Enterprise Risk Management Services for State & Local Government Drew Zavatsky Section Manager, Loss Prevention Program Office of Risk Management (360)

Overview
During this session, we will cover:
- legal basics,
- a review of Enterprise Risk Management, and
- some new trends.

Legal basics
- Typically, states have sovereign immunity.
- Washington waived immunity in 1961.
- Agencies can be sued just like private persons.
- Washington is self-insured – RCW

Local Government Basics
- Immunity waiver also applies to counties and cities.
- Three types of risk pools:
  – Local Government Property and Liability
  – Individual and Joint Health Benefits (both under RCW 48.62)
  – Affordable Housing Property and Liability (RCW 48.62)
- All pools operate under rules established by the State Risk Manager, who has a regulatory function.

Local Government Basics (cont.)
By request of a municipality, the State Risk Manager also may buy (or use a broker to buy) property and liability insurance for the city, county, or special purpose district. – RCW
One risk related to contracts for municipalities, from Washington Constitution, Article XI, §14:
  PRIVATE USE OF PUBLIC FUNDS PROHIBITED. The making of profit out of any county, city, town, or other public money... by any officer having the possession or control thereof, shall be a felony...

Tort Liability Basics
- What is a tort? A civil wrong.
- State tort financing via the SILP. – RCW
- Commercial insurance is purchased to cover property loss in certain circumstances.

ERM Defined
ERM is a coordinated method of performing risk management that considers every aspect of risks that affect agency goals.
- Includes all agency programs and operations (no more silos)
- Requires open communication from all levels of the organization about goals, operations and issues
- Results in a high-level review of the most severe risks to achieving all agency goals
- Creates a coordinated way to identify and assess opportunities
In 2011, ERM was adopted as the American Standard for risk management – ISO 31000.

How ERM Defines ‘Risk’
- Risk: anything that can interrupt the achievement of your goal on time
- Opportunity: the ‘flip’ side of risk: anything that results in over-achievement of your goal

The ERM Method (ISO 31000)
1. Clearly state the goal
2. List risks and opportunities
3. Evaluate each risk/opportunity
4. Prioritize risks/opportunities
5. Respond (Mitigate/Seize)
6. Make a Register
7. Communicate Results

Risk/Opportunity Register
A Risk/Opportunity Register is a list of priority risks/opportunities and an overview of how you will handle them. A register functions as a dashboard for managing risks and/or opportunities – and therefore goals.

Register template (one row per priority risk or opportunity):
GOAL:
- Priority Risk or Opportunity (Briefly describe)
- Root Cause(s)
- Risk or Opportunity Response (Check type and briefly describe): □ Avoid/Exploit □ Accept & Monitor □ Reduce frequency □ Reduce impact □ Transfer
- How will we know our response was successful? (What are the ‘measures’?)
- Target Response Date
- Person Responsible

What is a privacy breach / security breach?
Privacy breach
A privacy breach is the theft, loss or unauthorized disclosure of personally identifiable non-public information (PII) or third-party corporate confidential information that is in the care, custody or control of the organization, or of an agent or independent contractor that is handling, processing, sorting or transferring such information on behalf of the organization.
Computer security breach
A computer security breach is:
– the inability of a third party, who is authorized to do so, to gain access to an organization’s systems or services;
– the failure to prevent unauthorized access to an organization’s computer systems that results in deletion, corruption or theft of data;
– a denial of service attack against an organization’s internet sites or computer systems; or
– the failure to prevent transmission of malicious code from an organization’s systems to a third party’s computers and/or systems.
Incident vs. Breach

How do data breaches occur?
- Accidental
- Intentional
- Internal
- External

Percentage of breaches by threat type
(Chart; source: Verizon 2013 Data Breach Investigations Report. Chart data not reproduced in the transcript.)

Are you at risk? Ask your team.
- Has your organization ever experienced a data breach or system attack event?
- Does your organization collect, store or transmit any personal, financial or health data?
- Do you have a solid incident response plan in place?
- Do you outsource any part of computer network operations to a third-party service provider?
- Do you partner with businesses, and does this alliance involve the sharing or handling of their data (or your data), or do your systems connect to or touch their systems?
- Does your posted Privacy Policy actually align with your internal data management practices?
- Has your organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up with your peers?
- Where is your data?

Vendor management and requirements
Due diligence on vendors – some suggestions:
- Transparency
  – Who handles administrative rights?
  – Who has database and network access?
  – Get access logs
  – Include a right to audit your vendor
- Ask for documentation
  – Copy of security risk analysis, outside reviews, third-party audits
  – Documentation that implemented corrective actions or addressed deficiencies
- Verify use of encryption
  – All portable media
  – All network communications
  – Ask about encryption of data in storage area networks, or SANs
Remember, your indemnification agreement only has value if your vendor can actually pay...

Complacency? What do you mean?
What is complacency? Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. – Merriam-Webster Dictionary

Let’s think about solutions
What is the opposite of complacency? If complacency is being unaware of actual dangers or deficiencies, then we need to be:
- Aware
- Inquisitive
- Open-minded

Example: safety at work
How best to remain vigilant about safety? We create safety in our practice. In order to change our practices we need to change our thinking. One simple change improved the safety in state prisons...

My Safety is My Responsibility
Your Safety is My Responsibility
Place Safety is Our Responsibility
It takes all of us to create a culture of safety. It takes all of us to fight complacency.

What we covered today
- Learned about legal basics
- Heard highlights of the actuary’s report on state tort liability
- Got some ERM tools for using risk intelligence at work (registers, the three questions)
- Heard about new trends – cyber insurance and complacency risk
Thank you for participating!

Drew Zavatsky
Office of Risk Management
Department of Enterprise Services
1500 Jefferson Street
Olympia, WA
(360)