5 Strategies to Maximize Your Risk Assessments

While risk assessments enable organizations to understand their business issues and identify uncertainties, the best assessments go further. They prioritize top risks, assign risk ownership, and most critically, integrate risk management and accountability into front line business decision-making. Simply put, “checking the boxes” just isn’t enough to achieve an organization’s real objectives.

Effective risk assessments can also give organizations a true advantage. Our sixth annual Risk in Review study, comprising viewpoints from more than 1,500 corporate officers in 80 countries, finds that companies shifting risk management leadership and collaboration to the first line of defense are measurably better equipped to succeed. We call these companies “front liners.” While a majority of companies agree that front line decision-making is ideal, somewhat surprisingly, front liners represent only 13% of survey respondents.

Front liners use effective risk assessment strategies to enable revenue and profit growth, while also creating agility to bounce back from adverse events more quickly than their peers. They also outpace the pack when it comes to using risk management tools and techniques (such as a risk rating system or scenario planning).

Based on the study results, here are five strategies you can adopt to gain a front liner advantage:

  1. Put your risk assessments to use in real-time

For true impact, organizations incorporate risk assessment findings into their business decisions. Assessments should be efficient, and actions should be implemented quickly to address immediate challenges. Annual assessments are a best practice, but our study shows front liners have a robust risk culture, conducting regular assessments. Ongoing collaboration across all three lines of defense, reinforced by continuous monitoring, enables the organization to more effectively align business strategies with risk appetite.

  2. Develop actionable guidance and insights for leadership

Effective risk assessments are relevant and actionable. Be sure to interpret risk information and recommend next steps to help management incorporate the findings into their strategic decisions. Make it easy for boards and senior management to understand the key findings by providing thorough insights. Data will mean a lot more if you identify the recommendations, target outcomes and next steps. Gaining the front liner advantage is best achieved by integrating risk guidance holistically into the organization, including planning, growth strategy and investments to M&A, staffing, disaster recovery and crisis management.

  3. Speak in lay terms

Leaders outside the risk management function may perceive risk assessments as an onerous process loaded with abstract language and a heavy focus on negative outcomes. To help leaders see value in these assessments, define the risks, drivers and consequences in familiar terms using meaningful scenarios that are specific to the organization.

  4. Balance automation with the human touch

While automation enables mass data collection, organizations benefit most when risk assessment surveys are combined with facilitated discussions. Gathering important qualitative information, facilitators can bring together multiple viewpoints and encourage productive debate. Pre-reads may also be a helpful tool to level-set on the organization’s strategic objectives and overall risk landscape.

  5. Adopt a realistic view of risk management

It can sometimes be difficult for management to accept the findings of a risk assessment, especially if they believe there is a low probability such events will occur. To support strategic, risk-based decision-making, risk scenario analyses can spur productive discussions about the organization’s overall risk landscape, while dynamic, engaging tools like a risk scenario dashboard can help to draw in even the most reluctant participants.

Following these strategies can help your risk assessments to not only be relevant, but also essential to your organization’s business strategy and growth objectives.

Eliminating Language Barriers Between Information Security and the C-Suite

Whether security operations are a core focus for a company or an afterthought, the largest obstacle now affecting business and security outcomes is the language barrier that exists between security teams and the C-Suite.

In general, security groups’ budgets have increased over the years, with organizations adding more vendors to the mix, “layering” security with the latest new tool to address the latest threat. One of the newest such tools is “threat intelligence” which organizations are using to form an “intelligence-led security” program, a security operations center, or incident response capabilities. While threat intelligence and other solutions hold the answers to many of the important questions executives ask about cyberattacks, this terminology means nothing to C-level executives, nor does the output from these systems and programs. What does it mean that you have stopped one billion attacks this past month? What impact have the 30 incident responses you’ve run over that same period of time had on the business? What’s the significance to reducing response time from one month to one day?

Executives running and overseeing a company have two primary concerns: increasing revenue and shareholder value. There is a big disconnect between security and the C-suite because they speak two different languages. One is a very technical language that needs a translation layer to explain it to the executives. The other is a very strategic language that needs to be conveyed in a way that makes security part of the team and company, and ensures alignment and participation with the business units and executive suite.

What’s the fix? Communication. Each group has to understand the other at least enough to relay the core concepts as they apply to the other and in a language the other understands. As a first step, some companies are adding a technical expert—a “designated geek,” if you will—to their board of directors so they can work on improving communication and understanding. While that can help, it takes a lot more to make sure priorities, efforts and results don’t get lost in translation.

A Two-Way Street

Executives need to include the chief information security officer or chief technical officer as part of their strategic discussions and make sure that security leadership has the ability to push that communication down to their teams in a way everyone understands. To that end, CISOs and executives need to train their security operations personnel to ensure they understand the business. This starts by asking some critical questions:

  • Does every member of the security team understand what it is that you sell/produce/provide?
  • What are the things your security teams need to watch out for to protect revenue?
  • Many organizations operate large industrial control systems. If your organization has such a system, is your security team aware of this?
  • If your company is moving into the cloud or is about to launch a mobile app, does your security team know about this and have you enabled them to get the right monitoring in place to protect it?
  • Have you involved the security team as you were designing that new revenue stream, or evolving your business model in some other way, to be sure that security isn’t an afterthought?

