Public Risk January/February/March 2024


RANSOMWARE — THE THREAT IS REAL (PAGE 6)

PUBLISHED BY THE PUBLIC RISK MANAGEMENT ASSOCIATION | JANUARY/FEBRUARY/MARCH 2024

ALSO IN THIS ISSUE

BEST OF THE BLOG: PUBLIC MEETINGS, SPECIAL EVENTS, AND PUBLIC SAFETY SOLUTIONS (PAGE 10)

RISK MANAGERS AS ERM POLICY ENTREPRENEURS (PAGE 15)

GET TO KNOW ASHLEY BONNER, Recipient of the 2024 PRIMA Pioneer Excellence Award (PAGE 19)

BIG IDEAS. SMALL SETTING.

PRIMA INSTITUTE 2024

The Industry’s Premier Risk Management Educational Program

October 21–25 // Scottsdale, AZ

PRIMA Institute 2024 (PI24) is an innovative educational symposium comprised of fundamental risk management curriculum, outstanding faculty, and excellent networking opportunities.

PI24 is aimed at new and seasoned risk management professionals who want to learn more about emerging trends and best practices.

REGISTRATION OPENS IN JUNE

CONTENTS

The Public Risk Management Association promotes effective risk management in the public interest as an essential component of public administration.

PRESIDENT

Laurie T. Olson, Sr. Risk Management Consultant, City/County Insurance Services, Salem, OR

PAST PRESIDENT

Scott J. Kramer, MBA, ARM, County Administrator, Autauga County Commission, Prattville, AL

PRESIDENT-ELECT

Adam F. Maxwell, CLRP, Director, Administrative Services, City of Westerville, Westerville, OH

DIRECTORS

Sean Barham, MBA, ARM, Executive Director of Human Resources, Las Cruces Public Schools, Las Cruces, NM

Joe Costamagna, Risk Manager, Schools Insurance Authority, Santa Rosa, CA

Chester Darden, Director of Loss Control, Public Entity Partners, Franklin, TN

Dana S. Henderson, CWCP, Risk Manager, Town of Mount Pleasant, Mount Pleasant, SC

Jennifer Hood, COSS, Safety & Risk Director, Montgomery County Government, Clarksville, TN

Steve M. LePock, II, Risk Manager, Virginia Beach City Public Schools, Virginia Beach, VA

NON-VOTING DIRECTOR

Jennifer Ackerman, CAE, Chief Executive Officer, Public Risk Management Association, Alexandria, VA

EDITOR

Jennifer Ackerman, CAE 703.253.1267

jackerman@primacentral.org

ADVERTISING

Jennifer Ackerman, CAE 703.253.1267

jackerman@primacentral.org

Public Risk is published 4 times per year by the Public Risk Management Association, 700 S. Washington St., #218, Alexandria, VA 22314

tel: 703.528.7701 • fax: 703.739.0200

email: info@primacentral.org • Web site: www.primacentral.org

Opinions and ideas expressed are not necessarily representative of the policies of PRIMA.

Subscription rate: $140 per year.

Back issue copies for members available for $7 each ($13 each for non-PRIMA members). All back issues are subject to availability. Apply to the editor for permission to reprint any part of the magazine.

POSTMASTER: Send address changes to

PRIMA, 700 S. Washington St., #218, Alexandria, VA 22314.

Copyright 2024 Public Risk Management Association

JANUARY/FEBRUARY/MARCH 2024 | Volume 40, No. 1 | www.primacentral.org

6 | Ransomware: The Threat is Real

10 | Best of the Blog: Mediating public meetings, planning special events, and public safety solutions

15 | Navigating the Evolution: Risk Managers as ERM Policy Entrepreneurs in Municipal Risk Management

19 | Get to Know Ashley Bonner, Recipient of the 2024 PRIMA Pioneer Excellence Award

IN EVERY ISSUE | 4 NEWS BRIEFS | 20 ADVERTISER INDEX

Join us June 6–9 for the leading event for Public Risk Management Professionals

conference.primacentral.org

EARLY BIRD REGISTRATION CLOSES APRIL 5

An Elevator Speech for an Evolving Field

Have you ever been asked, “What does a risk manager do?”

If you’re like me, that question reminds us that not everyone understands what risk management really is. For good reason, too. The duties of risk managers can vary depending on geography, size of the organization, private vs. public sector, industry, or state legislation that guides insurance, workers’ compensation, tort claim laws, etc. Some people even mistake a single component of risk, like safety for example, for the entire field of risk management.

As practitioners, we know that risk management is so much more. With PRIMA’s Annual Conference right around the corner, the vast number of topics demonstrates that risk includes anything from managing insurance, safety, or a specific risk program to implementing an ERM program or captive at your organization, and everything in between.

The educational sessions for this year’s Annual Conference offer a menu that will satisfy the appetite of anyone wearing a “risk hat” at work. The Conference Planning Committee (CPC) has crafted a schedule designed to provide basic and advanced risk management concepts, as well as sessions in human resources and benefits, general liability, auto, workers’ compensation, risk control, and insurance/ market trends.

The venue is Nashville, and the time to register is NOW! In addition to enhancing your risk knowledge, it will be a time where risk professionals, specialized experts, sponsors, exhibitors, corporate partners, members, and speakers can come together to learn from each other and share information. I invite you to join us from June 6-9th for PRIMA’s main event.


One thing is certain. Public sector risks evolve to reflect advancements in society. It wasn’t that long ago that cyber, artificial intelligence (AI), and drone risks were uncommon, if they existed at all. Learning to manage these risks through insurance and legal development is now part of what we do. As we tackle the best ways to approach them, we often find common solutions to managing these risks together, only to find that new risks await us around the next corner. But this is what makes our profession so fun and challenging!

