Enterprise Risk Management Services for State & Local Government Drew Zavatsky Section Manager, Loss Prevention Program Office of Risk Management (360) 407-8155 [email protected]


Enterprise Risk Management Services for State & Local Government

Drew Zavatsky
Section Manager, Loss Prevention Program
Office of Risk Management
(360) 407-8155
[email protected]

Overview

During this session, we will cover:
• legal basics,
• a review of Enterprise Risk Management, and
• some new trends.

Legal basics

• Typically, states have sovereign immunity

• Washington waived immunity in 1961

• Agencies can be sued just like private persons

• Washington is self-insured – RCW 4.92.130

Local Government Basics

• Immunity waiver also applies to counties and cities

• Three types of risk pools:
  – Local Government Property and Liability
  – Individual and Joint Health Benefits (both under RCW 48.62)
  – Affordable Housing Property and Liability (RCW 48.62)

• All pools operate under rules established by the State Risk Manager, who has a regulatory function

Local Government Basics (cont.)

• By request of a municipality, the State Risk Manager also may buy (or use a broker to buy) property and liability insurance for the city, county, or special purpose district. – RCW 43.19.772

• One risk related to contracts for municipalities, from Washington Constitution, Article XI, §14:

  PRIVATE USE OF PUBLIC FUNDS PROHIBITED. The making of profit out of any county, city, town, or other public money . . . by any officer having the possession or control thereof, shall be a felony . . .

Tort Liability Basics

• What is a tort? A civil wrong.

• State tort financing via the SILP. RCW 4.92.130

• Commercial insurance is purchased to cover property loss in certain circumstances.

ERM Defined

ERM is a coordinated method of performing risk management that considers every aspect of risks that affect agency goals.

• Includes all agency programs and operations (no more silos)

• Requires open communication from all levels of the organization about goals, operations and issues

• Results in a high-level review of the most severe risks to achieving all agency goals

• Creates a coordinated way to identify and assess opportunities

In 2011, ERM was adopted as the American Standard for risk management – ISO 31000

How ERM Defines ‘Risk’

Risk: anything that can interrupt the achievement of your goal on time

Opportunity: the ‘flip’ side of risk: anything that results in over-achievement of your goal

The ERM Method (ISO 31000)

1. Clearly state the goal
2. List risks and opportunities
3. Evaluate each risk/opportunity
4. Prioritize risks/opportunities
5. Respond (Mitigate/Seize)
6. Make a Register
7. Communicate Results

Risk/Opportunity Register

A Risk/Opportunity Register is a list of priority risks/opportunities and an overview of how you will handle them.

A register functions as a dashboard for managing risks and/or opportunities – and therefore goals.

GOAL: (state the goal the register supports)

Register columns, one row per priority risk or opportunity:

• Priority Risk or Opportunity (briefly describe)

• Root Cause(s)

• Risk or Opportunity Response (check type and briefly describe):
  □ Avoid/Exploit  □ Accept & Monitor  □ Reduce frequency  □ Reduce impact  □ Transfer

• How will we know our response was successful? (What are the ‘measures’?)

• Target Response Date

• Person Responsible

What is a privacy breach / security breach?

A privacy breach is the theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third party corporate confidential information that is in the care, custody or control of the organization or an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the Organization.

A computer security breach is:
– the inability of a third party, who is authorized to do so, to gain access to an organization’s systems or services;
– the failure to prevent unauthorized access to an organization’s computer systems that results in deletion, corruption or theft of data;
– a denial of service attack against an organization’s internet sites or computer systems; or
– the failure to prevent transmission of malicious code from an organization’s systems to a third party’s computers and/or systems.

• Incident vs. Breach

How do data breaches occur?

Breach sources by origin (internal/external) and intent (accidental/intentional):

• Internal, accidental: Lost Devices & Inadvertent Publication of Data

• Internal, intentional: Disgruntled Employees

• External, accidental: Vendors & Subcontractors

• External, intentional: Hackers & Unsecured Websites

Percentage of breaches by threat type

Threat type      2012    2011    2010
Environmental      0%      0%      0%
Error              2%      1%      1%
Physical          35%     10%     29%
Misuse            13%      5%     17%
Social            29%      7%     11%
Hacking           52%     81%     50%
Malware           40%     69%     49%

Source: Verizon, 2013 Data Breach Investigations Report

Are you at risk? Ask your team.

• Has your organization ever experienced a data breach or system attack event?

• Does your organization collect, store or transmit any personal, financial or health data?

• Do you have a solid incident response plan in place?

• Do you outsource any part of computer network operations to a third-party service provider?

• Do you partner with businesses and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect/touch their systems?

• Does your posted Privacy Policy actually align with your internal data management practices?

• Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?

• Where is your data?

Vendor management and requirements

Due diligence on vendors – some suggestions:

• Transparency
  – Who handles administrative rights?
  – Who has database and network access?
  – Get access logs
  – Include a right to audit your vendor

• Ask for documentation
  – Copy of security risk analysis, outside reviews, third-party audits
  – Documentation that implemented corrective actions or addressed deficiencies

• Verify use of encryption
  – All portable media
  – All network communications
  – Ask about encryption of data in storage area networks, or SANs

• Remember, your indemnification agreement only has value if your vendor can actually pay…

What is complacency?

Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies.

Merriam-Webster Dictionary

Complacency? What do you mean?

What is the opposite of complacency?

If complacency is being unaware of actual dangers or deficiencies, then we need to be:
• Aware
• Inquisitive
• Open-minded

Let’s think about solutions

How best to remain vigilant about safety?

We create Safety – in our practice.

In order to change our practices we need to change our thinking.

One simple change improved the safety in state prisons . . .

Example: safety at work


My Safety is My Responsibility

Your Safety is My Responsibility

Place Safety is Our Responsibility

It takes all of us to create a culture of safety. It takes all of us to fight complacency.

What we covered today

• Learned about legal basics

• Heard highlights of the actuary’s report on state tort liability

• Got some ERM tools for using risk intelligence at work (registers, the three questions)

• Heard about new trends – cyber insurance and complacency risk

Thank you for participating!

Drew Zavatsky
Office of Risk Management
Department of Enterprise Services
1500 Jefferson Street
Olympia, WA 98504
(360) 407-8155
[email protected]