitan area. The company was honored at the 23rd annual Pacesetter Awards, held April 26.
“Atlanta remains a great source for the talent that allows us to achieve our business goals and continue to deliver groundbreaking technology solutions,” said Jim Wetekamp, Riskonnect CEO. “This award is a testament to how Atlanta remains the location for us to disrupt the integrated risk management software market.”
Conducted annually, the Atlanta Business Chronicle Pacesetter Awards examines the fastest growing private companies in the metro Atlanta area. To qualify, companies must have experienced a two-year growth in sales of more than 50 percent as well as achieve revenues between one and $300 million. Evaluation criteria for the 2018 award examined corporate growth from 2015-2017, with companies ranked by the percent change during this time period.
Internal audit functions are under increasing pressure to prove their relevance—a feat which is nearly impossible without the right integrated risk technology in place.
Exceeding great expectations
Internal audit departments have traditionally been viewed as a governance and compliance-driven function meant to ensure that the organization’s risk management, governance and internal control processes are operating effectively in order to comply with regulations and standards affecting their businesses.
Integrated risk management technology helps efficiently develop innovative ways to provide better strategy, enabling internal auditors to effectively focus their efforts on predicting risk and protecting their organizations.
Data can be entered, normalized and reviewed in real-time—all in one place. Accurate information and insights are readily available and up-to-date, rather than locked away in emailed spreadsheets with old data that is no longer relevant. Cloud-based and automated systems encourage information sharing across the organization and provide real-time data and real-time analytics. Instant visual or graphical depictions of data cut down on time-consuming report-building and allow you to improve audit strategies, accelerate audit cycles, reduce audit cost and enhance auditor productivity.
Why internal audit needs to make the shift from checking boxes to innovating
The need to be relevant is often the main driver for internal audit departments trying to shift from compliance-based functions to transformative operations—a concept that is certainly familiar to external auditing firms also vying to be relevant and provide value to their clients.
For auditors, themselves, moving from a compliance-driven role to an innovative role is obviously going to be more professionally satisfying. But businesses, too, reap very real financial rewards from thinking of compliance in a way that is “out of the box” instead of as “checking boxes.”
But what does innovation by way of internal audit departments actually look like? According to the Institute of Internal Auditors’ “pulse of the profession” study, it requires internal audit departments to transform their operations and improve their responses to constantly evolving business disruption. Simplified, it means they must identify and mitigate harmful risks in advance of disruption, as well as realize the upside of risk, so management can make informed decisions to protect and add value to the business.
If this sounds impossible, it’s not…at least for those organizations willing to invest in the right technology. According to PwC’s annual “State of the Internal Audit Profession” study, 56 percent of internal audit leaders believe technology adoption impacts internal audit’s value to the organization.
The time is now
Since the integrated technology is now available to assist internal auditors in making the shift from box-checkers to proactive innovators, they are realizing how their role in the organization can be elevated. This is an important advancement in their careers, which allows senior management to see them as strategic partners in achieving the organization’s overall risk management goals.
The call for internal audit departments to innovate and show their value to their organizations is real and imminent. As tomorrow’s risks become yesterday’s news—faster than any of us can comprehend—it’s critical to deploy the tools necessary to not only keep our departments relevant, but our organizations relevant, too.
The annual RIMS conference is always one of the best places to get a pulse on what is most important to risk management professionals, and this year’s event was no different. Here is a look at the top three topics that surfaced during three days in San Antonio with the best and brightest in the industry:
Enterprise Risk Management
There was an overwhelming increase in interest in ERM this year, highlighted by the number of sessions dedicated to the topic as well as the depth and breadth of the aspects that were covered. Some areas of focus were how ERM plays into the global supply chain and how to incorporate strategy into your ERM program. Monitoring and mitigating financial, strategic and operational risks is just as important as risks associated with more traditional, insurable risks such as accidental losses. The ongoing elevation of the risk management function to a key role in organizational management and senior level team members having greater visibility into their organizational risks is proof.
Cyber Risk
Protecting your digital assets is more important than ever in today’s age of hacking. Educational sessions centered on tactical ways to increase cyber security efforts as well as discussing the risks your organization faces if a breach does occur, such as reputational damage. The threat of ransomware is also top of mind for many IT risk professionals as there has been an uptick in these types of attacks and proper training has become essential. Additionally, monitoring the impact third-party vendors have on an organization’s cyber risk footprint continues to increase in importance. The market is seeing significant demand for technology that can assist in managing this risk seamlessly.
Emerging risks
This broad category encompasses a range of risks that have recently gained industry attention. Some of the topics covered during RIMS included cannabis and the workplace. For example, how is the increase in states legalizing the use of marijuana affecting workers’ compensation? Another session surrounded the growth in popularity of drones. These can present both physical and privacy risks that organizations are trying to navigate, which can be done through an ERM program. The risks and opportunities of diversity and inclusion were also presented as well as a related look at how to protect your employees and enterprise against the hidden threats of workplace bullying.
Riskonnect, unique in offering its integrated approach to global safety, risk and compliance management solutions on the world’s leading cloud platform, is unveiling its new user experience at RIMS 2018. Inspired by feedback from customers and partners and leveraging the significant investments made in the force.com platform, Riskonnect designed the new user experience to accelerate user adoption, improve usability and increase productivity.
“Riskonnect revolutionized the risk management industry when we launched the first cloud risk management solution in 2007. We’re continuing to innovate with our new user experience, which provides business users with a modern, intelligent experience across every device,” said Roger Dunkin, vice president, product and development and co-founder. “Harnessing the massive investments made in Lightning within the force.com platform and critical end-user and practitioner input, this market-defining improvement enabled us to dramatically increase self-service capabilities for administrators and offer up to 40 percent increases in productivity for users.”
In addition to overall improvements such as a cleaner and more modern user interface, enhanced navigation, and increases in information accessibility, the new user experience offers Riskonnect users specific benefits:
Pathways make it easy for you to quickly see—and take—next steps to keep your critical workflow processes moving forward. Highlighting key fields provides you with helpful links, tips and other information so you know what to do next.
Visualize and optimize your workflow on the fly with Kanban View. Like sticky notes on a whiteboard, you can drag and drop records, group activities and tasks, and seamlessly create and edit lists.
Riskonnect’s already great Global Search just got better. Get top results and records faster.
Favorites let you quickly access important records, lists, groups, dashboards, and other frequently used pages in Salesforce. Similar to bookmarks in a web browser, your Riskonnect favorites will always be available to you, no matter where you access them.
Riskonnect already reduces mouse clicks. Now you can do away with them altogether with Keyboard Shortcuts.
The new user experience will be available in the fall release. Existing clients will have multiple options for activation—when desired—at no additional subscription cost.