The Case for Strategic Risk Management

At last week’s RIMS 2019 in Boston, a group of risk professionals got together for the panel session “NextGen ERM: Strategic Risk Management” to discuss the advantages of strategic risk management (SRM) and the challenges to successfully integrating it into organizations.

The panel examined several major organizations that took shortcuts with training or rushed to out-duel a competitor, failing to consider the long-term impact on strategy, reputation and market share. Blockbuster, Kodak and Sears failed to innovate, and these once-thriving name brands are now prime cautionary examples of what SRM is meant to prevent.

“Blackberry is one such company, but there are countless examples of organizations that have overlooked the long-term strategic impact of their actions,” said Marian Cope, owner of CopeRisk LLC.

Despite recent corporate missteps tied to failures in long-term strategic analysis, as recently discussed in Risk Management, risk professionals still face resistance to their SRM initiatives. “Demonstrating the value of SRM has to be a priority for risk professionals if they hope to gain buy-in from leadership,” said Rick Roberts, director of risk management and employee benefits at Ensign-Bickford Industries and a former RIMS president.

One of the value propositions of SRM—and an easy one for leadership to support—is the focus on taking advantage of risks that can accelerate the achievement of strategic objectives. “Artificial intelligence is an example of a disruptive technology that is impacting many industries. But, if your organization is aware of it, understands its usefulness and has developed a plan for it, it can give you a competitive edge,” Cope said.

But the case for an SRM initiative should not just be made with cautionary tales of organizations that did not use SRM. “Don’t just share failures, it’s also important to share SRM successes,” said Ellen Dunkin, senior vice president, general counsel and chief risk officer at Amalgamated Life Insurance Co. “Even Amazon and their business model that gives consumers almost instant access to their purchases has adjusted its strategy and started to open brick-and-mortar shops.”

According to the panel, the risk professional should ideally be involved in strategic planning from the get-go. “Some organizations have a chief risk officer that participates in the preparation as well as the strategic planning and decision-making discussions. Unfortunately, that’s not the norm,” Cope said.

The panel identified the next-best option for risk professionals, which is to work from the strategic objectives established by the organization. From there, they need to analyze the business model, identify, assess, and prioritize the risks that can derail or accelerate achieving the strategic objectives, facilitate the development of appropriate risk responses, and then align such objectives, risks, and risk responses with operations.

An effective SRM program will incorporate plans for a risk strategy, communications strategy, implementation, and training with the goal of integrating strategic risk management into decision-making processes. “The risk professional is going to require support from others in the organization too. They’re going to need risk champions to vouch for them, as well as a final presentation that includes achievable and measurable deliverables that demonstrate the value of the process,” Roberts said.

SRM can be a stand-alone program or a component of ERM. Regardless, the panel noted that SRM is vital to the long-term success of organizations as alignment of strategy and operations results in the identification of opportunities to accelerate achievement of strategic objectives and prevents operational blunders that will trigger strategic risks (e.g., substantial reputational harm). Accordingly, SRM as a stand-alone program allows risk professionals to add more value while streamlining the process.

“SRM is the next generation of ERM and identifies external and strategic risks as opposed to the more granular view for ERM. It allows the team to bring the top 10 key risks to leadership, with a focus on the top two to three as opposed to overwhelming them with the full risk register that could include 100,” said Ellen Shew Holland, higher education practice leader for Hanover Stone Partners LLC and president of Strategic Risk Frameworks LLC.

Ultimately, the group agreed, SRM will help fully integrate risk management programs into an organization’s business model and the value should be evident in each positive step the business takes toward achieving its strategic objectives.

Increasing Risk Complexity Outpaces ERM Oversight

More organizations are recognizing the value of a structured focus on emerging risks. The number of organizations with a complete enterprise risk management (ERM) program in place has steadily risen from 9% in 2009 to 28% in 2016, according to the N.C. State Poole College of Management’s survey “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.”

