In many ways this year’s Risk Institute Annual Conference hosted by the Fisher College of Business was both the best in recent years and certainly the most unique. The global COVID-19 pandemic challenged the traditional format for the conference and questioned its ability to be delivered. However, within these challenges, the Risk Institute found the opportunities to deliver what may have been the best conference in recent memory.

Both speakers and attendees were provided new opportunities to engage with the Institute and the conference. With the support of video conferencing and Zoom, the conference was able to attract speakers and attendees from across the globe. The value of this global diversity was on full display throughout the conference with many of the speakers being from outside of the immediate Columbus, Ohio region and many from international backgrounds.

This increased global flavor was a key aspect given the conference’s theme of Geopolitical Risk. Not surprisingly, the growing risk posed by China to both the US and its Allies was at the forefront of many of the conversations during the conference. However, this risk shared the stage during Baroness Pauline Neville-Jones’ discussion with the new risks posed by fraying western alliances. During Baroness Neville-Jones’ discussion of the US and its recently contentious relationship with western allies took center stage. Baroness Neville-Jones provided analysis and advice based on her more than 50 years of experience in international relations and security. Many attendees, including myself, were delighted to hear her share support for western alliances and the value they have in managing global risks effectively. Baroness Neville-Jones also provided the attendees cautious warnings about the increasing global risk of cyber-terrorism and cyber-warfare.

As our conference continued, we dove further into the global risk facing all of us as global citizens, not just as citizens of our respective nations. Our sessions also began to welcome more corporate practitioners. This was notably valuable to me as a graduate student to hear the practices of successful companies and how they address the topics we discuss so thoroughly in the classroom and corridors of the Fisher College.

The Risk Institute’s 2020 Annual Conference was unlike one we have ever seen. The national and global environment under which the conference took place can only be described as challenging. Despite our distance in the time of COVID, we are more connected than ever before and more reliant on each other to manage the risk we all face. This conference allowed us to reflect, expand our knowledge, and propel ourselves forward into our professional passions.

The Risk Institute is pleased to have Rt Hon Baroness (Pauline) Neville-Jones speak at this year’s Annual Conference on September 22nd and 23rd.  As a conservative peer in the UK House of Lords and National Security Strategy Joint Committee Member, she will offer a fascinating perspective on geopolitical risk.  She and Moderator Mark Policinski, CEO of the Ohio-Kentucky-Indiana Regional Council of Governments, will talk about how risk mitigation is now a way of life.  Read below for a preview of some of the topics that will be discussed. Don’t forget to register for the conference!

“Great Decoupling”: Current Geopolitical conversations speaks to the “Great Decoupling” where the US/Chinese tech sectors are disrupting the bilateral flow of technology, talent and investment. Can you speak from your experience on what appears to be a rapidly developing geopolitical risk and/or opportunity, depending upon perspective?

Baroness: The decoupling has gone beyond bilateral trade issues and is beginning to oblige third countries to take sides.  We are on the edge of a new political split in the world which will dominate the international scene for many decades.  Unlike the Soviet Union which competed effectively with the West only in defence and nuclear industries, China is very competitive economically and technologically and is willing to subsidise its exports to third countries.  She does not have much soft power attraction but plenty of hard power and will be a formidable challenger of Western democracies.  As risk escalates in the cyber world and the danger of physical conflict eg in the S China Sea or over Taiwan, increases, the US needs to develop a joint China strategy with her European and five Eyes Intelligence allies. It is short sighted to ignore them.

Multinational corporations (MNC’s) are facing greater pressure from political officials on issues ranging from cyber security challenges, slowing global growth and widening social inequality. Interested in your perspective from government on these areas. 

Baroness: COVID, slowing growth and widening inequality (partly the result of Chinese competition and – especially in the US – tax policies-) the role being played by big corporations is attracting attention from government.  In Europe the state is growing once again and paying for it and for COVID losses is likely at some point- not immediately- to result in increased corporate taxation and more progressive income tax.  The social and political role of the giant tech companies is also controversial and likely to result in more regulation.

Articles are appearing mentioning Geopolitical Europe as a framed discussion.  Some speak to that the EU should defend itself more aggressively against competing economic and political models. As someone who has more exposure than we do in this region, very interested in your perspective on regulation, trade rules enforcement and tariffs on certain tech products, especially technology. 