Perhaps it is because our risks are evolving that it’s not always easy to answer the “what does a risk manager do?” question. Maybe now is the time to revisit your “elevator speech.” The elevator speech is a brief way of introducing yourself, getting across a key point or two, and making a connection with someone so we can continue to stamp the value of risk management on people who don’t understand the field.

Design your pitch to be 30-60 seconds. You should be compelling in your approach to answer who you are, what you do (two or three short persuasive descriptors), and what you hope to achieve. For example, in this issue of Public Risk, there is an article on “Risk Managers as ERM Policy Entrepreneurs in Municipal Risk Management” (p. 15). If your goal is to be an ERM policy entrepreneur and have your program established by 2025, state that in your elevator speech. Keep your speech positive and upbeat, and design it for a broad audience, so you can adjust it as needed.

Your elevator speech can be a great tool to share what you do with coworkers, executives, peers, strangers, your family, or at conferences. I encourage you to design one that works best for you. With that, I look forward to seeing everyone in Nashville and hearing YOUR elevator speech. See y’all soon!

Sincerely,

MESSAGE FROM PRIMA PRESIDENT LAURIE OLSON

NEWS Briefs

FEDS DELIVER STARK WARNINGS TO STATE ELECTION OFFICIALS

Matt Vasilogambros | Stateline | February 14, 2024

Federal law enforcement and cybersecurity officials are warning the nation’s state election administrators that they face serious threats ahead of November’s presidential election.

Secretaries of state and state election directors must be ready for potential cyberattacks, both familiar and uncomfortably new. And they must remain vigilant about possible threats to their personal safety.

Voter databases could be targeted this year through phishing or ransomware attacks, election officials were told. Bad actors — both foreign and domestic — are trying to erode confidence in the integrity of elections through dis- and misinformation, and advancements in artificial intelligence present unprecedented challenges to democracy.

“The threat environment, unfortunately, is very high,” said Tim Langan, executive assistant director for the Criminal, Cyber, Response, and Services Branch of the FBI, speaking at the winter conference of the National Association of Secretaries of State in Washington. “It is extremely alarming.”

Read More: stateline.org/2024/02/14/feds-deliver-stark-warnings-to-state-election-officials-ahead-of-november/

2023 WORST YEAR ON RECORD FOR NUMBER OF DATA BREACHES

Scott Ikeda | CPO Magazine | February 7, 2024

Last year was the worst year yet for occurrences of data breaches, according to a new annual report published by the Identity Theft Resource Center (ITRC). A record for total amount of compromises was set, up 78% from 2022 and 72% from the previous record set in 2021. The total number of victims decreased by 16%, but researchers attribute that to cyber criminals becoming more polished in their work and focused on specific targets and types of information.

Supply chain attacks are seeing a spike in popularity, part of an upward trend that has been in place since 2018. Financial services also continue to be a highly popular target, but the industry has now been topped by attacks on healthcare providers. Healthcare is increasingly a focus for cyber criminals given the amount of valuable data that can be found packed into one place. However, the industry with the highest count of total victims is utilities, and the transportation sector is the fastest riser with over two times as many data breaches as it had in 2022.

Read More: www.cpomagazine.com/cyber-security/identity-theft-resource-center-2023-worst-year-on-record-for-number-of-data-breaches/

SEA LEVELS ARE RISING, BUT MANY COASTAL CITIES ARE SINKING FASTER

Pei-Chin Wu, Meng “Matt” Wei and Steven D’Hondt | Governing | February 26, 2024

Sea level rise has already put coastal cities on notice thanks to increasing storm surges and even sunny day flooding at high tide. However, many cities are facing another factor making them even more vulnerable to rising waters: land subsidence. The authors, scientists at the University of Rhode Island Graduate School of Oceanography working with the U.S. Geological Survey to research challenges facing waterfront cities, said their findings indicate that land is sinking faster than sea levels are rising in many coastal cities throughout the world.

Most of New York City is sinking between 1 and 4 millimeters per year due to a combination of glacial rebound and the weight of its more than 1 million buildings. In a city where sea level is projected to rise between 8 and 30 inches by 2050, subsidence further increases vulnerability to coastal storms. Most of the cities on the Atlantic coast are also subsiding due to glacial rebound. Even if the rate is lower, at less than 1 millimeter per year, it should be accounted for. Other cities in the U.S., especially along the Gulf of Mexico, including Houston and New Orleans, also face subsidence.

While the research continues to evolve — for example, by using machine learning to improve our monitoring capability — the researchers urge city planners, emergency managers, and other decision-makers to account for subsidence in the plans they are making today to prepare for the impacts of rising sea levels in the future.

Read More: www.governing.com/resilience/sea-levels-are-rising-but-many-coastal-cities-are-sinking-faster

PROFESSIONAL COALITIONS ENDORSE FCC’S K-12 CYBERSECURITY PLAN

News Staff | Government Technology | February 2, 2024

A dozen national nonprofit agencies that support K-12 education recently filed official comments urging the Federal Communications Commission to move forward with its proposed $200 million cybersecurity pilot program for K-12 schools and libraries.

The FCC’s proposal, announced in November, would determine which firewall and data-protection measures are the most important for protecting learning institutions’ broadband networks. It would also cover the costs of cybersecurity measures for qualifying entities. The FCC’s Universal Service Fund (USF), if the measure is approved, would provide the money over a three-year period. While the pilot would be a separate expenditure from the USF’s E-rate program, which covers discounted Internet services for libraries and schools, it would expand the definitions of firewalls and other security measures funded by E-rate money in the future.

