It’s my first day on the job as the new municipal risk manager. I am excited for sure, but then I realize that the “Culture of Risk Management” is nearly absent. My excitement dwindled to an anxiety of how in the world can I turn around this very large ship of “that’s not my job,” to a team of “I am the risk manager.”
My first advice is to assess where you are now. Do employees know how and when they should report incidents and accidents? Do employees actually follow that procedure? Is compliance training up to speed? Are policies in place that support my organization’s goals and objectives? Are incidents and accidents reviewed by peers and then the message of prevention shared? How is risk management viewed by my supervisor, directors and the employees at large? Maybe the most important question is: who do the employees think the risk manager is?
Other signs that a risk management culture was seriously lacking were also obvious: a high experience modification factor, a number of frequent flier claims, late reporting of incidents and accidents, a lack of near miss reporting and a view that risk management was... over there somewhere.
And so it began. I had to slow down and recognize that this is a 3-5 year change process.
I first had to start with what is most important and will have the largest positive impact with the least amount of resistance. Small wins early on build credibility and foster inclusion of risk management.
I have come to learn that the secret to building a positive culture is, you guessed it, people. Begin by sitting down with directors and key leadership to talk about risk management. Find out what they believe it has been, what they see it as today and how they envision risk management in the future. To be clear, this meeting is NOT about risk management, but about building the foundation of a working relationship and teamwork with the organization’s leadership. The side benefit is you will get to learn about their department and to educate them on how, when and where risk management can help them meet their objectives. At the same time, invest a few hours every month in “ride alongs” with the employees on the ground: police, fire, sanitation, public works and other departments you serve. Always keep in mind that to achieve desired results, you must have the support of the employees or progress will be severely impaired.
Then, policies need to be current and in place to provide direction to the employees and to assist in meeting the organization’s goals. Remember, small steps. This is a 3-5 year plan of teamwork. Networking and a series of small wins is the course.
Reporting of incidents and accidents is also most critical. Make your reports short and easy to understand in a form that can be easily emailed. When I first arrived at my entity, the ONE and ONLY report form was 13 pages long and contained sections that seemed to duplicate each other. A large percentage of the time, the reports were not completed, or were not sent to risk management promptly, or at all. The structure today is outlined in a how-to manual broken into specific loss sections. The instructions are on one page and the corresponding report form is one or two pages long. The objective is to be in the loop as soon as is practical and to make it easy for employees to make that happen.
When a new training program is first designed, polished and ready to roll, the first audience is the department director. After review, look for input into making changes, adds, deletes and most importantly, ask the key questions.
We professional risk managers are really risk consultants. Our role is to grow and nurture employees to understand their role as risk manager and encourage concepts like “Stop Work Authority,” “I am the Risk Manager,” and “My Voice Matters,” to move the needle to a culture of risk management.
I did not realize how far we had moved the needle until one day, in a large auditorium filled with employees, I approached the podium and asked a question. “So, who is the risk manager?” Over the background music the resounding reply of hundreds of employees was “I AM.” It brought a tear to my eye, for in that moment I realized we were there.
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*

By: Dean Coughenour, ARM
Risk Manager, City of Flagstaff, AZ
Dean is the risk manager for the City of Flagstaff and directs their Risk Management Department, managing a comprehensive risk and safety program that includes reducing risk factors, grass root integration of the risk management decision matrix, safety, insurance, litigation management, workers' compensation, training, and facility inspection programs. Dean has over 30 years’ experience in proactive risk management and has served on various boards and associations including Arizona Municipal Risk Retention board and City of Scottsdale Loss Trust Fund board. He is also a past national board member of PERI (Public Entity Risk and Insurance), past loss trust fund board chair for the City of Scottsdale, past president of PRIMA National and has held various other community leadership positions. He is a frequent speaker on risk management topics both at national and local conferences. Dean serves on PRIMA's national speakers bureau and is a champion for risk management and the employment of the risk management decision matrix in day-to-day operations of public sector entities.
The public focus has been heightened on law enforcement operations resulting in additional policies and procedures, as well as increased emphasis during training and implementation. For example, De-Escalation Techniques and Duty to Intervene policies are critical not only for street operations but also for jails and lock-ups. We must remember not only to de-escalate detainees in difficult and tense situations but ourselves as well.
Additionally, four key issues lead to the majority of losses in jails:
- Medical Care: An overwhelming percentage of losses (43%), both number and monetary, results from failure to provide medical care, as shown from aggregated losses over 7 years. This is the largest area of exposure that a public entity can have. Individuals in custody are under the care of those managing the detention facility 24/7, including their healthcare. If staff neglect to take care of detainees’ medical needs, their issues could get worse, and they could become seriously ill or die. Liability increases if these issues were noted during the initial medical evaluation but were not addressed, or if the detainee asked for help and never received it or did not receive it within a reasonable time frame. Focused management of medical services and in-house response procedures are critical to reducing unnecessary suffering, fatalities, claims, and lawsuits. It should be ensured that appropriate hold harmless and indemnification language is incorporated into all medical contracts. Always have contracts reviewed by qualified local counsel. Further, it should be ensured that proper resources and supplies are available so detainees can maintain acceptable levels of hygiene.