Baroness: European attitudes to economic competition can often be very defensive, betraying lack of confidence in European capabilities.  France in particular has a long history of protectionism where as the free trade tradition is much stronger in the UK and Germany.  The new element is the growing feeling that the US is no longer much of a friend politically or economically and the more the US acts alone in the world and does not offer inclusive leadership,  the more the EU sees itself as a separate entity with competing rather than cooperative territorial jurisdiction. In this climate cooperation on issues affecting data can get very difficult as priorities diverge.

Politics versus the economics of Climate change.  The world appears on a collision course between government, investors and society when choosing between ambitious investment to reduce emissions and corporate bottom lines. Especially true as global warming trends continue, frequency and intensity of storms grow, all coupled with the Covid-19 Pandemic.  How do we manage to accomplish all this in the shorter term? 

Baroness: European attitudes to economic competition can often be very defensive, betraying lack of confidence in European capabilities.  France in particular has a long history of protectionism whereas the free trade tradition is much stronger in the UK and Germany.  The new element is the growing feeling that the US is no longer much of a friend politically or economically and the more the US acts alone in the world and does not offer inclusive leadership, the more the EU sees itself as a separate entity with competing rather than cooperative territorial jurisdiction. In this climate cooperation on issues affecting data can get very difficult as priorities diverge.

Interested to hear your thoughts on the United Kingdom’s Geo-Strategic plans in the post-Brexit world.  Any thoughts on the UK’s hopes for US policy?

Baroness: I would feel more comfortable if I felt the UK government had worked out what it wanted to do in the world post Brexit.  Slogans like Global Britain are just that.  The commitment to free trade is genuine enough but the UK has to face the fact that trade agreements do not result in Christmas presents.  Relations with the EU are currently fraught with the increasing possibility of no agreement at the end of the transition period on 31 December 2020.  The UK/Canada/Australia/NZ political and trading quadrilateral is set to grow.  And relations with Japan are developing well. The UK needs to make the most of our strength in services, in data technologies, the medical and bio sciences, in the quality of our universities.  We will retain a military and intelligence capability. The relationship with the US is very important to us but for all that the current Administration supports Brexit,  I do not think the bilateral relationship is on an especially sure foundation currently.  Trust is a commodity in short supply in the world.

Register here to hear from Baroness Neville-Jones on September 22nd!

The Risk Institute is proud of the annual conference topics we have hosted over the past few years. We have always sought to highlight wider Enterprise Risk issues that are currently facing our community and membership. That said, our topic chosen for the 2020 Annual Conference, GeoPolitical Risk is one that will influence and shape our future in multiple ways. By definition, the traditional conversation about GeoPolitical Risk centers around how geography and economics influence politics and relations between countries.  These are all true statements, but the world in the 21st Century, and as such, GeoPolitical Risk, is so much more complicated. We are now in the midst of a global pandemic, that in many ways is shaping how we as citizens of the world respond, to the greatest crisis faced in the last 100 years.

As we think of Geopolitical Risk in the 21st Century, so many things come to mind.  Topics like US/China decoupling, Cyber Risk and the Repercussions of the Digital Age, Changing Global Order, and Geopolitical Consequences of Migration are but a few examples of GeoPolitical Risk facing society.

Our sessions during these two days will seek to explore these and many more GeoPolitical Risks our world faces.  We are very fortunate to be able to bring a true global representation of experts, that will approach the topic from an Academic, Political and Business perspective.   We are confident The Risk Institute will be able to provide a much deeper understanding of the topic when considering the varied perspectives of our world class line up of experts.

For details and registration for the Annual Conference, click here.

We asked our members how their companies have managed risk during the COVID-19 Pandemic to continue their operations and avoid financial distress. We identified that a majority of respondents have navigated risks (and opportunities) well during the pandemic due to their strong risk management and liquidity positions built prior to the shock. However, for many firms, there have been significant changes in how they do business. Significant uncertainty about the future of their businesses remains real, making the role of corporate governance and Enterprise Risk Management (ERM) even more vital.

We surveyed risk executives from about 80 firms, spanning a wide range of firms in terms of revenue: About 35 percent had less than $100 million; 20 percent had more than $10 billion; and 45 percent were mid-sized in terms of revenue as of fiscal year end 2019. Out of these surveyed firms, 42 percent are financial firms from Insurance and Banking industries. Among nonfinancial firms, Professional Services (12 percent), Retail and Wholesale Trade (7 percent), and Food, Beverage & Franchised Restaurants (6 percent) are three industries with the largest representation.

