
There are changes coming in the world of security technology. Never before have so many criminals been so organized across borders as they are today. The Internet has spawned international crime syndicates of the best of the best criminal minds, who seek to take from you, your government, and all the merchants we rely on to provide products and services.

Security companies have been preparing for this eventuality, and many are rolling out new and improved versions of their technologies to fight the good fight.

Antivirus: Today’s antivirus protection is not the same as yesterday’s. Over the years, antivirus companies have had to upgrade their detection methods and change the way they recognize malware. And it’s no longer effective to have a free, basic antivirus program installed. Criminals are coming from all angles: attacking your PC’s operating system, various browsers, Macs, mobiles, and any website you visit. In response, antivirus companies now offer “total protection” or “all access” suites of software, to protect all your devices across various operating systems for one low price.

Credit cards: The shift from “magnetic stripe” credit cards to “EMV,” which stands for Euro MC/Visa, or “chip and PIN” is underway in North America. Both Canada and Mexico are going full on EMV and several major banks in the United States are beginning to test and even roll out EMV. EMV cards are far more secure than traditional credit cards, and consumers should embrace these new, more secure cards.

Mobile security: The BlackBerry has always been relatively secure, and hasn’t been prone to viruses that impact PCs. The iPhone has been virtually virus-free, but is not 100% immune. Android is quickly becoming a serious contender for the iPhone’s more than 50% market share, and bad guys are paying attention. There has been a significant increase in Android-related hacking, and Android users must, therefore, download and install all the latest updates and invest in a mobile security product.

Keeping your head up and knowing what to watch out for is job one. By staying security savvy, you can effectively deter the bad guys.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. 

In this challenging environment, board members and management executives are striving to maintain their tight grip on costs while maintaining a proper focus on enterprise-wide risk.

Jack S. Dybalski is Vice President and Chief Risk Officer at Xcel Energy. He will be a key speaker at the marcus evans 5th Annual Enterprise Risk Management Conference taking place from March 19-21, 2012 in Chicago, IL.

Jack Dybalski is the Vice President and Chief Risk Officer of Xcel Energy based in Denver, Colorado.  He is responsible for key risk assessment, commodity and credit risk management as well as generation modeling, asset risk management, risk analytics, sales forecasting, load research, and compliance for trading.

Mr. Dybalski answered a series of questions written by marcus evans to discuss the role of a CRO within a company. All responses represent the view of Mr. Dybalski and not necessarily those of Xcel Energy. (Note that the responses have been approved by Xcel Energy.)

What would be a more collaborative structure which may help companies to manage risk better alongside performance?

JD: The specifics will vary significantly from organization to organization and will also depend on the types of risks that are predominant in the organization.  Four things have evolved over the years at Xcel Energy that have led to an increasingly successful program.

i) We have developed governance processes whereby risk management review and assessment is required prior to execution of material transactions and key projects.

ii) The business functions have developed a high degree of risk consciousness.

iii) The risk management function is integrated with the strategy and planning actions of the organization.

iv) The Board of Directors takes a strong interest in risk management issues and receives a review of the company’s “Key Risks”.

What would you say are the differences between risk and uncertainty?

JD: Uncertainty is only one piece of risk.  Uncertainty needs to be applied to multiple risk parameters such as “earnings impact”, “timing”, “controllability”, “impact of external drivers” and “interaction with other risks” to get a full flavor of the risk involved.  Uncertainty needs to be placed in the perspective of the business and in the perspective of executive management to have meaning.

What is the exact role of the Chief Risk Officer in an organization?

JD: This will vary widely from organization to organization and will likely evolve over time as the organization changes.  Flexibility and willingness to absorb tasks that need doing are key traits.  So any CRO looking for an exact definition from the perspective of specific tasks may very well be unsuccessful.  Certain tasks can be defined via policy as needed but are really the small part of the role.  An overarching role is to understand the key issues facing the organization, creatively challenge business processes by asking what can go wrong …then working to plug the potential holes.  Communicate the risks to executive management and the Board.  Perform from the perspective of “what can be?” rather than “what is it now?”  Gain the trust and collegial interaction amongst company peers to achieve the optimal level of risk and reward consistent with the Company’s stated strategies.

What would be the possible areas of risk ownership for the CRO?

JD: Again, this can and will vary widely from organization to organization.  At Xcel Energy, the specific areas of risk ownership have evolved over many years.  Many of them were items that simply needed doing for the business.  Some came about because of the particular highly analytic skill sets within the risk management organization.  Regardless of who actually performs the specific tasks, the key is full transparency and consistency of measurement/assessment techniques as much as possible for use by executive management.  One key role for risk management is the communication of how to think about risks and how to portray them for full understanding by all. If that can be accomplished, then the organization is well on its way to comprehensive risk views.