- Poor Conditions: Regarding jail conditions, sometimes a facility is older or has issues beyond what the entity can solve expediently, but good jail management and treatment of detainees can make a positive difference. Facility reviews (formal and daily) with documentation and plans for improvement with documented updates are important, but even more key is working with the detainees by establishing a good rapport and by working to make the best of a less than ideal situation. An example of this would be providing daily buckets of ice and fresh washcloths to detainees when the air conditioning is broken or non-existent.
- Suicides: Suicide prevention begins at the time that the detainee is taken into custody and is brought to the jail/lock-up. Good communication should exist between the booking/transporting officer and jail/lock-up intake personnel. Proper assessments and monitoring practices should be in place, following established Standard Operating Procedures (SOPs). If detainees are on suicide watch, then they should be visually observed in their cell about every 15 minutes in addition to any video surveillance. The corrections officer should also periodically alter the routine, for example, by occasionally returning in a few minutes after checking on the detainee in order to maintain uncertainty of observation times with detainees. Any visit to the cell should be documented. Remember that key events can trigger suicidal attempts, such as the shock of being arrested, court dates/sentencing, upcoming facility transfer, and receiving visitors or bad news.
- Sexual and Physical Assaults: Although physical and sexual assaults account for a smaller number of losses, they incur considerably higher monetary expenses, following that of medical care claims. Sexual and physical assaults against detainees have been and are currently being committed both by staff and by detainees. These incidents can be reduced by implementing procedures for careful observation of detainees, including using large video display screens with good camera systems. Furthermore, staff should establish good SOPs incorporating the Prison Rape Elimination Act (PREA), as well as annual training with documentation and continuous awareness for prevention.

Jail and lock-up operations present unique challenges, but they must be well-operated for employees, detainees, and communities. To those who serve the public, thank you for all that you do!

By: Ashley Bonner
Senior Risk Control Consultant, Trident Public Risk Solutions, Member Paragon Insurance Holdings
Summary of Qualifications
Ashley has a BA from the University of Mississippi, with additional studies at L’Université de Tours in France, Xavier University, Delgado College for Occupational Safety & Health, and Tulane University’s master’s program for industrial safety & public health. She is also Six Sigma and WSO-CST certified.
Responsibilities
Ashley is responsible for risk management/evaluation services for a national territory of public entity insureds, including cities, schools, counties, law enforcement/jail operations, water treatment plants, waste haulers and utilities. She oversees development of the company risk management program, services and products, including as a profit center. She is also in charge of staff management, with direct experience in recruiting and hiring personnel, terminating employment and behavior coaching. Ashley is the facilitator for broker/agent relationships and other vendor relationships as well as an advisory source for training underwriters and staff. She is also responsible for development of client risk management guidelines and resources.
Business Experience
Ashley has over 30 years of safety and risk management experience with over 25 years being devoted to working exclusively with governmental operations.
ERM Experience
Ashley is a consultant and resource for public entities for education, planning and implementing ERM. She is a regular speaker on ERM for state chapter PRIMA organizations and author of articles for various organizations.
Professional Affiliations
- World Safety Organization
- Society for Human Resource Management
- PRIMA
- GA PRIMA
- NC PRIMA
- ASSP
Educational service districts in Washington state support and provide services to school districts in designated regions across the state. Here at North Central ESD, we walk alongside 29 public school districts, which includes creating opportunities for engagement around employee safety.
Oftentimes, focus is set on the fund balance of a workers’ compensation pool. We lose sight of the importance of preventing incidents/claims from occurring in the first place and the overall impact that can have on the fund balance. Our workers’ compensation pool is governed by an executive committee of district superintendents, and in 2018 we proposed a safety incentive program which would rebate back to districts a percentage of their premiums when they partnered with us.
Why an incentive program? A couple of years ago we realized we had an opportunity not only to reduce the highest frequency and severity of our claims but engage, connect and assist our members in the overall safety of their school buildings.
What was the objective of this program? The main objective was for us to keep the program simple, make sure we did the heavy lifting for our districts, and build deep relationships so they would see the overall benefit of this program and ultimately reduce slip, trip and fall claims. Now in our third year (we suspended it during COVID) we have seen what a positive impact this incentive program has made in our districts.
How does the program work? The initial program included multiple walkthroughs of district buildings throughout the year to look for “hazards” as well as a compliance piece that focused on safety committees. We developed an assessment tool to be used during each walkthrough, and as long as the cumulative score is above the set amount, the districts are eligible for the incentive dollars.
How do districts spend their incentive dollars? Our only request is that they use the money for staff-related safety items for their buildings. It is up to the district to determine the best way to utilize these funds.
How do we measure the success of this program? That part is pretty easy! We have seen a reduction in claims being filed, and one of the largest wins was the reaction of the schools’ board of directors when we presented their incentive checks at board meetings. It was not about the amount of money they were receiving, but the opportunity to share positive news and recognize their staff.