The Consortium for School Networking (CoSN), State Educational Technology Directors Association (SETDA), American Library Association, Council of the Great City Schools, Health and Libraries Broadband Coalition (SHLB), National School Boards Association (NSBA), All4Ed, Council of Chief State School Officers (CCSSO), National Association of State Boards of Education (NASBE), Link Oregon, Common Sense, and Pacific Northwest Gigapop support the idea of publicizing the data that would be obtained during the pilot for the purpose of informing decisions. But they also asked the FCC to protect the participants’ confidentiality and any sensitive data they would submit to the federal agency as part of the pilot process.

Read More: www.govtech.com/education/k-12/professional-coalitions-endorse-fccs-k-12-cybersecurity-plan

NEW HOUSE LEGISLATION WOULD PUSH AGENCIES TOWARD NIST’S AI FRAMEWORK

Rebecca Heilweil | FedScoop | January 11, 2024

A bipartisan quartet of House lawmakers revealed new legislation in January meant to rein in how federal agencies use and purchase artificial intelligence. The proposal follows similar legislation unveiled in the Senate in November. It also signals Congress’ growing effort to regulate how the government uses and acquires artificial intelligence, particularly as the Biden administration encourages federal agencies to adopt the technology.

The Federal Artificial Intelligence Risk Management Act would order the Office of Management and Budget to issue guidance that requires agencies to incorporate the National Institute for Standards and Technology’s Artificial Intelligence Risk Management Framework, which was introduced early last year, into their operations. The Comptroller General, who leads the Government Accountability Office, would also study the impact of the framework on how agencies use AI, while OMB would report back to Congress on agency compliance.

Read More: fedscoop.com/house-ai-bill-nist-ai-framework/

RANSOMWARE — THE THREAT IS REAL

Controls and coverage are necessary to protect public entities from liability.

Cybercriminals have wreaked havoc on local governments in recent years, primarily through costly ransomware attacks. Ransomware is the fastest growing type of cybercrime, and because public entities are especially vulnerable, they continue to face the real and ever-increasing threat of this type of attack.

In a ransomware attack, cybercriminals infect a public entity’s computer system with malware, software most often installed when an employee opens a “phishing” email and unwittingly clicks on a malicious link or attachment. The malware encrypts the system’s data, restricting the entity’s access to it. The criminals then demand a ransom to restore the data, usually threatening permanent destruction of the data unless the ransom is paid.

PUBLIC ENTITIES ARE SOFT TARGETS FOR RANSOMWARE ATTACKS

Cybercriminals consider public entities soft targets because their defenses are often inadequate to repel their ever-evolving and expanding attacks. They know many public entities operate on tight budgets and lack the funding to develop a robust defense.

Many public entities are vulnerable to attack because they do not:

• Have staff with cybersecurity expertise (the cybersecurity skills shortage disproportionately affects the public sector because it has more difficulty attracting talent than the private sector)

• Make necessary upgrades to their IT systems and equipment

• Identify and correct vulnerabilities

• Operate secure backup systems

• Provide ongoing security awareness training for all employees

• Invest in cyber insurance

Cybercriminals also understand that public entities provide critical services that, when interrupted, cause major disruption and public safety concerns. This creates an urgency for public entities to pay the ransom in the hopes of restoring their systems as quickly as possible.

WAYS PUBLIC ENTITIES CAN IMPROVE SECURITY—AND INSURABILITY

Public entities can mitigate the increasing costs of cyberattacks and cyber insurance by implementing these security measures:

• Two-factor or multi-factor authentication (MFA)

• Updated antivirus and anti-spyware software (antivirus software should include firewall protection)

• Encrypted data storage and data backups

• Software patching

• Vulnerability testing and endpoint detection and response (EDR)

• Ongoing security training for employees that includes strong password practices and how to identify phishing emails

• Hardware and software inventory (uninstalling unused software, updating outdated software, and replacing equipment every three to five years)

• A rapid response plan for use in the event of a breach, which identifies a response team (including vendors) and provides template notifications for quick access

• Improved physical security, including restricted access to buildings and server rooms and use of surveillance cameras

• Encryption to protect personally identifiable information (PII) and a policy that outlines the handling and sharing of PII

• Monitored email traffic

• An isolated area on the network for public access (where applicable)

• Prohibited use of personal drives on business equipment

• Virtual private network (VPN) for remote access

• Social media policy outlining acceptable use for computer equipment

• Protocol for reporting security incidents (including language about internet safety, downloading software, accessing unauthorized websites, and guidelines for the secure handling of payment cards, such as using chip technology instead of magnetic strips)

• Vendor security controls, including a process to terminate vendor, contractor, and temporary employee accounts at the end of their contract

• Secure electronic records storage and a record destruction policy

Public entities should assess and regularly reassess opportunities to improve controls as technologies can change rapidly.


Other contributing factors to public entities’ vulnerability include:

• Transparency requirements

• Storage of personal information, tax records, and other sensitive information

• 24/7 availability requirements for networks and applications so constituents can access resources and conduct transactions (making it challenging to take systems offline for maintenance)

An evolving issue is federal and state government policy on responding to ransomware attacks. While an affected entity may believe it is in its best interest to pay the ransom, doing so presents a collective problem. When a single victim pays ransom, it encourages cybercriminals to launch more attacks. Federal law enforcement officially discourages ransom payments. In April 2022, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms.

