What Are the Hidden Threats to Driver Safety?

When you’re running a business, you’ve got a whole host of obligations. Those obligations range from profit obligations to shareholders all the way to smaller obligations, like a promise made to a junior member of your team.

Above all else though, your first and primary obligation is always that of the safety of your employees. It comes above all else and is severely punished by the law should you fail to ensure effective care and protection for your staff.

In your own premises, ensuring safety is simple. After all, the risks within a building are often predictable and easy to manage. But what about when your staff step outside of your premises and take to the road using your fleet vehicles? You still have a duty of care, after all.

The answer is fleet risk management, but what are the hidden threats to your business that fleet risk management can protect against? Let’s take a look.

Invalid/banned driving licenses

It might seem like a slim risk, but there are a shocking number of drivers on the road who have had their licence revoked, are driving with an expired licence or have been disqualified from driving for a period. In fact, 1 in 650 drivers who have had their licence checked are driving while disqualified and 1 in 300 have a revoked or expiring licence. Additionally, 1 in 16 drivers have issues with their photocard.

Driving with any of these issues is illegal and, should an accident happen, you will be held personally liable for failing to check their credentials. It’s why fleet driving license checking is utterly vital in a comprehensive risk management solution.

Bad driving habits

We’re all guilty of bad driving habits, picked up over years of driving the roads. Those bad habits are dangerous in our own vehicles, but in a fleet vehicle they put the entire business at risk unless you move to address them.

Whether it’s things like taking a corner too quickly, failing to check wing mirrors, consistently driving above the speed limit, late braking or any other bad driving habit, anything can put you, your staff and the public’s safety at risk. It’s why driver retraining is a legal requirement.

Other drivers

You can be as safe as possible on the road, but you simply can’t always predict what other drivers on the road will do. Either by inattention, inebriation or simply dangerous driving, many accidents which happen won’t be your staff’s fault.

Fleet driver training, however, can teach your staff to pay closer attention to the warning signs and act accordingly. It’s another small way that training proves essential – especially if it saves a life.

What Is a Cyber Security Risk Assessment and Why Do One?

Modern day companies face serious dangers from the cyber domain. The FBI recently reported that cybercrime increased 24% last year. The time has come for businesses to become proactive and conduct a cyber security risk assessment. Such an assessment focuses on identifying the threats and vulnerabilities that confront an organization’s information assets.

Threats are forces that can harm organizations and destroy mission critical data. Vulnerabilities are the pathways that threats can follow to damage, steal, destroy or deny the use of information assets. Risks are realized when threats converge with vulnerabilities. Devastating losses can occur in a variety of ways.

A cyber risk assessment produces an understanding of the consequences associated with unauthorized disclosure of an organization’s confidential or mission critical information. A business owner or governing authority, with the results of a cyber risk assessment in hand, can decide to accept the risk, develop and deploy countermeasures or transfer the risk.

The world is immersed in an enormous asymmetric threat environment that is enabled by an incalculable number of vulnerabilities. Cybercrime is a growth industry with low risk and a high payoff. The financial losses, due to data breaches, now exceed the dollar amount of the illegal global drug trade. Law enforcement, sadly, is unable to prevent cyber criminals from attacking your company. Organizations are largely on their own.

One of the few ways that a company can thwart cyber risks is to realistically assess its exposure and to implement controls that lower the chance of risks being realized. Cyber security must be regarded as a business process that requires precise managerial controls similar to those found in accounting and finance.

How can an organization accomplish the cyber risk assessment?

Information assets must first be identified. Internal and external threats and vulnerabilities need to be realistically and objectively measured. The consequences of failing to offset risk need to be understood. Existing policies, procedures and controls should be aligned with security best practices. Risk mitigation strategies, based upon organizational priorities, can be adopted.

Organizations would then be able to focus on increasing their information security efforts.

Failing to take extra information security steps can result in irreparable harm to the organization, violations of regulations, statutes, fines, lawsuits and damage to the value of the company and customer base.

The directors of publicly owned corporations and privately owned companies must comply with multiple laws and regulations and take all prudent steps to prevent information security breaches. Doing otherwise is irresponsible and stands as evidence of a lack of due diligence.

