Risk has always been a business driver – but until recently, it has been largely focused on operational risk. In the past, risk management has primarily dealt with practical questions like, “How much risk can my business handle?” or “Do we have programs and processes to address issues?”
With the extreme changes brought by the past several years, standard risk management is no longer an option. The global pandemic has catapulted digitization forward, making work more efficient and exponentially increasing the number of cyber and compliance risks.
Today’s risks are interconnected and must be addressed in concert, across the enterprise – from the frontline to the boardroom.
This means shifting from a reactive, compartmentalized view of risk to an interconnected view is critical to building operational resilience, navigating new regulatory requirements, and safeguarding your business against the next threat. Here’s how.
Rethink Business Silos
Gone are the days of silo-based decision-making and department- or geography-based risk management. Because businesses are now globally connected, they must also treat their risk posture as equally interconnected.
For example, geopolitical risks and turmoil have escalated risk in supply chains around the world. Third parties and vendors are one of the top sources of cyber risk, but businesses have not caught up with this threat. In a third-party risk survey conducted by Ponemon Institute, 51% of the companies surveyed said they do not assess the cyber risk posture of third parties before allowing them access to confidential information.
What’s more, 63% of the companies surveyed said they do not have visibility into what data and system configurations vendors can access, why they have that access, who holds the permissions, or how the data is stored and shared. If breached, these blind spots can impact the entire business network, causing an avalanche of issues for the business.
As another example, remote and hybrid work are now the norm for many businesses, and this shift has dramatically expanded attack surfaces. According to a survey by HP Inc., 71% of remote employees surveyed say they access more company data, more frequently, from home now than they did pre-pandemic. A greater level of access to protected data requires an active risk and compliance management strategy across the organization.
Whether operating directly in impacted regions or affected by the downstream effects, every enterprise must be thinking about – and acting on – the connected risks within its business. Gaining a holistic view of these risks is critically important, and organizations should consider the technology available to help them achieve this goal.
See Business Risk in One Connected View
Given the size, scale, and impact of interconnected risks, businesses must gain a single view of their risks, data, and policies across the enterprise to stay ahead – and achieve a strategic advantage.
With so many risk areas and ways to assess risk, one effective way to measure risk meaningfully for all stakeholders is to quantify risk impact in dollar values. Numbers become a universal measuring stick, giving leaders the context to weigh a risk’s impact against the other values and assets in the organization. By quantifying risk in financial terms, CISOs and risk leaders can connect analytics to action, making better decisions that everyone can understand.
Just as an investor wouldn’t buy into a risky investment without first knowing the full picture of their assets and net worth, businesses should have one full, quantifiable picture of their risk landscape if they seek to bolster risk strategies and build operational resilience.
This might sound like a herculean task, but a host of technological solutions exist to help turn it into a reality.
Grow Connections with Other Leaders
Connecting risk and turning it into a strategic advantage is a journey, and not one that risk leaders can take alone. Trusted advisors inside and outside the company are valuable connections to leverage when creating integrated risk management solutions.
Networks of elite communities exist that work to drive greater business performance, and they have shown the value of building professional relationships with risk professionals at other organizations. Leaders should seek out these forums to exchange ideas and discuss risk-related best practices with their peers. Such forums can also help identify emerging risks that cut across industries, providing an important venue for addressing common problems.
However, when building these connections, CISOs should be prepared to step up with improved communication and collaboration skills. Expect tough questions from board members and partners, and be prepared to provide data, information, and proposed solutions to back up asks for additional support.
As digitization continues to grow, the links between businesses, their supply chains and partners, and their risks will become increasingly complex. But strengthening connections in every direction and maintaining one clear, high-level view of the entire enterprise will put risk leaders in the best position to make informed decisions should a risk event occur.
Remember the saying: a chain is only as strong as its weakest link. Every part of a risk chain is critical, from people to processes to technology. It’s time organizations considered risk holistically and used that perspective to their advantage.
(The author is Mr. Prasad Sabbineni, Co-CEO, MetricStream and the views expressed in this article are his own)