CYBERSECURITY RESOURCES FOR PUBLIC ENTITIES

CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY (CISA)

www.cisa.gov/free-cybersecurity-services-and-tools

NICCS — CISA GLOSSARY OF CYBERSECURITY WORDS AND PHRASES

niccs.cisa.gov/cybersecurity-career-resources/glossary

U.S. GENERAL SERVICES ADMINISTRATION

gsa.gov/technology/government-it-initiatives/cybersecurity/cybersecurity-programs-policy

GOVERNMENT TECHNOLOGY MAGAZINE

govtech.com/tag/cybersecurity

FEDERAL TRADE COMMISSION

ftc.gov/business-guidance/small-businesses/cybersecurity/cyber-insurance

GOVERNMENT FINANCE OFFICERS ASSOCIATION

gfoa.org/cyber-insurance

IT’S PREVALENT BECAUSE IT’S PROFITABLE

Ransomware is an extremely profitable crime, and the number of attacks is dramatically increasing. Reports indicate that in the U.S., cybercriminal black markets can be more profitable than illegal drug trafficking. Given the significant revenue that can be generated by cybercrime, cybercriminals are often well-funded and well-organized, financing their abilities to swiftly conduct sophisticated attacks.

Cybersecurity Ventures, a researcher and publisher covering the global cyber economy, predicts that the global cost of ransomware will exceed $265 billion by 2031, with an attack carried out every two seconds, up from every 11 seconds in 2021.

It is critical that public entities identify and address vulnerabilities before an attack happens. Whether an entity pays the ransom or expends considerable time and resources to restore access, a ransomware attack can be an extraordinary expense and seriously impact operations for weeks and even months.

The cost of an attack on a public entity is also not limited to the ransom demand. Costs can also include forensic investigations, system recovery services or new systems, claims services and related expenses, improved security, cybercrime prevention and response measures, and lost or delayed revenue.

INCREASING ATTACKS LEAD TO CHANGES IN THE CYBER INSURANCE MARKET

More frequent and costly ransomware attacks, spiking insurance claims, and increased demand for coverage have led to changes in the cyber insurance market.

Cyber insurance premiums have risen, coverage limits have changed, and insurers are requiring stricter security controls before issuing or renewing policies. Without certain controls, an entity may be considered uninsurable. See the sidebar on p. 7 for controls public entities can implement to help improve their insurability for cyber coverage.

CYBER INSURANCE COVERAGE SHOULD BE PART OF EVERY DEFENSE PROGRAM

Public entities’ commercial general liability policies do not cover cyber liability, and errors and omissions insurance is not cyber insurance.

Cyber insurance is purchased as either a standalone policy or as an extension to another policy. The range of cyber risk is broad, and not all risks may be covered by cyber policies.

Coverage can vary significantly between different insurers and different policy forms.

Cyber insurance policies typically include coverage for:

• Cyber extortion

• Data restoration

• Loss of income and extra expenses

• Crisis management costs, including notification and IT forensics expenses

• IT security liability

• Privacy liability

• Confidentiality liability

• Data protection regulatory fines and costs

Policies may also include additional coverages such as:

• Network security and privacy liability

• Electronic media liability

• Regulatory proceedings

Public entities should always discuss cyber coverage and policies with their insurance agent.

Lisa Hammond is risk control and business development manager of Tokio Marine HCC’s Public Risk Group.


APRIL WEBINAR

Artificial Intelligence: Strengths, Concerns, Opportunities, Impacts and Value to Public Entity Risk Management Professionals

APRIL 17 | 12:00 PM – 1:00 PM ET

SPEAKER:

Karl Miller, VP, Sales and Compliance, American Computer Estimating

As artificial intelligence (AI) becomes a greater part of our professional lives, what does a public risk manager need to know to make the best decisions on how and when to utilize AI tools in the workplace? This webinar will look at ways to make AI work for you and your staff. We will also discuss the risk associated with utilizing AI tools, and how to identify the “sweet spot” where AI and human interaction work in tandem for maximum efficiencies and results. Finally, we will discuss ways to measure effectiveness and value of AI platforms.

ATTENDEE TAKEAWAYS:

1. Better understanding of how AI usage has revolutionized the public risk sector

2. Discussion of some of the AI tools that are of value to the public risk sector

3. Considerations (pros and cons) when introducing AI tools into the workplace

4. Ways to measure value/ROI of AI tools

FREE TO MEMBERS

Register at primacentral.org/education/webinars

BEST OF THE BLOG

MEDIATING PUBLIC MEETINGS, PLANNING SPECIAL EVENTS, AND PUBLIC SAFETY SOLUTIONS


THE PUBLIC RISK MANAGER’S ROLE IN MEDIATING PUBLIC MEETING MAYHEM

Whether citizens who attend public meetings are representative of those not in attendance is open to debate. What is not debatable, however, is the increase in inappropriate behavior during public board meetings, ranging from disruptions and threats of violence to actual violence.

Enter the risk manager. Unlike more traditional risks which can often be avoided or transferred, the risks associated with public meetings must be managed and mitigated.

It has been my experience that public boards generally conduct themselves honestly and professionally. However, some boards are their own worst enemy when it comes to dealing with outspoken, rude, or hostile citizens who differ with their perceptions or actions. The risk manager should ensure that the public boards or committees in their organization publish rules outlining the manner in which public meetings are conducted. Further, when it comes to the citizen comment portion of the meeting, it is essential that the board or committee in question educate the public on the mechanics of these rules, as well as provide training on how to effectively present their concerns to the board. For instance, a board can hold a workshop for citizens and other stakeholders who wish to address the board, and suggest that those who wish to speak:

• Learn when and where the board is meeting

• Request a copy of the agenda in advance of the meeting (most states have public records laws designed for such a purpose)

• Request a copy of the board’s public comment policy, which will provide citizens with the length of time allotted, as well as whether the board will engage citizens, rather than merely letting them speak

• Discuss a specific topic in the time allotted

• Be clear about what they want the board to do—e.g., change a particular policy, introduce a new program, or better support an existing one

• Follow up with a letter or testimony to the entire board, even if the stakeholder has previously spoken to an individual board member, to reiterate one’s points

• Remind stakeholders that not all board meetings are open to the general public. Most states permit certain boards to meet in closed session to discuss threatened or ongoing litigation.

