It's D-day... The meeting starts at 9:00 AM. Carol's timeslot is a tight 20 minutes, squeezed between Human Resources and the afternoon break. As Chief Risk Officer, Carol knew she had to be on point. With an agenda full of critical topics, the board looked to her for guidance in balancing investments and risk. Her mind is swirling with the challenge of summing up the company's risk profile and the myriad of activities across the organization to contain emerging threats – while staying on time, in scope and dodging the potential rat holes of technical discussions. She feels prepared but still has the tinge of nervous energy she relies on to stay sharp. With a last sip, she finishes her morning coffee and takes a deep breath. Gathering her notes and laptop, Carol heads to the conference room. The quarterly boarding meeting is always a stressful day.
CROs, CISOs and other executives responsible for risk management today are frequently tasked with this seemingly impossible duty. Presenting a clear and coherent depiction of risk across a complex business is already a challenge. However, many times boards are unpredictable in their desire for essential information. Without a clear expectation, the resulting discussion can derail into irrelevant technical discussions or very high-level discussions that leave the board unsatisfied. One way to prepare for the inevitability of the board discussion is to focus on seven key habits of a 'risk ready' digital enterprise.
Habit #1: The organization thinks of risk in an integrated manner.
In a hyperconnected digital world where systems are strung together over complex infrastructures, risk is no exception. Risks are inherently connected. 'Risk Ready' enterprises view risk in a horizontal and vertical manner – they understand strategic initiatives can be disrupted by tactical events; they know that tactical efforts must be prioritized in the context of the long-term vision. Silos are broken down on a regular basis to ensure collaboration and unified approaches are the foundation of the risk management strategy.
Habit #2: People, process and technology is not just a cliché.
We hear this phrase frequently but putting it into practice can be difficult. There must be a balanced approach utilizing technology where appropriate, optimizing processes and ensuring skills and resources are well matched. Technical purchases and strategies are aligned with skills and process engineering that extend across IT and business.
Habit #3: Engagement with the business is ongoing.
Being 'risk ready' means your strategy evolves as fast as the business. This requires a regular discussion with a shared vision, stated business objectives and a consistent, rolling dialogue between business leadership and risk functions. Business decisions are based on balance of opportunity and risk and the only way to make the informed determination is to have a clear picture of both sides.
Habit #4: Pivoting is anticipated.
Today's market is too competitive to recover from a total restart. Starting over is not an option. 'Risk Ready' enterprises understand the stakes and agility is expected and built in to the strategy. In the digital world, Agile is not just a development approach adopted by IT operations; it is a business strategy that requires vision providing guidance without prohibiting flexibility.
Habit #5: Their eyes are on the road, not just the rear window.
One expectation of risk management is to learn from the past to predict the future, or at least not repeat mistakes. 'Risk Ready' enterprises track meaningful leading indicators, not just lagging metrics. This allows them to align risk management efforts with business milestones and adjust accordingly.
Habit #6: The 'Risk Ready' enterprise understands its success depends on others.
We see expanding business ecosystems affecting more and more enterprises today. A digital business ecosystem is unavoidable so 'risk ready' enterprises accept that fact and enable it. External parties offer many benefits ranging from specialty skills to opening new markets, but they also can introduce complex risks. Third-party risk management must be executed inside the organization across functions as well as build the bridges to coordinate efforts outside the organization.
Habit #7: 'Risk Ready' enterprises not only kick the tires, they look under the hood.
Technology can optimize and transform many parts of your business, but it isn't a silver bullet. The constant technology evolution and migration of existing operations utilizing emerging technology opens many doors. 'Risk ready' enterprises look for opportunities to deploy controls that go beyond 'checking the box'. Their risk management strategies optimize the business and put in the right safeguards to move fast, but safely, during their digital journey.
It is 6:30 and Carol leans back in her office chair, proud of her and her team's hard work. The board was satisfied. She stayed on point, deflected distractions and painted a concise picture of the risk landscape. Although there were some rough spots in the past three months, she articulated the events in the context of the business to assuage the board's concerns. Their recent efforts to rebalance their strategy with a solid training program for staff, risk assessment process improvements and security technology deployments had paid off. Her regular meetings with the risk committee had allowed them to understand the strategies of the business unit leaders and anticipate organizational shifts, including the new channel strategy that opened a tremendous new market. The cherry on top was the kudos they received from their regulators recognizing their strategic approach to compliance. All in all, it was a good day. As she powers down her laptop, her mind is already fast forwarding three months ahead, confident in the fact they were on the right course.
# # #
Read the RSA Digital Risk Report 2019 to learn about the perceptions and attitudes towards risk in the digital world. Understanding the challenges facing your organization is a great way to get started down the path of 'good habits. Use the RSA Digital Risk Index as a quick assessment for ideas on how you can adjust your strategies as your organization takes on digital business.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity