The Risk You Can’t Avoid – Weather Disruption

minton bernadette 130x195By Professor Bernadette A. Minton
Academic Director and Interim Executive Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
Professor of Finance
The Ohio State University Fisher College of Business

Weather plays a big role in our economy – from retail to agriculture to transportation, all industries are affected by it in some way or another.

A summer drought in the Midwest can negatively impact the agriculture sector while simultaneously creating a boom in new housing construction. Consumer behavior is also influenced by the weather. Consumers in Phoenix in light rain and 75° react differently than those in Portland, Oregon in similar conditions.


Over the recent years, climate variability has been increasing with extreme weather occurrences becoming more normal. Thus, understanding your organization’s vulnerabilities to weather disruptions is important to achieving corporate objectives and creating value.

In the upcoming Risk Institute Executive Education Risk Series, we will explore the risk management and strategic implications of weather disruptions. Our session leaders from The Bryd Polar and Climate Research Center at The Ohio State University and from Analytics and Impact Forecasting Services at Aon Benfield (Aon is a founding member of The Risk Institute) will collaborate to provide executives with insights into how:

  • It is less about the averages and evolving weather trends and more about the increasing extremes in our global and regional weather patterns. The use of recent advances in technology, data collection and data quality has led to new predictive analytics tools to more reliably project the weather risks.
  • These new analytical tools can improve managers’ abilities to better understand their business’ exposures to weather and more effectively manage these risks.

No one can control the weather, but planning for weather disruptions and its impact on your business is vital. If you wish to join us for this timely and thought provoking discussion, there are still seats available for the session.

The Risk Institute Executive Education Series will continue on Nov 12, 2015 with Weather Disruption and Risk Management, a half-day course for executives. For more information, or to sign up for the session, visit FISHER.OSU.EDU/RISK

Who are Your Disrupters?

Jim McCormick photoBy Jim McCormick
Founder and President
Research Institute for Risk Intelligence



So, let’s say you’ve decided that you need to cause some disruption in your industry.  You have come to see the value of the mantra of The Risk Institute and want to “leverage risk to create value.”

Likely at the core of your decision is the need to strengthen your competitive advantage.  Perhaps you need to respond more quickly and effectively to changes in the competitive environment such as –

  • new competition from unexpected sources,
  • competitors with new products, offerings or distribution channels, or
  • competitors with cost structures you cannot currently match.

Or perhaps you need to be more responsive to changes in the marketplace like –

  • new payment methods,
  • generational preference changes, or
  • transient customers or clients with no loyalty.

It may be that you need to up your game on the innovation front and develop more new products, services and methods.

So, who do you put on the team that is going to drive the disruption?

  • All risk-takers so they will charge ahead?
  • Perhaps people who are all risk-adverse so they won’t do anything crazy?
  • Or a healthy mix to achieve some balance?

But how do you know even know the Risk Inclination of your people?

At the Research Institute for Risk Intelligence, we have spent a lot of time and effort studying personal risk inclination.  Because like The Risk Institute at Ohio State, we feel it is vital that organizations move away from conventional risk management and its emphasis on minimizing risk to the more current approach of utilizing risk.  And that process of utilizing risk to create or respond to disruption requires understanding the risk inclination of your people.

Because fueling innovation, inspiring initiative and attaining organizational agility are not just desirable – they are now mandatory if your organization is going to survive and prevail in today’s hyper-competitive, technology-accelerated, global world of business.

At The Risk Institute’s annual conference October 7 and 8 I will discuss these issues and provide insights that will help you answer these questions.  I will present insights based on our research into personal risk inclination that will help you better lead and persuade.


DISRUPTION: Implications for Risk Management

minton bernadette 130x195By Professor Bernadette A. Minton
Academic Director and Interim Executive Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
Professor of Finance
The Ohio State University Fisher College of Business


In just over a week, The Risk Institute at The Ohio State University Fisher College of Business will host its second annual conference on the Columbus campus.

This year’s conference focuses on DISRUPTION – a trendy and perhaps overused word these days in corporate America, but very much relevant and worthy of discussion.