Liquidity (cash flow) risk is ranked as one of the top risks not only during the crisis but also before the COVID-19 shock:

As firms had recognized the importance of liquidity prior to the pandemic, most of them were not liquidity constrained when the crisis hit, with only about 5 percent of respondents reporting they were illiquid while 64 percent responded that they had stored liquidity as cash holdings.

Firms that needed more liquidity during the COVID-19 shock mostly borrowed from banks through existing lines of credit and new loans (12 percent) or from the government-sponsored borrowing facilities (10 percent).

 Majority of firms were highly resilient to the COVID-19 shock:

Although 68 percent of firms experienced a revenue decline, 76 percent of respondents reported that they were highly resilient: 77 percent did not furlough any associates at all; 65 percent did not close any locations; 83 percent of firms did not experience any change in their ability to secure insurance neither in terms of capacity nor cost; and almost all of the firms that deemed essential had the ability to meet customer demand.

Better governance and increased ERM helped in bad times:

About 40 percent of firms responded that their board of directors have been more engaged since the COVID-19 shock hit, with the risk and audit committees meeting more regularly. In about 30 percent of firms, the ERM function has been more involved in assessing risks related to the COVID-19 pandemic! While risk appetite of most firms (71 percent) did not change during the shock, 12 (17) percent of firms said they increased (decreased) their risk appetite due to the shock.

Over the past few years, firms have been discovering that using a comprehensive and integrated risk management approach leverages collaboration across business functions, increasing their ability to achieve corporate objectives and enhance shareholder value.  The COVID-19 shock has been a real stress test for risk management of both financial and nonfinancial firms. Our survey results confirm that strong governance and enterprise risk management have helped firms manage their cash flow and other risks associated with the crisis. We look forward to continuing our conversation about risk management with you in the future as we know ERM will continue to help firms survive shocks like the COVID-19 pandemic, balance their risks, and create value for their stakeholders.

Written by: Isil Erel, David A. Rismiller Chair in Finance; Academic Director, The Risk Institute at The Ohio State University Fisher College of Business

Ohio State’s Risk Institute at the Fisher College of Business continues to adapt and find creative ways of leading the pack and maintaining connections with innovative industry leaders and partners within the community. On June 23, over 100 nationwide businesses collaborated via Zoom for a virtual webinar to discuss Business Resilience.

This topic, which historically has been of paramount importance – in the current climate of the global COVID-19 pandemic – has taken on new meaning and necessitates conversation with a sense of urgency. The disruption, coupled with the expansion of digital commerce and the increasing complexity of supply chains, forces the industry to innovate, consider new tools and processes, and alternative approaches to build resiliency.

In this conversation, industry experts discussed supply chain vulnerabilities and identified ways to build internal and external collaboration to reinforce the enterprise resilience ecosystem.

Speakers included Keely Croxton, OSU Professor of Logistics and Co-Director of Full Time MBA Program and Joseph Fiksel, OSU Professor Emeritus, Integrated Systems Engineering, Former Executive Director, Center for Resilience, and facilitator Philip Renaud, Executive Director of the Risk Institute.

Resilience is seen as the capacity to survive, adapt, and prosper through unpredictable and turbulent times. Business resilience can be seen as an opportunity, during disruption, to bounce forward and find solutions to stabilize communities, supply chains, and resources.

“The increasing volatility, complexity, and ambiguity of the world … calls for a resilience imperative – an urgent necessity to find new opportunities to mitigate, adapt, and build resilience against global risks through collaboration among diverse stakeholders.” – WEF Global Risk Report, 2016

The World Economic Forum’s (WEF) top cascading forces for challenging business resiliency are as follows: Ecological/Environmental, Political, Economic, and Societal. In 2020, specifically, the top-ranked long-term global risk focus was on environmental threats (from storms and tsunamis to wildfires); Pandemics were not only receding as a perceived threat but also were identified as being one of the least likely to occur.

COVID-19 is perceived as a “black swan” event, blindsiding the industry, and serving to highlight the limitations of traditional Risk Management, which has historically followed a more systematic, linear trajectory. This approach illustrates that one can’t necessarily anticipate what risks will arise nor which ones will cause the most harm.

Armed with this information, it’s apparent that adaptation to a changing risk environment needs to be at the forefront of the conversation for risk professionals. Risks cannot always be anticipated, they may be hard to quantify, and adaptations may be needed to remain competitive. We are urged to ask, how can we be proactive, is there a more effective response, what can we do differently and, in turn, leverage our competitive edge?

