Risk management is a good business strategy, as it helps you prepare for the unexpected. But how do you manage risk when you're about to enter uncharted territory, considering that you're stepping out of your comfort zone?
The digital transformation era makes risk management even more challenging because of the increased velocity of change, and digital initiatives remain a priority for many businesses.
“In the new world we live in, things are changing quicker and quicker than in the past,” says Brett Alston, managing partner of RedCloud Consulting, a management-consulting firm in Bellevue, Washington. “I think of digital transformation as the next technological frontier. […] You still have the people, processes and tool components but change is coming down the pipe at increasing speed.”
Managing Risk Holistically
Some businesses tend to focus on the more tangible aspects of risk management. When moving to the cloud, for example, that may be physical components such as data centers. But Alston says the bigger risk is not the migration of data itself but the migration of the processes.
“The bigger business risk is in the migration of the processes, the process mapping and the change management associated with that,” he says.
He recommends a holistic risk assessment that takes into consideration not only the tools but also the people and processes. That means evaluating and updating not only technology, but also your policies, training and so on.
Creating an Enterprise Risk Management Program
Whether you're adopting new technology, expanding locations or venturing overseas, your business strategy should include an enterprise risk management (ERM) program. Mark Bednarz, who runs the risk advisory group at the accounting firm PKF O'Connor Davies, says that by understanding the business, defining risk appetite and evaluating alternative strategies, organizations will be in better position to understand opportunities and challenges.
“The business objectives [...] will lead into defining your risk appetite, identifying risks, prioritizing the risks and developing a risk response,” he says. “A well-developed ERM program will help answer: Is it worth taking that next step? Or, what do you need to do to remediate the risk level before you move forward?”
Through a risk assessment, you can answer questions such as:
- What is the likely impact from this risk?
- How quickly is the risk likely to occur (risk velocity)?
- What's the acceptable level of risk?
- What are the remediation steps to reduce the level of risk?
“Part of creating a dynamic enterprise risk management program is to identify individuals who can evaluate internal and external risks and update the risk universe,” Bednarz says. “If you assign them certain responsibilities, these individuals can help you identify, monitor and control the risks.”
He recommends including different departments such as legal, compliance, internal audit, IT and sales. Each department brings a different perspective.
“You may not be able to control some risks, like external risks, but an enterprise risk management program can help steer you into a safer direction,” Bednarz says. “And make sure you establish KRIs (key risk indicators) in order to be in a better position to anticipate risks, adapt to disruptors and seize opportunities.”
Alston suggests using what he calls cascading metrics.
“You need to have a high-level metric, or top-level scorecard, that's driving awareness, otherwise the people below won't pay attention,” he says. “Once that gets down to the appropriate level of management and execution, then the metrics are more granular and include a frequency component.”
Focusing on Data Security and Privacy
As more operations and processes become digital, fraud protection and data security are growing concerns. And new regulations such as the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act are raising the stakes due to the possibility of large fines when consumer privacy is violated in a data breach.
One requirement of GDPR is the mapping of data and information flow. Bednarz says that data flow mapping “will open management's eyes” to the amount of personal and sensitive data the organization maintains or has access to via service providers.
“Key elements of data flow mapping include type of data, format, transfer method, legal basis, location, data owner, security controls and application name,” he says.
Peter Fidler, partner with the New York IT consulting firm WCA Technologies, says organizations struggle to control how information is publicly shared and to “protect their employees from themselves.”
“Start with the premise of giving your users access to information they need, not information they may need,” he says. “It's really important to set policies and procedures about how people can get the information out, and what's appropriate to share and what isn't. And there are a lot of tools available to control the flow of information, both in and out of the organization.”
He recommends exploring built-in tools in applications such as Office 365.
“If you mark a document confidential, then it can't even possibly leave the organization,” he says.
Securing the infrastructure and the data with tools is only one step in risk management. There's still the human element, Alston says.
“You need threat prevention and threat detection and mitigation, but you also need employee training,” he says.
In addition to training all employees on data security best practices, key employees should be trained in incident response in the event of a data breach.
“There are proven incident response processes that can help organizations reduce risk exposure from a breach,” says Ben Munroe, director with Cisco Security. “Quick situational containment is always critical—so it's very important to have a living incident response plan that addresses multiple scenarios, and to then practice drills and exercises for responding to those scenarios.”
“The [incident response] plan should factor in the most expedient recovery methods to get the business back up and running as quickly as possible,” Munroe says. “And, of course, proper incident response requires rigorous investigation of how the breach occurred and where and how it spread, so that lessons can be learned and integrated into the plan. That information can also add to the knowledge base underpinning employee training on cyber risks.”