Consider the two sides of DISRUPTION:

You or your organization can cause disruption by creating a new business model for which your competitors’ revenues and cost infrastructures do not allow them to respond quickly.  In this case, the disruption has the potential to create value.

Or, alternatively, you or your organization can be subject to disruption when your business strategy, process or infrastructure, for example, are interrupted by an unexpected event.  In this case, disruption has the potential to negatively impact the firm.

Save the Date  6.8.15During our upcoming conference on Wednesday, October 7 and Thursday, October 8, senior executives will have the opportunity to engage in conversations with experts and peers about leading practices and current challenges related to DISRUPTION.

Highlights include our keynote speakers, Kenny Dichter, founder and CEO of Wheels Up, and retired General Michael Hayden, former director of the National Security Agency and the Central Intelligence Agency.  General Hayden, speaking on the opening night, will focus on Managing DISRUPTION.  Mr. Dichter will headline the second day of the conference and present on DISRUPTION as a Catalyst.

Conference attendees also will be challenged during a collection of six 20-minute RISKx talks, modeled after the high-impact and popular TED Talks, to consider DISRUPTION strategically and to generate new insights and influence risk management practice. The RISKx session includes topics such as a firm’s risk appetite, employees’ attitudes toward risk, consumer payment methods and the activist investor.

We will conclude our conference with panel discussions focusing on strategic risk management implications of DISRUPTION in Financial Business Transactions and DISRUPTION in Core Systems.

To learn more, visit The Risk Institute Annual Conference page.

Not If, But When – Facing Cyber Risk in the Digital Age

minton bernadette 130x195By Professor Bernadette A. Minton
Academic Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
The Ohio State University Fisher College of Business 


When the World Wide Web was invented nearly thirty years ago, the concept of what today’s cyber landscape would look like was little more than science fiction. Rapid advances in technology coupled with the growth of the Internet have revolutionized the way businesses and individuals interact. Integrated networks are allowing organizations to access, analyze, use and share information more easily than ever before. The composition of firms in the global economy is changing from organizations producing primarily material goods to those creating intangible assets relying on technology and intellectual property.

Yet, as the global economy becomes increasingly Internet-connected,  organizations, while reaping the potential benefits, are simultaneously exposed Internet_map_1024_-_transparent,_invertedto an increasing array of known and unknown cyber threats. Not a day goes by without the news of another cyber attack taking place at another organization. The conventional wisdom is not “if a cyber breach will happen” but “when will it happen.”

In the upcoming Risk Institute Executive Education Risk Series, we kick off the 2015-16 academic year with a discussion on the evolving environment of cyber threats.  Our session leaders from Battelle, EY and Aon will collaborate to provide executives with insights into how to:

  • Embrace a systematic approach to understanding the evolving cyber landscape and assess the various cyber threats facing the organization
  • Develop an integrated and enterprise-wide approach to consistently assess the organization’s vulnerabilities to cyber threats
  • Proactively quantify their organization’s cyber exposure and apply potential risk management and insurance solutions to help insulate the exposure
  • Apply current findings of research on cyber vulnerability to the products and services

Overall, the half-day session will emphasize the importance of balancing the power of cyber ecosystems with the associated risks to create organizational value.

To learn more or to register, please visit the Risk Series page.

The Risk Institute 2014 Survey – Evolving the Conversation

minton bernadette 130x195By Professor Bernadette A. Minton
Academic Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
The Ohio State University Fisher College of Business 


Last week, The Risk Institute released its first annual Survey on Integrated Risk Management.  As my colleagues and I reviewed the survey results, we agreed that they provided insights into three aspects of risk management:

  • Senior executives’ views about the role of risk management in their firms
  • The structure of risk management functions
  • How firms integrate risk management into business decisions

Yet, we also agreed that the results raised several questions, including:

  1. Are firms’ risk management approaches really integrated or are they just aspirational? On the one hand, firms say they view their risk management approach to be integrated, meaning they stress its use across the firm and recognize it to be a source of growth opportunities and not just a reactive or defensive strategy. Yet, further survey questions about how they integrate risk management into business decision-making show that such integration is piecemeal and does not extend to all functional areas or units.
  2. If a firm reports the recognition of risk management as the source of growth and as the most important catalyst for their increased risk management efforts over the last three years, why does the audit committee have the primary responsibility for risk management? The executive committee and/or strategy committee of the board understand the drivers of firm value and set the corporate objectives to enhance firm value. However, firms rarely reported that these committees are responsible for risk management at the board level.
  3. Why are business functional areas like marketing, sales, human resources or research and development not more involved in risk management processes? These functional areas have large amounts of data that can help firms understand risks to their corporate objectives as well as help identify emerging risks.
  4. If balancing risks to create value means mitigating risks at times and leveraging risks at other times, why are firms not using mechanisms to set the scope of risk taking consistent with this view?

At The Risk Institute, we are dedicated to advancing the adoption of leading risk management strategies by leveraging the collaboration between academic scholars and RiskInstitute_block Dpractitioners. As we work to provide insights into the questions raised by the survey, we look forward to continuing the conversation on the evolving role of risk management through: new areas of research; translations of completed academic research for practical business applications; and educational programs for business professionals, undergraduate and graduate level students.  Through these dialogues, we can collectively advance our knowledge of risk management and influence adoption of leading risk management practices.

To learn more and access the complete 2014 Survey on Integrated Risk Management, visit:

A Snapshot of Risk Management in 2015

minton bernadette 130x195By Professor Bernadette A. Minton
Academic Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
The Ohio State University Fisher College of Business 


As published on Columbus CEO’s CEO Live blog on May 20, 2015

In recent years, risk management has evolved into a more comprehensive and integrated practice.  Risk management was once viewed as only being done to meet regulatory requirements and to protect the firm against the negative effects of volatility in their business environment.  While those aspects remain leading catalysts for firms who increased risk management efforts over the last three years, a fraction of firms recognize risk management to be a source of growth.

Over the same three-year period, senior executives and the board of directors have become more involved in risk management processes. This integrated approach leverages collaboration across an organization to identify and evaluate risks and to proactively manage those risks to achieve corporate objectives and enhance shareholder value.

One of the primary goals for The Risk Institute at The Ohio State University Fisher College of Business is to create a greater understanding of how organizations can proactively leverage risk management to create value.  Given the varied roles that risk management plays in different organizations, it is important to hear from senior executives from both financial and nonfinancial industries about how they view risk management’s role in their organization. It’s also critical to understand how executives, if at all, integrate risk management into business decisions as well as structure their risk management function to support its role in the firm.

Organizations are increasingly impacted by risks that are more interconnected and ever changing. This means that the conversation about risk and risk management must continue to evolve and grow. It is with this goal in mind that The Risk Institute developed a comprehensive research initiative to survey senior risk management executives. The survey is designed to deepen the understanding of how U.S. companies structure their risk management practices.

The annual Risk Management Survey is one example of how The Risk Institute and its founding partners are committed to moving this conversation forward. In this inaugural survey, we provide a snapshot of risk management practices among a large and diverse set of U.S. firms.

As The Risk Institute unveils the findings from its inaugural 2014 Risk Institute Survey on Integrated Risk Management several things are clear.

 1) In order for firms to transition to a more integrated risk management approach, which views risk management as a source of value enhancing opportunities, it is important to choose a leader of the risk management functions who embraces this view and who does not see risk management as merely a defensive strategy. Equally important is choosing a leader who can effectively collaborate with other C-suite executives to leverage risk to enhance shareholder value.  Finally, the Board committee responsible for risk management also should share this view.

2) For firms wanting a more integrated risk management approach, it is important to include more business units/functions in the processes and not only rely on those functions related to finances and meeting mandated requirements. Aligning risk management with key organizational strategies will aid an organization to successfully develop a fully integrated risk management function that can leverage risk to achieve corporate objectives and enhance growth and shareholder value.

3) For firms to fully reap the benefits of an integrated approach, not only do they need to recognize a business process and analyze the risks of that process, they must also increase their efforts to have their analysis feeding back into the risk management of the firm itself. This “looping” process will allow firms to proactively manage the risks impacting their organizations and identify emerging risks to be leveraged or mitigated.