Along with assisting the public in effectively appearing before the board, the board must enforce its public comments policy consistently and uniformly. The board must also have the wherewithal to eject from the meeting persons who disrupt the governmental process or make threats of violence.

The risk manager should strive to inculcate in boards and committees that the work they put in before meeting is crucial to running successful meetings where public business can be conducted in a civil and professional manner while permitting the general public to have a voice. Public boards and committees must have easily understood and legally defensible policies in place, and board members and administrators must understand their roles during meetings. When citizens wishing to address a board know the rules of the game and believe that they will be treated fairly and equitably, a board can go a long way to minimize meeting mayhem, while enhancing its relationships with the citizenry it was designed to serve.


THE FUTURE OF PUBLIC SAFETY: PEOPLE, TECHNOLOGY, AND LEADERSHIP RISK MANAGEMENT SOLUTIONS

First responders serve as the frontline managers of risk and safety in the public sector, responding in real time to worst-case scenarios across our communities 24 hours per day, every day of the year. The threats responded to by our police, firefighters, EMS professionals, and 911 dispatchers include murders, suicides, high-risk domestic violence, environmental catastrophes, active shooters, mass evacuations, and myriad other terrible realities most of us never confront firsthand.

Responding to these harsh realities leads to two interrelated types of risk. The first, decision-action risk, captures the extent to which first responder decisions and actions mitigate the risk of the situations they respond to over time. The second, wellness-trauma risk, captures the extent to which first responders are negatively affected over time by the stressful and traumatic aspects of the situations and scenarios to which they respond. Of course, wellness-trauma risk, by undermining emotional stability and decision-making quality, directly aggravates decision-action risk, which in turn fuels greater wellness-trauma risk.

Both types of risk are the direct concern of risk managers, first responders, the public at large, and any stakeholders concerned with mitigating risk or maintaining public safety. Research demonstrates that first responders are also suffering from an unsustainable degree of understaffing, further aggravating these risks. Fortunately, many solutions are available.

PEOPLE RISK MANAGEMENT SOLUTIONS

First responders benefit substantially from high-quality peer support or fellow first responders specially trained to provide support related to both work and non-work stressors. Because peer supporters are also first responders themselves, they are easy to access, capable of building trust, and relate effectively to the realities of the work. Research has shown that 90% of first responders who used peer support found it helpful, 80% reported they would seek assistance again, and 90% said they would recommend the program to a peer (Digliani, 2018).

While peer support is a key part of the solution to managing risk, it is far from the entire solution. Many challenges experienced by first responders routinely go beyond what can be resolved with peer support alone and must be referred to licensed clinicians qualified to treat post-traumatic stress, depression, suicidal thinking, and related mental health issues common among first responders. Many years of firsthand experience has taught us the critical importance of clinicians who are culturally competent (i.e., familiar with the realities of first responder work), effective (i.e., skilled at treatment), professional (i.e., ethical and law-abiding) and available (i.e., responsive when needed).

TECHNOLOGY RISK MANAGEMENT SOLUTIONS

First responder wellness-trauma risk and decision-action risk are challenges we face on a national scale, and therefore nationally scaled solutions are necessary to ensure consistent quality, accessibility, and availability of support. Technology has become a vital key to addressing these challenges at scale. Examples of agencies implementing high-tech wellness solutions for their first responders include the Vacaville Police Department and the Memphis Police Department, both of which subsequently won the prestigious Destination Zero National Officer Safety and Wellness Awards, a testament to their innovation and leadership in implementing strong wellness programs designed to care for their personnel at scale.

Other examples of technology-enabled solutions include online training and certification of peer supporters and first responder clinicians, virtual access to certified first responder peer supporters, clinicians, and crisis support resources, a wide range of high-quality wellness self-help tools designed specifically for first responders, and in-hand, on-demand access to the full range of wellness tools and support resources available to first responders, regardless of the size of the agency.

LEADERSHIP RISK MANAGEMENT SOLUTIONS

Public safety agencies have experienced substantial leadership turnover in recent years. Fortunately, strong leadership training is available for first responders at mass scale. For example, retired Navy SEALs and New York Times best-selling authors Jocko Willink and Leif Babin recently co-created online training for first responders on topics including extreme ownership, leading up and down the chain of command, and caring for team members while also achieving the overall mission of the organization. Executive peer support for police chiefs and fire chiefs is also now available to help ensure that leaders have access to the same level of support available to other first responders.

LARGE-SCALE CHALLENGES AND SCALABLE SOLUTIONS

First responders nationwide face enormous challenges and stressors on a routine basis, leading to wellness-trauma risk and decision-action risk—which should be topline concerns for anyone invested in upholding public safety. Fortunately, many scalable solutions now exist that can help address these challenges through training and certification programs, scalable technology applications, leadership development, and peer support.

MANAGING THE RISK RELATIONSHIPS OF SPECIAL EVENT PROGRAMMING

Special events are an opportunity for the community to gather and participate in activities that can generate community publicity and dollars for the local economy while instilling goodwill. If managed efficiently, the collaborative efforts between government agencies and private sector companies can combine resources to promote the special event in a community context, increasing the profile of government, private enterprise, and hometown initiatives.

These events are a unique opportunity to show the very best of what a community has to offer. Communication and planning are key to inviting a community’s diversity into the organizational process of determining the scope and breadth of these events. While labor intensive, special events also allow businesses of all sizes and types, which often lack resources to promote their products and services, to benefit from the publicity a special event may have to offer.