Overall, thinking outside of the box when it came to incentivizing our workers’ compensation pool has helped our agency actualize our philosophy of weaving safety into the culture of a business while we walk alongside our district members, helping them get to where they want to be, at the pace they want to go.

By: Suzanne Reister
Executive Director HR, Workers' Comp, Unemployment, North Central Educational Service District
Responsibilities
Suzanne is responsible for the day to day operations for North Central ESD's workers' comp pool as well as their unemployment pool. She manages and directs strategic goals, risk management services, budgets, contracts and arrangements with third party administrators. Suzanne works closely with 29 districts to manage and control claims. She is also responsible for monitoring all expenses, proposing annual budgets, hiring staff and maintaining a healthy fund balance.
Business Experience
Suzanne has 20 years' experience in private industry managing the business side of up to five franchise businesses, marketing, payroll and all aspects of accounting. She has 19 years with North Central ESD with current experience in self-insured pools, human resources and other programs.
Professional Affiliations
Public Risk Management Association (PRIMA)
Society for Human Resource Management (SHRM)
Washington School Personnel Association (WSPA)
Education
ARM-P, PHR and SHRM-CP designations
Risk Management for Smart Cities
Perhaps the largest looming risk in smart cities is the increase in systems that rely on connectivity. The last few years have shown us that public entities are not exempt from cybercrime. In fact, cities and municipalities seem to be prominent targets. Over 100 state and local governments were attacked by ransomware in 2019 alone,[1] with the damage ranging from a handful of employee computers to widespread loss of data and payment systems. The costs of these attacks also vary greatly from a couple hundred to tens of millions of dollars, with some cities opting to pay the criminals’ ransom demands and others racking up fees to recover data and rebuild systems.
In 2018, the city of Atlanta unfortunately became a prominent example of the damage these attacks can incur. The city no longer had the ability to use online payment systems and years of police dashcam footage was lost, some of which was earmarked as evidence in ongoing trials. One report estimated the cost at $17 million to rebuild and replace the systems that were lost and mitigate future vulnerabilities.[2] While this is certainly on the high end of prospective costs, it’s clear to see that even a fraction of this cost could seriously cripple a smaller municipality if not properly insured.
The cyberattacks to date have generally taken out rudimentary technology, yet they have created large disruptions. Now imagine a world where an attack halts all common payment systems, reprograms connected traffic signals, or disables automated shuttle routes. This could be catastrophic when it comes to business interruption, and it could also pose legitimate safety concerns for the commuters in the city.
The potential downsides of these technological advancements seem daunting, but keep in mind that resilience is forged through progress. The current success of cybercriminals can be partially attributed to a lack of preparation on the part of city planners and risk managers alike. Implementing new smart systems brings about the opportunity to reassess the current approach to cybersecurity and places a renewed importance on protecting the systems that run a city, as well as the residents who rely on them. For this reason, increasing the amount of connected things will not necessarily lead to a proportionate increase in exposure and insurance costs, due to the offsetting nature of better cyber protection.
As cities become smarter, forming a risk management plan that focuses on risk avoidance, mitigation, transfer, and tolerance will become more challenging. The focus should not be on finding that perfect balance, but rather having a well thought out plan in the first place. Risk managers should be brought to the table as cities look to become smarter. The allocation of resources to preventive versus reactive measures needs to be discussed collaboratively to provide the utmost risk management flexibility.
“Smart cities” will need “smart” risk managers, which is why risk management collaboration should not end there. Determining the amount of risk to insure and self-insure will be difficult without the expertise of brokers, actuaries, IT professionals, and other risk managers, not to mention the engineers developing and testing this smart technology. Continue to seek opportunities to educate yourself on these emerging risks and build your risk management strategies today as your city plans for tomorrow.
[1] Recorded Future (December 20, 2019). State and Local Government Ransomware Attacks Surpass 100 for 2019. Retrieved October 5, 2021, from https://www.recordedfuture.com/state-local-government-ransomware-attacks-2019/.
[2] Deere, S. (August 1, 2018). Confidential Report: Atlanta’s cyber attack could cost taxpayers $17 million. Atlanta Journal-Constitution. Retrieved October 5, 2021, from https://www.ajc.com/news/confidential-report-atlanta-cyber-attack-could-hit-million/GAljmndAF3EQdVWlMcXS0K/.

By: Drew Groth, ACAS, MAAA
Associate Actuary, Milliman
Drew is an associate actuary in the Milliman Milwaukee office with expertise in predictive modeling, ratemaking and loss reserving. He has experience in varying lines of business including workers' compensation, personal lines and commercial auto, with clients ranging from self-insured corporations to large insurance providers. Drew also has experience working on projects with start-up companies where out of the box thinking is required to craft customized solutions. Through his diverse experience at Milliman, he has developed a passion for autonomous vehicle technology with respect to risk management and insurance, especially as it concerns commercial uses.