4) Given the changing nature of risks impacting firms, firms must continue to use a variety of techniques like best case/worse case and extreme scenario analyses, which can effectively evaluate these risks by including proprietary models and simulations.

5) As firms move from viewing risk management as a defensive strategy to a more fully integrated approach, senior executives and the Board must develop mechanisms to set the scope of risk-taking that are consistent with this latter view of risk management.

These findings afford some great insights and will enable us to investigate and address challenges in the practice of risk management so to advance the adoption of leading integrated risk management strategies.

To learn more and access the complete 2014 Survey on Integrated Risk management, visit:

Data Analytics and Managing the Risk of Demand Uncertainty

by Gregory Sabin – Visiting Lecturer, The Ohio State University Fisher College of Business

A 2012 Supply Chain Insights survey asked supply chain managers to name their top 10 pain points. Three out of four respondents listed demand volatility, which made it one of the most painful aspects of supply chain management, second only tosabin Greg supply chain visibility.  Firms can reduce demand volatility and the associated risks by incorporating economic and demographic data to create simple and more accurate business models.

Risks associated with demand volatility include both risks of overestimating and underestimating demand.  Overestimation of demand will cause declines in the firm’s return on assets (ROA) because of the overcommitment of assets and unnecessary expenditures that will be incurred in anticipation of surplus demand that does not materialize.  Underestimating demand is associated with increased production costs, lower quality levels and decreased customer satisfaction.

These risks affect every part of the business, including customer service, financial planning and analysis, supplier development, new product development, human resource management, product/process engineering and investor relations.  As such, firms need to approach forecasting and planning from a cross-functional perspective.

Why are most businesses not already doing this? As recently as five or six years ago, businesses lacked not only easy access to the detailed information needed to add analytical models to their forecasting process, but also the ability to process that information in a cost-effective manner. Traditionally, this meant firms focused primarily on internal marketing and supply chain information such as distributor estimates, sales projections, product lead times, inventory levels, production capacity and workforce head counts.

Now we are seeing the amount of readily available information exploding in the public domain.  As “big data” and tools to access the information has grown to a point of critical mass, firms cannot only access customer, product and competitor information, but also macroeconomic data that is more detailed and forward-looking than what has been available in the past. Combining this economic data with proprietary firm specific information is creating a new proactive approach to balancing the risk associated with forecasting and demand management.

Early adopters of this new approach are utilizing data-driven analytical tools to enhance the planning and forecasting processes and to give significantly more accurate information to all business units involved in their company’s planning process. The pain associated with demand volatility can be reduced because a firm has armed itself not only with better information, but also with an integrated cross-functional perspective.

The Risk Institute Executive Education Series will continue on April 30, 2015 when Professor Sabin will co-lead a half-day session on Demand Uncertainty, Data Analytics and Risk Management. For more information or to sign up for the session, visit FISHER.OSU.EDU/RISK


Managing the Risks and Opportunities of Social Media

By Professor Bernadette A. Minton, Academic Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance

During the last decade, the rise of social media, which accelerated with the introduction of smartphone technology, has provided unprecedented opportunities for organizations to build influence, their brand, and reputations.  The organic nature of social media allows enterprises to reach millions of consumers and influencers in ways they never could before.

Yet, this opportunity does not come without risks.

RiskInstitute_block B 250x296During a recent Risk Institute Executive Education session on Social Media and Risk Management, Prof. Lanier Holt of The Ohio State University’s School of Communication stressed the effect of social media in today’s media climate is that “Perception IS the Realty.” Customers, bloggers and others can use social media to quickly turn on a firm/brand, leaving in shambles a distant memory of its once vibrant self.

Thus, it is not surprising that, in the same session, Bill Deakin, Executive Director, North American Consumer Products, EY, noted that recent surveys consistently report that executives view social media as one of the leading risks facing their organizations.

An organization’s brand is a collaborative effort of most, if not all, areas of the firm – from marketing and sales to finance and operations.  As such, the benefits and risks of social media rarely impact just one area of an organization.  So, as Deakin stressed, a social media strategy must be an organization-wide responsibility.

