Technology is an important tool for risk managers. Sue Copeman highlights eight areas where established and new technologies could be crucial in 2009
1 Information management
We’ve all got information running out of our ears. So much comes in; how do we manage it, get into a format that everyone can access, prioritise and store it for future use? And how do we safeguard the confidential stuff that we do not want anyone else to see?
Some major companies view information management as a non-core activity, which means that they’re outsourcing, says Steve Wright, information security specialist at PricewaterhouseCoopers LLP.
As well as delivery of what you want when and how you want it, a key consideration for risk and IT managers is data security. Outsourcing a function does not mean that you have outsourced the risks, as some UK government agencies have found to their cost in recent months.
Information management systems can do some pretty smart things. Capturing business critical data which comes in multiple inconsistent formats and transforming it to enhance specific business processes is clearly helpful. Xenos' recently launched Enterprise Server gets all the information integrated, sorted, archived and indexed. It also allows customers, employees and trading partners to share previously inaccessible strategic information.
Says Jeff Mills, managing director, Xenos EMEA, ‘Understanding the ROI (return on investment) value of information is based on the accessibility and reusability of IT information relative to the cost of acquiring and maintaining it. A superior return on information is achieved when an organisation is able to acquire, maintain, reuse and repurpose existing information resources as often and as effectively as possible. The more efficiently and cost-effectively that can be done, the higher the return.’
Another company, Recommind, has introduced a facility to help organisations explore, preserve and collect electronically stored information to prepare for and comply with litigation, regulatory oversight and investigations. Simon Price, Recommind’s UK director, predicts that the current economic crisis will lead to M&As continuing to be prevalent, and believes that the issue of information management has the potential to make or break the success of deals.
‘Failure to take into account all the valuable and sensitive information stored within both organisations can leave staff without the necessary information to do their jobs, and can also incur hefty financial penalties for breach of compliance regulations.’
Outsourcing is going to get bigger in today’s economic climate, according to David Hobson, managing director of Global Secure Systems. He believes that the continuing effects of the credit crunch will drive companies towards the benefits of ‘cloud computing’ (accessing programs online on a pay-as-you-go basis rather than buying a licence). ‘While this is not a totally bad thing, as it eases cashflow and allows anywhere-anytime access to the files, companies still need to review their IT security resources before migrating to a cloud-based data storage system,’ he says.
Hobson also warns that the traditional approach of firewall + anti-malware + network monitoring does not apply. ‘You are moving into a situation where the integrity of data is in the hands of a third party and, as such, should be checked and verified before that data is used or moved back – even on a temporary basis – inside the company network perimeter, or on to mobile computing device such as a laptop or PDA. We recommend implementing some form of end point security, as well as close adherence to corporate governance rules, which may require the company to impose certain service level agreements on the cloud computing service provider, most notably when it comes to where in the world your company data is being stored.’
2 Fraud prevention
Many fraud prevention programs are directed at financial institutions and transactions. For example, Actimize in conjunction with Fidelity National Information Services recently launched what they describe as ‘an enterprise fraud risk management solution’ to connect and investigate identified and suspected fraudulent activities across organisations, replacing traditional information silos and other disconnected approaches. ValidSoft specialises in authentication and transaction verification solutions, and DigiLog provides risk and fraud detection, primarily based around voice risk analysis technology and processes.
But while the big banking frauds may make the headlines, risk managers in organisations that face a lot of public liability and motor third party claims know that they too have a problem. ‘Legal firms have done a significant amount of work recently in the area of claims analysis,’ says Paul Hopkin, technical director, AIRMIC.
For example, UK legal firm Hill Dickinson offers Netfoil, a counter fraud claims screening database. Users and data providers share claims data in a confidential format to protect commercial interests while at the same time enabling detection of fraudulent claims activity. Netfoil is accessible via the internet, allowing users to screen claimants and their details to identify whether they have a claims history, or are associated with previous fraudulent claims activity. The database captures 160,000 new claims each month.
3 IT security
“The cost of adopting an enterprise wide system means that it's essential to get it right
There are a range of products and providers that can protect your IT systems against viruses, hackers and malware in general.
According to to the latest ScanSafe research, the top five industries most at risk of web-delivered malware are: energy and oil; pharmaceutical and chemical; engineering and construction; transportation and shipping, and travel and leisure. Mary Landesman, ScanSafe’s senior security researcher, says the company was concerned to find that the industries consistently encountering the highest rate of web-delivered malware are those that can have critical bearing on infrastructure and intellectual property rights. ‘Given the sensitive nature of these industries and the serious risks posed … it is rather unnerving to see energy and oil positioned in the top three most at risk sectors,’ she states.
Stonesoft also stresses the growing need for companies to ensure the security of their virtualised environments against increasingly sophisticated attacks.
However, to give Wright the final word here: ‘Technology is now a critical function to nearly 95% of business, but that doesn't mean security should be modelled around technology. In fact the opposite is the case. Like technology, security can be business enabling or enhancing, provided it is designed in and integrated from the outset.’
The laptop is a ‘must have’ for many executives, but the portability which is its main benefit also poses the greatest risks. A number of solutions are available.