By: Jonathan Riehl, PhD, PE
Transportation Systems Engineer, University of Wisconsin-Madison
Jon is a transportation systems engineer in the Traffic Operations and Safety Lab at the University of Wisconsin-Madison and helps manage the Wisconsin Automated Vehicle Proving Grounds, including the Park Street Connected Corridor and the automated shuttle program. His work responsibilities include research in transportation systems management and operations (TSM & O), connected and automated vehicles and geographic information systems (GIS), and teaching. Jon holds a PhD in civil engineering from Michigan Tech and has master’s degrees in electrical engineering, geography, and business.
Introduction
In the past decade, more cities have been focusing on advanced infrastructure to improve public services. The objective is to make the city services operate more efficiently and safely for all residents and visitors, and to be more equitable for citizens who have traditionally been underserved.
Smart infrastructure systems have the potential to make cities better places to live and more efficient. They also create many new scenarios requiring public risk managers to step into the unknown and develop novel risk management strategies.
Smart City Infrastructure
Smart city infrastructure is a broad term referring to a range of projects, usually centering around the use of a specific technology to support roads, buildings, parking, utilities, and other city-managed systems. Smart city infrastructure includes:
- Smart data platforms: Open-source data platforms incorporating smart city data for development of third-party applications (e.g., live bus location updates). These platforms serve as the basis for many other smart infrastructure systems.
- Traffic and transportation management centers: Centralized locations where all transportation feeds are processed, usually utilizing an array of displays to monitor traffic operations.
- Dynamic traffic signal timing: Traffic signals that utilize methods to measure current traffic flows and adapt to provide more green-light time and optimize travel for platoons of vehicles through a corridor.
- Connected traffic signal systems: Traffic signals that have a form of wireless communication and are able to communicate directly with surrounding vehicles to optimize traffic flow and exchange safety information (e.g., red-light runner warnings, pedestrian in crosswalk warnings, etc.).
- City vehicle route optimization: Optimizing routes and schedules for city vehicles such as trash pickup, street cleaners, or snowplows.
- Mobility-as-a-service (MaaS): Seamless integration of all transportation modes on a common platform to allow point-to-point booking using multiple transportation services to get people to places faster, cheaper, and/or more efficiently. Trips can be paid for individually or through a subscription model. MaaS includes common payment systems and touchless fare collection.
- Smart mobility hubs: Strategically located transportation centers within the metro area with access to multiple modes of transit including buses, light rail, bikes, and scooters.
- Micromobility: Lightweight, low-speed, personal vehicles to allow for fast transportation to destinations over a few blocks away and up to a few miles. These vehicles include bike shares, e-bikes, electric scooters, and mopeds.
- Automated shuttle services: Automated shuttles can be deployed in traditionally underserved areas of the city to provide dynamic routes that connect to the larger transit systems and serve neighborhoods all hours of the day. Other areas for automated shuttle use include campus routes, first-last mile links, and local deliveries.
- Smart streetlighting: Streetlights that are connected to the city’s management center that can be set to automatically turn on and off and sense pedestrian presence to turn on when needed.
- Curb-space management: Treating curb space as the valuable asset that it is, these systems charge for use of the curb space based on time of day, location, vehicle size, and vehicle classification.
- Smart parking garages and spaces: Parking garages that can automatically count spaces available and relay this information to potential parkers. Specific spots can be found and/or reserved through more advanced systems.
The risk management implications of this infrastructure will be discussed in Part 2...

By: Drew Groth, ACAS, MAAA
Associate Actuary, Milliman

By: Jonathan Riehl, PhD, PE
Transportation Systems Engineer, University of Wisconsin-Madison
Transparency is a key component in any relationship. In almost every instance, the more one knows and understands about the object of that relationship, the better off they are in the long run. When applying transparency to property insurance, the same is true. The more transparency an insured can provide, the better the insurance marketplace can understand the exposure, extend appropriate terms and price the coverage accordingly.
Property underwriting data’s relevance has grown exponentially. Understanding the relationship between data, insurance terms and cost is vital when developing a best in class property submission, especially in a hard property market. Property underwriters use your property data, predictive analytics and technology platforms to determine how your property might perform when exposed to the perils you are looking to insure. Modeling enables an underwriter to weigh predictability against uncertainty to calculate the cost of insuring property for the covered peril. In today’s marketplace, greater uncertainty typically equates to lesser coverage terms and greater cost.
Historically, robust data was typically required for property exposed to higher risks like earthquakes and hurricanes. Now in many instances this is no longer the case. Climate change and more severe weather patterns bring into play additional perils like inland flood, winter / convective storms and wildfires that require additional exposure data to analyze risk properly (https://www.businessinsurance.com/article/20210817/NEWS06/912343906/Property-insurers-tighten-coverage-as-climate-change-continues). As insurers look to catastrophe modeling firms for more information to help address climate change, the subset of secondary property and exposure data that these models require is quickly becoming more relevant.
