3 things you need to know to succeed in risk

Panelists from the Women. Fast forward panel at this year's annual conference

Disruption and gender diversity are two of the biggest topics facing business leaders today. Both issues are critical to the future of every industry. And they’re closely connected.

The best way to navigate disruption is to harness the power of diverse thinking by enabling people with different experiences, ideas and knowledge to come together in an inclusive culture. Gender diversity is a critical part of the equation. Moreover, gender-diverse leadership is proven to increase the skills businesses need to navigate the disruptive trends transforming their industry.

So what does this mean?

If a person, or company, wants to succeed in mitigating risk, they must embrace gender diversity at every level.

In short, everyone benefits from thinking like a woman.

  • “You need to get comfortable being uncomfortable” — Jessica Jung, Director, Oswald Companies

Achieving success isn’t something that just happens to a person. It requires a lot of hard work, tough choices, and generally being willing to put yourself out there and try something new.

  • Have an entrepreneurial spirit

No matter if you’re the intern grabbing Starbucks for your department or a C-suite executive, don’t be afraid to think outside the box. When approaching any situation, don’t come to the meeting and just point out the risks — offer real solutions.

  • Communicate. Communicate. Communicate.

Every panelist punched this point home — communicate with everyone, from your spouse to your organization and boss. By being an open communicator, you project to others that you are confident, open to compromise, and available.

Each year, The Risk Institute at The Ohio State University Fisher College of Business hosts an annual conference that brings together thought leaders, industry experts, and academics to engage in a dialogue about the latest trends in risk management. This year the conversation focused around governance, culture, and the vital role women play in the field.

One of the Institute’s founding members, EY, cosponsored a panel spring-boarding their Women. Fast forward initiative, which aims to accelerate the achievement of gender parity in business.

The Risk Institute will continue this conversation and others through this year’s Risk Series.

Building responsible and resilient supply chains

Supply chains have become global and highly complex. Building and maintaining a resilient supply chain is a key success factor for businesses operating in a fast-changing world.

EY Climate Change and Sustainability Services (CCaSS) collaborated with the UN Global Compact on the study in an effort to better understand how companies are managing their supply chains in ways that support the objectives of the United Nations 2030 Agenda and Sustainable Development Goals (SDGs).  The UN Global Compact is the world’s largest sustainability initiative and EY has been a participant since 2009.

The report draws on business inputs across geographies, sectors and business models. CCaSS and Advisory Supply Chain and Operations professionals interviewed 70 clients globally to explore how they are embedding sustainability in their supply chains by managing risks and adopting new commitments around human rights, the environment and the well-being of communities in which they operate.

Overall, the study indicates that by improving environmental, social and governance (ESG) performance throughout the supply chain, companies can enhance processes, reduce costs, increase productivity, innovate, differentiate and improve societal outcomes.

Conclusions explored in the report include:

  • Companies are on a continuum from managing risks through creating shared value with stakeholders to achieving differentiation for their products or services;
  • Leaders are achieving competitive advantage in the supply chain through increased collaboration, technology innovation, greater efficiency and supplier diversity;
  • Mature supply chain models integrate buying and sourcing practices with product design and development to enhance sustainability results tied to their manufacturing and service delivery;
  • Currently, only a small percentage of companies have achieved leadership maturity levels that can lead to shared value with suppliers, enable suppliers to operate as an extension of the business and engage in meaningful, collaborative dialogue.

Based on interviews we identified several actions companies can take to further embed sustainability in their supply chains:

  • Assess materiality, to focus on the most pressing issues, taking UN Global Compact principles into consideration
  • Align resources, structures and processes to focus on supply chain sustainability across the organization
  • Train management and suppliers on market practices
  • Invest in diverse and inclusive supply chain partners
  • Stretch existing sustainability goals beyond direct operations, to include tiers of the supply chain
  • Deploy technology to increase accountability and transparency
  • Leverage buying power and influence to trigger shifts toward supply chain sustainability
  • Disclose supply chain information, beyond stand-alone sustainability reporting mechanisms

This post was written and published by EY, one of The Risk Institute’s founding members, in August 2016. To view the original article or download detailed study findings, click here.

Who are Your Disrupters?

By Jim McCormick
Founder and President
Research Institute for Risk Intelligence



So, let’s say you’ve decided that you need to cause some disruption in your industry.  You have come to see the value of the mantra of The Risk Institute and want to “leverage risk to create value.”

Likely at the core of your decision is the need to strengthen your competitive advantage.  Perhaps you need to respond more quickly and effectively to changes in the competitive environment such as –

  • new competition from unexpected sources,
  • competitors with new products, offerings or distribution channels, or
  • competitors with cost structures you cannot currently match.

Or perhaps you need to be more responsive to changes in the marketplace like –

  • new payment methods,
  • generational preference changes, or
  • transient customers or clients with no loyalty.

It may be that you need to up your game on the innovation front and develop more new products, services and methods.

So, who do you put on the team that is going to drive the disruption?

  • All risk-takers so they will charge ahead?
  • Perhaps people who are all risk-averse so they won’t do anything crazy?
  • Or a healthy mix to achieve some balance?

But how do you even know the Risk Inclination of your people?

At the Research Institute for Risk Intelligence, we have spent a lot of time and effort studying personal risk inclination.  Because like The Risk Institute at Ohio State, we feel it is vital that organizations move away from conventional risk management and its emphasis on minimizing risk to the more current approach of utilizing risk.  And that process of utilizing risk to create or respond to disruption requires understanding the risk inclination of your people.

Because fueling innovation, inspiring initiative and attaining organizational agility are not just desirable – they are now mandatory if your organization is going to survive and prevail in today’s hyper-competitive, technology-accelerated, global world of business.

At The Risk Institute’s annual conference October 7 and 8 I will discuss these issues and provide insights that will help you answer these questions.  I will present insights based on our research into personal risk inclination that will help you better lead and persuade.


Cyber Security: About Whale Phishing, the Deep Web and the Dark Net

By Professor Ingrid M. Werner, Risk Institute Faculty Member, and Martin and Andrew Murrer Professor in Finance at The Ohio State University Fisher College of Business.

October 28, 2014


The attendees at The Risk Institute Launch and Conference last week learned two new terms from cyber-space: Whale Phishing, and the Deep Web and Dark Net. These terms were introduced by Mr. Jeremy Kroll, CEO and co-founder of K2 Intelligence, who discussed effective strategies for managing cyber security risks faced by businesses around the world.

Whale Phishing

Whale phishing is a new form of cyber crime in the general family of hacker strategies known as spear phishing.  Generally, phishing scams cast a wide net and hope that a few foolish individuals click on the attachment or link in an e-mail, compromising the security of their computer or financial account.  Spear phishing instead targets specific individuals or organizations, aiming to harvest financial information or trade or military secrets that can be used for financial gain.  Whale phishing, or simply whaling, takes this practice to a new level by targeting senior executives and other key leaders in an organization.  Vircom Guest Blogger Megan Horner, Marketing Coordinator at TrainACE, lays out the strategies commonly used in whale phishing attacks, and also explains what to look out for in an article here.

A spear phishing scam targets an employee with access to sensitive information or financial accounts.  It takes the form of an email that looks as if it was sent by a person in a position of authority within the company (the boss) or from outside (a regulator).  For example, a staff member in the purchasing department may get an e-mail from IT requesting that the individual log in and reset his or her password.  Malware is used by the attacker to direct the individual to a fake website which is designed for the sole purpose of capturing the username and password, which are then used to access the organization’s network.  The access can be used to manipulate accounts, transfer funds to external accounts, or simply to download sensitive information.

You guessed it, a whale phishing scam follows the same strategy but targets senior management.  The emails used are personalized and often extremely well-crafted, using corporate logos and HTML templates to convey a sense of authenticity.  The sender’s address looks like it comes from a known person or organization, and the message often alludes to a sensitive and urgent business matter.  Finally, the matter raised is one that requires the intervention of senior management.  For example, it may be a subpoena, and the official-looking email instructs the CEO to click a link to download special software so they can view the subpoena.  According to Megan Horner, a scam like this targeted an estimated 20,000 recipients.  Shockingly, about 10 percent responded and thus downloaded the malicious software, so-called malware.  In addition to being used to display the fake subpoena, the malware was actually a key logger that captured anything the CEO typed, including network access credentials and other sensitive information.  Using the opened door, the phishers then launched attacks against the corporations to harvest information, manipulate accounts, and transfer funds to external accounts controlled by the phishers.

How does senior management avoid being caught in a whale phishing scam?  Megan Horner lists the following red flags for managers who receive emails with urgent calls to action involving confidential data.

  • The email requires a download or website visit in order to view an official document.
  • The sender’s address is similar but not identical to a familiar one.
  • The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
  • A website requesting personal data does not use encryption. Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign.
  • The communication contains supposedly confidential information that in reality is publicly available.

She also suggests that if you cannot quickly verify an email’s authenticity you should immediately call IT Security.  This is good advice for employees and senior managers alike!
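Several of the red flags listed above (forced download to view a document, a near-miss sender address, an urgent legal pretext, a link without encryption) can be checked mechanically before a message reaches an executive. The Python below is an added example, not code from the original article or from Megan Horner's piece; the trusted-domain list, keyword patterns, flag names and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: trusted domains and keyword lists are hypothetical.
KNOWN_DOMAINS = ("corp.example", "court.example")
URGENT = re.compile(r"\b(urgent|immediately|subpoena|legal proceeding)\b", re.I)
VIEW_DOC = re.compile(r"\b(download|install|click)\b.{0,80}\b(view|open|read)\b", re.I | re.S)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; not a real e-mail.
SAMPLE = """\
From: "Clerk of Court" <clerk@c0urt.example>
Subject: URGENT: subpoena issued

You must download the viewer software to view the subpoena:
http://c0urt.example/viewer
"""

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (1-2 edits away), else None."""
    if domain in KNOWN_DOMAINS:
        return None
    return next((k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2), None)

def red_flags(raw_email):
    """List which of the red flags a single-part plain-text message trips."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    if VIEW_DOC.search(body) and URL.search(body):
        flags.append("must-download-or-visit-to-view-document")
    if lookalike_of(domain):
        flags.append("sender-resembles:" + lookalike_of(domain))
    if URGENT.search(msg.get("Subject", "") + "\n" + body):
        flags.append("urgent-legal-matter")
    if any(u.lower().startswith("http://") for u in URL.findall(body)):
        flags.append("link-without-encryption")
    return flags
```

Calling `red_flags(SAMPLE)` returns all four flags for the constructed message; the fifth red flag (supposedly confidential information that is actually public) needs human judgment and is not covered.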

The Deep Web and the Dark Net

We have just gotten used to the word cyber-space, and now people start talking about the “Deep Web” or the “Dark Net.”  This is not some imaginary part of the universe, but rather a part of the web that is not accessible to the general public. It is a place where cyber criminals roam and is used for trafficking in drugs, guns, pornography, and credit card information but also in state and military secrets.  According to Amy Wilson, a blogger at K2 Intelligence, an estimated 80% of all online activity takes place in the deep web.

Amy Wilson also explains that the World Wide Web is tiered.  The top layer is the surface web, which is indexed by our popular search engines such as Google, Yahoo, and Bing and is the place where most of us get news, engage in e-commerce, and share information about organizations and individuals.  The next level is the deep web, which is not accessible using popular search engines, as users need passwords or other credentials to get through the door.  The closed access is often used by hackers, for example in whale phishing attacks, to set up temporary web sites where stolen information can be sold to the highest bidder.  The third level is the dark net, which, in addition to requiring passwords or other credentials, requires the user to surf anonymously by using applications such as Tor, I2P and Freenet.

The deep web recently gained publicity through the 2013 shutdown by the FBI of the Silk Road, a site for mail-order drugs run by “Dread Pirate Roberts” and operating on the dark net.  The FBI arrested Ross William Ulbricht, who they claim was the Dread Pirate Roberts running Silk Road.  While Ulbricht is awaiting trial, and his site is closed down, law enforcement is not necessarily more on top of the mail-order drug business than before.  The reason is that when the monopolist Silk Road closed down, it opened up the market for a slew of tiny drug trafficking bazaars that cropped up on the dark net, leaving law enforcement with an even bigger problem.

While the most highly-prized targets for cyber criminals are financial institutions, Amy Wilson points out that there are plenty of examples of less obvious victims. These include Sony’s network of PlayStation users, which was hacked in 2011, leaking almost 80 million accounts with personal information that was subsequently published online.  Similarly, Goodwill had a credit card breach recently where malware was installed on a third-party system used to process credit card payments, compromising almost 900,000 credit cards.  More information on the Goodwill breach can be found here.

Amy Wilson also provides advice for companies on how to protect themselves against cyber-crime.  The first line of defense is to have a comprehensive cyber security strategy in place.  The second line of defense is to have a constant flow of intelligence scanning the deep web on your behalf.  The number of reported cyber security incidents increased 48% to 42.8 million in 2014 compared to 2013 according to PwC (http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf), so companies clearly need to heed her advice!