Enterprise Risk Management Services for State & Local Government
Drew Zavatsky
Section Manager, Loss Prevention Program
Office of Risk Management
(360) [email protected]
Overview
During this session, we will cover:
• legal basics,
• a review of Enterprise Risk Management, and
• some new trends.
Legal basics
• Typically, states have sovereign immunity
• Washington waived immunity in 1961
• Agencies can be sued just like private persons
• Washington is self-insured – RCW 4.92.130
Local Government Basics
• Immunity waiver also applies to counties and cities
• Three types of risk pools:
– Local Government Property and Liability
– Individual and Joint Health Benefits (both under RCW 48.62)
– Affordable Housing Property and Liability (RCW 48.62)
• All pools operate under rules established by the State Risk Manager, who has a regulatory function
Local Government Basics (cont.)
• By request of a municipality, the State Risk Manager also may buy (or use a broker to buy) property and liability insurance for the city, county, or special purpose district – RCW 43.19.772
• One risk related to contracts for municipalities, from Washington Constitution, Article XI, §14: "PRIVATE USE OF PUBLIC FUNDS PROHIBITED. The making of profit out of any county, city, town, or other public money . . . by any officer having the possession or control thereof, shall be a felony . . ."
Tort Liability Basics
• What is a tort? A civil wrong.
• State tort financing via the SILP – RCW 4.92.130
• Commercial insurance is purchased to cover property loss in certain circumstances.
ERM Defined
ERM is a coordinated method of performing risk management that considers every aspect of risks that affect agency goals.
• Includes all agency programs and operations (no more silos)
• Requires open communication from all levels of the organization about goals, operations and issues
• Results in a high-level review of the most severe risks to achieving all agency goals
• Creates a coordinated way to identify and assess opportunities
In 2011, ERM was adopted as the American Standard for risk management – ISO 31000
How ERM Defines ‘Risk’
Risk: anything that can interrupt the achievement of your goal on time
Opportunity: the ‘flip’ side of risk: anything that results in over-achievement of your goal
The ERM Method (ISO 31000)
• Clearly state the goal
• List risks and opportunities
• Evaluate each risk/opportunity
• Prioritize risks/opportunities
• Respond (Mitigate/Seize)
• Make a Register
• Communicate Results
Risk/Opportunity Register
A Risk/Opportunity Register is a list of priority risks/opportunities and an overview of how you will handle them.
A register functions as a dashboard for managing risks and/or opportunities – and therefore goals.
Register template (one table per GOAL), columns:
| Priority Risk or Opportunity (briefly describe) | Root Cause(s) | Risk or Opportunity Response (check type and briefly describe) | How will we know our response was successful? (What are the ‘measures’?) | Target Response Date | Person Responsible |
Each row's Response column offers: □ Avoid/Exploit □ Accept & Monitor □ Reduce frequency □ Reduce impact □ Transfer
What is a privacy breach / security breach?
A privacy breach is the theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third-party corporate confidential information that is in the care, custody or control of the organization, or of an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the organization.
A computer security breach is:
– the inability of a third party, who is authorized to do so, to gain access to an organization’s systems or services;
– the failure to prevent unauthorized access to an organization’s computer systems that results in deletion, corruption or theft of data;
– a denial of service attack against an organization’s internet sites or computer systems; or
– the failure to prevent transmission of malicious code from an organization’s systems to a third party's computers and/or systems.
• Incident vs. Breach
How do data breaches occur?
• Lost Devices & Inadvertent Publication of Data
• Disgruntled Employees
• Vendors & Subcontractors
• Hackers & Unsecured Websites
(Slide diagram: a two-by-two matrix with axes Accidental vs. Intentional and Internal vs. External)
Percentage of breaches by threat type (source: Verizon, 2013 Data Breach Investigations Report)
Threat type      2012   2011   2010
Environmental     0%     0%     0%
Error             2%     1%     1%
Physical         35%    10%    29%
Misuse           13%     5%    17%
Social           29%     7%    11%
Hacking          52%    81%    50%
Malware          40%    69%    49%
Are you at risk? Ask your team.
• Has your organization ever experienced a data breach or system attack event?
• Does your organization collect, store or transmit any personal, financial or health data?
• Do you have a solid incident response plan in place?
• Do you outsource any part of computer network operations to a third-party service provider?
• Do you partner with businesses, and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect to or touch their systems?
• Does your posted Privacy Policy actually align with your internal data management practices?
• Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up to your peers?
• Where is your data?
Vendor management and requirements
Due diligence on vendors – some suggestions:
• Transparency
– Who handles administrative rights?
– Who has database and network access?
– Get access logs
– Include a right to audit your vendor
• Ask for documentation
– Copy of security risk analysis, outside reviews, third-party audits
– Documentation that corrective actions were implemented or deficiencies were addressed
• Verify use of encryption
– All portable media
– All network communications
– Ask about encryption of data in storage area networks (SANs)
• Remember, your indemnification agreement only has value if your vendor can actually pay….
What is complacency?
Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies.
Merriam-Webster Dictionary
Complacency? What do you mean?
What is the opposite of complacency?
If complacency is being unaware of actual dangers or deficiencies, then we need to be:
• Aware
• Inquisitive
• Open-minded
Let’s think about solutions
How best to remain vigilant about safety?
We create safety in our practice.
In order to change our practices we need to change our thinking.
One simple change improved the safety in state prisons . . .
Example: safety at work
My Safety is My Responsibility
Your Safety is My Responsibility
Place Safety is Our Responsibility
It takes all of us to create a culture of safety. It takes all of us to fight complacency.
What we covered today
• Learned about legal basics
• Heard highlights of the actuary’s report on state tort liability
• Got some ERM tools for using risk intelligence at work (registers, the three questions)
• Heard about new trends – cyber insurance and complacency risk
Thank you for participating!
Drew Zavatsky
Office of Risk Management
Department of Enterprise Services
1500 Jefferson Street
Olympia, WA 98504
(360) [email protected]