While there are a number of things that comprise a best in class property submission like claims data and engineering information, robust, well organized property data can make a significant difference in how insurance carriers analyze, extend terms and price your risk. When setting out to collect and organize your property data here are some things to keep in mind:
- Ask your insurance professional what data you need. Remember it is the quality of your data, not the quantity, that matters. Data collection efforts should focus on data that will provide an insurer with a transparent understanding of your property. Often, risk managers are under the impression that the more data they collect, the better off they will be. This can often lead to collecting an overabundance of exposure data that has little or no impact on the cost and terms and increases the cost of the data collection effort.
- Develop a plan. Property data collection shouldn’t be a one-time event. Think of it as a program, not a project. Develop a systematic program for collecting and keeping your data current. Create a narrative around your program to include how data is collected, managed and updated. Your plan should result in a program that provides a comprehensive overview and supporting data for the property you want to insure. Remember, transparency about your program bolsters credibility and fosters great long term relationships with insurance carriers because they can understand the risk.
- Set realistic goals. Once you know what you need for your program, be realistic about how to meet your objectives. If you have internal resources to manage your program, make sure they understand the plan and can execute it in a timely manner. If you do not have the resources or expertise, consider engaging a professional firm to manage the program for your organization. Outsourcing to a professional valuation or consulting firm can typically deliver program cost management and the resources required to successfully implement and manage your program.
- Weigh the costs. An ounce of prevention is worth a pound of cure. The cost of a good property data program is minuscule when compared to property premiums. A well administered program and a best in class property submission place your organization and your broker in the position to negotiate advantageous cost and terms for property coverage year after year.

By: Ron Acebal
National Director, CBIZ Valuation Group
Summary of Qualifications
Ron is a national director for the Tangible Asset Practice of CBIZ Valuation Group. His consulting expertise includes consultative development and implementation of property valuation and data aggregation solutions for risk management and property cost accounting requirements. Ron's primary focus is on large property risk sharing consortiums in addition to Fortune 1000 companies, captives, religious institutions, commercial insurance/brokers carriers, healthcare institutions, reinsurance intermediaries and private industry.
Responsibilities
Ron has been frequently invited to present at national, statewide and regional professional association conferences to address the topics of property cost accounting, insurance valuation and data aggregation and collection. Some of the associations he has presented to include the Public Risk Management Association, Massachusetts Municipal Auditors’ & Accountants’ Association, Midwest Higher Education Compact Property Program, Maryland Municipal League, Association of School Business Officials International, The New York State Association of School Business Officials, The New York State Government Finance Officers’ Association, New Jersey Association of School Business Officials, Florida PRIMA, South Carolina PRIMA and others. In addition to presenting to these organizations, Ron has also authored articles dealing with property insurance appraisal, property cost accounting and the importance of property exposure data for various publications and association newsletters.
Ron has over 25 years of valuation consulting experience with a number of national appraisal firms. Prior to joining CBIZ Valuation Group he was a vice president with a national property valuation practice where his responsibilities included consulting, business development, contract management and project planning.
Business Experience
Ron has significant experience consulting on, implementing and managing property valuation programs for national, statewide and regional risk sharing consortiums. This experience includes organizing and coordinating underwriting and data collection requirements, coordinating work product / deliverables, budget development, contractual administration and providing various types of marketing and educational support services to these types of organizations.
Professional Affiliations
In addition to presenting for a number of organizations, Ron has also authored articles dealing with property insurance appraisal, property cost accounting and the importance of property exposure data for various publications and association newsletters.
An effective government solicitation requires a great deal of effort. Whether it is an Invitation for Bid (IFB) or a Request for Proposal (RFP), a comprehensive government agency solicitation allows for knowledgeable purchasing decisions. Many agencies are understaffed and overworked, which creates an environment that may tempt employees to rush through the solicitation process, but it is advisable not to do so. A sound solicitation, with an accompanying sound evaluation process, will not only help your agency identify the right vendor and service or commodity solution, it will also allow your agency to mitigate potential risks before entering into a contract.
There are a number of ways your organization can mitigate risk with your government solicitations:
- Plan After You Start Planning: Proper planning for a substantial agency procurement can help manage the project efficiently and effectively by scheduling the needed procurement activities in a manner that complies with the agency's policies, needs and resources. This will enhance transparency and minimize risk by enhancing predictability.
- Hindsight is 20/20, Should Not Refer to Your Scope of Work: An agency's scope of work and the expectations of a potential vendor must be clearly defined. If the user department is not certain of how to develop a scope of work, then start with publishing a Request for Information (RFI). An RFI can be used to gather information about industry standards and innovative processes.
- Oranges aren’t Apples: By standardizing evaluations and the scoring criteria, subjectivity will be removed from the process. Make sure you have the information you need and can make an apples-to-apples comparison in order to score potential vendor submissions.
- Show Me the Money: The financial strength of a potential vendor should be part of your evaluation process. Request financial reports as part of the proposal submission or require a performance bond. Create a financial stability rating scale. Ratings do not need to be complicated to be effective. There can be three classifications – satisfactory, moderate and unsatisfactory. Moreover, a simple scale provides more consistency in the scoring process and is simpler to understand.
