
Best of 2014

Risk Management Insights Financial Institutions

Data breaches can pose huge risks for bank directors and officers
News reports that the FBI recently has begun investigating data security
breaches at several banks, including some large financial institutions,
are stark reminders that no commercial entity can fully shield itself from
cyber criminals.[1]

Introduction
Shareholders within several companies recently victimized by data security breaches have
launched lawsuits against the enterprises' boards, claiming that executive management
breached its fiduciary duty by failing to ensure that the companies implemented
adequate security measures. What could be a developing legal trend raises the specter
that no less than their personal wealth is at stake for directors and officers who do not
exercise appropriate oversight of their organizations' cyber risks. Citing a litany of alleged
information technology missteps, negligence and shortsightedness, the shareholders
argue that the defendants' lack of attention to data security made their organizations
particularly vulnerable to data thieves.
Always hunting for new litigation opportunities, the plaintiffs' bar very well could view
these lawsuits as templates for shareholder actions against other organizations targeted
by cyber criminals. With studies showing that the number and cost of cyber attacks
against commercial enterprises are rising, and more so in the financial institutions and
banking sector than in others, directors and officers at banks today cannot afford to
ignore these developments.
Executive management at banks, however, also can use this shareholder litigation to their
advantage. Those lawsuits provide directors and officers some clear guidance on the level
of data security protection they should be pressuring their own organizations to adopt to
protect themselves against cyber criminals.

The numbers behind the risk


Banks walk a very high tightrope with customer data, but it is a dangerous act that the
market demands they perform if they are going to be competitive. Customers demand
24-hour access to their accounts through multiple channels, such as ATMs, home and
work computers and their smartphones while out in public.
Greater convenience for customers, however, can also mean increased opportunities for
cyber criminals.

[1] D. Yadron, E. Glazer, D. Barrett. FBI Probes Possible Hacking Incident at J.P. Morgan. Aug. 28, 2014. The Wall Street Journal. online.wsj.com
[2] 2014 Cost of Data Breach Study: Global Analysis. May 2014. Ponemon Institute. securityintelligence.com
[3] The Global State of Information Security Survey 2014. PricewaterhouseCoopers, CIO magazine, CSO magazine. pwc.com

Organizations that suffer data security breaches already face the expense of restoring
their data security, reconstituting corrupted data and, as statutes in 47 other states
plus the District of Columbia mandate, notifying their customers and clients that their
personal information has been compromised. In addition, although they generally are not
legally required to do so, these organizations typically provide credit monitoring services
to their customers in an effort to maintain, or regain, their goodwill.
Overall, according to the Ponemon Institute's 2014 Cost of Data Breach Study: Global
Analysis, the average cost of a corporate data breach is $3.5 million, a 15 percent
increase compared to Ponemon's findings in 2013.[2]
A significant factor that is driving up those costs is the growing volume of data
security incidents. That number is exploding, according to a survey conducted by
PricewaterhouseCoopers in cooperation with the magazines CIO and CSO.[3] In that survey,

Data breaches pose huge risks for bank directors and officers

9,681 corporate executives from companies of all sizes in 115 countries reported that
each of their organizations faced 3,791 security incidents on average over the 12 months
prior to February 2013. That is more than 10 incidents every day and reflects a nearly 27
percent increase from the number reported in the year-earlier survey and a 48 percent
jump from the 2012 survey results. Those events included any adverse incident that
threatens some aspect of computer security, not only successful major data breaches,
the study's authors explain.
The numbers were even worse for financial institutions. Those survey respondents
reported not only a 22 percent higher rate of incidents (4,628 annually on average, or
nearly 13 incidents each day) but also an alarming 169 percent increase over the prior
year's results.
Among the financial institution respondents, 42 percent were from North America. Some
43 percent of the respondents represented either mid-sized or small organizations, and 41
percent represented large institutions. The size of the remaining respondents was unknown.

"The PwC financial institutions survey respondents reported a 22 percent higher rate of incidents, an average of 13 incidents each day."[8]

Financial institutions, like all organizations, could face even greater challenges in
mitigating cyber risk in the near future. A U.S.-like law that would impose notification
responsibilities on organizations that suffer data security breaches, but also impose stiff
financial penalties on those deemed lax in their efforts to safeguard data, likely will be
in place in the European Union by 2016.[4] But the law would reach far beyond Europe,
because it would apply to all organizations operating there, not just those headquartered
within its borders. Moreover, many other countries are in the process of enacting or likely
will adopt comparable measures to maintain their trading status with the European Union,
suggests broker executive Christopher Keegan, a senior managing director at Beecher
Carlson in New York, and law firm Baker Hostetler, which has studied data privacy laws
around the world.[5]

Shareholder derivative-action lawsuits


With their increased exposure to headline-grabbing cyber attacks, the banking sector is
heavily exposed to reputational and brand risk, regulatory actions and monetary losses.
Depending on the resulting financial hit the institution takes, any and all of that fallout
could trigger derivative-action lawsuits and even securities class actions.

[4] EU Data Protection Directive. epic.org
[5] 2014 International Compendium of Data Privacy Laws. 2014. Baker Hostetler. bakerlaw.com
[6] Maureen Collier, derivatively on behalf of Target Corp. vs. Gregg W. Steinhafel, et al. U.S. District Court for Minnesota. January 2014.
[7] Dennis Palkon, derivatively on behalf of Wyndham Worldwide Corp. vs. Stephen P. Holmes, et al. U.S. District Court for New Jersey. May 2, 2014.

In a derivative-action lawsuit, shareholders sue directors and officers on behalf of the
organization, typically demanding that they implement new or modified procedures
or protocols designed to protect the entity from specified risks. In these types of cases,
shareholders do not seek damages for themselves. But they do in securities class-action
lawsuits, which typically are filed following a significant drop in share price after an
organization discloses a significant problem.
That litigation risk seems to be manifesting.
In separate derivative-action lawsuits, shareholders are demanding that two companies
that lost their customers' and clients' personal data to cyber criminals shoulder additional
costs to harden the organizations' data security systems.[6][7] In those cases, filed against
the boards of a major retailer and a hotel/resort chain, the plaintiffs allege the companies'
data security systems, as well as the organizations' responses to major attacks against
those systems, left customer data unreasonably vulnerable.

[8] PricewaterhouseCoopers


The list of plaintiffs' allegations includes that one or both of the companies:
- Failed to take reasonable measures to prevent a security breach by, among other
things, failing to comply with the PCI Data Security Standard.
- Relied on computer servers with an operating system that was so badly out-of-date
that its security software had not been updated for three years. As a result,
customers' credit card information was stored unencrypted.
- Had no internal controls designed to either detect a security breach or report it in a
timely manner.
- Immediately after the attack, issued false and misleading statements about the
significance of the security breach. It initially denied, but later admitted, that
customers' debit card PIN numbers had been stolen. It also suggested the security
breach affected far fewer customers and over a shorter period than it actually did.
- Damaged its reputation by hiding the true extent of the attack in order to prevent
scaring away customers, causing a drop-off of holiday-season revenue.
- Gave customers a false sense of security and further harmed them by failing
to provide the timely information they needed to mitigate the risk to their
personal information.
- Created more bad will and further harmed customers by bungling its offer of aid
after finally alerting customers and offering credit-monitoring services. In attempting
to generate favorable public relations by disclosing how it was providing these
services, the company created an opening for other identity thieves to scam the
company's customers. In emails, the identity thieves posed as the company and
obtained the customers' payment card information.
- Understood, because of the findings of a well-known independent 2007 report on
data security, the risk and likely ramifications of a massive security breach.
The shareholders are demanding that the defendants reimburse their companies for the
harm the executives allegedly caused and that the companies harden their data security
systems. Specifically, the plaintiffs demand that the defendant directors and officers
cover their organizations' remediation costs, including the cost of notifying affected
customers and clients and establishing credit-monitoring services for them, as well as the
organizations' costs to investigate the breaches internally and to respond to the resulting
regulatory inquiries and consumer class-action lawsuits.
In addition, the plaintiffs are asking for the disgorgement of compensation paid to the
individual directors and officers and payment of plaintiffs' attorney fees.
A retailer's data security breach highlights the importance of directors and officers also
ensuring that their organizations have solid vendor management controls in place.
Financial institutions can help to mitigate vendor risks through a combination of contract
provisions and insurance.
In addition, many federal regulatory agencies have opined on vendor risk and how banks
can manage it, including the:


- Federal Reserve Board, in its December 2013 guidance, Managing Outsourcing Risk.
- Office of the Comptroller of the Currency, in its October 2013 guidance on third-party relations.
- Federal Financial Institutions Examination Council, in its October 2012 discussion on
information technology service providers.
- Consumer Financial Protection Bureau, in its April 2012 bulletin.

Securities exposure
Data breaches also increase directors' and officers' exposure to regulatory action and,
potentially, securities class-action lawsuits.


The derivative lawsuits filed against the retailer and hotel/resort chain are instructive,
particularly their demands for reimbursement of the companies' costs to respond to
various state and federal investigations. In one instance, the data breach has become the
subject of a lawsuit filed by a federal regulator. While regulatory activity is trouble enough
for a company, it often, as was the case here, precipitates a derivative action.
The two derivative lawsuits also spend considerable time reciting numerous privacy laws
designed to protect consumer information, as well as various disclosure requirements, as evidence
that the defendants were aware of the significant risk associated with a cyber breach.
As further evidence that the defendants were aware of that risk, both lawsuits point to
the companies' financial statements. In those documents, the companies provided risk
disclosures on data breaches and represented that their internal controls were sufficient
to guard against them, the plaintiffs state.
The focus on disclosure is important. In October 2011, the Securities and Exchange
Commission's Division of Corporation Finance issued guidance stressing that registrants
may be obligated to discuss cyber risks and incidents under a number of disclosure
requirements or when necessary to ensure that other required disclosures are not
misleading.[9] The sections of the financial statement in which registrants may be obligated
to make those disclosures are:
- Risk Factors, if that information would be a critical factor in investors' decision making.
- Management's Discussion and Analysis of Financial Condition and Results of
Operations, if those risks and incidents were materially costly; the consequences
associated with any incident are material; that information indicates an important
trend; or those risks and incidents create significant uncertainty for the organization.
- Description of Business, if an incident has affected the organization's product,
service, customer relations, suppliers or competitiveness.
- Legal Proceedings.
- Financial Statement Disclosures.

[9] Cybersecurity. CF Disclosure Guidance: Topic No. 2. Oct. 13, 2011. Division of Corporation Finance, Securities and Exchange Commission. sec.gov

- Disclosure Controls and Procedures. If a cyber incident could affect the quality of
those disclosures, then management has to consider whether those disclosures have
been rendered ineffective.


The derivative lawsuits' focus on financial statement disclosures about cyber risk, together
with the allegations of insufficient internal controls and of a potential decrease in earnings,
could be fodder for a securities class-action lawsuit.
To raise a securities class-action claim, a plaintiff generally must allege that the defendant
knowingly, or with reckless disregard for truthfulness, made a false statement of material
fact and that the plaintiffs relied upon it, causing the plaintiffs damage. Typically, plaintiffs
allege that they purchased securities based on representations in a company's financial
statement and that the plaintiffs suffered damages when the company's share price
dropped after revelations that those representations were misleading or false.
The derivative lawsuits appear to allege all the essential elements, except for an actual
drop in share price, necessary to raise a securities class-action lawsuit.
Given the increasing frequency of data security breaches and the greater emphasis on
disclosure and management of internal controls, directors and officers should expect to face
securities class-action lawsuits in the wake of a breach, if it triggers a market reaction.

Insurance protection
While directors and officers can be a driving force in their organizations' efforts to fend
off data thieves, data security experts warn that cyber criminals will not be discouraged
easily. In the event of a successful attack, executive management that has demonstrated
strong oversight of its organization's cyber risk controls would have a strong argument
that it and the entity took all reasonable steps to safeguard customer data and,
therefore, should not face regulatory penalties or shareholder litigation.
Still, shareholders may sue. Even if a court eventually dismisses the case because the
board had done all it could to ensure that the organization had robust data security,
the cost of a defense could be significant. So besides ensuring that they are meeting
their fiduciary duties relating to cyber risk, executive management should ensure they
are comfortable with the amount of directors' and officers' liability insurance their
organizations have purchased.

Conclusion
Cyber criminals are relentless. Studies show they will attack an organization's data
security system multiple times daily, in many ways and from different areas of the globe, in an
attempt to steal customers' personal data.
In an environment in which customer data is increasingly under attack, banks must take
extraordinary steps to remain competitive and compliant with numerous regulations and
statutes. Managing cyber exposure must be a critical element of every organization's risk
management philosophy.
Moreover, directors and officers have to do more than merely trust that their
organizations will be vigilant, because shareholders demand strong board leadership on
data security.
Because it's not just if an attack is going to occur, but when.


A1-112004073-A (10/14) 112004073

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures
herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to
reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein
is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We
do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies
and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed
to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The
subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any
insurance policy.

Zurich
1400 American Lane, Schaumburg, Illinois 60196-1056
800 382 2150 www.zurichna.com
2014 Zurich American Insurance Company

WILL YOUR ROOF SURVIVE THE NEXT HAIL STORM?

Hailstorms are a pervasive problem throughout the United States and can wreak havoc
on commercial roofing systems. Understand the composition of hail-resistant roofs in
the event that repair or replacement is needed.

"One of the major loss costs of any hailstorm is a roof. Hail damage can be traumatic
to a business operation."
Mike Cincinelli, CAT team manager, Zurich North America

HAIL'S FORCE
As hail size increases, so does its strength or impact energy as it pelts commercial roofs.
The velocity at which hail hits a roof greatly influences damage.
[Infographic scale, from smallest to largest hail: minimal to no damage; significant damage; severe damage]

COMMON SIGNS OF ROOF DAMAGE FROM HAIL
- Missing, bruised, dented, cracked or broken shingles
- Loosened shingle granules that collect in gutters or downspouts
- Leaks in roof or ceiling
- Dents on vents, gutters or flashing

WHY IS HAIL DAMAGE COSTLY?
Roof replacement: Labor costs associated with roof removal, to make way for a new roof,
can increase costs.
Roof repairs: Leaking roofs can often damage building interiors, spurring costs for roofing
and interior repairs. Necessary repairs might uncover compliance issues, like the discovery
of asbestos, whereby remediation is required and expensive.
Damaged equipment: Expensive rooftop equipment like damaged HVAC units or solar panels
might need to be replaced.

PREVENTATIVE MAINTENANCE
- HVAC hail guards can protect expensive-to-replace condensers from damage.
- Enlist a professional roofing contractor for an annual inspection.
- Roof surface blisters can be cut out and repaired without overhauling the entire roof.
- Age matters: The younger the roof, the more resistant it might be to hail.

Ask your roofing contractor if the roof is rated as a Class 3 or 4 structure, a standard
threshold for hail-resistant roofs, which considers the following qualities:
1. Thickness: Consider the type of roof to determine if thicker is better.
2. Substrates: A firm, dense layer beneath any roof membrane is needed to thwart hail damage.

Source: Insurance Institute for Business and Home Safety, http://www.disastersafety.org/hail/protect-homes-from-damage/



Deciding what
opportunities to
fund, which risks
to protect
The critical role of enterprise risk
management in strategic decision making
By Linda Conrad
Director of Strategic Business Risk
Zurich Global Corporate

Table of contents
- Enterprise risk management (ERM) as a strategic planning and profitability tool
- External and internal drivers of ERM for today's organizations
- ERM: Less business continuity, more business resilience
- Building an ERM framework
- Developing a risk cultural shift toward risk accountability
- Creating a risk management policy ... 10
- Technology support of ERM ... 10
- Risk management and ISO 31000 ... 11
- The strategic benefits of ERM ... 13

Deciding what opportunities to fund, which risks to protect

Enterprise risk management as a strategic planning and profitability tool

Taking risks is a necessary part of growing a business and adding stakeholder value. An
organization that operates too cautiously and misses product or market opportunities can
have difficulty attracting the best talent and investor capital. While the upside of risk is
the ability to strategically seize business growth opportunities, today's complex world has
also revealed the downside of risks. Fragile global supply chains, technology dependence,
increased speed of product cycles, and complicated financial models and relationships
continue to multiply the breadth and depth of risks facing organizations.


Failure to either anticipate growth opportunities or plan for negative events can have
serious consequences on business operations, including loss of customers, inadequate
asset protection, failure to meet regulatory requirements, lower profitability and share
price. How can the senior management of an organization be more aware of their
potential risks, both the upside and downside? Recently, there has been an intensifying
interest in enterprise risk management, or ERM, as a tool to enable organizations to
consider the potential impact of all types of risks on their processes, products, services,
activities and stakeholders. In short, an effective ERM approach can help an organization
make the most efficient use of its capital. By determining what growth opportunities to
fund, and what potential risks need budget support, an organization can better ensure it
will meet its business objectives today and into the future.
Financial results show that a robust risk culture can be the basis for improved profitability.
A study by FERMA in 2012[1] found that firms with advanced risk management practices
exhibited stronger EBITDA and revenue results over the past five years than did those
with emerging risk cultures. Review of over 800 firms in 20 countries concluded that:
- 75% more firms with advanced risk management practices had EBITDA growth
of over 10%
- 62% more firms with advanced risk management practices showed revenue
growth of 10%
The study validates that creating an active risk culture can directly correlate to stronger
financial results, as the entire firm becomes more aware of and accountable for the
potential obstacles standing in the way of success.
The wide array of economic, geopolitical, environmental, technological, supply chain
and other risks of the last decades has heightened the call for a more rigorous risk
management approach to business resiliency by organizations. Events like Enron and
BP, the recent credit crisis, and catastrophes like the Asian tsunami, the Thai floods or
Superstorm Sandy have led to the emphasis on the need to embed and enhance risk
management practices. A renewed focus on enterprise resilience can help in prioritizing
capital toward optimizing the risk/reward balance. This requires applying a risk lens and
techniques to both minimizing disruptions and maximizing growth. A resilient enterprise
is better able to anticipate surprises, recover from disruptions, adapt to changing
conditions and leverage emerging opportunities. The goal is simple: funding the right
amount of the right risks at the right time, to help turn risk into results. How to attain
this goal is the business objective of Enterprise Risk Management.

[1] FERMA Risk Management Benchmarking Survey 2012, Keys to Understanding the Diversity of Risk Management in a Riskier World. www.ferma.eu


External and internal drivers of ERM for today's organizations

Enhancing an organization's growth opportunities, improving financial and operational
performance, and reducing losses are some of the internal drivers that spark the
development of an ERM framework within organizations today. However, there are
significant external drivers, primarily regulatory and legal, that are challenging
organizations to formalize their risk management processes. In short, it's just becoming
good business practice.


Corporate boards, facing heightened regulatory and ratings scrutiny, are beginning to
insist that management provide sophisticated reports linking risks to their impact on
an organization's objectives. Many boards are also more engaged in the oversight of
management's risk monitoring processes to determine whether the risks assumed to meet
performance objectives are embraced throughout the organization and within established
limits. Also of interest to boards is how management's response to existing risks has
either helped or hurt the long-term strategies of the organization.
As early as 2001, the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) began efforts to develop a framework that could be used by
corporations to evaluate and improve their organizations' enterprise risk management.
As defined by COSO, enterprise risk management is "a process, effected by an entity's
board of directors, management and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives."[2]
In 2004, the New York Stock Exchange issued corporate governance rules that require
audit committees of listed corporations to discuss risk assessment and risk management
policies. Executive compensation arrangements are a key area of regulatory attention
because there is concern that these arrangements may have encouraged excessive
risk-taking in the past, where there has been an undue emphasis on performance without
due consideration of risks.
In 2008, Standard and Poor's (S&P) began assessing ERM processes as part of its
corporate credit ratings analysis. S&P reports that in their reviews with rated issuers in
the U.S. and Europe, they have discovered a wide range in the level of adoption, formality
and engagement of ERM.[3] In particular, S&P noted that:
- Silo-based risk management, focused only at the operational managers' level,
continues to be prevalent.
- Companies with a true enterprise-wide approach to ERM appreciate the importance
of going beyond only quantifiable risks and increasingly understand the importance
of emerging risks.
- Companies often facilitate their ERM execution via separate structures, with
associated roles and responsibilities clearly defined.

[2] Strengthening Enterprise Risk Management for Strategic Advantage. Committee of Sponsoring Organizations of the Treadway Commission, 2009. www.coso.org
[3] Progress Report: Integrating Enterprise Risk Management Analysis into Corporate Credit Ratings. Standard & Poor's Ratings Direct, July 2009. www.standardandpoors.com/ratingsdirect

In July 2009, the SEC proposed rules that would require management to increase its
disclosures of information that describe the overall impact of compensation policies on
risk-taking. The proposed rules would also require disclosure in a proxy statement about
the board's role in the company's risk management process, and the effect that this has
on the way the company has organized its leadership structure. The SEC believes that
disclosure should provide information about how a company perceives the role of its
board and the relationship between the board and senior management in managing the
risks facing the company. SEC Chairman Mary Schapiro stated, "I want to make sure
that shareholders fully understand how compensation structures and practices drive an
executive's risk-taking. The Commission will be considering whether greater disclosure
is needed about how a company, and the company's board in particular, manages
risks, both generally and in the context of setting compensation."
Sen. Charles Schumer, D-N.Y., introduced the Shareholder Bill of Rights Act of 2009
that would require corporations to establish a risk management committee comprised
of independent directors. Additionally, the U.S. Treasury Department is considering
requiring compensation committees of public financial institutions to disclose strategies
for aligning compensation with sound risk management. While this focus is on financial
institutions, the link between compensation structures and risk-taking has implications
for all organizations. Ratings agencies and analysts have also taken a keener interest in
governance efforts.
Also in 2009, a new international standard was published, ISO 31000 [4], that clarifies
and builds on the risk principles set out in the Australian and New Zealand standard
developed in 2004 (AS/NZS 4360:2004). ISO 31000 defines a risk management framework
as the "set of components that provide the foundations and organizational arrangements
for designing, implementing, monitoring, reviewing and continually improving risk
management throughout the organization." The ISO 31000 standard and risk management
organizations such as RIMS or the IRM also offer step-by-step guidance for establishing
or expanding an ERM framework to assist organizations in improving risk oversight to
help protect profitability.
In May 2013, S&P announced an update on their efforts with the following
announcement: "Elements of enterprise risk management that we highlighted as
important in our ratings on non-financial companies more than five years ago have now
completed a migration to our broader assessments of management and governance
(M&G). Following new M&G criteria published on November 13, 2012, we have now
completed an assessment process across our global portfolio of almost 4,000 nonfinancial
companies worldwide." S&P uses the management and governance score to
modify its evaluation of an enterprise's business risk profile, a key component of its credit
rating. Worldwide, Standard & Poor's assigned management and governance scores to
3,868 companies: only 8% were "strong" and 32% were "satisfactory", while 57%
were "fair" and 3% "weak" [5].
Clearly, the need to create a robust ERM framework is something no senior executive
team can ignore today. Risk management has moved beyond just the purview of the
CFO, accounting, or legal department to become an enterprise-wide responsibility. Today,
a limited approach to identifying, assessing and monitoring risks is not enough.

4. ISO 31000, Risk management: Principles and guidelines, International Organization for
Standardization, 2009. www.iso.org
5. Standard & Poor's M&G release, North America, dated May 17, 2013

ERM: Less business continuity, more business resilience


Particularly during economic downturns, risk management is often used as a synonym
for business continuity management. While the two processes share much in common,
including similar methods, they are different concepts. As defined in this paper, risk
management identifies risks that may or may not be threatening to the continued
effective operation of an organization, paying equal attention to those identified as
good risks when associated with growth opportunities.

Business continuity management deals with factors that may cause significant business
disruption or may damage the organizations reputation. It emphasizes preparing the
organization for and bringing the organization back from a threatening event. In other
words, business continuity management is an application of risk management in the
context of threatening risks and emphasizing a timely recovery after an incident.
Enterprise risk management, on the other hand, sets down a structured framework for
the organization to identify, rank, and control all the risks concerned. The purpose of this
broader assessment is to create a more resilient business: one that is better prepared to
adapt to changing conditions and leverage emerging opportunities, as well as anticipate
surprises and recover from disruptions. Effective enterprise risk management goes hand in
hand with a business resilience process by creating a proactive infrastructure for dealing
with risks systematically, holistically and successfully.

- Do you know the critical risks which threaten the continuity of your business?
- Do you know what activities should take priority?
- If it happens, would you know how to recover?
- Are your employees and your organization well prepared?

[Figure 1: Visualization of a typical business interruption as loss of productivity vs. time.
The chart plots Productivity against Time: productivity falls from Normality at the Event,
then returns through Emergency Salvage and Restoration with Business Continuity
Management and Business Recovery; three phases are marked 1, 2 and 3, and the
"Willingness of customer to wait" bounds the acceptable recovery time.]

Building an ERM framework


Effective risk management today requires an enterprise approach that views risk from all
angles: a strategic, 360-degree view supported by tactical, holistic solutions. Achieving
this broad view helps ensure business resilience, reduce total cost of risk, and protect
profitability by improving a corporation's ERM framework. See Figure 2, the Enterprise Risk
Management Wheel, which divides risks into five main categories.

As this wheel demonstrates, an organization with a holistic, 360-degree view of risk
can better uncover and manage its business challenges, including operations and
procedures, management styles and strategies, industry issues, emerging risks and
more. ERM can provide the framework for identifying both threats and opportunities
across the enterprise, assessing them in regards to probability and possible impact,
developing a response strategy and monitoring the achievement of objectives.

[Figure 2: Enterprise Risk Management Wheel by Zurich Strategic Risk Services. Ring
labels visible in the figure: "Keeping your business", "Understanding your business",
"Understanding risk across your business".]

A 360-degree ERM process can help organizations meet these strategic objectives:
- Protecting the capital base: an ERM review can potentially drive meaningful financial
benefits, including a reduced cost of servicing debt, improved access to capital and a
lower cost of capital.
- Enhancing value creation and contributing to an optimal risk-return profile: ERM can
increase the probability of the upside and decrease the probability of a downside.
- Supporting the corporate decision-making process: for senior management, ERM can
demonstrate the incorporation of risk information into decision-making, especially for
rated companies that need to score well on the S&P ERM assessment.
- Protecting reputation and brand by promoting a sound culture of risk awareness: ERM
can increase investor confidence through proven management accountability for risk.
Zurich's report on applied risk management, developed for risk managers after the credit
crisis, summarized the lessons learned from the failures of those companies that did not
perform a strategic risk management process:
1. Understanding individual risks is not enough: organizations must account for
inter-linkages and remote possibilities.
2. Extreme events must be factored in: the world does not follow a normal, even
distribution, and Black Swans can appear at any time.
3. Determine the corporate risk appetite: the strategic function of ERM is to guide
corporations in determining their choice of trade-offs between risk and reward.
4. Quantitative models are important, qualitative judgments are imperative: the arsenal
of risk management tools is lengthy, but models cannot replace judgment.
5. A risk culture starts at the top: to entrench risk management across an organization
takes a strong, top-down approach applied across the organization.

Developing a cultural shift toward risk accountability


Turning risk into a competitive advantage requires accountability. We cannot deploy an
effective and consistent approach to managing risk and opportunity until we understand
how we address risk as individuals and teams. Failing to tackle issues of risk management
head-on can expose your firm to the blind side of risk, potentially costing you money
and causing you to miss growth opportunities in critical areas such as:
- Mergers and acquisitions
- Private equity portfolio management
- Expanding global footprint
- Corporate downsizing
- Change in leadership
- Corporate reorganization and rebranding
- Enterprise risk management
- Cloud computing/cyber security and privacy
- Sale of business units
- Business continuity, crisis response and safety
Turning risk into a competitive advantage may require a cultural shift toward greater
risk accountability. Such a shift may be needed to improve the understanding and
management of risk throughout your organization, and to drive critical corporate
communication between the C-suite, the board and employees.
It starts by mapping each individual's predisposition to risk, and then aligning it with
the corporate goals. Ownership of and accountability for risk can be increased through
proven management and behavioral science strategies. The process can then be made
continuous through a living risk culture dashboard, aligned to your strategic and
operational objectives.
An embedded and open risk culture can improve collaboration and encourage dialog that
can help you establish key risk indicators tied directly to key growth and performance
metrics. This positive risk culture can help you better understand your risk landscape and
build an ERM framework that addresses risk proactively to improve business resilience and
profit potential.
How can you deal with the risks that you may not even know exist? Can you efficiently
prioritize and budget resources for critical strategic and operational risk mitigation? What
is the true risk appetite of your organization? It is challenging to incorporate risk
considerations into strategic planning, budgeting, supply chain management, business
continuity or other operational activities. A company must evaluate the risk/reward
balance and also ensure that its risk management culture is consistent and effective
across the enterprise.

Creating a risk management policy


What's clear from these lessons is that the important tasks of determining corporate risk
appetite and deploying qualitative judgments must be sanctioned by those at the very
top: senior management and the board. In order to provide this type of top-down
guidance, many organizations issue a risk management policy each year. The benefits
of creating this type of policy are many, and include keeping the overall risk management
approach in line with current best practice, focusing on the intended benefits for the
coming year, identifying the risk priorities and ensuring that appropriate attention is paid
to emerging risks.


In a report, "A structured approach to ERM and the requirements of ISO 31000," issued
by the Public Risk Management Association in the U.K. in early 2010, a risk management
policy structure was included that can help corporations ensure their ERM approach is
updated and disseminated throughout the organization each year. The following sections
were recommended in developing an ERM policy:
- Risk management and internal control objectives (governance)
- Statement of the attitude of the organization to risk (risk strategy)
- Description of the risk-aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organization and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analyzing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

Technology support of ERM


For many organizations, the top-down commitment required of an ERM program can
be the difficult aspect to embed. Effective utilization of technology can support this
objective, and while it cannot replace a good process, it can serve as an invaluable
support tool.
Complex organizations often attempt to utilize common spreadsheet applications to
bolster their enterprise risk management effort, with the result being a frustrating lack
of functionality. Despite significant efforts to manage risk holistically, many companies
fail to integrate software that can fully support ERM objectives. Utilizing ERM software
can enable a company to amplify its risk management efforts and magnify its insights
without creating the need to scale resources accordingly. ERM-specific software is
designed to support the user through each distinct stage of the ERM cycle (including
establishment of context, risk identification, risk analysis, risk evaluation, risk treatment,
monitoring and review).
A software solution can support this growth by providing a solid foundation in the early
stages, while including more advanced functionality to be used as appropriate along the
journey. Over time, software will enable a company to align its risk appetite more closely
with its corporate strategy. In addition, it enables the company to optimize its capital
allocation and reduce its total cost of risk.
Perhaps the biggest advantage ERM software has over traditional tools is the capability
to monitor and track risks within its built-in risk register. This risk register is capable
of distinguishing between corrective and preventative controls, enabling the user to
compare and explore combinations of various options. The tool may also be capable
of displaying the residual risk that remains after a control has been implemented, and
instantly reporting on the status of a company's risk profile in a dynamic way. Since a
variety of user groups need to access risk reports, ERM software can provide a multitude
of ways to make use of data depending on the strategy setting.
When choosing a software program to facilitate an ERM initiative, it is imperative that
it can be seamlessly integrated into an organization. Therefore the configuration of the
software must be adaptable to the company's operating structure. The foundational
ERM framework should be modeled after ISO 31000 or a similar standard, utilizing
the following inputs: contexts, risks, consequences, preventative and corrective controls,
triggers, and mitigation activities. While it may seem insignificant, using the appropriate
terminology may be the first major step towards an effective ERM program. Additional
considerations when choosing an ERM software application are:
- Ease of use: can the frontline utilize the interface with minimal training?
- Relevant analysis: will the software produce impactful information?
- Prioritization: can the company's risk identification process be incorporated?
- Notification: will the software actively alert users as appropriate?
In this era, companies face substantial pressure to be transparent about risk. This
becomes increasingly difficult as globalization creates a complex environment of
interdependency. The trend of risks becoming more difficult to manage will certainly
continue, so implementing a software tool capable of growing with the needs of the
company at an early stage is critical to a valuable ERM program.
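As an added illustration (not code from the Zurich paper or from any ERM product), the following Python sketch shows the mechanics that a risk register of the kind described above implements: each risk is scored on a likelihood and impact scale, preventative controls lower likelihood while corrective controls lower impact, the residual score is compared against a stated risk appetite, and alternative combinations of controls can be compared before budget is committed. The five-point scales, the multiplicative control-effectiveness model and the sample register entries are assumptions chosen for the example, not a Zurich or ISO 31000 method.

```python
"""Minimal ERM risk register (added illustration, assumed scoring model).

Stages of the ISO 31000 cycle are marked in comments: context, identification,
analysis, evaluation, treatment, monitoring. Scales and numbers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class Control:
    name: str
    kind: str            # "preventative" lowers likelihood, "corrective" lowers impact
    effectiveness: float  # fraction of likelihood or impact removed, 0.0 to 1.0 (assumed model)

    def __post_init__(self) -> None:
        if self.kind not in ("preventative", "corrective"):
            raise ValueError(f"unknown control kind: {self.kind}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


@dataclass
class Risk:
    context: str          # context: which part of the business owns the risk
    name: str             # identification
    likelihood: int       # analysis: 1 (rare) to 5 (almost certain), assumed scale
    impact: int           # analysis: 1 (negligible) to 5 (severe), assumed scale
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Score before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self, only: Optional[Iterable[str]] = None) -> float:
        """Score after controls; `only` restricts to a named subset so options can be compared."""
        chosen = set(only) if only is not None else {c.name for c in self.controls}
        likelihood, impact = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if c.name not in chosen:
                continue
            if c.kind == "preventative":
                likelihood *= 1.0 - c.effectiveness
            else:
                impact *= 1.0 - c.effectiveness
        return round(likelihood * impact, 2)


def rank(register: List[Risk]) -> List[Risk]:
    """Evaluation: highest residual risk first, name as a deterministic tie-break."""
    return sorted(register, key=lambda r: (-r.residual_score(), r.name))


def exceeding_appetite(register: List[Risk], appetite: float) -> List[str]:
    """Monitoring: names of risks whose residual score is still above the stated appetite."""
    return [r.name for r in rank(register) if r.residual_score() > appetite]


def compare_options(risk: Risk, options: Dict[str, List[str]]) -> Dict[str, float]:
    """Treatment: residual score for each candidate combination of the risk's controls."""
    return {label: risk.residual_score(only=names) for label, names in options.items()}


def build_sample_register() -> List[Risk]:
    """Constructed sample entries with assumed values; not real company data."""
    return [
        Risk("IT operations", "Customer data breach", likelihood=4, impact=5, controls=[
            Control("MFA on admin access", "preventative", 0.5),
            Control("Offline backups and IR plan", "corrective", 0.4),
        ]),
        Risk("Supply chain", "Key supplier failure", likelihood=3, impact=4, controls=[
            Control("Supplier financial monitoring", "preventative", 0.25),
        ]),
        Risk("Facilities", "Tornado damage to HQ", likelihood=2, impact=5, controls=[
            Control("Tornado-hardened server room", "corrective", 0.6),
        ]),
        Risk("Compliance", "Regulatory fine for late disclosure", likelihood=2, impact=3),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in rank(register):
        print(f"{r.name:36} inherent={r.inherent_score():2} residual={r.residual_score()}")
    print("above appetite 8.0:", exceeding_appetite(register, 8.0))
    breach = register[0]
    print(compare_options(breach, {
        "no controls": [],
        "MFA only": ["MFA on admin access"],
        "MFA + backups": ["MFA on admin access", "Offline backups and IR plan"],
    }))
```

Running the block prints the register ranked by residual risk, the risks still above the appetite threshold, and the treatment options for the breach risk. The appetite value and the scoring scale are exactly the items the risk management policy described in the "Creating a risk management policy" section above should fix, so that every business unit scores against the same yardstick rather than its own spreadsheet.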

Risk management and ISO 31000


On November 15, 2009, the International Organization for Standardization (ISO)
published ISO 31000:2009, Risk management: Principles and guidelines. ISO 31000
is the first of the ISO 31000 series of risk management standards to be published by ISO.
Also in this family of standards are:
1. ISO Guide 73:2009, Risk management: Vocabulary. This guide provides the
definitions of generic terms related to risk management and aims to encourage a
consistent understanding of, and a coherent approach to, the description of activities
related to risk management as well as terminology.

Deciding what opportunities to fund, which risks to protect

11

2. ISO/IEC 31010, Risk Management Risk Management Techniques. This is


a supporting standard for ISO 31000 offering guidelines on the selection and
application of systematic techniques for risk assessment.
ISO 31000 is designed to help organizations build an ERM framework that can:
- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve financial reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment
- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimize losses
- Improve organizational learning
- Improve organizational resilience
Although ISO 31000 provides generic guidelines, it is not the intention of the standard
to promote uniformity of risk management techniques across all organizations. Rather,
it is to promote the adoption of consistent processes so as to ensure that risk is managed
effectively, efficiently and coherently across organizations.
The ISO 31000 standard will be useful to:
- Those responsible for implementing risk management within their organizations
- Those who need to ensure that an organization manages risk
- Those needing to evaluate an organization's practices in managing risk
- Developers of standards, procedures and instructions relating to managing risk

The Conference Board study showed that a strong ERM program is a factor in increasing
revenue and shareholder value:
- 80% Increased management accountability (shareholder confidence)
- 79% Smoother governance practices
- 59% Increased profitability
- 62% Reduced earnings volatility (less volatility)
- 86% Better informed decisions (learn from risk information and mistakes)
The strategic benefits of ERM


The benefits of developing a new ERM framework, or improving upon an existing, more
basic one, include:
- Minimizing barriers to achieving objectives and maximizing strategic growth opportunities
- Reducing variability in expected business outcomes to enhance value creation advantage
- Generating superior business intelligence to enable improved strategic decision making
- Decreasing total cost of capital through optimizing the balance of risk and opportunity
- Identifying key exposures, quantifying critical activity, and solidifying value chains
- Demonstrating the benefit of increased risk transparency across your organization
- Using additional risk information to improve risk transfer and decrease negative events
- Protecting tangible and intangible assets to minimize impact on bottom line profitability
A study of hundreds of organizations by The Conference Board [6], a leading global
not-for-profit management research organization, showed that a strong ERM program is a
factor in increasing revenue and shareholder value. According to the survey respondents,
the incorporation of a sophisticated risk management program yielded increased
management accountability, smoother governance practices, increased profitability,
reduced earnings volatility and better informed decisions based on risk intelligence.
Clearly, managing risk can no longer be left to one person such as a Chief Risk Officer or
siloed into one department, but demands a transparent approach to strategic decisions
and daily operations. ERM can encourage resilience and protect profitability in an
ever-changing business climate. Applied robustly across all areas of an organization, a
strategic ERM process will efficiently manage available capital, funding the appropriate
growth opportunities while budgeting for potential risks.

6. From Risk Management to Risk Strategy, Report #1363, The Conference Board,
www.conference-board.org

Sources:
- Enterprise Risk Management: Complacency is No Longer an Option, But a Practical
Start Is, KPMG, 2006, www.kpmg.com
- Effective Enterprise Risk Management starts with a Conversation, American Institute
of Certified Public Accountants, September 2009, www.aicpa.org
- ISO 31000, Risk management: Principles and guidelines, International Organization
for Standardization, 2009, www.iso.org
- Strengthening Enterprise Risk Management for Strategic Advantage, Committee of
Sponsoring Organizations of the Treadway Commission, 2009, www.coso.org
- Progress Report: Integrating Enterprise Risk Management Analysis into Corporate
Credit Ratings, Standard & Poor's RatingsDirect, www.standardandpoors.com/ratingsdirect,
July 2009
- Christina, Diana, Dissecting the Anatomy of ISO 31000,
www.dianechristina.wordpress.com/2010/02/05/dissecting-the-anatomy-of-iso-31000/
- Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk
Management: Integrated Framework, Executive Summary, September 2004
- Good Practice Guidelines 2008, Business Continuity Institute

Strategic Risk Services, Zurich Services Corporation
Zurich's Strategic Risk Services helps organizations improve their business performance
through an Enterprise Risk Management approach to strategic, operational and financial
exposures. This broad, 360-degree view helps businesses ensure resilience, reduce total
cost of risk, protect profitability, and enhance capital efficiency.

Zurich
1400 American Lane, Schaumburg, Illinois 60196-1056
800 382 2150 www.zurichna.com

A1-112001632-A (06/13) 112001632

The information in this publication was compiled from sources believed to be reliable for informational purposes only.
All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and
procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may
serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice
and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the
accuracy of this information or any results and further assume no liability in connection with this publication and sample policies
and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that
this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be
appropriate under the circumstances.
The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and
procedures ensure coverage under any insurance policy.
2013 Zurich American Insurance Corporation

Five Tips for Every Business to Become Tornado-Aware

Unlike hurricanes, which can be tracked days in advance of making landfall, tornadoes
can appear suddenly, allowing only a few hours for warnings of deadly storm conditions
to be issued. Occasionally, tornadoes develop so rapidly that little, if any, advance
warning is possible. And while the path of a tornado is far narrower than that of a
hurricane, tornadoes can be more destructive to homes and businesses.
The peak wind speed of a Category 5 hurricane rarely exceeds 180 miles per hour, while
an EF5 tornado has estimated wind speeds in excess of 200 miles per hour by definition
and can generate maximum wind speeds of greater than 250 mph. EF5 tornadoes can
be powerful enough to strip the bark from a tree! [1]
Fortunately, companies can take steps to help protect people, property and business income.
The key factors are preparedness, vigilance and rapid response to dangerous conditions.

How to help minimize injuries, property damage and business losses
1. Plan in advance to protect people.
Preparedness is essential to helping protect people in an emergency situation.
Some of the key elements of a tornado safety program include: [2]
- Identifying the safest areas in a building so employees know where to congregate in
the event of a warning;
- Designating the roles and responsibilities of supervisors and employees, including the
appointment of a tornado warden (typically the same person as the fire warden);
- Practicing for an event with tornado drills; and
- Posting signs in public buildings to direct customers and visitors to safe areas.
The safest areas for employees to seek shelter typically include basements, hallways,
interior stairwells and small internal first floor rooms. For businesses in tornado-prone
areas, consider constructing a tornado-hardened safe room.
2. Take actions to help minimize property damage.
Few structures can survive a direct hit by an EF5 tornado, but most tornadoes are far
less powerful, and much of the damage is caused by debris hurled by the storm rather
than direct damage from high winds in the vortex. Some practical steps to help minimize
property damage from a tornado include: [3, 4]
- Securing outdoor gear and outbuildings to prevent them from becoming
airborne missiles;
- Reinforcing vulnerable areas of a building, such as adding supports to garage doors
and bracing and strapping the roof;
- Housing servers and other vital equipment in protected areas of a building, preferably
in tornado-resistant server rooms; and
- For new construction, working with an architect or contractor to incorporate wind
mitigation techniques and high wind-rated products.

1. Jonathan Erdman, "F/EF5: The Most Violent Tornadoes," The Weather Channel,
www.weather.com
2, 4. "Steps to Reduce the Risks of Tornado Damage in Commercial Structure," Insurance
Institute for Business and Home Safety, www.disastersafety.org
3. "Simple Tips to Reduce High Wind, Tornado Damage," FEMA, www.fema.gov

3. Prepare in advance to help maintain business continuity.
Continuity and disaster recovery planning is essential to help businesses bounce back
after any sort of catastrophe, not just tornadoes. However, the potential for total
destruction of an individual property from a tornado, combined with the likelihood of
severe damage to local infrastructure, makes a well-conceived continuity and disaster
recovery plan all the more essential.
Specific elements of continuity and disaster recovery plans will vary by size and type of
business, but questions to address typically include:
- How employees will communicate;
- Where employees will work;
- How manufacturing and other critical business operations will continue until a
damaged building is repaired or replaced;
- How data and information technology will be restored; and
- How supply chain logistics will be maintained.
4. Monitor the weather when conditions are threatening.
Forecasters can sometimes identify potentially deadly weather systems forming more
than a day in advance of tornadoes being spawned, and Doppler radar can significantly
improve the timeliness and accuracy of spotting tornadoes that have formed or are in
the process of forming. However, advance warnings are not helpful if they are not heard
and heeded. The National Weather Service provides local weather broadcasts over a radio
network called NOAA Weather Radio from over 1,000 different transmitters nationwide.
Businesses should buy a NOAA Tone Alert Weather Radio, and the tornado warden or
another designated employee should monitor information from the National Weather
Service as well as from local radio and television stations.
5. Take warnings seriously and act quickly.
Most often, the aftermath of a tornado warning is a funnel cloud producing little or
no damage, or sometimes even no tornado at all. As a result, many people become
complacent and underestimate the danger inherent in a severe weather situation.
Weather service officials in some areas are now enhancing warning communications to
convey a sense of urgency for extreme events. For example, one warning in advance of
a powerful EF3 tornado proclaimed: "This is a life-threatening situation. You could be
killed if not underground or in a tornado shelter." [5] But even in the absence of enhanced
communications, every warning should be taken with the utmost seriousness, and
appropriate measures should be taken immediately to protect lives and property.

Insurance
Most property insurance policies provide insurance protection for tornado damage to
both real and personal property. These policies also may cover costs to remove, clean
up and dispose of debris after a tornado. Companies also should consider time element
coverages, especially Business Interruption and Extra Expense, which cover lost business
profits and the additional expenses to keep a business running while insured property
is being restored or replaced. Civil Authority and Ingress/Egress coverages cover lost
business profits due to disruptions caused by the inability of customers or employees to
access a building.
5. Manny Fernandez and Matt Flegenheimer, "100 tornadoes, 5 deaths: New early
warning puts Midwest towns on notice to take care," New York Times, April 16, 2012,
www.twincities.com

Even if a company is undamaged by a tornado, its business still may be disrupted if
suppliers are damaged and unable to deliver goods to the company, or customers are
damaged and are unable to receive goods. Contingent Business Interruption coverage
can provide insurance protection for this scenario. Companies should work closely with
their brokers to identify their tornado-related exposures, and to assure they have enough
of the right coverages.

Conclusion
Tornado damage can cripple or even destroy a company, but businesses are not helpless
in the face of even the most powerful twister. Advance preparation can help business
owners and executives rest assured that both lives and property will be preserved to the
greatest extent possible, and continuity and disaster planning can contribute to a rapid and
complete rebound in the aftermath of a catastrophic event. Advance preparation, however,
can be undermined by failing to react effectively to an imminent threat. Companies need
to monitor developing weather conditions and respond quickly and decisively as soon as
severe conditions materialize. Insurance protection also is essential, and companies should
work with their brokers to confirm they have traditional property insurance policies that
cover loss to tangible property, as well as time element coverages that help businesses
remain financially viable after a catastrophe.

A1-20956-B (03/14) 112002806

Insurance coverages are underwritten by individual member companies of Zurich in North America, including Zurich
American Insurance Company. Certain coverages are not available in all states. Some coverages may be written on a
nonadmitted basis through licensed surplus lines brokers.
2014 Zurich American Insurance Corporation