The marcus evans 5th Annual Enterprise Risk Management Conference will take place March 19-21, 2012 in Chicago, IL

For further details on the upcoming conference, please contact:
Michele Westergaard
Marketing/PR Coordinator
marcus evans
Telephone: 312 540 3000 ext 6625

About marcus evans

marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.

Let’s get one thing straight: it’s no longer possible to deny that your personal life in the physical world and your digital life are one and the same. Meaning, while you are present here on the ground, you continue existing online, whether you know it or like it or not.

 Coming to terms with this reality will help you make better decisions in many aspects of your life.

1. Get device savvy: Whether you’re using a laptop, desktop, Mac, tablet, mobile, wired Internet, wireless, or software, learn it. No excuses. No more, “My kids know more than I do,” or, “All I know how to do is push that button-thingy.” Take the time to learn enough about your devices to wear them out or outgrow them.

2. Get social: One of the best ways to get savvy is to get social. By using your devices to communicate with the people in your life, you inevitably learn the hardware and software. Keep in mind that “getting social” doesn’t entail exposing all your deepest, darkest secrets, or even telling the world you just ate a tuna sandwich. Proceed with caution here.

3. Manage your online reputation: Whether you are socially active or not, whether you have a website or not, there are plenty of websites that know who you are, that are either discussing you or listing your information in some fashion. Google yourself and see what’s being said. Developing your online persona through social media and blogging will help you establish and maintain a strong online presence.

4. Get secure: There are more ways to scam people online than ever before. Your security intelligence is constantly being challenged, and your hardware and software are constant targets. Invest in antivirus, anti-spyware, anti-phishing, and firewalls. Getting security-savvy is a great way to start a new year.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Recently UCLA announced 16,000 patients were potential victims of identity theft because a doctor’s home office was broken into and burglarized. This is an unfortunate example of an employee taking home a laptop or storage device from the office resulting in a serious data breach. The thief may have no idea what he has in his hands, but the damage is done, the data is breached.

UCLA had to send letters to all 16,000 plus affected warning that there is a possibility their identities could be stolen. On top of that they had to hire an identity theft protection firm to cover each breached record in the hopes the service will mitigate the loss. Data loss like this may cost UCLA hundreds of thousands of dollars by the time the dust settles.

The documents stolen were birth certificates, home addresses, medical documents and numerical medical identifiers. The information breached did not include Social Security numbers or financial information. Meanwhile reports state the data was encrypted, but the password to access the encrypted data was on a piece of paper near the laptop, which hasn’t been located either.

Based on the reports, an identity thief would have a hard time actually using the data stolen to commit new account fraud or account takeover. Nonetheless UCLA’s response has been comprehensive and designed to reduce risk in any capacity.

Data breaches cost big bucks. Smart data security practices if done right are inexpensive and cost effective. Encryption in this scenario failed due to a password on a sticky note near the laptop. The lack of a home security system in the doctor’s home office contributed to the data loss. Putting layers of protection in both a business and home setting is an absolute must.

 

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News.

A defensive posture no longer suffices for the protection of the devices and data that have become ubiquitous in today’s digital world. Rather than simply rushing to install defenses on computers, in networks, and in the cloud, we urgently need to step back and take a broader view of the security landscape, in order to take more calculated preemptive measures.

McAfee Security Journal is a publication intended to keep security executives and technical personnel informed about various cutting edge topics in order to help them make better-informed security decisions. Regular, everyday computer users can increase their security intelligence by having a read. The report details the following highlights on the evolution of cyber threats and the necessity of a more inclusive security strategy:

The human link: There is an ever-widening disparity between the sophistication of networks and the people who use them. When direct attacks on an organization’s defenses fail, cybercriminals often use social engineering toolkits to exploit unsuspecting employees. Educating employees on secure practices is not enough—organizations need to install a proper framework to empower and encourage employees to make a habit of using these practices.

Mobile is everywhere: Mobile attacks are becoming more sophisticated every year. Instead of rendering a device unusable, hackers are now finding ways to steal sensitive personal data that can be lucratively exploited. Hackers are also broadening their target range to include less common mobile systems, such as the GPS system in your car, for example.

Cloud-based apps on the rise: The popularity of cloud-based applications has made them an attractive target for hackers and other cybercriminals. However, the cloud is also a highly efficient way to scale security and protection for a business. Leveraged correctly, the cloud both helps reduce your security costs and can actually increase your overall security posture.

Data is king: Whether it’s stored on a smartphone, in the cloud, or on a network, cybercriminals are after your data. It is crucial that organizations take proper precautions to secure this data.

Learn from mistakes: For those who take the time to study it, history is a great teacher. Analytics help identify patterns, vulnerabilities, and even motives.