In an age of global turbulence, resilience is a key competency for corporations. How can a company improve the resilience of its supply chain processes so that it can recover rapidly from unexpected disruptions, assure business continuity, and adapt effectively to changing external conditions?

Croxton identified vulnerability factors exposed by a disruption such as the COVID-19 pandemic. These include turbulence, deliberate threats, external pressures, resource limits, connectivity, and overall sensitivity. In turn, she identifies the concept of capabilities, which act to balance out or diffuse the vulnerability factors.

Let’s take turbulence, for example, COVID-19 would fit into this category, along with natural disasters, political disruptions, currency fluctuations, demand volatility, and/or technology failures. Capabilities that counteract turbulence might include Collaboration (such as risk-sharing with suppliers), Organization (such as creating a problem-solving culture or utilizing a diverse skill repertoire), Market position (for example using existing ties within a community and/or having loyal customers that support the brand).

According to Fiksel and Croxton, a company’s goal is to be in the “zone of balanced resilience”.

The audience is introduced to an innovative purpose-built tool that companies can utilize in their pursuit of reaching this zone of balanced resilience. SCRAM™, developed by researchers at The Ohio State University in collaboration with the U.S. Air force, Dow Chemical, and L Brands, among others, is a facilitated process supported by a computer-based toolkit, that provides a diagnostic assessment of an organization’s preparedness and fitness for coping with turbulent change.

The process offers businesses a unique, comprehensive approach to understand the pattern of their potential vulnerabilities and to design a portfolio of supply chain capabilities that will offset those vulnerabilities. This not only creates shareholder value, but strengthens a company’s capacity to survive, adapt, and flourish – this opposed to the more conventional risk management approach of “steer and adjust.”

The Chinese word for “crisis” (simplified Chinese: 危机) is composed of two Chinese characters signifying “danger” and “opportunity” respectively. Fiksel takes this opportunity to remind attendees that every disruption, no matter how damaging, provides a learning opportunity and a chance to bounce forward.

The Risk Institute will be sponsoring more virtual webinars in the coming months on topics pertinent to the industry, Institute members, and the community at large.

September 22-23 is The Risk Institute’s Annual Conference, featuring two sessions per day from 10:00-12:00 and 2:00-4:00 EST. Registration will be opening soon.

Written by Jack Delahunty in partnership with The Risk Institute at Ohio State’s Fisher College of Business

Speakers: Helen Patton (Chief Information Security Officer, The Ohio State University), Emre Koksal (Founder, DAtAnchor, Professor, The Ohio State University), and Dakota Rudesill (Assistant Professor of Law, The Ohio State University, Moritz College of Law).

In response to what seems to be evolving as the new normal, Ohio State’s Risk Institute at the Fisher College of Business, in partnership with representatives from the insurance industry, found an innovative way of discussing some of the pertinent questions surrounding COVID-19’s impact on business with over 300 listeners through a virtual webinar on Zoom, June 10, 2020.

When asked what keeps them up at night, many risk professionals place cybersecurity near the top of their lists. With the changes in how we work amidst the COVID-19 pandemic, this discussion around cyber risk – particularly the protection of data – becomes even more relevant.

Previous to the outbreak, it was not unusual for a portion of the workforce to work from home, at Starbucks, or the airport. For years security teams have had to work across multiple clouds, with multi-national companies, and with workers in differing locations and on a variety of platforms and devices. This in itself is not new, but the degree of which is. The first speaker of the afternoon, Helen Patton, views the current changes as not necessarily an acceleration or drastic change in risk profile, but more a change in the risk flavor.

Every time an employee works remotely, an organization’s security team has to monitor and secure that user’s endpoint. When thousands of employees are at different locations, this becomes a near-impossible task. Furthermore, when working with associates outside an organization, companies have to find ways to verify that vendors are doing what is expected to maintain security and processes are in place to leverage the relationships to protect both parties.

In this new normal of distributed workers, it’s harder to rely on technology to control the work environment. Risk is the human element. It’s now “easier” for employees to make “bad” risk choices, therefore training and processes are more important than ever to guide them to make “good” risk choices.

Accompanying this problem is the fact that data is ever-growing, and it all needs to be stored, replicated, and shared accurately. Each step heightens the risk. There are an average of 25 data breaches every day, varying in scope, frequency, targets, and attackers. According to a report from IBM, in 2019 the average data breach cost $3.92 million, with the healthcare industry experiencing the most expensive and damaging losses, at an average of $6.45 million per breach and an average loss of 25,575 records.