Public-private partnerships are important in organizing special events on a large scale, regardless of whether they are in a private or public setting. An argument can be made that both are mutually beneficial to each other…if done correctly.

Success in any endeavor requires constructive communication in managing the totality of the risk associated with it. This includes proactively communicating the initial special event program proposal and then engaging in ongoing communication to provide updates as they occur. Population projections and the scale of the event will drive the resources needed to effectively manage the risks associated with the event and plan risk mitigation activities for the inevitable issues that may arise. Planned activities, vendors, and entertainment need to be examined individually and in the context of what is being planned.

Public resources for community event planning begin with a robust licensing/permitting process. That review should include a multidisciplinary approach by risk, public safety/fire and police, code enforcement, public works, and building/zoning departments. Each of these reviews brings with it an opportunity to ensure the success of an event and to proactively identify potential issues that may negatively impact it. Events also come with costs that should be proactively assessed and managed, including additional staffing, overtime, and public works preparation.

Private resources for special events may include increased staffing, security, event participation fees, and planning for potential business obstructions or modifications if the event has special conditions. Building, zoning, and code enforcement play a special role in helping determine whether the event lawfully meets a community’s land use regulations.

Strategic risk planning seizes opportunities. Community special events are opportunities for entrepreneurship, publicity, participation, and an influx of money into private and public coffers. They also increase community risk profiles. Social media, while beneficial, also has the potential of generating negative risk characteristics that require more careful considerations to ensure a community’s spirit is protected while ensuring the civil liberties of all.

The nuts and bolts of risk mitigation for special events rely on proactive and effective communication and partnerships. It’s important to understand that the private business sector is an integral partner in the success of any special event and municipal risk mitigation. Remembering that the private sector is freer to embrace innovation enables risk managers to learn, grow, and be mutually beneficial to governance in special event planning and its community.

REGISTER for PRIMA’s MAY WEBINAR

Enjoying Actuarial Results: It’s as Easy as 3.14159265...

MAY 15 | 12:00 PM – 1:00 PM ET

SPEAKERS:

Mike Harrington, FCAS, MAAA, President, Bickmore Actuarial

Mark Priven, FCAS, MAAA, Vice President, Bickmore Actuarial

Stefan Zepernick, ACAS, MAAA, Actuarial Manager, Bickmore Actuarial

The actuarial report may have many numbers and look pretty daunting, but with knowledge of some basic concepts, reading an actuarial report can actually be enjoyable. This session will not only provide attendees with a firm understanding of key actuarial results such as outstanding liabilities and projected funding rates, but also important actuarial concepts including loss development, inflationary trends, claim frequency and severity, reserve discounting, and confidence levels. Current industry trends will also be discussed.

ATTENDEE TAKEAWAYS:

1. Better understanding of actuarial concepts and results

2. Ability to reasonably check the assumptions in the actuarial report

3. Ability to use actuarial results to determine appropriate funding levels and claims trends

4. Knowledge of current industry trends in various lines of business

FREE TO MEMBERS

Register at primacentral.org/education/webinars

NAVIGATING THE EVOLUTION:

RISK MANAGERS AS ERM POLICY ENTREPRENEURS IN MUNICIPAL RISK MANAGEMENT

In the local government landscape, the role of risk manager is shifting significantly, catalyzed by the adoption of enterprise risk management (ERM). This evolution requires risk managers to accept the role of policy entrepreneur as they introduce complex and transformative ERM policies into their organizations and begin exercising administrative skills that are not always associated with the risk management position. The journey to implement ERM in local government entities faces multiple challenges stemming from cultural, structural, and institutional complexities, and risk managers play a pivotal role in this transformational process.

A CULTURE CHECK

Determining the suitability of an organization’s culture and structure for ERM implementation is a critical first step. While enterprise risk management may introduce long-term organizational benefits that make decision making systematic, collaborative, and data-driven, risk managers must consider the initial barriers before introducing ERM as a policy.

The first step is an assessment of risk appetite and tolerance for introducing change to the organizational decision-making approach. Local government decision-making is known for incremental and evolutionary types of change introduced slowly over time. This is due to several factors. Bureaucratic structures within administrations favor stability and risk aversion. The complex network of departments and decision-making processes, both formal and informal, can create inertia, making it challenging to implement new ideas or policies. Local governments also operate in a context influenced by public opinion and community dynamics. They navigate diverse interests and opinions, often resulting in a cautious approach to change to avoid upsetting constituents or facing resistance from stakeholders. The combination of bureaucratic structure and the need to balance diverse community interests makes local governments typically slow in adopting changes, not to mention that actors involved in the decision-making process are not only community-interested, but also self-interested, as relatively large and rapid change could result in implications for personal careers if implementation goes poorly.

The second step involves the question of garnering stakeholder support and convincing leadership to support ERM implementation. This includes the process of identifying allies and striking alignments with key stakeholders who will be supportive of the benefits of ERM adoption. Make no mistake, introducing ERM is a transformative undertaking that will have a lasting impact on the organizational approach. Therefore, relationship building is an important skill, along with the ability to convey and convince others about the merits of ERM. Moving forward requires a commitment among a constellation of actors willing to change their current practices to engage in an ERM process that feels unfamiliar. It is a beneficial practice for the ERM entrepreneur to identify the minimum coalition of support they will need among administrative leaders, politicians, and other stakeholders that can lead to a tipping point of support cascading into policy adoption.

UNDERSTANDING THE POLICY-MAKING PROCESS

Understanding the local government policymaking process is integral because it serves as the framework within which ERM policies are developed. The process involves three stages: policy crafting, policy adoption, and implementation. While the process may appear complex, the primary ingredients for success are careful planning, inclusion, agreeableness, and resilience.