For example, UK’s Bracknell Forest Borough Council activated ComputraceOne from Absolute Software on its laptops. The software is used to manage mobile devices, and in the event of a device being lost or stolen, to track and recover it and 'self destruct' any sensitive data to stop it being used for malicious purposes. Richard Dawson, the council’s IT services manager, comments that, ‘In the last three months alone, we have been able to deactivate and remove all data from three decommissioned laptops as well as recover a stolen laptop.’
Alcatel-Lucent’s Nonstop Laptop Guardian allows enterprises to overcome the 'mobile blind spot', defined as a condition where enterprises have no visibility or control over the location, use or configuration of employee laptops. Blind spots increase the risk of government fines, harm to company reputation and hampering of day-to-day operations. The technology gives organisations 24/7 access to employee laptops – enabling them to automatically enforce policies for compliance and deliver software patches and upgrades even if laptops are turned off.
5 Risk management information
Most organisations that want to apply technology to risk information begin with claims, according to Hopkin. Claims management systems can be fairly basic or may be expanded to include additional information.
Some enterprises may prefer to outsource their claims handling to a specialist. UK law firm Hugh James offers Streamline 21, an online claims handling service for corporates, which has been proved to reduce their total claims cost. The system is geared to assist risk analysis and early resolution of claims.
Governance, risk and compliance (GRC) systems are often viewed as essential for embedding enterprise risk management (ERM) across an organisation, marrying auditing, risk and business data to allow a holistic approach. Although, as Hopkin warns, feeding in all the data can be ‘very time consuming’, organisations that choose this route see some clear benefits.
Dominik Geller, head of corporate risk management, F Hoffmann - La Roche AG, which uses Strategic Thought’s Active Risk Manager, sees the greatest value of a good ERM system as being a simple way of recording, prioritising and tracking the perceived risks over time across the organisation. ‘This provides transparency and accountability and fosters the rigour of follow-up. ERM is not about the most sophisticated model, but a comprehensive assessment which brings the key points to the management agenda – unavoidably. To achieve this, an ERM system has to allow analysis of risks, using different metrics depending on the nature of the risk, to accommodate all the different risks in mutual perspective and it must be easily operated globally while allowing the proper security,’ he adds.
Open Pages, which offers an operational risk management (ORM) system, believes that today’s economic crisis has brought renewed focus on ensuring business performance while protecting investors and the corporate brand. ‘Executives are being prompted to re-prioritise the importance of operational risk management within their organisations.’
Risk Decisions specialises in developing and implementing enterprise solutions and services that enable risk to be managed more effectively on large capital projects as well as helping users to meet strategic business objectives and achieve compliance with corporate governance obligations. Features include: the risk hierarchy tree, combined threat and opportunity risk impact grids and automated schedule risk analysis.
“Information management systems can do some pretty smart things
The cost – not just financial but in time as well – of adopting an enterprise wide system means that it is essential to get it right. Gupton Marrs International (GMI) stresses that it is not a vendor of traditionally packaged GRC systems, but focuses on helping firms worldwide in designing and implementing innovative approaches to performance and risk management. ‘We work collaboratively with our clients to implement integrated GRC solutions that ensure that business objectives (for example, revenue enhancement, cost reduction, operational excellence, capital efficiency, etc) are met and that loss events are minimised.’
Finally in this category are niche products, designed to deal with a specific risk or need. Examples are:
Country-Check, a fully customisable country risk management tool for 243 countries and territories worldwide, recently launched by World-Check, which claims it is the most comprehensive ranking index of its kind.
Datix claims management for the healthcare sector
EPIQSM (Environmental Prospective Identification and Quantification) from Willis Group Holdings to generate credible loss distributions for environmental risks
Marsh Accepted Captive RatioAnalysis (MACRA) to allow captive owners to benchmark the performance of their captives against the rest of the industry using comprehensive data
Up and coming...
The categories so far have encompassed some fairly established areas which I believe will continue and grow in importance in 2009. Now for two types of technology which may get onto the risk management radar for the first time.
6 Invasive technology
The age of the über machine is with us. Some developments, such as furnaces tracking how hot they get to indicate whether linings are breaking down are clearly helpful. Others – vehicles that ‘know’ when something’s wrong or that they need a service, checking the driver’s diary and booking themselves into a service station, or systems that monitor workers’ productivity, competence and stress levels and then alert the boss – might seem a shade too far. According to a recent UK BBC radio 3 debate on privacy, we’ll all be able to track each other on CCTV via Google in 10 years. Lots of risks and opportunities here!
7 Radio frequency identification (RFID)
RFID is getting hot. We are all used to tagging in the shape of bar codes on products that we buy in the supermarket. But tagging has some other commercial risk management applications, particularly when applied to paper to safeguard confidential information and intellectual property, or to protective clothing for workers entering a construction site. Watch this space!
My last technology category is one that has been around for a long time – but I believe it is going to get a huge boost in 2009 and beyond.
8 Video conferencing
OK, it’s not sexy, we’ve all been there, done that, but … organisations today are under huge pressure externally to reduce their environmentally damaging footprint and internally to cut costs, which includes the time and expense of travelling. Forget the coffee, video/telephone conferences are the way ahead.
Sue Copeman is editor, StrategicRISK