- Would You Hire Them Again?: Checking references is a best practice when choosing a potential vendor. A few simple questions can help you judge the potential vendor objectively and in a balanced way. Is your organization of similar size? What are some things you wish the vendor did differently? Does the vendor work well with deadlines? Were deliverables met?
- Copies of the Contracts: Attach a sample copy of your agency’s contract to the solicitation. This will allow potential vendors to submit any exceptions to your agency’s standard terms and conditions.
By adhering to these practices, agencies can reduce contractor risk and awards will be less susceptible to scrutiny and protests.

By: Shannon Pleasant
Procurement and Risk Manager, City of Missouri City, TX
Summary of Qualifications
Oil and gas, construction and government procurement, contract administration, contract negotiation, enterprise resource planning, organizational budgeting, risk management.
Responsibilities
Shannon oversees the contracting and procurement functions for the City of Missouri City, TX. She represents the City's best interest in negotiating contracts and formulating policies with suppliers and resolves a variety of purchasing issues/problems for both internal and external customers. Her risk manager duties include overseeing the City’s comprehensive insurance and risk management program, assessing and identifying risks that could impede the reputation, safety, security, or financial success of the City. Shannon conducts risk assessments, collecting and analyzing documentation, statistics, reports, and market trends. She establishes policies and procedures to identify and address risks in the City’s contracts and departments. She also reviews and assesses risk management policies and protocols in addition to making recommendations and implementing modifications and improvements.
Business Experience
Shannon has 20+ years of experience in procurement, finance and contract administration. Her industry experience includes the oil and gas, construction, state, county and municipal government.
Professional Affiliations
Southeast Texas Association of Public Purchasing Professionals (SETAPP)
National Institute of Governmental Purchasing (NIGP)
National Forum for Black Public Administrators (NFBPA)
Public Risk Management Association (PRIMA)
Education
Bachelor’s Degree in Business Administration from Houston Baptist University
Currently pursuing a Master's in Public Administration from Northcentral University
Certified Texas Contract Developer (CTCD)
Before the pandemic, only 3.6% of the US workforce worked remotely. According to a report by CNBC, the unexpected surge in work-from-home setups created a great demand for worker monitoring systems. Today, software products like ActivTrak, Hivedesk, and Time Doctor are the biggest players in this growing marketplace. However, with features like keystroke logging, browser monitoring, and screen recording, one can't help but ask: are worker tracking solutions too invasive?
What exactly is being monitored?
Resume help site StandOut CV recently released a comparison report on 32 employee monitoring websites. It revealed that 75% of worker tracking software includes features that record employees’ screens; 65% can show employers their workers’ browsing history, with an undisclosed number of apps including incognito searches; 34% allow employers to access devices and make changes to computer settings; and 22% let employers access cameras to take photos of employees at work. Additionally, a whopping 44% of monitoring software can give employers a record of everything their employees have typed, including login information. Around 47% have stealth mode, a feature that allows the software to monitor users without them knowing.
There is an argument that this same method of monitoring employees has been in place in traditional workplaces for years. When you work in an office, you have supervisors overseeing your work, and you are expected to use the company’s facilities for work purposes and nothing outside of that arrangement.
However, this argument ignores the fact that remote workers are operating in a space that belongs to them. Remote employees don’t have the option to report to a physical office, so when you place extensive surveillance on them in their own homes, monitoring activity on their personal devices — that’s a different story. They should be granted privacy, especially when they are in their own spaces.
A question of stakes
On the other hand, there are industries and lines of work that naturally benefit from employee trackers. The supply chain, for example, has rolled out industry-wide technology such as telematics. This technology is powered by GPS tracking systems, which Verizon Connect notes also monitor driver behavior. GPS technology can provide insights into how truck drivers behave on the road, based on data about their speed, tardiness, and idling hours. While this information largely benefits fleets by improving efficiency, monitoring workers can also be very important for their own safety and security.
It’s worth noting, though, that not all industries operate under such high stakes. Desk workers such as accountants, programmers, and writers aren’t like drivers – they don’t need to consider whether their driving habits are endangering other vehicles on the road. While missed deadlines can cost time and money, the inefficiency of their working processes doesn’t cause any immediate external harm. And NBC News reports that invasive surveillance software can lead to low morale, which ends up reducing productivity. This is mainly because using monitoring software can look like the employer doesn’t trust the workforce to manage their own time — you’re telling your workers you don’t believe they’ll do their jobs unless they are being supervised. Thus, employees feel stressed, detached, and even undervalued. The combined effects can push workers to seek kinder employment landscapes, increasing the company’s turnover rates.
Numbers don’t tell the whole story
The simple truth is that employers can never get a full picture of actual productivity with just keystrokes and logged hours. A content writer might log fewer keystrokes because he or she can draft ideas more quickly on paper. Meanwhile, a programmer might log multiple hours and keystrokes and not actually complete any working code. How long a person works, and how much input they produce, isn’t always an accurate measure of what they have accomplished.