By integrating enterprise risk management strategies for understanding, evaluating and managing these risks, organizations can capitalize on the opportunities inherent in social media, which include:

  • empowering consumers to comment anywhere and anytime on an organization and what it is doing and companies to provide real-time feedback to customers letting them know they are being heard.
  • providing organizations a venue to tell stories in engaging ways to a wider audience, helping to build reputation, customer affinity and sales.
  • allowing companies to analyze in real-time online conversations to assess the effectiveness of the firm’s products or initiatives.
  • providing firms a way to provide the information in real time to manage risk by getting ahead of negative events, not allowing others to tell their stories for them.

The power of social media is something that was unimaginable even 10 years ago. But, today it can empower an entrepreneurial startup with the same brand-building abilities as the world’s largest and most well-established company. When approached with an enterprise risk management perspective, organizations can create value by balancing the power of social media engagement with its associated risks. To find out more about The Risk Institute’s perspective on enterprise risk management, visit

To find out more about The Risk Institute’s Executive Education Risk Series, or to register for the upcoming session on Demand Uncertainty on April 30, 2015, visit our webpage.


Cyber Security: About Whale Phishing, the Deep Web and the Dark Net

By Professor Ingrid M. Werner, Risk Institute Faculty Member, and Martin and Andrew Murrer Professor in Finance at The Ohio State University Fisher College of Business.

October 28, 2014


Ingrid M. Werner The Risk Institute Faculty Member Martin and Andrew Murrer Professor in Finance, The Fisher College of Business

The attendees at The Risk Institute Launch and Conference last week learned two new terms from cyber-space: Whale Phishing, and the Deep Web and Dark Net. These terms were introduced by Mr. Jeremy Kroll, CEO and co-founder of K2 Intelligence who discussed effective strategies for managing cyber security risks faced by business around the world.   

Whale Phishing

Whale phishing is a new form of cyber crime in the general family of hacker strategies known as spear phishing.  Generally, phishing scams cast a wide net and hope that a few foolish individuals that click on the attachment or link in an e-mail compromising the security of their computer or financial account.  Spear phishing instead targets specific individuals or organizations, aiming to harvest financial information or trade or military secrets that can be used for financial gain.  Whale phishing, or simply whaling, takes this practice to a new level by targeting senior executives and other key leaders in an organization.  Vircom Guest Blogger Megan Horner, Marketing Coordinator at TrainACE, lays out the strategies commonly used in whale phishing attacks, and also explains what to look out for in an article here.

A spear phishing scam targets an employee with access to sensitive information or financial accounts.  It takes the form of an email that looks as if it was sent by a person in a position of authority within the company (the boss) or from outside (a regulator).  For example, a staff member in the purchasing department may get an e-mail from IT requesting that the individual login and reset his or her password.  Malware is used by the attacker to direct the individual to a fake website which is designed for the sole purpose of capturing the username and password for use to access the organization’s network.  The access can be used to manipulate accounts, transfer funds to external accounts, or simply to download sensitive information.

You guessed it, a whale phishing scam follows the same strategy but targets senior management.   The emails used are personalized and often extremely well-crafted, using corporate logos and html templates to convey a sense of authenticity.  The sender’s address looks like it comes from a known person or organization, and often alludes to a sensitive and urgent business matter.  Finally, the matter raised is one that requires the intervention of senior management.  For example, it may be a subpoena and the official-looking email instructs the CEO to click an link to download special software so they can view the subpoena.  According to Megan Horner, a scam like this targeted an estimated 20,000 recipients.  Shockingly, about 10 percent responded and thus downloaded the malicious software, so called malware.  In addition to being used to display the fake subpoena, the malware was actually a key logger that captured anything the CEO typed, including network access credentials and other sensitive information.  Using the opened door, the phishers then launched attacks against the corporations to harvest information, manipulate accounts, and transfer funds external accounts controlled by the phishers.

How does senior management avoid being caught in a whale phishing scam?  Megan Horner lists the following red flags for managers who receive emails with urgent calls to action involving confidential data.

·  The email requires a download or website visit in order to view an official document.
·  The sender’s address is similar but not identical to a familiar one.
·  The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
·  A website requesting personal data does not use encryption. Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign.
·  The communication contains supposedly confidential information that in reality is publicly available

She also suggests that if you cannot quickly verify an email’s authenticity you should immediately call IT Security.  This is good advice for employees and senior managers alike!