The findings of a cyber risk assessment can point the way for an organization to develop and follow through upon an information security plan that assures mission critical information.

Avoiding the steps to correct any weaknesses that are discovered may very well be considered a lack of due diligence.

The Cyber-Security Training Tips Your Business Has Been Looking For

Strictly Enforce a Multi-Tiered IT Security Plan for ALL Staff

As new threats arise, it is imperative to keep policies up to date to protect your business. Your employee handbook needs to include a multi-tiered IT security plan made up of policies for which all staff, including executives, management and even the IT department are held accountable.

  • Acceptable Use Policy – Specifically indicate what is permitted versus what is prohibited to protect the corporate systems from unnecessary exposure to risk. Include resources such as internal and external e-mail use, social media, web browsing (including acceptable browsers and websites), computer systems, and downloads (whether from an online source or flash drive). This policy should be acknowledged by every employee with a signature to signify they understand the expectations set forth in the policy.

  • Confidential Data Policy – Identifies examples of data your business considers confidential and how the information should be handled. This information is often the type of files which should be regularly backed up and are the target for many cybercriminal activities.

  • E-mail Policy – E-mail can be a convenient method for conveying information; however, the written record of communication is also a source of liability should it enter the wrong hands. Having an e-mail policy creates consistent guidelines for all sent and received e-mails and integrations which may be used to access the company network.

  • BYOD/Telecommuting Policy – The Bring Your Own Device (BYOD) policy covers mobile devices as well as network access used to connect to company data remotely. While virtualization can be a great idea for many businesses, it is crucial for staff to understand the risks smart phones and unsecured WiFi present.

  • Wireless Network and Guest Access Policy – Any access to the network not made directly by your IT team should follow strict guidelines to control known risks. When guests visit your business, you may want to restrict their access to outbound internet use only, for example, and apply other security measures to anyone accessing the company’s network wirelessly.

  • Incident Response Policy – Formalize the process the employee would follow in the case of a cyber-incident. Consider scenarios such as a lost or stolen laptop, a malware attack or the employee falling for a phishing scheme and providing confidential details to an unapproved recipient. The faster your IT team is notified of such events, the quicker their response time can be to protect the security of your confidential assets.

  • Network Security Policy – Protecting the integrity of the corporate network is an essential portion of the IT security plan. Have a policy in place specifying technical guidelines to secure the network infrastructure including procedures to install, service, maintain and replace all on-site equipment. Additionally, this policy may include processes around password creation and storage, security testing, cloud backups, and networked hardware.

  • Exiting Staff Procedures – Create rules to revoke access to all websites, contacts, e-mail, secure building entrances and other corporate connection points immediately upon resignation or termination of an employee, regardless of whether or not you believe they hold any malicious intent towards the company.

“More than half of organizations attribute a security incident or data breach to a malicious or negligent employee.” Source: http://www.darkreading.com/vulnerabilities---threats/employee-negligence-the-cause-of-many-data-breaches-/d/d-id/1325656

Training is NOT a One Time Thing; Keep the Conversation Going

Employee cyber security awareness training dramatically reduces the risk of falling prey to a phishing e-mail, picking up a form of malware or ransomware that locks up access to your critical files, leaking information via a data breach, or falling victim to the growing number of malicious cyber threats that are unleashed each day.

Untrained employees are the greatest threat to your data protection plan. Training once will not be enough to change the risky habits they have picked up over the years. Regular conversations need to take place to ensure employees actively look for the warning signs of suspicious links and e-mails and know how to handle newly developing situations as they happen. Constant updates about the latest threats and enforcement of your IT security plan create individual responsibility and confidence in how to handle incidents to limit exposure to an attack.

“Every business faces a number of cybersecurity challenges, no matter the size or industry. All businesses need to proactively protect their employees, customers and intellectual property.” Source: https://staysafeonline.org/business-safe-online/resources/creating-a-culture-of-cybersecurity-in-your-business-infographic

Training Should Be Useful Both Personally AND Professionally to Stick

Create regular opportunities to share topical news about data breaches and explore different cyberattack methods during a lunch and learn. Sometimes the best way to increase compliance is to hit close to home by making training personal. Chances are your employees are just as uninformed about their personal IT security and common scams as they are about the security risks they pose to your business.

