Interview with Howard Rosen, Senior Director and Insurance ERM Practice Leader for Standard & Poor’s
The economic crisis of the last few years has forced a renewed focus on the process of risk identification, management and mitigation. Executives are taking a much closer look at their strategic risk management challenges in order to formulate more rigorous and effective Enterprise Risk Management programs.
Howard Rosen FSA, MAAA, CERA is the Senior Director and Insurance Enterprise Risk Management Practice Leader at Standard & Poor’s. He will be a key speaker at the marcus evans Enterprise Risk Management Canada Conference taking place in Toronto on August 30-31.
Howard is responsible for ERM analysis for insurance companies in the U.S. He manages the U.S. ERM team's activities, particularly in support of new criteria development, the analysis of insurers’ ERM programs, and the reviews of economic capital models. He has been published on various topics and is a frequent speaker at industry events.
Mr. Rosen answered a series of questions written by marcus evans to explain where the future of ERM is going and the importance of an industry-wide ERM plan. All responses represent the view of Mr. Rosen and not necessarily those of Standard & Poor’s. (Note that the responses have been approved by S&P.)
ERM is simply good management and essential to good corporate governance. Would you agree and why?
HR: We, at S&P, would totally agree. All businesses come with some measure of risk. Some, such as insurance businesses, have more risk than others. In order for businesses to succeed, whatever their definition of success, those risks have to be understood by management. For those risks to be understood, they need to be managed, and in order to be managed, they need to be measured. If you can’t measure it, you can’t manage it.
Further, in order to measure the risks, the company must have the tools to perform the measurements. That measurement process needs to consider the presence and impact of other risks – not only risks that are created by virtue of the business itself, but risks resulting from the environment in which the business operates. The entire process needs to operate holistically, that is, from an enterprise perspective. Therefore, management needs to be aware of its environment, not only today, but it needs to think about how the environment may change tomorrow.
Finally, given the general need for and likely scarcity of capital, there needs to be a process by which the risk/reward propositions of strategic options can be prioritized and compared on a level playing field. There you have it - all the elements of ERM in a nutshell: culture – does management understand its risks; controls – can the company manage its risks; emerging risk management – is the company thinking about how things might change in the future; risk models – does the company have the wherewithal to measure the risks so that they may be managed; and strategic risk management – can the company evaluate and optimize its options for the future?
How can ERM keep evolving as a positive value within an organization?
HR: Companies which S&P views as having the most effective ERM processes are those which have a feedback loop from actual experience to their ERM frameworks. That is, they learn from their mistakes. For example, one of the most significant lessons learned from the financial crisis was that risks truly have tails that are a lot “fatter” than people thought: things can get a lot worse than history would lead you to believe. So, for example, companies are now considering hedge programs to protect against both the risks that interest rates could go down even lower, or could spike suddenly. Certainly few expected the yield curve to look as it does now and look that way for as long as it has, which may continue into the future. Companies learn! In fact, in S&P’s ERM reviews, we look less favourably at an ERM framework that remains static over the years as opposed to a dynamic framework that evolves over time as risks are better understood.
What role does ERM play in strategic planning and shareholder value creation?
HR: Strategic planning involves weighing strategic options against each other, unless, of course, the availability of capital is not at issue. Wouldn’t that be a nice environment! In order to compare those options, one needs a “value currency” - one or more metrics that measure, on a consistent basis, the importance of each of those strategic options to the company. The combination of risk models and strategic risk management within a robust ERM construct allows companies to more effectively complete strategic planning exercises.
Why is it important to develop a long term, industry-wide ERM plan?
HR: Although my answer relates more specifically to the insurance industry, one can analogize to any industry. In some cases, the insurance industry takes on risks whose exposure can continue for many years in the future. As examples, consider either permanent forms of life insurance or product liability exposures. Once assumed by the insurer, those risks must be managed over the long-term. Further, the world is changing around us: there is global warming; people are living longer; weather patterns are changing; and interest rates move in unpredictable patterns. In order for the insurance industry to continue to thrive, risks must not only be managed today, but they must be managed for many tomorrows into the future. ERM must be a living, breathing creature and evolve as the industry and the world evolve. We view the evolutionary process more favourably if it is not only reactive, but proactive as well.
How can ERM shed light on critical dimensions of risk that determine overall creditworthiness?
HR: In S&P’s view, risk management can be a critical element of an insurance company’s success. For this reason, it is one of eight separate, but related elements which comprise the process we use to rate insurance companies. Therefore, S&P views ERM as a key element in the evaluation of our view of an insurance company’s creditworthiness. ERM gives our analysts an enhanced lens into many areas of the rating process: management and corporate strategy; financial performance; capitalization; investments; and financial flexibility to name a few.
The marcus evans Enterprise Risk Management Canada Conference will take place in Toronto on August 30-31.
For further details on the upcoming conference, please contact:
Michele Westergaard
Marketing/PR Coordinator
marcus evans
Telephone: 312 540 3000 ext 6625
About marcus evans
marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.
In the current business environment organizations have no choice but to address risk issues and integrate risk management practices into their systems and operations. Enterprise risk management (ERM) must be factored into routine decision making and performance management.
However, there is also the need for continuous innovation in ERM to ensure it keeps pace with ever emerging challenges.
Rob Quail is the Senior Manager of Enterprise Risk Management at Hydro One. He will be a speaker as well as the chairman at the marcus evans Enterprise Risk Management Canada Conference taking place in Toronto on August 30-31.
Rob has been involved with ERM at Hydro One since 1999. From 1999 to 2003 Rob ran the Risk Management group of Hydro One, and during this time he conducted over 150 risk assessments and workshops covering every organizational unit and major initiative in the company. The group was highly successful in embedding risk management into the core management processes and attitudes in the company, and late in 2003 he recommended that the Risk Management Group be dissolved as a full-time work group; Rob went on to other assignments within Hydro One. Early in 2011, Rob was asked to return to doing ERM full-time at Hydro One, with the specific objective of rejuvenating the company’s ERM practices.
Quail sat down with Maeve McGovern from marcus evans to explain that ERM’s role within an organization is to understand and deal with uncertainty. All responses represent the view of Mr. Quail and not necessarily those of Hydro One.
What role should ERM play in an organization and who ultimately has responsibility for it?
Rob Quail: ERM is about the process of dealing with uncertainty. The role of ERM is to equip an organization so they can benefit from uncertainty and mitigate loss in order to be prepared for what can happen unexpectedly to a business. Ultimately ERM must be owned and executed by the line decision makers in a business and not by a functional group. It is not all that distinct from the other core management functions related to operating a company.
It’s also not all that different from governance or strategy; it’s part and parcel of those things. Understanding key risks to the achievement of an organization’s objectives is central to this and accepting the risks that are tolerable. Prudent action is also needed in cases where there is intolerable risk that a company is exposed to.
How will employing sound ERM practices improve a company’s financial profile?
RQ: There are two ways that this can happen. The first is the reduction in volatility and uncertainty. As we understand and put limits on uncertainty that should yield more predictable financial performance. The other most important and perhaps overlooked benefit of sound ERM practices is that it allows a company to take more risk. It’s very much like the role of brakes in a race car – a car with good brakes can drive faster as it is in better control. Having a good understanding of risk allows an organization to consciously accept risk and allocate resources to high priority areas of risk. It should and will yield better financial results for the enterprise.
What advice can you give for embedding risk management into the core management processes and attitudes of a company?
RQ: In my view a critical step in embedding risk management into the culture of an organization is to establish clearly defined risk tolerances. The whole process of taking objectives as a company and translating those into tolerances is of great value on two fronts: it allows decision makers throughout a company to know that the judgements they are making about the tolerability of risks are consistent with overall corporate instruction, and it stress tests your corporate objectives.
Most complex, large organizations go through some kind of formal planning process to land on strategy. When you translate that strategy into risk tolerances and then apply those tolerances to mitigate risk, you are in effect operationalizing the strategy. When you make decisions about theories of investment, where to apply control or how to apply resources based on risk tolerances, you are effectively strengthening the implementation and awareness of corporate strategy. That’s the key component of embedding risk management into the management culture of a company. As far as management processes, at Hydro One we’ve done that in two key ways. The first is that all our business planning exercises include express descriptions of areas of risk exposure and of how resources are being applied to mitigate or exploit those risks. It’s embedded in our business planning process. The other core business planning process is having all our capital and maintenance expenses justified based on their value in mitigating risk exposure.
How can ERM practices be adapted and sustained as a positive value for an organization?
RQ: The key is continuous evolution and innovation. I am struck by how little the world view of ERM has evolved in the past number of years. There really has not been a lot of innovation in our discipline globally. People are talking now more about Black Swans and also trying to find ways to define risk appetite and risk tolerances. Beyond that there really hasn’t been much advancement in this field. Within an organization it is crucial for ERM practitioners to continually bring forward new ideas and approaches to help line managers solve problems and understand their risk exposures. If as a discipline we stay as static as we have been in recent years, there’s a real concern that the interest corporate global leadership has shown in ERM will wane; it will fade as the latest forgotten management “fad.” We really need to keep innovating.
According to Standard & Poor’s, the international ratings agency, ERM is now more important but is still no panacea. Would you agree and if so what more can be done?
RQ: Of course it’s important, and as our world gets increasingly integrated and complex, obviously the understanding of enterprise risk exposure and its integration into decision making becomes more and more important. And the conscious acceptance of risk is an important part of earning a return for any enterprise. But I can’t imagine that anyone would agree that ERM is an answer to all problems. We will always be limited in our ability to foresee and model risk. ERM is just concerned with the modelling, acceptance, or mitigation of business risk exposure as we understand it today. In my view, the next great frontier of ERM is to improve that understanding by marrying the most useful aspects of the more qualitative view of ERM such as we have been applying at Hydro One, with some of the quantitative methodologies that have long been used to model financial market and credit risk.
The number of regulations affecting Global 2000 organizations can easily exceed a dozen, and it is a struggle to map multiple frameworks and specifications across configuration settings.
How do you address these challenges?
Below is a list of the responses from our LinkedIn community.
Due to the level of interest we have decided to run a webcast on this topic on August 11, 2011: http://bit.ly/o4vjil
Malware refers to malicious software, which includes computer viruses and rootkits. McAfee recently released the McAfee Threats Report: First Quarter 2011. With six million unique samples of recorded malware, the first quarter of 2011 was the most active in malware history.
In February alone, approximately 2.75 million new malware samples were recorded. Fake antivirus software had an active quarter as well, reaching its highest levels in more than a year, with 350,000 unique samples recorded in March.
Mobile malware is the new frontier of cybercrime.
Malware no longer affects just PCs. As Android devices have grown in popularity, the platform has solidified its position as the second most popular environment for mobile malware, behind Symbian OS, during the first three months of the year.
Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting real or phony products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular, and in Australia and China, fake delivery status notifications were the spam of choice. So far this year, we’ve also seen a new trend of “banker” Trojans, malware that steals passwords and other data, using UPS, FedEx, USPS and the IRS as lures in their spam campaigns.
McAfee Labs saw significant spikes in malicious web content corresponding with major news events, such as the Japanese earthquake and tsunami, and major sporting events, with an average of 8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50% led to malicious sites, and on average contained more than two malicious links.
Protect yourself from these and other threats.
McAfee Wave locates, locks, or wipes your phone, and even restores your data when you trade it in for a new one. If necessary, you’ll be able to lock down your service remotely or wipe out important stored data to protect your privacy. You can back up your data directly or use the web to do so remotely. You can access your data online from anywhere, or locate your missing phone and plot its location on a map. If it’s lost or stolen, SIM cards and phone calls can help get it back for you.
Invest in an identity protection service. There are times when you cannot withhold your Social Security number, but an identity protection service can monitor your personal and financial data. McAfee Identity Protection provides alerts if your information is misused, credit monitoring and unlimited credit checks, and if necessary, identity fraud resolution. (For more information, visit CounterIdentityTheft.com.)
Robert Siciliano is a McAfee consultant and identity theft expert.
Over the last two years I've seen several outcries over the supposed great shortage in capable Cyber Warriors. But what does this mean, in terms of required skills? Most articles seem to ask for quite a lot; their Cyber Warriors seem to be required to be able to defend their networks (CND in military parlance), attack their adversary's network (CNA), engage in Cyber Espionage (CNE), reverse engineer malware and probably a bit more.
I found it hard to get a single answer, but SANS seems to agree with the previous list. At least, they do if you go by their Cyber Guardian program, which is essentially a group of SANS certs stacked together. But realistically: do you really need such heavily certified people at every position? And that's not even going into the deeper issue of how capable these people actually are. After all, they may well have gotten through all these exams by just being really good at studying (rather than actually understanding the material).
An article at NPR quotes James Gosler, who is apparently a 'veteran cybersecurity specialist who has worked at the CIA and the NSA', though they don't explain what standards they used to determine his skills. In the article Gosler states that the US would need between 20,000 and 30,000 cyber warriors. It's a number that keeps coming back, but it's not really elaborated on in the article.
A study done by the US Center for Strategic and International Studies (CSIS) also speaks of a human capital crisis in cyber security and may offer some insights that can also be used outside of the US, though of course the numbers will vary. CSIS uses roughly the same numbers as the article but mentions that there are a variety of people and skills involved. From the appendix in the report we learn that CSIS found a shortage in the following roles:
High Priority
CISOs
Systems Operation and Maintenance Professionals
Network Security Specialists
Digital Forensics & Incident Response Analysts
Information Security Assessors
Medium Priority
Information Systems Security Officers
Security Architects
Vulnerability Analysts
Information Security Systems & Software Development Specialists
Low Priority
Chief Information Officers
Information Security Risk Analysts
In my opinion it's a good list, though if positions such as 'Systems Operation and Maintenance Professionals' cover job descriptions such as UNIX, Windows and database administrators, then the 20,000 to 30,000 figure is probably at the low end of the scale. CSIS rightly mentions these people, and it's important to note that they are the backbone of any IT department, everywhere.
You'd think that there are plenty of those folks around in the IT sector, but the key word in this story is 'Capable'. During my years spent in IT I've met many people who work in IT in these positions but can hardly be called that. There are too many hacks in this game, yet many of them hold certifications that should demonstrate otherwise. This, to me, demonstrates that most of the current certification schemes out there simply don't function as well as they should.
What I like about the list is the mention of CISOs and CIOs. In my opinion they are also listed in the right positions, as many CIOs are completely clueless when it comes to the IT sector they are supposedly serving. For some reason unbeknownst to me, IT is the only area where C-level management is chosen based mostly on what their alma mater is and what fraternity they were a member of. When is this going to stop? Why don't CEOs have the common sense to realize that most of their organization runs on its IT infrastructure and it needs a capable manager to run it? Here in the Netherlands, this problem was acknowledged by the Nyenrode Business University, which developed an IT aspect to its well-respected MBA program. It is my belief that more such initiatives should be taken to create better CIOs.
Another worrying trend is using CISOs as firemonkeys: a CISO gets hired to improve security but doesn't get the authority or the budget to actually change things. When a hack does occur and heavy damage is taken, the CISO takes the blame and finds himself fired. A new CISO is hired and the cycle begins anew. The CIO, who really deserves the blame for not taking security to the board of directors where it belongs, comfortably stays put. Small wonder that there's a shortage of CISOs, right? I'd also like to note that hiring new CISOs will do little good if this practice is kept in place.
Looking at the list provided by CSIS, I can only draw the conclusion that the bigger problem isn't the lack of 'Cyber Warriors' but the lack of capable "regular" IT staff. Oh, I'm sure that know-it-all, superhero-grade Cyber Warriors are needed, but I sincerely doubt that we need as many as some people seem to fear. I also wonder if governments would be willing to pay for such expensive certifications (SANS is probably the most expensive on the market) or even the wages these experts should be getting. As you can see, there are questions all around and not many definitive answers. If you have some, please feel free to let me know.
Crossposted from ArgentConsulting.nl
Follow Argent Consulting on Twitter: @argentconsultin
One in five online consumers has been a victim of cybercrime in the past two years. Social networking is a direct link to the problem. While social networks allow you to keep in touch with family and friends, there are issues to be concerned about.
Most concerns revolve around online reputation management, identity theft, or physical security issues. Social networking creates a risk of posting content that will be damaging to yourself, your profile being hacked or your credentials being compromised, or inviting burglars to your home by publicizing your whereabouts.
Facebook faces a security challenge that few companies, or even governments, have ever faced: protecting more than 500 million users of a service that is under constant attack. I’m a huge proponent of “personal responsibility,” and that means that you are ultimately responsible for protecting yourself.
Keep your guard up. Cybercriminals target Facebook frequently. Every time you click on a link, you should be aware of the risks.
Be careful about making personal information public. Sharing your mother’s name, your pet’s name, or your boyfriend’s name, for example, provides criminals with clues to guess your passwords.
Technology can help make social networking more secure. The most common threats to Facebook users are links to spam and malware sent from compromised accounts. Consumers must be sure to have an active security software subscription, and not to let it lapse.
Get a complimentary antivirus software subscription from McAfee. Simply “like” McAfee’s Facebook page, go to “McAfee 4 Free,” and choose your country from the dropdown menu to download a six-month subscription to McAfee’s AntiVirus Plus software. The software protects users’ PCs from online threats, viruses, spyware, other malware, and includes the award-winning SiteAdvisor website rating technology. After the six-month McAfee AntiVirus Plus subscription period, Facebook users may be eligible for special discount subscription pricing.
Robert Siciliano is a McAfee consultant and identity theft expert.
The FFIEC is the Federal Financial Institutions Examination Council, a government body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions, which are relied on by numerous other government, public, private and financial entities.
If there is a “good” place for your tax dollars to head, it’s to the FFIEC. And very recently the FFIEC has issued updated guidelines for financial institutions regarding their cybersecurity and the new threats your bank needs to counter.
Over the past decade, as most of us have banked and bought things online, criminals have formed organized web mobs that sniff out transactions, take over existing accounts and, in some cases, open new accounts.
The FFIEC has pointed this out and has made additional security recommendations since its previous guidance in 2005, based on new kinds of criminal hacking and on new technologies to combat them.
Hacking in its many forms involves compromising a system from numerous vantage points. A network can be hacked from the inside by an employee or former employee with credentialed access, or from the outside by seeking vulnerabilities in the network’s technology. But more often hacking takes place when an account holder’s access credentials, such as username and password, are compromised.
To defend against all of these attacks, the FFIEC recommends that financial institutions adopt what it calls a “layered approach” of anti-fraud tools and techniques. That means it is not simply a matter of applying a firewall and antivirus to protect the network, but of going much deeper: protecting many interaction points within the banking site (not just login, but also the steps where a transaction is initiated, such as adding a payee or transferring funds) and using a variety of proven fraud prevention solutions. The point of layering is that a criminal who has already captured a customer’s username and password still has to get past the controls at each of those later steps.
That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior, and the other devices and accounts they are associated with) the moment they touch the banking website. The FFIEC guidance distinguishes “simple” device identification, which relies on a cookie placed on the customer’s PC and is easily defeated once a criminal copies or replays it, from “complex” device identification, which builds a fingerprint from characteristics of the device itself, so the identifier survives a cleared or stolen cookie. The FFIEC has recognized complex device identification as a viable control that has already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification and builds on device recognition with real-time risk assessment, uniquely leveraging both the attributes and the behavior of the device.
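To make the layered, device-reputation idea concrete, here is an added example that is not part of the original post and not iovation’s or the FFIEC’s code. It fingerprints a device from its characteristics rather than from a cookie, remembers what each device has done (which accounts it has logged into, failed logins, confirmed fraud), and scores every sensitive interaction point, not only login. The attribute list, the action names, the weights and the thresholds are all illustrative assumptions; a real deployment would tune them against its own fraud data.

```python
import hashlib
from dataclasses import dataclass, field

# Device characteristics hashed into the identifier. Which attributes a real
# product collects is vendor-specific; this list is an assumption for the example.
FINGERPRINT_ATTRS = ("user_agent", "screen", "timezone", "language", "plugins")


def device_fingerprint(attrs):
    """Complex device identification: derive a stable id from the device's
    characteristics. A cookie, if present, is ignored, so clearing or never
    having one does not make the device look 'new'."""
    material = "|".join("%s=%s" % (k, attrs.get(k, "")) for k in FINGERPRINT_ATTRS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


@dataclass
class DeviceReputation:
    """What the institution remembers about a device between visits."""
    accounts: set = field(default_factory=set)  # accounts that logged in from it
    failed_logins: int = 0                        # consecutive failed logins
    confirmed_fraud: bool = False                 # tied to a confirmed fraud case


class LayeredFraudEngine:
    """Risk-scores each sensitive interaction point, not only login.
    Weights and thresholds are illustrative assumptions."""
    ACTION_BASE = {"login": 0, "add_payee": 15, "transfer": 25}
    STEP_UP_AT = 40   # ask for out-of-band verification
    BLOCK_AT = 70     # deny and queue for review

    def __init__(self):
        self.devices = {}  # fingerprint -> DeviceReputation

    def _rep(self, attrs):
        return self.devices.setdefault(device_fingerprint(attrs), DeviceReputation())

    def assess(self, action, account, attrs, amount=0.0):
        """Return (decision, score, reasons) for one interaction."""
        rep = self._rep(attrs)
        score = self.ACTION_BASE[action]
        reasons = []
        if rep.confirmed_fraud:
            score += 70
            reasons.append("device tied to confirmed fraud")
        if account not in rep.accounts:
            score += 10
            reasons.append("device new to this account")
        others = len(rep.accounts - {account})
        if others:  # one device driving many accounts is a mule pattern
            score += min(15 * others, 45)
            reasons.append("device linked to %d other account(s)" % others)
        if rep.failed_logins >= 3:
            score += 30
            reasons.append("repeated failed logins from device")
        if action == "transfer" and amount >= 5000:
            score += 20
            reasons.append("high-value transfer")
        if score >= self.BLOCK_AT:
            decision = "block"
        elif score >= self.STEP_UP_AT:
            decision = "step_up"
        else:
            decision = "allow"
        return decision, score, reasons

    def record_login(self, attrs, account, success):
        """Feed the outcome back so the device's reputation reflects behaviour."""
        rep = self._rep(attrs)
        if success:
            rep.accounts.add(account)
            rep.failed_logins = 0
        else:
            rep.failed_logins += 1

    def record_fraud(self, attrs):
        """Mark a device once a fraud case against it is confirmed."""
        self._rep(attrs).confirmed_fraud = True


if __name__ == "__main__":
    # Constructed sample device; not real telemetry.
    dev = {"user_agent": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1366x768",
           "timezone": "-300", "language": "en-US", "plugins": "flash,pdf"}
    engine = LayeredFraudEngine()
    print(engine.assess("login", "acct-1", dev))
    engine.record_login(dev, "acct-1", True)
    print(engine.assess("transfer", "acct-1", dev, amount=6000))
```

The design point is that a stolen username and password alone score low at login, but the same device then hits the transfer-initiation layer with its own score, where a high value, a device already tied to other accounts, or a prior fraud case pushes the decision to step-up or block. The reasons list is what an analyst would want in the fraud queue alongside the score.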
Robert Siciliano, personal security and identity theft expert contributor to iovation.