Risk managers tend to be experts in executing policies but not necessarily in leading and navigating a complex policy-making campaign. Generally speaking, risk managers have traditionally tended to be policy takers who engage in incremental fiddling with existing policy. While risk managers may not have extensive experience exercising policy-making skills, they tend to display the attributes that would make them successful policy entrepreneurs in the local government setting.

Crafting an original draft of an ERM policy can be daunting, but existing ERM policies that have already been adopted in other jurisdictions can serve as a basis for reproduction. Policy mimesis, or policy reproduction from one jurisdiction to another, is a common practice and should be readily adopted. The place to begin in planning a potential ERM policy is by reviewing a battery of policies from other jurisdictions, which can be obtained directly from those municipalities or by drawing on the expertise of the PRIMA membership. The second task should be to consult ISO 31000-2018 and ISO 31010-2019 to use as a guide and framework, as they represent the industry standard. A third suggestion is to attend an ERM training offered through PRIMA, so risk managers are well-grounded in the principles of ERM and can establish contacts with those who have successfully filled the role of policy entrepreneur. Knowing that successful ERM trailblazers already exist should be a source of confidence.

Once the initial ERM policy draft is completed, risk managers should follow the practice of gathering feedback from administrative leaders, politicians, and stakeholders, and of obtaining legal review. The most time-consuming and potentially frustrating component of these tasks is likely to be the legal review. The best approach is to let the process run its course as the legal dance between one draft and the next unfolds.

With stakeholder consultation and legal review completed, the new policy will go before the decision-making body, which is usually a county board or municipal council. Prior to placing it as an item on the agenda, it is good practice to get some indication of support from politicians since it makes no sense to go to the effort of bringing an item forward if the policy is doomed to failure from the outset. When doing so, make sure to observe open meeting laws and be respectful when receiving feedback. Ideally, the risk manager should enter the meeting confident that the ERM policy will pass or be sent away with a request for minor revisions. If politicians send it back for changes, do not despair—address the issues of concern and when it is returned, identify their points in the presentation materials to show how their concerns were addressed.

STEPS FOR SUCCESSFUL IMPLEMENTATION

Finally, careful thought should be given to implementation before bringing the policy forward. The two primary challenges involve education on the new policy and overcoming institutional barriers. Even when the ERM policy is well-delivered and informative, additional education will be needed. While the ERM policy may be a critical organizational tool for risk managers, it is unlikely to be the focus of those in other departments since they are busy carrying out their primary functions. As a result, implementation will require an education program comprising workshops, communications, and trainings to clarify understanding and reinforce cohesiveness.

Decision-makers, administrative leadership, and other stakeholders will expect policy implementation timelines, which should be shared as part of the presentation when the ERM policy is introduced. Setting these expectations establishes accountability, which will be useful for overcoming institutional resistance in the implementation stage.

Adoption of the ERM policy should be celebrated, but expect minority opposition to the policy by those who prefer the status quo approach to government decision making. Some administrators may prefer to work in silos, believe in a winner-takes-all approach, and perhaps see the ERM process as a risk to their department’s objectives. Other reasons could involve personality differences, existing political alignments, and comfort with existing practices and entrenched institutional norms. Institutions tend to be sticky and resistant to change even after a policy is supported. Depending on the constellation of actors and the size of impact of change on the organization, it is possible that the implementation process will be more difficult than the process of creating and codifying the ERM policy. It is sometimes difficult to accept the idea that there will be organizational members who prefer the ERM policy to fail despite the obvious benefits a successful implementation represents to the public, administrators, and decision-makers, but having a realistic understanding of this happening will help with resilience during the follow-through phase.

The evolution of risk managers into policy entrepreneurs heralds a promising shift toward proactive risk management paradigms within municipal organizations, setting the stage for a more resilient and adaptive local governance framework in an increasingly complex world. As they navigate the sea of change before them, risk managers should remember they possess the skills of planning, openness, agreeableness, and resilience which form a solid basis for being a policy entrepreneur. Challenges are inherent to policy-making, but the rewards of ERM in local government—enhanced risk resilience, improved decision-making, and better resource allocation—underscore its significance as a necessary transformative endeavor.

Jacob Skinner is the Nye County Risk Manager, a PRIMA member, and a Ph.D. (ABD) in Political Science from the University of Western Ontario.

PRIMA PODCASTS

PRIMA Podcasts are a convenient and quick way to learn about hot topics in the public risk management sector.

Listen at primacentral.org

Get to Know Ashley Bonner

THE RECIPIENT OF THE 2024 PUBLIC RISK PIONEER EXCELLENCE AWARD

HOW DID YOU END UP IN PUBLIC RISK MANAGEMENT?

While still in high school, an employee safety and health manager of a public utility lived across the street from me. He provided me with work, which was interesting, and I absorbed it. After continued years of working for the organization while completing my formal education and postgraduate work, I progressed to different organizations, always as a part of the risk and safety field. Focusing on supporting public entities’ staff, their risk management programs, and their communities has always been part of my mission during my 38 years of tenure, including in my current role at Trident Public Risk Solutions. My mantra is “Energize! Empower! Educate!”

WHAT ARE THE THREE MOST SIGNIFICANT WAYS RISK MANAGEMENT HAS CHANGED SINCE YOU STARTED 38 YEARS AGO?

First, evolving technology, which has its own risks, has been a great advancement, especially being mindful of how it has affected the three major components of risk management: risk assessment with analysis, risk evaluation, and risk treatment including risk financing/transference. We can now be more quickly accessible and efficient with communication, report claims online for expedient response which can help mitigate loss cost, use risk management information systems (RMIS) to manipulate data for identifying trends and developing solutions, create more dynamic presentations, programs, and training, and use online learning management systems (LMS) as well as webinars.

