Enterprise Risk Management Services for State & Local Government

Drew Zavatsky
Section Manager, Loss Prevention Program
Office of Risk Management
(360) 407-8155
drew.zavatsky@des.wa.gov

Overview

During this session, we will cover:
-- legal basics,
-- a review of Enterprise Risk Management, and
-- some new trends.
Legal basics

• Typically, states have sovereign immunity
• Washington waived immunity in 1961
• Agencies can be sued just like private persons
• Washington is self-insured – RCW 4.92.130

Local Government Basics

• Immunity waiver also applies to counties and cities
• Three types of risk pools:
  • Local Government Property and Liability
  • Individual and Joint Health Benefits (both under RCW 48.62)
  • Affordable Housing Property and Liability (RCW 48.62)
• All pools operate under rules established by the State Risk Manager, who has a regulatory function

Local Government Basics (cont.)

• By request of a municipality, the State Risk Manager also may buy (or use a broker to buy) property and liability insurance for the city, county, or special purpose district. - RCW 43.19.772
• One risk related to contracts for municipalities, from Washington Constitution, Article XI, §14:
  PRIVATE USE OF PUBLIC FUNDS PROHIBITED. The making of profit out of any county, city, town, or other public money . . . by any officer having the possession or control thereof, shall be a felony . . .

Tort Liability Basics

• What is a tort? A civil wrong.
• State tort financing via the SILP. RCW 4.92.130
• Commercial insurance is purchased to cover property loss in certain circumstances.
ERM Defined

ERM is a coordinated method of performing risk management that considers every aspect of risks that affect agency goals.
• Includes all agency programs and operations (no more silos)
• Requires open communication from all levels of the organization about goals, operations and issues
• Results in a high-level review of the most severe risks to achieving all agency goals
• Creates a coordinated way to identify and assess opportunities
• In 2011, ERM was adopted as the American Standard for risk management – ISO 31000

How ERM Defines ‘Risk’

Risk: anything that can interrupt the achievement of your goal on time
Opportunity: the ‘flip’ side of risk: anything that results in over-achievement of your goal

The ERM Method (ISO 31000)

1. Clearly state the goal
2. List risks and opportunities
3. Evaluate each risk/opportunity
4. Prioritize risks/opportunities
5. Respond (Mitigate/Seize)
6. Make a Register
7. Communicate Results

Risk/Opportunity Register

• A Risk/Opportunity Register is a list of priority risks/opportunities & an overview of how you will handle them
• A register functions as a dashboard for managing risks and/or opportunities – and therefore goals
What is a privacy breach / security breach?

A privacy breach is the theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third party corporate confidential information that is in the care, custody or control of the organization or an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the Organization.

A computer security breach is:
• the inability of a third party, who is authorized to do so, to gain access to an organization’s systems or services;
• the failure to prevent unauthorized access to an organization’s computer systems that results in deletion, corruption or theft of data;
• a denial of service attack against an organization’s internet sites or computer systems; or
• the failure to prevent transmission of malicious code from an organization’s systems to a third party’s computers and/or systems.
• Incident vs. Breach

How do data breaches occur?

• Intentional
• Accidental
• Internal
• External

[Chart: Percentage of breaches by threat type. Source: Verizon, 2013 Data Breach Investigations Report]

Are you at risk? Ask your team.

• Has your organization ever experienced a data breach or system attack event?
• Does your organization collect, store or transmit any personal, financial or health data?
• Do you have a solid incident response plan in place?
• Do you outsource any part of computer network operations to a third-party service provider?
• Do you partner with businesses, and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect/touch their systems?
• Does your posted Privacy Policy actually align with your internal data management practices?
• Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
• Where is your data?

Vendor management and requirements

Due diligence on vendors – some suggestions:
• Transparency
  • Who handles administrative rights?
  • Who has database and network access?
  • Get access logs
• Include a right to audit your vendor
• Ask for documentation
  • Copy of security risk analysis, outside reviews, third-party audits
  • Documentation that implemented corrective actions or addressed deficiencies
• Verify use of encryption
  • All portable media
  • All network communications
  • Ask about encryption of data in storage area networks, or SANs
• Remember, your indemnification agreement only has value if your vendor can actually pay….
Complacency? What do you mean?

What is complacency? Self-satisfaction, especially when accompanied by unawareness of actual dangers or deficiencies. (Merriam-Webster Dictionary)

Let’s think about solutions

What is the opposite of complacency? If complacency is being unaware of actual dangers or deficiencies, then we need to be:
• Aware
• Inquisitive
• Open-minded

Example: safety at work

How best to remain vigilant about safety? We create Safety - in our practice. In order to change our practices we need to change our thinking. One simple change improved the safety in state prisons . . .

Example: safety at work

My Safety is My Responsibility
Your Safety is My Responsibility
Place Safety is Our Responsibility

It takes all of us to create a culture of safety. It takes all of us to fight complacency.

What we covered today

• Learned about legal basics
• Heard highlights of the actuary’s report on state tort liability
• Got some ERM tools for using risk intelligence at work (registers, the three questions)
• Heard about new trends – cyber insurance and complacency risk
• Thank you for participating!

Drew Zavatsky
Office of Risk Management
Department of Enterprise Services
1500 Jefferson Street
Olympia, WA 98504
(360) 407-8155
drew.zavatsky@des.wa.gov