It's that time of the year. As we wrap up another celestial measurement of time, people begin predicting the future. My crystal ball tells me you will see a slew of predictions of what's over the horizon in 2019. Contributing to this time-honored tradition, here are my thoughts on what 2019 holds.
I admit I think a lot about the future of risk management. Earlier this year, RSA held the 15th RSA® Archer Summit and just last month the RSA EMEA Summit. These events are highlights for the RSA Archer community - a time to gather and share insights on the future of risk management. This got my wheels turning as I contemplated this thought provoking topic – and the enormity of risk in business today – especially given the massive digital transformations affecting companies across all industries.
Technology moves blindingly fast – we all know this – and the coming years will continue to be mind boggling in the advancements. The way we do business today is not how we will conduct business in the future. Digital Transformation is undeniable with a corresponding Risk Transformation moving at the same pace – perhaps even faster. Risk has so many variables it is really overwhelming to investigate the future and predict how risk management will transform. When I began thinking about the future of risk management, I knew I had to approach risk like something else really, really complex… like the universe.
Then it hit me… if theoretical physicists can pose theories to understand the universe, a theoretical riskicist can pose theories on the future of risk management. For years I have been using Schrodinger's cat as an analogy for Risk and Opportunity and I have watched every Big Bang Theory episode numerous times. (You know it's bad when your wife says "Ok – Sheldon – just give me the cliff notes…" on a regular basis.) Before one explores a universe – a Cartesian coordinate system to describe the space comes in handy.
Risk's Cartesian Coordinates
The first dimension we consider as our X-axis is the horizontal alignment of risk domains. Security, compliance, operational risk, vendor management, fraud management, audit, and business continuity - all the functions in an organization traditionally associated with risk management. Alignment across these domains means you are using the same language to discuss risk. It means your data, your processes, and your discussions are focused and meaningful to each other. RSA is blending security and risk management as part of its core strategy. We see these worlds converging. Communication and coordination across operational functions is absolutely critical in dealing with risk.
The second risk dimension, the Y-axis, indicates the spectrum of strategic to operational risks. Risk management strategies must be vertically aligned to connect strategic objectives to day-to-day operations. Small events can quickly turn into major catastrophes and we must connect those dots. Context properly places an operational event into the big picture. Additionally, the ability to drill into more detail when looking at strategic business risks is necessary for alignment. RSA's strategy of integrating threat detection and risk management is a notable example of this alignment. For instance, by being able to connect a security alert to a business application that stores personal data creates a true picture of what risks mean to your business.
Which leaves us with defining the Z-axis. It may sound cliché but the "People, Process and Technology" paradigm is even more crucial in managing risk today. Moving towards an increasingly digital world, the pressure to push the envelope is on the technology front. There will be much more data for us to consider, but we can't forget the other two elements – we need the right talent pool and we need optimized processes.
This is our Cartesian space – our X, Y and Z. As your company matures in each of these dimensions, the view of risk becomes clearer and clearer. This Cartesian Risk space gives us our guideposts to explore our universe.
Riskicist's Guide: The Theory of Exponential Growth
As I begin myRiskicist's Guide to the Universe, the first theory of the future of risk management deals with change.
In very simple terms, the change of risk in the past can be thought of as growing on a mainly linear scale as a function of the organizational size or complexity. In other words, a straight line, but there is more to it. Your company has market dynamics within your industry that force change. As your competitive pressures increase and your market changes, it affects your risk. Therefore, the rate of risk change is a function of your market: F(x) = Y * x where Y is a measurement of your market volatility. If your market is changing rapidly, the coefficient is > 1. The line is steeper as the rate of risk is higher. If the market pressures are relatively slow then the rate of change is between 0 and 1. The line isn't as steep – or risk is not expanding as fast. Now, don't think of these as actual mathematical models – they are conceptual depictions – but the logic applies.
Prior to the digital revolution, this might have been adequate for graphing a simple rate of change of risk. However, risk in the digital world doesn't grow in a linear fashion. It grows at an exponential rate.
This leads to my first theory:
The GROWTH OF RISK will follow an exponential curve based the rate of change of your market
taken to the power of your digital transformation.
In this conceptual model, Y is your market change and Z is the rate of technology adoption within your organization. The market pressures have been a constant force affecting industries. It is the Digital Transformation that creates a massive shift. As your business goes digital, it can represent an explosion of elements in your risk management framework. More systems, more data, more threats, more EVERYTHING. It is this exponential factor that fuels hyper growth and changes how we think of some of our fundamental needs in our risk program.
The main impact of this rapid risk growth I want to explore is on understanding the business context around risk.Business Contextis the relationship of any risk management framework element – like an incident or a control – to the business. Business Context sets the aperture by which risk can be viewed - the more context, the more clarity. When you have Hyper Risk Growth, you need Hyper Risk Management. Hyper Risk Management requires Hyper Business Context.
Hyper Business Contextmust be fueled by automation. Manual cataloging anything related to the risk management process in this new world quickly falls behind. In short, the hyper growth of risk forces us to look to automated inputs with a frequency and reliability that exceeds today's capabilities. We must rethink what it means to create the relationships to formulate business context. Your risk program must build business context from the insights it gathers – and not rely solely on manual efforts.
GRC programs already help you build context for your risk program, but we can also think outside the box when building business context. For example, why not let the systems tell us what is important? Network monitoring systems can tell us how much a system is used to identify availability risks. Identity Management systems can connect applications to user profiles building relationships between business functions and IT infrastructure. The byproducts of these technologies can be used to better inform business context.
