Cos Have to Reward and Incentivize Risk Management to Build a Risk Culture


David Walter, Vice President, RSA Archer, RSA in conversation with dynamicCIO decodes risk management.

 

Q. Considering the digital transformation that organizations are undergoing and adoption of new age digital technologies, what are some of the pertinent risks organizations need to own up?

 

There are three different risk aspects of digital transformation that organizations need to manage. The first concern is around operational risk, requiring to ask questions like - What is the impact that leveraging these technologies will have on our actual operations and the ability to achieve financial objectives? Will these technologies actually do the things that they say they will do and actually allow them to accomplish the goals they need to. That is the basic risk that needs to be managed.

 

Secondly, third party risk is another big domain of risk that we are seeing a lot of activity in. A lot of the new digital technologies, like cloud for example, are done through a partner and a lot of the enhancements are through partnerships. As companies are partnering more with other organizations they have less control over what’s going on and the data they have. So, you can help monitor the control that your partners have to ensure that they have the same rigor as you have.

 

The third one is the business resiliency risk that interrupts your ability to perform your business. You have a plan in place to continue your business and to continue to accomplish what you need to accomplish. Because these technologies are new and innovative and they are not always in your control, the ability to have a prompt business resiliency and business continuity plan in place is a big part of managing the risks around adopting these technologies.

 

Q. We have recently seen a lot of breaches, including the Equifax one. Where do the companies go wrong?

 

It’s a combination of a lot of things. Companies have always spent more money on trying to keep attackers out. They are spending money primarily on preventive control and building higher walls to prevent people in, which no longer works. Truly if an attacker wants to get into your environment, he/she will get in. How these companies can prevent that is by focusing more on detection and response in addition to prevention.

 

The other problem is around not prioritizing the risks. Organizations having SOCs and security management groups are getting lot of information and false positives, but are unable to separate out what is most important from what is less important. Treating any risk and any event the same will put them in a serious blind spot to being able to react quick enough to the events that do matter. As a result, the attackers end up spending more time within their environment to take out what is of value. Organizations need to really focus on business context and what is most critical for them, and having that information on the fingertips so that when an event occurs they can understand its impact on the business and should be able to know whether to prioritize it or not. This, however, should not be a one-time exercise but rather an ongoing one that has to happen in agreement with the business to understand and agree what are the most critical assets and data that is needed to accomplish the business objectives.

 

Q. You have said in the past that risk management cannot be done in a silo. Can you elaborate on that?

 

If you look at risk across the company, there are lots of different types of risks - operational, security, financial, strategic, reputational, etc. All these departments that are set up and help you manage the risk and departments that help you run the business, if you are operating those in silos, I’m not sure how you can do risk management.

 

At the end of the day, risk management is about prioritization. A company only has so much money that they can spend on managing and mitigating the risks. So, having a good holistic view of risk across the organization will help the company make the best decision possible on where to spend the resources, where to implement controls and where to improve processes. Doing in silos will prohibit you from having that holistic view, understanding what’s most important to your business and being impactful for the risk domain that you are trying to manage.

 

Q. What’s the key to effective risk management?

 

For effective risk management organizations need to adopt a risk culture. The concept is around having a true identity and philosophy about how to manage risk across the organization.

 

There are two concepts within risk management about how to do it effectively. One is top down and the other is bottom up. A top down view of risk is at the board level and the board obviously has their own perspective of what risks the organization has because they have a good overview of the whole organization, the markets, what’s going on, the strategy and the company. But, they don’t know everything. Then, there is the bottom up view, which is of the people out there in the field, those operating the business and the customers themselves. They have a different perspective of risk than what the board does.

 

In order to do risk management successfully, you have to merge those two. And, the risk culture opened up at the end of the day is a concept and a philosophy about a company wanting to adopt that kind of value system where it can actually invite people to record risks, think about risks in their everyday business and be able to have a system in place by which they can collect that data and co-relate it to other reportings so that it enriches the understanding of risk across the organization.

 

Q. How does an organization build the risk culture and embed it within their processes?

 

Risk culture is like any culture that you want to try to bring into your organization. It can’t be something that you just say and talk about. Its something that you have to live by and it takes time to develop. It starts and flows from the top. Top management has to believe in risk and they have to reward and incentivize risk management within the organization. That means you can’t punish people for playing out risks. You have to have a very open and engaging kind of environment and welcome conversations about risk in the organization. You have to have a philosophy by which you can collect the data and aggregate it and enable the conversations about risk in the organization. Those are some of the practices that we are seeing as starters to having a good risk culture.

Categories: Technology

About Author

Write a Comment

Your e-mail address will not be published.
Required fields are marked*

*

Recent Comments