How Ryder Approaches Enterprise Cyber Risk Management

March 28, 2018

Ryder does more than just lease and rent trucks. In addition to having more than 200,000 trucks on the road, the company also offers supply chain management, fleet management, and small business services. As the company’s business model has evolved, so has the role of Risk Management within the organization. At the recent Executive Risk Summit hosted by AIG and Axio, Amy Wagner, Director of Risk Management at Ryder, provided insight into how the company has managed growing cyber risk.

  • There was a recognition in Ryder that it needed to start managing Risk on an Enterprise basis.
  • That the role of Risk Management had previously only been concerned with purchasing insurance and has evolved into much more.
  • That the risk team needed to get out there and connect with all the stakeholders in the organization.
  • The Risk Manager is an officer of the company so the “Officer of Risk” has a seat at the Board table to have real discussions about risks and how to mitigate them.

1. Ryder has a formal Enterprise Risk Management Committee with broad representation that has tactical discussions on controls, process, people, and training.

Stakeholders in this committee include:

  • IT
  • Safety
  • Legal
  • HR
  • Security
  • Logistics
  • Environmental
  • Treasury

Structure & Activities of the Enterprise Risk Management Committee include:

  • Quarterly Meetings
  • Regular scenario planning
      • What if X happens?
      • What is the likelihood of X happening?
      • What are the financial implications?
  • Review Risk Matrix to quantify risk and prepare for Bi-annual Board Report
      • Outline the risks
      • Outline plans to mitigate

2. Sometimes there are not Insurance Products for all risks

  • Ryder runs large supply chains and cannot afford to shut those lines down
  • Ryder evaluated their first Cyber policy about 8 years ago
    • As more bad things happen, it is clear that the issue is broader than just HR data and Credit Cards; it’s about shutting OEMs supply chains down due to a breach.
  • Ryder has multi-million dollars contracts at stake
  • Insurance products are being created as new risks are identified

3. Proactively Identify Risks

  • Ryder needs to identify end-to-end the long list of vendors working together on the supply chain to make sure proper protections are in place
  • Ryder created formal protocols to vet other vendors they work with
  • Ryder works to match Terms and Conditions in policies to the extent possible

4. People and Processes are as important as technology

  • Ryder processes more than 20,000 physical damage claims each year to fix trucks. They have 800 shops all over North America to repair their trucks.
  • It was a decentralized and inefficient process
    • IMPACT: vehicles had an inordinate amount of downtime, which means no revenue on that vehicle while it was in the shop
    • DECISION: Take the process in-house and do a Root Cause Analysis: why is it taking so long?
    • CREATE: A Center of Excellence to centralize processes, protocols, and specialization of roles
    • KAIZEN: performed a Kaizen analysis
      1. Minor repairs were reduced from 37 to 15 days. A 60% improvement!
      2. Major repairs were cut in half from 60 to 30 days.
      3. There was no new technology applied, just improved processes and policies
      4. Today Ryder is looking to apply technology to get to the next level of efficiency

“Technology enables the process, but it’s not going to fix your broken process.”  – Amy Wagner, Ryder

5. Partner with Insurance Brokers and Carriers

  • Once Ryder identifies a risk in our Risk Committee, we reach out to our Carrier and ask them to help us understand the risk and impact. It all starts with scenario planning.
  • Who better to sit with you and help you understand the risks than your carrier or broker?
  • This can help protect not only yourself but your partner’s balance sheet
  • The best ideas come from collaboration
  • GOAL:  Identify gaps in coverage, remove coverages that are no longer needed, and consider new areas to insure.

As a final takeaway, Amy reminded the audience that the biggest concern is the evolution of technology and keeping up with it.

Learn more about Identity & Access Management: Projects Challenges & Recovery in our upcoming webinar on Friday, April 20, 2018. Click here to reserve your spot now.

This article was co-authored by Hanno Ekdahl and Jeff Luther.

Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.

Photo credit: Flickr

Download my new, FREE digital book entitled Reimagining Identity Management: How To Design, Choose And Implement The Right IAM Solution For Your Business.

More News