Cos Have to Reward and Incentivize Risk Management to Build a Risk Culture

David Walter, Vice President, RSA Archer, RSA, in conversation with dynamicCIO, decodes risk management.
Q. Considering the digital transformation that organizations are undergoing and the adoption of new-age digital technologies, what are some of the pertinent risks organizations need to own up to?
There are three different risk aspects of digital transformation that organizations need to manage. The first concern is around operational risk, which requires asking questions like: What is the impact that leveraging these technologies will have on our actual operations and on the ability to achieve financial objectives? Will these technologies actually do the things that they say they will do and actually allow us to accomplish the goals we need to? That is the basic risk that needs to be managed.
Secondly, third-party risk is another big domain of risk in which we are seeing a lot of activity. A lot of the new digital technologies, like cloud for example, are done through a partner, and a lot of the enhancements are through partnerships. As companies partner more with other organizations, they have less control over what’s going on and over the data they have. So, you can help monitor the controls that your partners have, to ensure that they have the same rigor as you have.
The third one is the business resiliency risk that interrupts your ability to perform your business. You have a plan in place to continue your business and to continue to accomplish what you need to accomplish. Because these technologies are new and innovative and they are not always in your control, the ability to have a prompt business resiliency and business continuity plan in place is a big part of managing the risks around adopting these technologies.
Q. We have recently seen a lot of breaches, including the Equifax one. Where do companies go wrong?
It’s a combination of a lot of things. Companies have always spent more money on trying to keep attackers out. They are spending money primarily on preventive controls and building higher walls to keep people out, which no longer works. Truly, if an attacker wants to get into your environment, he/she will get in. How these companies can prevent that is by focusing more on detection and response in addition to prevention.
The other problem is around not prioritizing the risks. Organizations that have SOCs and security management groups are getting a lot of information and false positives, but are unable to separate out what is most important from what is less important. Treating any risk and any event the same will put them in a serious blind spot when it comes to reacting quickly enough to the events that do matter. As a result, the attackers end up spending more time within their environment to take out what is of value. Organizations need to really focus on business context and what is most critical for them, and have that information at their fingertips so that when an event occurs they can understand its impact on the business and know whether to prioritize it or not. This, however, should not be a one-time exercise but rather an ongoing one that has to happen in agreement with the business, to understand and agree on which assets and data are most critical to accomplishing the business objectives.
Q. You have said in the past that risk management cannot be done in a silo. Can you elaborate on that?
If you look at risk across the company, there are lots of different types of risk - operational, security, financial, strategic, reputational, etc. All these departments that are set up to help you manage the risk, and the departments that help you run the business - if you are operating those in silos, I’m not sure how you can do risk management.
At the end of the day, risk management is about prioritization. A company only has so much money that it can spend on managing and mitigating the risks. So, having a good holistic view of risk across the organization will help the company make the best decision possible on where to spend the resources, where to implement controls and where to improve processes. Doing it in silos will prevent you from having that holistic view, understanding what’s most important to your business and being impactful in the risk domain that you are trying to manage.
Q. What’s the key to effective risk management?
For effective risk management, organizations need to adopt a risk culture. The concept is around having a true identity and philosophy about how to manage risk across the organization.
There are two concepts within risk management about how to do it effectively. One is top-down and the other is bottom-up. A top-down view of risk is at the board level, and the board obviously has its own perspective on what risks the organization has because it has a good overview of the whole organization, the markets, what’s going on, the strategy and the company. But they don’t know everything. Then there is the bottom-up view, which is that of the people out there in the field, those operating the business and the customers themselves. They have a different perspective on risk than the board does.
In order to do risk management successfully, you have to merge those two. And the risk culture, at the end of the day, is a concept and a philosophy about a company wanting to adopt that kind of value system, where it can actually invite people to record risks, think about risks in their everyday business, and have a system in place by which they can collect that data and correlate it with other reporting so that it enriches the understanding of risk across the organization.
Q. How does an organization build a risk culture and embed it within its processes?
Risk culture is like any culture that you want to try to bring into your organization. It can’t be something that you just say and talk about. It’s something that you have to live by, and it takes time to develop. It starts and flows from the top. Top management has to believe in risk, and they have to reward and incentivize risk management within the organization. That means you can’t punish people for playing out risks. You have to have a very open and engaging kind of environment and welcome conversations about risk in the organization. You have to have a philosophy by which you can collect the data and aggregate it and enable the conversations about risk in the organization. Those are some of the practices that we are seeing as starters to having a good risk culture.