Automation and integration will be key in ensuring your context keeps up with the data flowing from your many systems, especially as your business continues along its digital transformation journey.
The Riskicist's Guide: Theory of the Risk-Time Continuum
TheTheory of Exponential Growthhighlights the rapid change of risk in today's world and the need for automation. With automation we gain better visibility, which then provides us more data to drive insights and actions. However, as things move faster we need to better understand WHEN to deal with an issue, as well as how it impacts the business. This brings me to the next aspect of my riskics – TIME.The most constant, ever present variable in hyper risk management is TIME. In fact, time could be one of the most critical variables in the Digital Risk Management transformation.
For example, most data classification schemes are one-time affairs and answerWhat is the value of this piece of data today? However, the value of data – the currency of the digital transformation – can change over time. I wrote about this in my 2014 blog "The Data Classification Curve". In a nutshell, the criticality, value or sensitivity of data depends on time – financial numbers go from extreme confidentiality to public knowledge overnight; the sensitivity of personal data hits a threshold as elements are combined or collected over time.
The point is risk associated with your business, like data sensitivity, goes up or down depending on time. When we apply that concept to our traditional definition of likelihood and impact, we clearly see both are affected by time. The likelihood of an event may increase or decrease depending on the time of day. The impact of a financial system outage at the end of the quarter is different than the middle of the quarter.
This leads to my next theory:
Measurement of risk will REQUIRE an element of TIME.
Risk, when approached with this concept of time, becomes less of a dashboard and more like a stock ticker. A loss exposure at one time could be $3M, another time $1M, another time $5M… all depending on time. Going back to our traditional risk formula, risk still depends on likelihood and impact, but each must be considered in relation to time.
This concept could be applied to any gap identified during a risk or compliance process. It could also apply to prioritization of events and alerts. RSA's experience gives us a leg up in helping risk management processes utilize time as an input. User experience behavior analytics (UEBA) and an advanced authentication risk engine use this approach.
Time as an input to risk management processes in the digital era affects calculating risk exposure and driving action. A security incident may be more or less critical based on the time of the day. A Business Continuity plan may need to factor in the time of the month of a potential event. Not that you would leave an event to chance or ignore something based on this time element, but the timing of events need to factor into prioritization and measurement.
As risk management processes begin to become more and more data driven, fueled by the business's digital transformation, there will be a need to tighten up the response and prioritization to that data. As insights into risks are produced, time will be a major input into what actions are needed, when they are needed and how to prioritize those actions. Risks will need to be prioritized not only on automated business context flowing in from different systems – but prioritized based on the time.
The Riskicist's Guide: The Risk Synchronicity Theory
My final theory for you to contemplate borrows from an interesting phenomenon in nature. Synchronization of seemingly random events in nature is not uncommon. Flocks of birds and schools of fish synchronize to ward off predators. Even inanimate objects can synchronize. The point is there is no one master object necessary to give direction for these things to synchronize. In some cases, it is instinct and in some cases it is physics - but out of chaos comes order.
What does this have to do with the future of risk management?
Culture has a lot to do with risk management. In some respects, culture is one of most direct influences on how well your risk program works. Your program relies on people who have personalities. Every employee in your company has a risk personality and they display that personality in everyday life. Do they instinctively speed up when the stoplight is yellow, immediately go for the brake, or do they take a split second to calculate? Do they play the lottery every week or think it is a waste of money? Maybe they wait until the prize is "big enough" before they wager?These personality traits vary across a company – and depending on the level of influence a person has within the organization – this risk personality affects the company's culture. We have seen companies where risk-taking – fueled by these personalities - has built empires or destroyed from within.
We need to contemplate the emerging views on what is risky and how that will affect our organization's culture. We need to contemplate the expectation of the future workforce when it comes to managing risk through technology – and using technology to manage risk.
My last theory is:
The forces of SYNCHRONICITY will affect your organization's approach to risk management
MORE than any other force.
Your workforce - including the entry level risk analyst or security admin you hire in the future - is being built on digital natives – those not knowing a world without technology. Their RISK PERSONALITY will continue to change - and be different than many of the established cultural norms. As these new personalities enter your workforce, they will bring much potential. However, your culture will change and eventually your organization will synchronize to these new ways of thinking.
In a future digital world based entirely on data, it will be the personalities of your organization that will determine success or failure. These personalities may be the difference between taking a risk that pays off – or missing an opportunity by exercising caution. For the risk management professional, we must anticipate that synchronization. More importantly, WE need to be ready to change with it and become open to controlled, risk taking. We must become comfortable with the uncomfortable.
The Future of Risk Management?
So, what does the future of risk management look like? As much as I would like to, I can't see into the future. Even with these theories, it is difficult to know exactly what will come. We know amazing technological advances are coming our way. We know we will change how we think about risk. Your digital transformation will force new paradigms; your workforce will demand innovative approaches.
When it comes to what we, as a risk management community, need to think about going forward, we have some clear indicators. One thing I know is risk management will be all about speed. Risk management cannot be a hindrance in your organization moving forward. You are faced with a complex and fast-moving landscape that requires an evolution towards Integrated Risk Management. We can use aCartesian space– horizontal and vertical integration through people, processes and technology - to guide us. We can prepare ourselvesfor the rapid changes in risk,factor time into our risk equations, all while anticipating the synchronization factor.
Our industry is on an evolutionary path and sitting on the precipice of a new digital world. RSA has been leading the pack in building technology solutions over the past 35 years and proud to be part of your journey. My final thought to leave you with is this…
The future is not in FRONT of you…
It is BUILT on you.
I know you are up for the challenge.