Business Resilience and COVID-19: Webinar Recap

Ohio State’s Risk Institute at the Fisher College of Business continues to adapt and find creative ways of leading the pack and maintaining connections with innovative industry leaders and partners within the community. On June 23, over 100 nationwide businesses collaborated via Zoom for a virtual webinar to discuss Business Resilience.

This topic has historically been of paramount importance, but in the current climate of the global COVID-19 pandemic it has taken on new meaning and calls for urgent conversation. The disruption, coupled with the expansion of digital commerce and the increasing complexity of supply chains, forces the industry to innovate and to consider new tools, processes, and alternative approaches to build resiliency.

In this conversation, industry experts discussed supply chain vulnerabilities and identified ways to build internal and external collaboration to reinforce the enterprise resilience ecosystem.

Speakers included Keely Croxton, OSU Professor of Logistics and Co-Director of Full Time MBA Program and Joseph Fiksel, OSU Professor Emeritus, Integrated Systems Engineering, Former Executive Director, Center for Resilience, and facilitator Philip Renaud, Executive Director of the Risk Institute.

Resilience is seen as the capacity to survive, adapt, and prosper through unpredictable and turbulent times. Business resilience can be seen as an opportunity, during disruption, to bounce forward and find solutions to stabilize communities, supply chains, and resources.

“The increasing volatility, complexity, and ambiguity of the world … calls for a resilience imperative – an urgent necessity to find new opportunities to mitigate, adapt, and build resilience against global risks through collaboration among diverse stakeholders.” – WEF Global Risk Report, 2016

The World Economic Forum’s (WEF) top cascading forces for challenging business resiliency are as follows: Ecological/Environmental, Political, Economic, and Societal. In 2020, specifically, the top-ranked long-term global risk focus was on environmental threats (from storms and tsunamis to wildfires); Pandemics were not only receding as a perceived threat but also were identified as being one of the least likely to occur.

COVID-19 is perceived as a “black swan” event, blindsiding the industry, and serving to highlight the limitations of traditional Risk Management, which has historically followed a more systematic, linear trajectory. This approach illustrates that one can’t necessarily anticipate what risks will arise nor which ones will cause the most harm.

Armed with this information, it’s apparent that adaptation to a changing risk environment needs to be at the forefront of the conversation for risk professionals. Risks cannot always be anticipated, they may be hard to quantify, and adaptations may be needed to remain competitive. We are urged to ask, how can we be proactive, is there a more effective response, what can we do differently and, in turn, leverage our competitive edge?

In an age of global turbulence, resilience is a key competency for corporations. How can a company improve the resilience of its supply chain processes so that it can recover rapidly from unexpected disruptions, assure business continuity, and adapt effectively to changing external conditions?

Croxton identified vulnerability factors exposed by a disruption such as the COVID-19 pandemic. These include turbulence, deliberate threats, external pressures, resource limits, connectivity, and overall sensitivity. In turn, she identifies the concept of capabilities, which act to balance out or diffuse the vulnerability factors.

Take turbulence, for example. COVID-19 would fit into this category, along with natural disasters, political disruptions, currency fluctuations, demand volatility, and/or technology failures. Capabilities that counteract turbulence might include Collaboration (such as risk-sharing with suppliers), Organization (such as creating a problem-solving culture or utilizing a diverse skill repertoire), and Market position (for example, using existing ties within a community and/or having loyal customers that support the brand).

According to Fiksel and Croxton, a company’s goal is to be in the “zone of balanced resilience”.

The audience was introduced to an innovative purpose-built tool that companies can utilize in their pursuit of reaching this zone of balanced resilience. SCRAM™, developed by researchers at The Ohio State University in collaboration with the U.S. Air Force, Dow Chemical, and L Brands, among others, is a facilitated process supported by a computer-based toolkit that provides a diagnostic assessment of an organization’s preparedness and fitness for coping with turbulent change.

The process offers businesses a unique, comprehensive approach to understand the pattern of their potential vulnerabilities and to design a portfolio of supply chain capabilities that will offset those vulnerabilities. This not only creates shareholder value, but strengthens a company’s capacity to survive, adapt, and flourish, as opposed to the more conventional risk management approach of “steer and adjust.”

The Chinese word for “crisis” (simplified Chinese: 危机) is composed of two Chinese characters signifying “danger” and “opportunity” respectively. Fiksel takes this opportunity to remind attendees that every disruption, no matter how damaging, provides a learning opportunity and a chance to bounce forward.

The Risk Institute will be sponsoring more virtual webinars in the coming months on topics pertinent to the industry, Institute members, and the community at large.

September 22-23 is The Risk Institute’s Annual Conference, featuring two sessions per day from 10:00-12:00 and 2:00-4:00 EST. Registration will be opening soon.

Written by Jack Delahunty in partnership with The Risk Institute at Ohio State’s Fisher College of Business

Webinar Recap: Cyber Risk in Today’s Changing Environment

Speakers: Helen Patton (Chief Information Security Officer, The Ohio State University), Emre Koksal (Founder, DAtAnchor, Professor, The Ohio State University), and Dakota Rudesill (Assistant Professor of Law, The Ohio State University, Moritz College of Law).

In response to what seems to be evolving as the new normal, Ohio State’s Risk Institute at the Fisher College of Business, in partnership with representatives from the insurance industry, found an innovative way of discussing some of the pertinent questions surrounding COVID-19’s impact on business with over 300 listeners through a virtual webinar on Zoom, June 10, 2020.

When asked what keeps them up at night, many risk professionals place cybersecurity near the top of their lists. With the changes in how we work amidst the COVID-19 pandemic, this discussion around cyber risk – particularly the protection of data – becomes even more relevant.

Prior to the outbreak, it was not unusual for a portion of the workforce to work from home, at Starbucks, or the airport. For years security teams have had to work across multiple clouds, with multi-national companies, and with workers in differing locations and on a variety of platforms and devices. This in itself is not new, but the degree is. The first speaker of the afternoon, Helen Patton, views the current changes as not necessarily an acceleration or drastic change in risk profile, but more a change in the risk flavor.

Every time an employee works remotely, an organization’s security team has to monitor and secure that user’s endpoint. When thousands of employees are at different locations, this becomes a near-impossible task. Furthermore, when working with associates outside an organization, companies have to find ways to verify that vendors are doing what is expected to maintain security and processes are in place to leverage the relationships to protect both parties.

In this new normal of distributed workers, it’s harder to rely on technology to control the work environment. Risk is the human element. It’s now “easier” for employees to make “bad” risk choices, therefore training and processes are more important than ever to guide them to make “good” risk choices.

Accompanying this problem is the fact that data is ever-growing, and it all needs to be stored, replicated, and shared accurately. Each step heightens the risk. There are an average of 25 data breaches every day, varying in scope, frequency, targets, and attackers. According to a report from IBM, in 2019 the average data breach cost $3.92 million, with the healthcare industry experiencing the most expensive and damaging losses, at an average of $6.45 million per breach and an average loss of 25,575 records.

In early-March, during the first weeks of the COVID-19 shutdowns, some sectors saw a doubling of attacks. According to research undertaken by Barracuda Networks and Cloudflare, phishing emails have increased 667% since the end of February, while general cybercrime activities increased by 37%.

To protect themselves and their organization from data breaches or cyberattacks, people working from home are advised to keep their personal online activities separate from work and to ensure their systems remain updated as the first line of defense, as home computers are often non-secured and operating on a home Wi-Fi network. Tools like Virtual Private Networks (VPNs) can help protect data and online connections, but workers may need to adapt in other ways.

This is where the second speaker, Emre Koksal, and his discussion around data security – in particular a security model called “Zero Trust” – comes into play.

Zero Trust Security, a Data-Centric Approach

Koksal began his discussion by pointing out that many network security protocols don’t offer adequate protection against today’s cyber criminals. Currently, most organizations have a network-centric approach, where data is confined to and accessed via a protected network. This data is created and stored outside the network, so organizations rely on 3rd parties for fully distributed generation and storage that permits full access for its remote workers. He reminds us that almost any organization’s data is worth stealing and with a large majority of people working from home, this valuable data is being consumed over shared, potentially vulnerable infrastructures.

Because of these complexities, there’s no way to track openings or vulnerabilities in a network. In this new normal, the network-centric security approach is not enough: it’s not sufficient to focus solely on protecting the network. The focus needs to be on protecting the data itself through a data-centric approach. Enter Zero Trust, an information security model that does not implicitly trust anything inside or outside its network perimeter. Instead, it requires authentication or verification before granting access to sensitive data or protected resources.

The philosophy behind it is this: anytime a user is connecting to a website or application they are given “zero trust” until they can prove they are secure. This is particularly important for remote work, as workers often change locations or internet networks. Each time a user tries to access data, it must be clear they are abiding by the rules of the organization and that they have permission to access it. This way, from a security standpoint, it doesn’t matter where the data is accessed.

With Zero Trust there is no notion of securing a network boundary (the network-centric approach), rather, data is its own security boundary – so the security travels with the data. Zero Trust also utilizes multi-level encryption, which translates data into another form, or code, so that only people with access to the keys can access it. With this approach, boundaries are built around the data and the keys, not around the network itself.

This security model helps eliminate data loss and maintain control of files even when employees are connected to personal networks, on personal devices. Zero Trust’s data-centric security solution also enables access and data sharing without an organization having to fully give up ownership of the data.

State of the Art in Zero Trust:

  • Military-grade encryption made simple (can be applied for all data everywhere)
  • Fully transparent to the legitimate user (they won’t even know that there’s something between them and the data)
  • Geofencing and location tracking (for employee accountability)
  • Real-time audit logs (who accessed what and when)
  • Governance rules baked into key manager (leading to dynamic revocation if rules are broken)
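
The key-manager behaviour in the list above (rules checked on every access, an audit log of who accessed what and when, revocation when a rule is broken) can be sketched as follows. This is an added example, not code from the webinar or from any product; the class names, the policy fields and the choice to revoke on a geofence violation are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class AccessRequest:              # hypothetical request shape
    user: str
    authenticated: bool           # outcome of an upstream identity check
    device_managed: bool
    country: str                  # coarse location used for geofencing
    file_id: str

@dataclass
class FilePolicy:                 # hypothetical per-file governance rules
    allowed_users: frozenset
    allowed_countries: frozenset
    require_managed_device: bool = True

@dataclass
class KeyManager:
    keys: dict = field(default_factory=dict)       # file_id -> data key
    policies: dict = field(default_factory=dict)   # file_id -> FilePolicy
    revoked: set = field(default_factory=set)      # (user, file_id) pairs
    audit_log: list = field(default_factory=list)

    def protect(self, file_id, policy):  # fresh 256-bit key bound to a policy
        self.keys[file_id] = secrets.token_bytes(32)
        self.policies[file_id] = policy

    def _decide(self, req):
        policy = self.policies.get(req.file_id)
        if policy is None:
            return False, "unknown file"
        if (req.user, req.file_id) in self.revoked:
            return False, "access revoked"
        if not req.authenticated:
            return False, "not authenticated"
        if req.user not in policy.allowed_users:
            return False, "user not permitted"
        if policy.require_managed_device and not req.device_managed:
            return False, "unmanaged device"
        if req.country not in policy.allowed_countries:
            # Assumed rule: a permitted user outside the geofence is revoked.
            self.revoked.add((req.user, req.file_id))
            return False, "outside geofence, access revoked"
        return True, "policy satisfied"

    def request_key(self, req):
        """Evaluate every request from scratch, log it, release key or None."""
        allowed, reason = self._decide(req)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": req.user,
            "file": req.file_id, "country": req.country,
            "allowed": allowed, "reason": reason,
        })
        return self.keys[req.file_id] if allowed else None

def demo():
    """Constructed scenario: same user at the office, abroad, then back."""
    km = KeyManager()
    km.protect("q2-forecast.xlsx", FilePolicy(frozenset({"alice"}), frozenset({"US"})))
    office = AccessRequest("alice", True, True, "US", "q2-forecast.xlsx")
    abroad = AccessRequest("alice", True, True, "FR", "q2-forecast.xlsx")
    released = [km.request_key(r) is not None for r in (office, abroad, office)]
    return released, [entry["reason"] for entry in km.audit_log]
```

The third request is denied even though it comes from an allowed location, because the earlier rule violation revoked that user's access to the file; the network the request arrives on plays no part in any decision.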

Impact on Business:

  • Retain control of sensitive data, even outside office walls
  • Simplified compliance (HIPAA, GDPR, NIST, CCPA)
  • Secure and frictionless data sharing
  • Monitoring and real-time audit logs
  • Secure workflow for remote workforce
  • Low IT overhead

Balancing Liberty and Security in the New Normal

The new normal of increasing numbers of remote workers has prompted changes in regulation. Organizations falling under the scope of data protection regulations and standards like PCI DSS, HIPAA or GLBA, have now been forced to reconsider their stance on remote work and have begun adopting it as a strategy across the board.

Some compliance measures for confidentiality have already been suspended to help sectors such as telemedicine be more accessible and improve their ease of use. Business processes are being altered. Changes are being considered to allow for an easier digital transmission of data and digital signatures.

The Risk Institute’s third speaker, Dakota Rudesill, talked briefly about privacy, or more specifically the balance between liberty and security, as a potential obstacle in this new normal. Most workers – and certainly customers – don’t want to be tracked.

Consider the opposition of some to COVID-19 contact tracing. To let Apple or Google track where you go is a risk choice for yourself but also for the community around you. People are more likely to be comfortable being tracked, driven by a focus on public health, but less likely if the information could be used for marketing or purposes that might be considered an invasion of privacy.

Moving forward, this balance between liberty and security is only going to get tougher, especially as the Internet of Things (IoT) continues to exponentially infiltrate our homes and offices. As of now a clear end to the COVID-19 pandemic is impossible to determine, but when that happens, the question is will these current changes in-the-making become the new standard or will things snap back to the way they were before?

 

Written by: Jack Delahunty, in partnership with The Risk Institute at The Ohio State University

Business Interruption in Light of COVID-19: Webinar Recap

In response to what seems to be evolving as the new normal, Ohio State’s Risk Institute at the Fisher College of Business, in partnership with representatives from the insurance industry, found an innovative way of discussing some of the pertinent questions surrounding COVID-19’s impact on business with over 300 listeners through a virtual webinar on Zoom, May 13, 2020.

Three experts from the insurance field, Dean Fadel, President of the Ohio Insurance Institute, Joseph Petrelli, President of Demotech, and insurance industry attorney Kirk Pasich of Pasich LLP collaborated with Philip Renaud, Executive Director of the Risk Institute, to talk about business interruption and the impact of COVID-19 from the insurer and policyholder perspectives. Specifically:

  • The dynamics of what is happening across the country and how various jurisdictions are interpreting coverage or lack thereof.
  • Does revenue loss due to supply chain problems and business shutdowns by government directives trigger coverage? (Either direct business interruption losses, or contingent, resulting from a supply chain’s inability to provide goods or services).
  • How underwriters and actuaries looked at pandemic clauses and the associated risks when policies were originally written, compared to today.

Dean Fadel believes that the insurance industry has so far been a good corporate citizen. For customers, auto insurers have returned $10.5 billion to date through premium relief. For employees, many insurers are pledging no layoffs during the ongoing crisis. That said, the insurance industry as a whole will begin to see an increase in claims and a decrease in premium revenue moving forward.

One area relevant for insurers to consider given the current climate is business interruption insurance. Legislation is currently being discussed or introduced in eight states, including Washington D.C., thus far. These potential changes would retroactively enact business interruption coverage into existing policies — despite an absence of the physical damage required in property policies, and/or express exclusions for communicable diseases in those policies.

It is estimated that 40% overall and less than 30% of small commercial consumers purchase business interruption insurance. Mandating business interruption payouts would cost insurers at least $255 billion per month. Meaning, in three months the industry’s nearly $800 billion surplus would be depleted. Moving forward, companies need to not ask “what can I afford?” but rather “what did I sell this customer and what are my responsibilities under that policy?”

Joe Petrelli, President of Demotech, reiterates the fact that the insurance industry as a whole is not made up of just “the giants.” Out of 11 different insurance business models, the overwhelming majority are small companies (52% operate in one state or in one particular line of insurance). These companies will be waiting to hear about decisions made in that line of insurance or the decisions made in their particular state of operation.

The National Association of Insurance Commissioners (NAIC) has issued its own discussion for the federal government to consider. The Association thinks it’s inappropriate to ask for retroactive business interruption coverage and argues these companies should not have to “step up” just because they may have the financial wherewithal to do so.

The final speaker at the Risk Institute’s virtual webinar was insurance industry attorney Kirk Pasich of Pasich LLP, who began by touching on the relevancy of the distinction between a “virus” and a “disease.” For the record: the disease (coronavirus/COVID-19) causes the virus (Severe acute respiratory syndrome coronavirus two (SARS-CoV-2)).

Some policies have exclusions for viruses, others have exclusions for communicable diseases. The baseline is that claims come because the spread of the virus can cause the disease. COVID-19 itself is not communicable, but the virus is. Therefore, the closings are to stop the virus. This begs the question, Is there physical loss or damage to property?

Pasich highlights the fact that insurers are likely to argue that the introduction of a virus does not constitute direct physical loss or damage to insured property nor is it a covered peril. This reality is reflected in a letter written March 18 by industry insiders:

“Business interruption policies do not, and were not designed to, provide coverage against communicable diseases such as COVID-19.”

-March 18, 2020, letter, National Association of Mutual Insurance Companies, Independent Insurance Agents & Brokers of America, Council of Insurance Agents and Brokers, and American Property Casualty Insurance Association, to House Committee on Business.

According to Pasich, it depends on the policy language and what jurisdiction the company is in. Courts in individual jurisdictions will be responsible for interpreting that language amidst the current pandemic.

Furthermore, most insurers did not include virus/pandemic exclusions in their policies, despite knowledge of the potential threat since the early 2000s. If an insurance company elected not to use an available, standard, industry-wide exclusion then it can be held accountable for that, Pasich argues. He says there have been many warnings over the last 20 years about this risk and that the industry knew it was coming. It was a question of when not if.

In closing, Pasich reiterates that he doesn’t support changes in state law to force insurance companies to insure what they didn’t assume. But at the same time, those companies shouldn’t be able to walk away from the risk that they knowingly assumed.

The Risk Institute will be sponsoring more virtual webinars in the coming months on topics important to the industry, Risk Institute members, and the community at large. Registration is now open.

As Executive Director Philip Renaud highlights in his closing remarks:

“Be safe, stay well, and follow the CDC orders to wash hands, sanitize, and social distance as we move forward.”

 

Written by: Jack Delahunty, in partnership with the Risk Institute at The Ohio State University