Second, networking by using technology allows us to immediately reach out to fellow risk managers for input, advice, and resources. We can provide and have support at the touch of our fingertips, which not only can help ourselves but also others who may be dealing with similar issues. The internet also has a dynamic wealth of information that can be accessed at any time versus relying on encyclopedias and binders full of stale information.

Third, organizational cultural thinking has become broader, so we not only focus on issues as they arise but are also mindful of emerging risks and how they may manifest in our organization, as well as how they ultimately affect employees. We have learned the significance of obtaining top management support and how essential it is as a successful ingredient to achieving goals. We have expanded our perspective to include obtaining employee contribution, buy-in, and transparency. A positive work culture can make all the difference in enlisting teamwork to reduce and minimize losses, and also foster a great place to work and live.

WHAT ARE THE TOP THREE BENEFITS PRIMA PROVIDES TO YOU?

My greatest appreciation of the many benefits includes access to continued education, the ability to share my knowledge with others which helps ensure that I stay current, networking on national and state forums, and moments with colleagues at conventions and events to celebrate accomplishments and energize each other for the upcoming year.

WHAT PRIMA BENEFITS DO YOU THINK BEST SERVE NEW RISK MANAGERS IN THE FIELD?

PRIMA is an excellent resource for providing both new and longtime risk managers with education, from the basics to next-level learning for seasoned professionals; the ability to network and hive-mind with fellow colleagues, experts, and experienced vendors; and resources for addressing topics as they arise within an organization with an eye toward preparedness for emerging risks.

PRIMA has implemented wonderful resources such as its website, the PRIMATalk forum, the Annual PRIMA Convention, PRIMA Institute, PRIMA’s Public Risk magazine, PRIMA’s monthly webinar series, PRIMA’s Enterprise Risk Management Seminars, PRIMA Leadership Academy, scholarships, and more.

WHAT ARE TWO THINGS PRIMA COULD GET BETTER AT DOING?

The PRIMA Mentoring Program should be emphasized and expanded for future risk managers, as so many do not know about it. There are now fewer risk managers in the field, and their numbers seem to be diminishing as people change fields or retire. We need to consciously work together to capture the interest of members of the future workforce and get them excited about what we do, as we have the ability to improve and change lives within the scope of our work. By doing this, we can educate future risk managers with the very foundation of what makes us successful leaders and protectors of our organizations.

More support could also be provided to state-level PRIMA organizations so that there is a known and tangible link and relationship with the parent organization.

IF A NONMEMBER WAS ON THE FENCE ABOUT JOINING PRIMA, WHAT WOULD YOU SAY TO GET THEM TO JOIN?

PRIMA is a phenomenal user-friendly resource that can provide you with state-of-the-art information, infinite networking and educational possibilities, professional development, and recognition for your achievements. It is also a community unto itself, full of positive, supportive individuals. PRIMA is my main professional go-to organization, and I strongly encourage anyone in the field to become a part of it.

HAS YOUR ENTITY LAUNCHED A SUCCESSFUL PROGRAM? An innovative solution to a common problem? A money-saving idea that kept a program under budget? Each month, Public Risk features articles from practitioners like you. Share your successes with your colleagues by writing for Public Risk magazine! For more information, or to submit an article, contact Jennifer Ackerman at jackerman@primacentral.org.

CALENDAR OF EVENTS

PRIMA’s calendar of events is current at time of publication. For the most up-to-date schedule, visit www.primacentral.org.

PRIMA ANNUAL CONFERENCES

June 16–19, 2024

PRIMA 2024 ANNUAL CONFERENCE Nashville, Tennessee Gaylord Opryland Hotel

June 1–4, 2025

PRIMA 2025 ANNUAL CONFERENCE Seattle, WA Washington State Convention Center

PRIMA WEBINARS

March 20

Cultivating Relationships to Enhance a Culture of Safety

April 17

Artificial Intelligence: Strengths, Concerns, Opportunities, Impacts and Value to Public Entity Risk Management Professionals

May 15

Enjoying Actuarial Results: It’s as Easy as 3.14159265...

June 26

Fraud in Risk Management

July 17

Succession Planning: Your People, Your Board and Growing Your Own

August 21

Driver Management Essentials

PRIMA INSTITUTE

October 21–25, 2024 Scottsdale, AZ

FIND US ON FACEBOOK! Keep up with what’s happening at PRIMA and connect with your risk management peers!

FIND US ON LINKEDIN! Visit us at linkedin.com/company/prima-central/

MEET PRIMA’S NEW MEMBERS from January/February/March 2024!

City of Angleton, TX

City of Grand Rapids, MI

City of Unalaska, AK

Mike Reiner, Happy Valley, OR

Olympic Educational Service District 114, WCT Safety and Health, Bremerton, WA

Santa Ana Unified School District, Santa Ana, CA

Town of Herndon, VA

Brentwood Services Administrators, Brentwood, TN

Carroll County Public Schools, Westminster, MD

City of Columbia, TN

City of Cooper City, FL

City of Eagle Mountain, UT

City of Fayetteville, TN

City of Gatlinburg, TN

County of Wilson, TN

Kurt Braatz, Flagstaff, AZ

City of Redmond, OR

City of West Jordan, UT

Vancouver Police Department, Vancouver, BC

Western Virginia Water Authority, Roanoke, VA

THANK YOU FOR JOINING THE PRIMA COMMUNITY!
Public Risk Management Association Career Center: YOU COULD BE HERE. Upload resume. Receive FREE resume writing help. Search jobs. Find your new career at primacentral-jobs.careerwebsite.com