For all their invasiveness, monitoring software might not even be the best way to push productivity. In 'The Biological Basis of Complacency', Sharon Lipinski stated that complacency isn’t a choice, but rather a neurological byproduct of doing repetitive work. When the brain gets used to a certain habit, it requires fewer and fewer neurons to perform the task. As a result, their external awareness may be decreased. The solution, then, isn’t to bog them down with more reminders to do work, but to find ways to keep their brains actively engaged.
Employers would get the most benefit out of tracking software if it were used mainly as a supplementary evaluation tool. Even then, they need to be transparent with their employees and refrain from using invasive features such as stealth mode and keylogging. The best way to increase productivity is to show your employees that you value them, which can be achieved by fostering an environment that promotes trust.

By: Reanan Jannie
Freelance IT Consultant and Blogger
Summary of Qualifications
Reanan likes to keep herself busy, so she's a woman who wears many hats. Since she loves the challenge of problem-solving, she has worked as an IT consultant for many years now. She believes that her strongest suit in the field of IT is her skill in cybersecurity. Due to the rising demand for cybersecurity professionals, Reanan also decided to share her IT knowledge through writing. She primarily writes about cybersecurity, but she also loves the challenge of writing about different topics.
Education
BA, Computer Science
Public entity risk pools are wholly adept at managing risk. With more than 90,000 public entities in the United States, the Association of Governmental Risk Pools (AGRiP) estimates that at least 80% of them participate in one or more pools.
By pooling their risk—and accountability—these not-for-profit organizations can economically provide risk management and loss control, underwriting, claims management and a comprehensive package of insurance coverages that typically include property, casualty and workers’ compensation. This effort supports a pool’s number one priority: the co-owners of the pool—its members. These members hail from local and state municipalities, including entire fleets of first responders (fire and police), public utilities, school districts, government-run hospitals, public libraries, community colleges, support staff and more. Accordingly, the typical pool must ensure its technology systems can reliably support the needs of its members.
This means ensuring uptime is paramount. During COVID, pools, like most private or corporate sector organizations, were forced to make adjustments in how they worked, many prioritizing their IT wish list to maintain operational performance and resiliency. However, unlike most organizations, pools are restrained by outdated legacy systems and a limited, fixed budget, and as a result, that wish list remains a wish instead of a reality.
Undoubtedly, budget concerns are one of many issues facing pools: Often, these organizations don’t have a large IT staff, so they’re forced to maintain operations “the way it’s always been done,” cobbling along in the hopes that the risks it faces will be minimal. In actuality, the risks facing these organizations are at an all-time maximum.
This conundrum is complicated by the fact that most pools rely on antiquated databases and Microsoft Office products for the bulk of their day-to-day operations. At a minimum, this reliance opens the door to Outlook phishing, making the pool more vulnerable to cyber criminals. Many may use Excel or other inexpensive spreadsheet programs that make it difficult to access data and almost impossible to regroup on errors. Imagine the time required to backtrack, inspect various versions of the spreadsheet’s values, calculations, source data and file history to correct the error, wreaking havoc on routine financial or regulatory reporting. Some pools use insurance core system software that, with the exception of claims, includes workflows that don’t necessarily match with the pool’s own protocols.
If all this doesn’t spur you to think differently about how technology is managed, consider the largest, most recent risk impacting pools: ransomware. Public entities are one of the most targeted sectors, yet often have the fewest resources and capabilities to prepare for and respond to ransomware attacks. Consider that 2,400 U.S.-based governments, health-care facilities, and schools were victims of ransomware in 2020, notes Council on Foreign Relations blogger Michael Garcia. In 2020, cyberattacks cost government organizations in the United States approximately $18.88 billion in downtime and recovery costs, according to a report from consumer tech information company Comparitech. Local governments continue to experience the greatest number of ransomware attacks, according to security company BlackFog.
Yes, ransomware is a network issue, and with ever-evolving ransomware keys and infiltration methods, there’s no way to prevent an attack with 100% certainty. But the rise in cybercrime is spurring pools across the country to wake up to the fact that it’s the pool’s technology foundation that enables them to best respond to their individual public entity members, which makes that foundation a critical asset--and more valuable than ever. Without a unifying approach to IT management that includes modernization, pools will continue to struggle to operate efficiently, much less deter, disrupt, prepare for and respond to ransomware events.
Now let’s revisit the statement about pools and their fixed budgets. As they work with members on their annual loss control programs, they ask: What is the cost of not modernizing systems that are used to make city payroll, keep utilities up and running, communicate with first responders and even save lives? If nothing else, the latest wave of ransomware is a learning moment for pools that have been trying to define a path to digital maturity.
That path, which can be undertaken by pools of all sizes, begins by conducting a basic technology assessment, which can be used to identify both known and unknown risks, issues that affect data access, workflow, operational performance and resiliency, network and systems’ vulnerabilities, mobility, and, of course, security.
