Over the past two years, risk management has gained a lot of attention in the media and among practitioners. Even though it has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted a pro-active approach to addressing risks. What are the inhibitors to risk management and how can companies overcome them?
In today’s threat-driven environment the bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack. This has led many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) to change their approach and incorporate the concept of risk management into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.
Rather than following the traditional compliance-driven approach to risk management which promotes a check-box mentality, the renewed guidelines encourage organizations to find ways to streamline governance processes, continuously monitor compliance and their security posture, and correlate it to business criticality.
However, old habits die hard: According to the 2015 Black Hat Attendee Survey (PDF), nearly three quarters (73 percent) of top security professionals think it is likely that their organizations will be hit with a major data breach in the next 12 months. One of the frustrations voiced in the survey links back to the fact that many organizations are still focusing more on compliance rather than a risk-based approach to security. This negatively impacts a company’s security posture because this approach takes time and resources away from activities needed to ensure systems are secure and protected.
Meanwhile, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s consider the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.
When implementing risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance- to risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed due to the fact that the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization when it comes to understanding and embracing risk management concepts and benefits. To address this roadblock, a well thought out training program is required for current and incoming employees.
Risk Management Perceptions
Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits all approach, but rather the benefits and costs of risk management are dependent on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a risk management implementation will increase the odds that its benefits will be more clearly understood and supported across the organization.
Instead of relying on employees to implement risk management in silo-based fashion using antiquated tools such as spreadsheets to document their findings, organizations should consider the use of a technology-based system. Pitfalls to look out for include integrating the necessary tools and techniques in a holistic manner and managing these at an enterprise level. Other alternatives, such as implementing Governance, Risk, and Compliance (GRC) processes using outside consultants and traditional GRC solutions, often require extensive customization that can result in months, if not years long rollouts.
A recent white paper by global advisory firm Enterprise Strategy Group (ESG), entitled “Beyond GRC: SRM and the Move to Integrated Risk Management”, found that a majority of respondents view the traditional mix of GRC systems as inflexible, slow, and incapable of delivering on the promise of automating risk management processes. In fact, nearly 78 percent of the enterprises surveyed are in the process or planning to replace these systems with advanced Integrated Risk Management platforms. There stated goals include increasing operational efficiency and audit accuracy, streamlining remediation, gaining improved visibility into enterprise risk posture, and ultimately making better investment decisions.
Organizations that address the above mentioned inhibitors to risk management head-on, can significantly reduce the time it takes to produce risk profiles; shorten the policy control process; involve all required subject matter experts via a centralized, standardized collaboration system; achieve tremendous overhead savings by automating risk assessment efforts; and increase credibility with management, regulators, and boards of directors. Ultimately, they can use their knowledge of risk to optimize business investments and performance, while achieving and often surpassing their corporate budget objectives.