In early-March, during the first weeks of the COVID-19 shutdowns, some sectors saw a doubling of attacks. According to research undertaken by Barracuda Networks and Cloudflare, phishing emails have increased 667% since the end of February, while general cybercrime activities increased by 37%.

To protect themselves and their organization from data breaches or cyberattacks, people working from home are advised to keep their personal online activities separate from work and to ensure their systems remain updated as the first line of defense, as home computers are often non-secured and operating on a home WIFI network. Tools like Virtual Private Networks (VPNs) can help protect data and online connections, but workers may need to adapt in other ways.

This is where the second speaker, Emre Koksal, and his discussion around data security – in particular a security model called “Zero Trust” – comes into play.

 Zero Trust Security, a Data-Centric Approach

Koksal began his discussion by pointing out that many network security protocols don’t offer adequate protection against today’s cyber criminals. Currently, most organizations have a network-centric approach, where data is confined to and accessed via a protected network. This data is created and stored outside the network, so organizations rely on 3^rd parties for fully distributed generation and storage that permits full access for its remote workers. He reminds us that almost any organization’s data is worth stealing and with a large majority of people working from home, this valuable data is being consumed over shared, potentially vulnerable infrastructures.

Because of these complexities, there’s no way to track openings or vulnerabilities in a network. In this new normal, this network-centric security approach is not enough, the reason being that it’s not sufficient to focus solely on protecting the network. The focus needs to be on protecting the data itself through a data-centric approach. Enter Zero Trust, an information security model that does not implicitly trust anything inside or outside its network perimeter. Instead, it requires authentication or verification before granting access to sensitive data or protected resources.

The philosophy behind it is this: anytime a user is connecting to a website or application they are given
“zero trust” until they can prove they are secure. This is particularly important for remote work, as workers often change locations or internet networks. Each time a user tries to access data, it must be clear they are abiding by rules of organization and that they have permission to access it. This way, from a security standpoint, it doesn’t matter where the data is accessed.

With Zero Trust there is no notion of securing a network boundary (the network-centric approach), rather, data is its own security boundary – so the security travels with the data. Zero Trust also utilizes multi-level encryption, which translates data into another form, or code, so that only people with access to the keys can access it. With this approach, boundaries are built around the data and the keys, not around the network itself.

This security model helps eliminate data loss and maintain control of files even when employees are connected to personal networks, on personal devices. Zero Trust’s data-centric security solution also enables access and data sharing without an organization having to fully give up ownership of the data.

State of the Art in Zero Trust:

• Military-grade encryption made simple (can be applied for all data everywhere)
• Fully transparent to the legitimate user (they won’t even know that there’s something between them and the data)
• Geofencing and location tracking (for employee accountability)
• Real-time audit logs (who accessed what and when)
• Governance rules baked into key manager (leading to dynamic revocation if rules are broken)

Impact on Business:

• Retain control of sensitive data, even outside office walls
• Simplified compliance (HIPAA, GDPR, NIST, CCPA)
• Secure and frictionless data sharing
• Monitoring and real-time audit logs
• Secure workflow for remote workforce
• Low IT overhead

Balancing Liberty and Security in the New Normal

The new normal of increasing numbers of remote workers has prompted changes in regulation. Organizations falling under the scope of data protection regulations and standards like PCI DSS, HIPAA or GLBA, have now been forced to reconsider their stance on remote work and have begun adopting it as a strategy across the board.

Some compliance measures for confidentiality have already been suspended to help sectors such as telemedicine be more accessible and improve their ease of use. Business processes are being altered. Changes are being considered to allow for an easier digital transmission of data and digital signatures.

The Risk Institute’s third speaker, Dakota Rudesill, talked briefly about privacy, or more specifically the balance between liberty and security, as a potential obstacle in this new normal. Most workers – and certainly customers – don’t want to be tracked.

Consider the opposition of some to COVID-19 contact tracing. To let Apple or Google track where you go is a risk choice for yourself but also for the community around you. People are more likely to be comfortable being tracked, driven by a focus on public health, but less likely if the information could be used for marketing or purposes that might be considered an invasion of privacy.

Moving forward, this balance between liberty and security is only going to get tougher, especially as the Internet of Things (IoT) continues to exponentially infiltrate our homes and offices. As of now a clear end to the COVID-19 pandemic is impossible to determine, but when that happens, the question is will these current changes in-the-making become the new standard or will things snap back to the way they were before?

Written by: Jack Delahunty, in partnership with The Risk Institute at The Ohio State University