Expand on this idea by extending an invitation to educate their entire families about how to protect themselves from cybercrime during an after-hours event. Consider covering topics that may appeal to a range of age groups, such as how to control the privacy and security settings on social media, online gaming, etc., and how to recognize the danger signs of someone phishing for personal information or money both via e-mail and phone calls. Seniors and young children are especially vulnerable to such exploitation.

Don’t Make a Hard Situation Harder; Remember you WANT red flags reported

Making ongoing security training a priority will greatly reduce repeat errors and prevent many avoidable attacks; however, mistakes happen. It can be very embarrassing and a shock to one’s pride to acknowledge an error and report involvement in a potential security breach. Your first instinct may be to curse and yell, but this would be a serious mistake. Keeping calm and collected is the key to the trust needed for employees to come to you right away, while they are feeling their most vulnerable.

For this reason, treat every report with appreciation and immediate attentiveness. Whether the alert turns out to be a false alarm or an actual crisis, avoid berating the employee for their mistake no matter how red your face may become.

When the situation is under control, take an opportunity to thank them for reporting the situation so that it can be handled appropriately. Remember it takes a lot of courage to step up when you know you were to blame. Help the employee understand what to look out for next time if it was something that could have been prevented, such as a user error.

Cyber Training Recap

  • Implement a Multi-Tiered IT Security Plan Strictly Enforced for ALL Staff
  • Training is NOT a One Time Thing; Keep the Conversation Going
  • Training Should Be Useful Both Personally AND Professionally to Stick
  • Don’t Make a Hard Situation Harder; Remember you WANT red flags reported

Effective Project Risk Assessment and Optimal Risk Mitigation Strategies

What are the nature and sources of project risks? What are the nature and function of project risk assessment? How do firms select risk mitigation strategies? What is the correlation between optimal risk mitigation strategies and effective project risk assessment? How do firms reach forecasted financial targets through quality management and statistical methods? The answers to these strategic questions are critical to effective formulation and execution of optimal risk mitigation strategy that equates marginal cost to marginal benefit of risk mitigation. Additionally, optimal risk mitigation strategy minimizes the known probability and incidence of project risks and maximizes the profit producing capacity of the enterprise.

In this review, we examine some pertinent and extant academic literature on effective project risk assessment and optimal mitigation strategies. Each risk mitigation strategy has costs and benefits. Therefore, the objective function is to maximize the net benefit of risk mitigation strategies. In practice, the optimal risk mitigation strategy equates marginal cost to marginal benefit of risk mitigation strategy by minimizing the incidence of project risks and maximizing the profit producing capacity of the enterprise. Project risk measured by the project standard deviation is the weighted average of possible deviations from the expected value (mean). The project standard deviation captures the likelihood that any uncertain event or condition might adversely affect a project and keep it from being executed as planned.

In practice, project risks, like financial risks, derive from the weighted average of possible variations from expected results based on historical data. Therefore, firms should understand the nature and sources of variations to formulate effective risk mitigation strategies consistent with the profile of the firm, which allows it to reach forecasted financial targets through quality management and statistical methods.

Not all project risks (variations) are adverse. Some risk events, such as innovative approaches or methods of completing an activity, or favorable conditions, such as lower prices for certain materials, are risk-reducing and can facilitate project completion. These favorable events or conditions are called opportunities, but they should still be treated as project risks: possible deviations from the expected value (mean).

Some Operational Guidance

Not all project risks can be effectively mitigated. To formulate and execute effective project risk mitigation strategies firms must develop a culture of assessment and continuous improvement. Firms cannot apply or manage what they do not understand, and they cannot measure or understand what they do not know; and they cannot know what they do not believe. Therefore, firms must always inspect what they expect by designing and deploying a robust assessment model that informs collection and analysis of relevant, accurate and timely data.

Sources and Types of Variation

In operations, variation source identification for projects is critical for product quality improvement. Many variation source identification techniques are based on a linear fault quality model, in which the correlation between process faults and product quality measurements is linear. In practice, many quality measurements are nonlinearly related to the process faults. A critical aspect of process characterization is to identify and quantify various sources and types of variation so that they may be minimized.