Yet this progress may lag behind the increasingly complicated risks that need addressing. Of respondents, 20% noted an “extensive” increase in the volume and complexity of risks over the past five years, with an additional 38% saying the volume and complexity of risks have increased “mostly.” This is similar to participant responses in the most recent prior years. In fact, only 2% said the volume and complexity of risks have not changed at all.

Even with improvements in the number of programs implemented, the study—which is based on responses of 432 executives from a variety of industries—found there is room for improvement. Overall, 26% of respondents have no formal enterprise-wide approach to risk oversight and currently have no plans to consider this form of risk oversight.

Organizations that do have programs continue to struggle to integrate their risk oversight efforts with strategic planning processes.

“Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks facing the entity especially as it relates to coordinating these efforts with strategic planning activities,” the researchers found.

According to the study:

Many argue that the volume and complexity of risks faced by organizations today continue to evolve at a rapid pace, creating huge challenges for management and boards in their oversight of the most important risks. Recent events such as Brexit, the U.S. presidential election, immigration challenges, the constant threat of terrorism, and cyber threats, among numerous other issues, represent examples of challenges management and boards face in navigating an organization’s risk landscape.

Key findings include:

Eliminating Language Barriers Between Information Security and the C-Suite

Whether security operations are a core focus for a company or an afterthought, the largest obstacle now affecting business and security outcomes is the language barrier that exists between security teams and the C-suite.

In general, security groups’ budgets have increased over the years, with organizations adding more vendors to the mix, “layering” security with the latest new tool to address the latest threat. One of the newest such tools is “threat intelligence,” which organizations are using to form an “intelligence-led security” program, a security operations center, or incident response capabilities. While threat intelligence and other solutions hold the answers to many of the important questions executives ask about cyberattacks, this terminology means nothing to C-level executives, nor does the output from these systems and programs. What does it mean that you have stopped one billion attacks this past month? What impact have the 30 incident responses you’ve run over that same period had on the business? What’s the significance of reducing response time from one month to one day?

Executives running and overseeing a company have two primary concerns: increasing revenue and shareholder value. There is a big disconnect between security and the C-suite because they speak two different languages. One is a very technical language that needs a translation layer to explain it to the executives. The other is a very strategic language that needs to be conveyed in a way that makes security part of the team and company, and ensures alignment and participation with the business units and executive suite.

What’s the fix? Communication. Each group has to understand the other at least enough to relay the core concepts as they apply to the other and in a language the other understands. As a first step, some companies are adding a technical expert—a “designated geek,” if you will—to their board of directors so they can work on improving communication and understanding. While that can help, it takes a lot more to make sure priorities, efforts and results don’t get lost in translation.

A Two-Way Street

Executives need to include the chief information security officer or chief technical officer as part of their strategic discussions and make sure that security leadership has the ability to push that communication down to their teams in a way everyone understands. To that end, CISOs and executives need to train their security operations personnel to ensure they understand the business. This starts by asking some critical questions:

  • Does every member of the security team understand what it is that you sell/produce/provide?
  • What are the things your security teams need to watch out for to protect revenue?
  • Many organizations operate large industrial control systems. If your organization has such a system, is your security team aware of this?
  • If your company is moving into the cloud or is about to launch a mobile app, does your security team know about this and have you enabled them to get the right monitoring in place to protect it?
  • Have you involved the security team as you were designing that new revenue stream, or evolving your business model in some other way, to be sure that security isn’t an afterthought?

These are just a few examples of how executives need to think about the enterprise to ensure that security is strategically aligned. It is incumbent on the business to train the security personnel on its priorities so that security teams can look for attacks that are important to the business and take action.

Likewise, security teams need to change how they communicate to the C-suite. Every security team should conduct a stakeholder analysis to identify who needs to be informed of what and when. It all comes down to content, format and frequency. Make sure you have regular communications with not only your peers in security and network operations, but with the business units, risk management, C-level executives, the board of directors, and anyone else in the company that is involved in the day-to-day objectives and operations of the company. The CISO should be the link to make this connection happen, working with executives to establish regular communication.