The good news is that pools that have undertaken tech assessments are finding that their legacy systems can stay put—there are inexpensive ways to modernize and drive immediate front-end results without an overwhelming rip/replace approach. There are solutions available that can help them take a stepped approach to evaluating protocols, optimizing processes, enhancing workflows and improving services for their members.
Let’s face it: whether in it for a profit or not, pools want to reduce operational costs, increase policyholder/member satisfaction, offer systems that are attractive to younger IT workers, and form a solid and secure foundation for the future.
Recent events tell us that it’s no longer an option to “just get by” or “wait and see.” The choice pools face today is a calculated one, and it’s important to recognize that their goal—to attain effective integrated risk management--is only as powerful as the technology foundation that supports it. It just takes that first step.

By: Lee Mashore
Co-Founder and Chief Strategy Officer, Vergence, LLC
Summary of Qualifications
With more than 20 years of insurance technology experience, Lee Mashore co-founded Vergence to help re-imagine insurance workflows in the context of digital transformation initiatives. He is passionate about tackling the complex challenges of the modern insurance industry through cutting-edge low-code solutions.
Prior to Vergence, Lee was the visionary behind CHSI Technologies’ product innovation, strategy, and development of CHSI Connections®, the award-winning, cloud-based insurance management platform.
Responsibilities
As chief strategy officer at Vergence, Lee is responsible for the development and execution of strategic vision, goals and objectives. He is dedicated to building strong teams, ensuring continual alignment, focus and a human-centric approach to product innovation.
Business Experience
Lee began his insurance career as a program administrator enhancing operations for underwriting, claims, accounting and loss control, which led to developing a product for public entity pools that included: allocation-based underwriting, renewal data collection, claims integrations and member management.
Professional Affiliations
CAJPA Technology Steering Committee, 2017-2020
Sponsored member of CAJPA, PRIMA, PARMA, and AGRiP
Education
University of Nevada, Las Vegas
Now that more companies are relying on digital platforms, cybersecurity teams are not just an asset—they’re a necessity. PRIME’s Cybersecurity Supervisor Ed Penn emphasizes that these teams are essential in risk management, now that numerous cyber attackers are striking left and right. Without proper cybersecurity professionals and systems in place, attackers can launch multiple threats and infiltrate organizations. Even the biggest companies in the world are vulnerable to these attacks, as illustrated by the following two incidents:
US, UK, Australia Cryptojacking
In early 2018, various government websites from the US, Australia, and the UK were subject to an attack involving cryptojacking malware. Security researcher Scott Helme blew the whistle on the attack, and discovered that it was executed through a third-party plugin called Browsealoud. The plugin was designed to help visually impaired users browse websites. But due to the incident, all the websites that used the plugin were immediately compromised. Helme pointed out that cyber attackers often target websites that others rely on. To avoid this, the governments should have done greater testing to ensure the plugin was completely secure. In making technology more accessible to users, governments and companies must be careful they don’t make it more accessible to hackers.
Google Plus Forced Shutdown
Google – being the tech giant that it is – has been the subject of various significant attacks in recent years. In May 2017, an email phishing scheme nearly exposed sensitive data from millions of users. A year later, Google’s own self-regulating mechanisms allowed them to spot a bug in the developer API of Google Plus, which could potentially expose sensitive data belonging to its more than 50 million users. TechCrunch's report on the incident reveals that there is currently no evidence that a third party has taken advantage of the data exposure. However, Google has responded to these incidents by expediting the shutdown of their Google Plus APIs rather than potentially exposing users to any risk. This pre-emptive measure may cost Google time and money, but it’s necessary to protect their users.
The Future of the Industry
Given the inadmissible growth of cybercrime in recent years, one very fine silver lining is that this directly translates to a higher demand for cybersecurity experts who specialize in pre-emptive measures. To fill in the gaps, plenty of institutions are establishing cybersecurity programs that provide aspiring cybersecurity professionals with an effective digital training ground. In particular, post-secondary institutions have been doubling down on cybersecurity degrees. The University of Hawaii unveiled new cybersecurity internships, while Benedict College and LaGuardia Community College extended their current cybersecurity programs to include postgraduate options. Meanwhile, Maryville University’s online master's in cybersecurity is not only taught 100% remotely, it also teaches post-grad students how to build defensive and preventive strategies. Aspiring cybersecurity professionals are also trained in a Virtual Lab, giving them vital real-world experience in a safe environment. Together, these universities are ensuring that more companies and governments are better able to protect themselves.
Since top cybersecurity specialists can be difficult to find, the Wall Street Journal points out that the median salary of corporate cybersecurity chiefs has risen to $509,000 this year. Omar Khawaja, a CISO himself, stated that numerous high-profile ransomware attacks have pushed big companies to invest more in their cybersecurity teams.
As cyber attacks sweep over hospitals, governments, and big companies, competent cybersecurity experts with the necessary experience are more important than ever. Organizations and cybersecurity experts have to work closely to take pre-emptive measures based not just on estimates, but also on the massive amount of breach-related data available to companies today.

By: Reanan Jannie
Freelance IT Consultant and Blogger