In addition, the ability to detect and minimize variation in the project processes gives firms competitive advantage, allowing them to provide superior quality products to their customers in the global marketplace and to reach forecasted financial targets through quality management and statistical methods. Traditional quality control focuses on statistical process control (SPC), to detect anomalies and deviations based on product and process measurements. However, this approach does not provide specific operational guidelines to identify the variation sources, a critical step toward variation reduction and the derivative project risk mitigation strategies.

Further, the availability of project and process assessment data, as well as the criticality of problems caused by project and process variation, led to the significant development of innovative methodologies for variation source identification. In the case of normal causes (common variation), the process is in control (stable) and therefore predictable. This means that, based on the current process pattern, a firm can predict how it will behave in the future, i.e. always within the control limits. In the case of special causes (exceptional variation), the process is out of control (unstable) and therefore unpredictable. In other words, based on the current process pattern, a firm is not able to predict how the process will behave in the future.

As you know, there are not only different sources of variation but also different types of variation. Common cause variation describes random variability that is inherent in the process, and special cause or assignable cause variation is due to specific circumstances. The two types of variation are controlled variation and uncontrolled variation. Controlled variation is characterized by a stable and consistent pattern of variation over time. This type of variation is random and indicates a uniform fluctuation about a constant level. Uncontrolled variation is characterized by a pattern of variation that changes over time and hence is unpredictable.

The concept of controlled/uncontrolled variation is critical in determining if a process is stable and in control. A process is deemed stable and in control if it runs in a consistent and predictable manner. This means that the average process value is consistent, and the variability is controlled. If the variation is uncontrolled (the process is out of control), then either the process expected value (mean) is not consistent, or the process variation is changing, or both.

Risk Assessment and Mitigation Strategies

In practice, managing project risks is a process that includes risk assessment and mitigation strategy for identifiable and predictable risks. Project risk assessment includes both the identification of potential risks with known probabilities and the evaluation of the potential impacts of project risks so identified. Risk mitigation strategies are designed to eliminate or minimize the impact of the risk events (occurrences that have a negative or adverse impact on the project). Identifying risk is both a creative and a systematic process. The creative process includes actively developing new insights into situations and applying innovative, unique solutions to project problems. The systems approach entails the ability to anticipate and understand the implications of project risks and mitigation strategies across the entire firm.

Finally, there is gathering empirical evidence in the extant academic literature suggesting that during process characterization, firms should endeavor to isolate, eliminate, or minimize all sources of uncontrolled variation. At the planning stage of the project, risks are still uncertain because they have not yet occurred. But eventually, some of the anticipated risks will occur, and the firm must deal with them. There are four basic strategies for managing project risks:

1. Risk Avoidance: The best thing a firm can do with a project risk is avoid it. If a firm can prevent risk from happening, it will not adversely affect the project. The easiest way to avoid project risk is to walk away, but this may not be a viable option. A common risk avoidance technique is to use proven and existing methods rather than adopt innovative methods, even though innovative methods may indicate better potential outcomes. Risk avoidance is often effective but seldom practical.

2. Risk Reduction: If a firm cannot avoid the risk, it can mitigate or minimize the impact. This means taking some actions that will minimize the severity of damage to the project. Effective use of management information systems, warning systems and early problem detection systems is among the industry best practices.

3. Risk Transfer: One of the most effective ways to deal with a project risk is to pay a third party to accept the risk. The most common way to do this is through insurance or re-insurance.

4. Risk Sharing: This involves partnering with other firms to share responsibility for the risky activities. Partnering with another firm to share the risk associated with a portion of the project is useful when the other firm has expertise or distinctive competency (resources and capabilities) that the firm lacks.

5. Risk Retention: This is the planned assumption of risk by a firm. When a firm cannot avoid, mitigate, transfer, or share a project risk, then it must retain/accept part or all of the risk. The most common way to do this is through self-insurance, co-payments, or deductibles.

In sum, there are always costs and benefits for every business decision and strategy. Therefore, firms must always weigh the costs and benefits of project risk assessment and mitigation strategies to decide whether the benefits justify the costs. The optimal mitigation strategy equates marginal cost to marginal benefit, ceteris paribus.