The Deep Web and the Dark Net

We have just gotten used to the word cyber-space, and now people start talking about the “Deep Web” or the “Dark Net.”  This is not some imaginary part of the universe, but rather a part of the web that is not accessible to the general public. It is a place where cyber criminals roam and is used for trafficking in drugs, guns, pornography, and credit card information but also in state and military secrets.  According to Amy Wilson, a blogger at K2 Intelligence, an estimated 80% of all online activity takes place in the deep web.

Amy Wilson also explains that world-wide web is tiered.  The top layer is the surface web which is indexed by our popular search engines such as Google, Yahoo, and Bing and is the place where most of us get news, engage in  e-commerce, and share information about organizations and individuals.  The next level is the deep web, which is not accessible using popular search engines as users need passwords or other credentials to get through the doof.  The closed access is often used by hackers in for example the Whale Phishing attacks to set up temporary web sites where stolen information can be sold to the highest bidder.  The third level is the dark net that in addition to requiring passwords or other credentials requires the user to surf anonymously by using applications such as Tor, I2P and Freenet. 

The deep web recently gained publicity through the 2013 shutdown by the FBI of the Silk Road, a site for mail-order drugs run by “Dread Pirate Roberts” and operating on the dark net.   The FBI arrested Ross William Ulrich, who they claim was the Dread Pirate Roberts running Silk Road.  While Ulrich is awaiting trial, and his site is closed down, law enforcement is not necessarily more on top of the mail-order drug business than before.  The reason is that when the monopolist Silk Road closed down, it opened up the market for a slew of tiny drug trafficking bazaars that  cropped up on the dark net, leaving law enforcement with an even bigger problem.

While the most highly-prized targets for cyber criminals are financial institutions, Amy Wilson points out that there are plenty of examples of less obvious victims. These include Sony’s networks of Playstation users that was hacked in 2011, leaking almost 80 million accounts with personal information that was subsequently published online.  Similarly, Goodwill had a credit card breach recently where malware was installed on a third-party system used to process credit card payments, compromising almost 900,000 credit cards.  More information on the Goodwill breach can be found here.

Amy Wilson also provides advice for companies on how to protect themselves against cyber-crime.  The first line of defense is to have a comprehensive cyber security strategy in place.  The second line of defense is to have a constant flow of intelligence scanning the deep web on your behalf.  The number of reported cyber security incidents increased 48% to 42.8 million in 2014 compared to 2013 according to PwC ( ), so companies clearly need to heed her advice!

Upcoming events at the Risk Institute

It is that time of year again when campus is filled with the buzz and energy of returning students, new classes, Saturday tailgates and community events.   And as such, we wanted to make sure you are aware of the upcoming events associated with the Risk Institute so you can plan your fall schedule accordingly.

Executive Education Series:
On September 10, 2014, Dr. Keely Croxton, Associate Professor of Logistics at The Ohio State University Fisher College of Business will be leading a session on supply chain resilience.  This three and a half hour session will focus on the identification, measurement and management of supply chain risks and be a great opportunity for firms at all stages of development in the risk management spectrum.  This exec ed session costs $495 and is geared toward senior executives and business unit leaders charged with driving growth and creating value while managing risk.  More information on the session is available here.

Morning Briefing Series:
On September 30, 2014, Dr. Zahn Bozanic, Assistant Professor of Accounting at The Ohio State University Fisher College of Business, will discuss how “big data” is being used to help facilitate regulatory compliance of firms’ external financial reports. This research has been featured in Forbes and  The morning briefings are free, but seating is limited.  Reserve your seat and find out more information here.

The Risk Institute Launch Event and Conference:
On October 22-23, the Risk Institute will be hosting it’s launch event and conference where several leading academic and practitioners will be taking the ‘conversation about risk’ to the next level and examining a variety of aspects that relate to all aspects of risk management.  This cross functional event will cover aspects including financial, reputational, supply chain, cyber security, regulatory and more.  More information on this invitation only event can be found here.