There is no “right way” to communicate. Some executives and boards are more technical than others. Security teams need to take the time to learn what type of communication will be most effective or forever struggle to align security with the business. Sticking with the generated metrics of number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack. For example: “We identified and stopped one attack this month from a cyber espionage group targeting our Western European manufacturing facility, which is responsible for $20 million per year in revenue to the company.”

For those in security who feel they can’t deliver such a statement because their security infrastructure doesn’t provide that kind of information about threat actors and campaigns, there is a path forward. Look into creating a program that uses adversary-focused, contextual cyber threat intelligence, and make sure you understand enough about your business to know the impact of threats against the various business units. With the communication gap closed, and security and business goals aligned, organizations can become both more secure and more profitable.

Creating a Strong Defense and Offense in Your Risk Management Program

Stakeholders demand that companies grow, but at the same time, they expect growth to be managed to make sure the brand is not tarnished. That means enabling value as well as protecting value, which comes down to striking the appropriate balance between risk agility and risk resiliency.

For many years, risk management has focused on protecting the brand and keeping the company out of trouble. But if it’s done right, risk management is about playing not only defense but offense as well—it’s about value protection and value enablement.

Defensive Risk Management

Defensive risk management is mostly about risk resiliency, enabling a company to either prevent bad things from happening or recover more efficiently from disruption. Defensive tactics include setting up a risk appetite statement and framework that are approved by the board on down. Next, the risks should be aggregated across the enterprise and mapped against that appetite along with related risk tolerances and limits. Defensive risk management is also about developing a set of very specific key risk indicators (KRIs) to look for. This includes having a solid business continuity management strategy that will quickly get things back on track after a risk event. These activities keep the company out of harm’s way, and may be the easier part of risk management.

Offensive Risk Management

The more difficult part is thinking about risk management offensively—leveraging it for strategic advantage and growth. The first offensive tactic is to align your risk management process with strategic planning so you can drive those priorities forward in light of all the risks you are facing. That’s not an easy thing to do because even though companies may think they’re aligned, many of them actually run two very distinct and separate processes. Another offensive tactic involves giving some of the risk management activities back to the business units—so they can run faster and drive risk-adjusted decisions and revenue plans.

Risk agility lets a company flex and grow by making the risk management process adaptable to changes in the business model or to external changes affecting the company. It is also something that has to be thought about more formally so that it does not become counterintuitive to the growth agenda, but actually supports it and even helps drive it.

If a company is being held accountable by its stakeholders to grow—and they all are—that growth has to be pursued in a controlled manner so the brand doesn’t become tarnished. That is about striking the appropriate balance between risk agility and risk resiliency—playing offense and defense.

The simple fact is that companies that use their risk management activities to play both sides are more likely to see sustainable growth and better performance patterns because they are balanced between moving the business forward and keeping the business in check.

PwC’s 2016 study “Risk in review: Going the distance” highlights how companies can achieve this important balance. For example, companies that structure their risk management programs to play both offense and defense are more likely to see sustainable growth and better performance patterns.

In addition, these companies are nearly as likely to report that they expect significant revenue and profit margin growth (greater than 5%) as companies that are focused only on growth—and they are better positioned for sustainable success. Such companies are balanced between having the agility to move their business forward and the resilience to prevent bad things from happening and/or recover more efficiently from disruption.

High-risk growth

Some companies with aggressive top-line growth targets decide not to invest at the appropriate levels in their risk management programs, which can allow their growth to outpace their infrastructure. Following this course can bring more risks—vulnerability peaks and risk events become more crippling to the brand. In the end, more capital is spent on investments to take risk management activities to the next level after something bad happens to the business.

The mindset across industries is that immediate growth is great, but longer term, sustainable growth is better. Companies are building up stronger and more relevant second-line (risk and compliance) functions, and holding the first line more accountable on risk because they see that will help them achieve sustainable growth.

Adapt or get left behind

As the business landscape continues to evolve, companies need to adapt or find themselves in deep distress. The key to creating an effective risk management program is to find the right balance that allows for growth at a comfortable pace relative to the risk appetite and risk tolerance levels set by management, and accepted by the board. When that is done, your risk management program truly becomes a strategic asset, supporting both offense and defense.