These are just a few examples of how executives need to think about the enterprise to ensure that security is strategically aligned. It is incumbent on the business to train the security personnel on its priorities so that security teams can look for attacks that are important to the business and take action.

Likewise, security teams need to change how they communicate to the C-suite. Every security team should conduct a stakeholder analysis to identify who needs to be informed of what and when. It all comes down to content, format and frequency. Make sure you have regular communications with not only your peers in security and network operations, but with the business units, risk management, C-level executives, the board of directors, and anyone else in the company that is involved in the day-to-day objectives and operations of the company. The CISO should be the link to make this connection happen, working with executives to establish regular communication.

There is no “right way” to communicate. Some executives and boards are more technical than others. Security teams need to take the time to learn what type of communication will be most effective or forever struggle to align security with the business. Sticking with the generated metrics of number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack. For example: “We identified and stopped one attack this month from a cyber espionage group targeting our Western European manufacturing facility, which is responsible for $20 million per year in revenue to the company.”

For those in security who feel they can’t deliver such a statement because their security infrastructure doesn’t provide that kind of information about threat actors and campaigns, there is a path forward. Look into creating a program that uses adversary-focused, contextual cyber threat intelligence and make sure you understand enough about your business to know the impact of threats against the various business units. With the communication gap closed, and security and business goals aligned, organizations can become more secure, and profitable.

Wells Fargo: What Should Have Happened


When Wells Fargo fired 5,300 employees in September for inappropriate sales practices, then-CEO John Stumpf approached the scandal with an outdated playbook. In response to the $185 million in fines levied by regulators, he first denied any knowledge of the illegitimate accounts. Attempting to mitigate press fallout by distancing the company from a group of “bad eggs” acting independently is not the answer, however. Even if Stumpf had maintained this assertion of innocence, changes in the risk environment over the past few years demand a proactive approach.

Rather than simply deflecting responsibility in these situations, executives must be able to accomplish two things:

• Provide historical evidence of due diligence and risk management (if such a program was actually used)
• Demonstrate how the company is adjusting its policies and/or implementing new policies to ensure a similar incident doesn’t happen in the future

In 2010, the SEC’s Proxy Disclosure Enhancement (rule 33-9089) explicitly made boards of directors responsible for assessing and disclosing risk management effectiveness to shareholders. It mandates the use of risk monitoring systems to demonstrate that existing controls (mitigation activities) are effective. Under this rule, “not knowing” about an activity performed by employees is considered negligence. This is a crucial development; negligence carries the same penalty as fraud, but it does not require proof of intent. The Yates Memo (2015) gave the SEC ruling more “teeth” by requiring organizations to provide the Department of Justice with all the facts related to responsible individuals.

As a result, many companies have suffered significant penalties and frequently criminal charges, even though their executives were allegedly unaware of illicit activities. Consider the emissions scandal at Volkswagen and fines paid (to the SEC) by global health science company Nordion Inc. In both instances, deceptions were perpetrated by individuals below the executive level, but senior management’s inability to detect/prevent the incidents came back to bite them.

How to Prevent Risk Management Failures at Your Organization

John Stumpf’s approach should have started with an admission of Wells Fargo’s failure in risk management processes across the enterprise, followed by evidence that a more effective, formal enterprise risk management process is being implemented. For example, risk assessments must cascade from senior management down to the front lines and across all business silos. This ensures that the personnel most familiar with operational risks (and how to mitigate them) can keep the board informed.

In other words, instead of simply apologizing and attempting to provide restitution, Stumpf should have demonstrated that Wells Fargo is taking proactive risk management measures to protect its many stakeholders. It is the company’s duty to ensure that something like this never happens again.

The scandal is predictably following the same track as previous failures in risk management: it starts with regulatory penalties, then leads to punitive damages, class action lawsuits, and finally, criminal charges and individual liability, depending on the particular case. The key to this pattern is the absence of adequate risk management, which means negligence under the new enterprise risk management laws, regulations and mandates passed since 2010.

The good news is that avoiding serious, long-term consequences is possible if proper actions are taken. For example, by providing a historical record of risk management practices, Morgan Stanley avoided regulatory penalties when an employee evaded existing internal controls. Other corporations that can provide evidence of an effective risk management program (risk assessments, internal controls that address risks, monitoring activities over these internal controls, and an electronic due-diligence trail) are largely exempt from punitive damages, class-action lawsuits, and possible jail time.

When implemented proactively, effective risk management systems have prevented, and will continue to prevent, scandals, regulatory fines, litigation and imprisonment. For a more in-depth analysis of the Wells Fargo scandal, read the LogicManager blog post “The Wells Fargo Scandal is a Failure in Risk Management.”

Holding Executives Accountable for Cybersecurity Failures

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but breaches are far more costly in highly regulated industries: in healthcare, for example, businesses are looking at $355 per record, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and their reliance upon information security executives: a large portion of the education board members have on infosec comes from the organization’s IT and security executives, and “when the person educating you on cybersecurity is the same individual tasked with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks. According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently. Her performance bonus was slashed by more than a third as a result of the company’s security failings.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”