Whether you are in Kern County’s energy or IT segments — or any other segment of our economy — none of us can ignore the risk of cybercrime.
Uniquely, it is both a property and liability risk.
In the last issue of the Kern Business Journal, Alphonso Rivera, CEO of Advance Micro Resource, offered steps business owners can take to mitigate this highly technical risk.
His guidelines reflected the complexity of this risk. His final recommendation was: “Develop a risk management plan including regular forensic audits of your company’s online systems.” However, the article did not explain what a risk management plan needs to contain. I’m pleased to “fill this gap” in his otherwise well-written article.
Traditional risk management is “operational.” Risks addressed are static — those that produce only a loss, e.g., fire, earthquake, liability, etc.
Enterprise risk management is “strategic.” In addition to static risks, those addressed are dynamic — risks that can produce either a profit or a loss, e.g., marketing, product design, investment strategies, etc.
The three overall processes within either risk management system need to be integrated into your organization’s culture so you can move from the level of “insurance management” — where most companies are today — to the next level of risk management. They are:
1. Risk assessment — identification and measurement
2. Risk control — mitigation and reduction
3. Risk finance — including insurance
Insurance is the very last step — intentionally. It doesn’t come into play until all other alternatives have been considered.
Once risks are assessed, planning shifts to risk control, including not only cybercrime prevention but also fire prevention, security, safety, etc. — including Rivera’s forensic audit of online systems.
In addition, risk control includes disaster preparedness plus the most overlooked risk reduction task of all — business continuity planning.
Hurricane Katrina and other disasters each generated memorable stories of lives saved through effective disaster preparedness, yet other stories described businesses totally lost because no business continuity plan was in place.
Once risks are reduced, and some even eliminated, the final process can begin, viz., risk finance.
First is contractual risk transfer to parties other than insurers. There are generally three levels of contractual risk transfer. The first two are reasonable. The third is disastrous! It is prohibited by law in energy contracts of most oil-producing states, but not in California. It is unenforceable in construction contracts in California.
A local drilling contractor imposed a contract with this third level on a trucking firm whose employee was injured by the sole negligence of a drilling company employee. Because of this clause, all financial burdens were assumed by the trucking company with no opportunity for reimbursement from the drilling company.
This increased the trucker’s workers’ compensation costs for the ensuing three years. Moreover, for the injured employee to receive damages beyond workers’ compensation benefits, he had to file a liability claim against his own employer! This totally violates the historical intention that workers’ compensation is the exclusive remedy from employers.
Next, residual risks are either assumed or insured. Some can be assumed through deductibles, self-insured retentions, total assumption, etc. Others must be considered for insurance through alternative risk transfers, e.g., formal self-insurance, captive insurers, high deductible plans, retrospective rating plans, etc.
Only then is conventional insurance considered.
There you have it — the overall risk management system that should be inculcated into your organization’s culture in perpetuity!
This completes Rivera’s steps to a cybercrime solution — and more — plus the long-term benefit of risk management to all: a quiet night’s sleep!
— John Pryor is a risk management consultant and author of “Quality Risk Management Fieldbook” published by the International Risk Management Institute in Dallas.