Understanding these concepts can help prevent attacks in the future. For a full copy of the McAfee Security Journal: Security Beyond the Desktop, visit McAfee.com.

 

 

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.

With only 4 weeks left until the Life Sciences Internal Audit Conference, February 8-9, 2012 in Philadelphia, PA, don’t miss out on your opportunity to attend the event!

Join key speakers, including:

-   Andy Weintraub, Director, Group Internal Audit at AstraZeneca
-   David Bolton, Internal Audit Manager at Biomet, Inc.
-   Tami McLaine, Director, Audit at Baxter International
-   Katie McCormick, Senior Manager, Corporate Analysis & Control at Boston Scientific Corporation
-   Jeffrey Antoon, Director, Corporate Internal Audit at Johnson & Johnson
-   Rosemary Scardaville, Audit Director at Merck
-   Robert Scala, Senior Director, Corporate Ethics and Compliance at Eisai, Inc.

And many, many more!

 This practical, hands-on event will enable delegates to benchmark their Internal Audit strategies against their peers, and is a “must-attend” conference for industry leaders to discuss best practices on approaching internal audit compliance to increase effectiveness while decreasing cost and time.

 Hear What Past Delegates Have to Say About the Internal Audit Conference Series:
“Great selection & breadth of speakers. Uniformly high quality presentations. Intimate nature of meeting provided excellent opportunities for networking” – Abbott Laboratories

 “One of the best meetings I’ve attended. Excellent organization, topics and speakers. Overall extremely well done.” – Sanofi Aventis
For more information or to RECEIVE A DISCOUNTED RATE, contact Michele Westergaard at 312-540-3000 ext. 6625.

History is said to be a good indicator of what might come in the future. If you follow trends in how things are done and what tends to gain momentum then you can get a pretty good idea of what’s ahead.

McAfee Labs™ is made up of security professionals who spend all their waking hours observing and combating threats to our digital identities. If anyone is in a position to give us a window into the future on information technology threats, it’s these guys and gals. Here’s what they are predicting we should watch out for in 2012:

-   Attacks on critical infrastructure and utilities— Attackers from all over the world have set their focus on critical life supporting utilities such as water and power to hold those utilities hostage for payment or to disable them to cause terror. This is the kind of industrial threat that many consumers fear. Unfortunately, many industrial and national infrastructure networks were not designed for modern connectivity, making them vulnerable.

-   Political hacktivism—Hacktivism is the use of computers or computer networks to protest or promote political change. “Anonymous” is the group which was active last year doing high profile activities such as briefly taking down New York Stock Exchange’s website in support of the Occupy Wall Street protests.

-   Spam, spam, and more spam—Spam is getting easier and cheaper based on the U.S.’ CAN-SPAM Act. Shady, for profit, advertisers are making a mint selling lists to spammers, as advertisers are not required to receive consent before sending advertising.

-   Mobile malware—PCs are still the low hanging fruit. But as more mobiles are used for mobile commerce (mCommerce), virus makers are creating malware designed to take over your phone or to deliver a variety of ads or even send expensive text messages from your phone.

-   Hacked cars, GPS and any wireless equipment—Cybercriminals are now targeting embedded operating systems or even hardware to gain control of everything from cars to global positioning system (GPS) trackers and medical equipment.

-   Cyberwar—Not trying to create fear here, just from observation, McAfee Labs has seen an increase in high-tech spying and other “cyber” techniques to gain intelligence.

As technology evolves and our use of the Internet and mobile devices becomes more complex, cybercriminals are also evolving and honing their skills with new types of attacks. But although some of the threats may seem scary, the reality is many offer new takes on old forms of attack and with a little bit of foresight and preparedness we can guard against them.

 

Robert Siciliano is a McAfee Online Security Evangelist. See him discussing attacks on our critical infrastructure on Fox News

Experian’s Chris Ryan addressed five major questions about compliance with the FFIEC’s recent guidance on banking authentication. What follows are his responses, summarized:

 

  • What does “layered security” actually mean?

“‘Layered security’ refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.”

  • What does “multi-factor” authentication actually mean?

“A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.”

  • Who does this guidance affect? And does it affect each type of credit grantor/ lender differently?

“The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment.”

  • What will the regulation do to help mitigate fraud risk in the near-term and long-term?

“The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.”

 

  • How are organizations responding? 

 

“Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, ‘layered’ approach that the guidance is seeking.”

To learn more, watch Experian and iovation’s webinar, titled Ensuring Optimal Efficacy and Balance with Out-of-Wallet Questions and Device Identification, dedicated to discussing the recent FFIEC guidance and taking a defense-in-depth approach to fraud prevention.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association.

 
