Industry Perspectives

Security & Risk Controls: Why You Need Them

Apr 26, 2020 | by Steve Schlarman

There once was a risk manager who worked day and night;
Worried and bothersome was he.
He prodded and warned about things to come,
But even this he could not see.

2020 has thrown us, without a doubt, the greatest risk management curveball of the modern era.

Most risk managers have a pandemic on their radar, along with all of the usual business disruptions: economic downturn, political upheaval, major regulatory shifts and natural disasters. Dutifully, each of these mega risks carries some calculation of impact and likelihood, informed by past events in the industry or by the geographic profile of the organization.

The likelihood component is what most often trips up risk managers. We expect some of these events to unfold; in some cases the probability is close to inevitable. But determining when the event will hit is the magic question.

Pandemics and outbreaks of illness are not black swan events. While most organizations can handle a business disruption of some sort, the magnitude and velocity of the current crisis are yielding a new normal that is yet to be determined.

For well-prepared organizations, plans have been made and may unfold as expected. Unfortunately, during an extended crisis, on-the-fly decisions become the standard, not the exception. At the heart of crisis management is being equally equipped to act by the script and to improvise as circumstances dictate. We see evidence of companies creatively responding to today’s disruption in everyday life: contactless payment highlighted in commercials, plexiglass dividers in checkout lanes.

For risk management functions, on-the-fly decisions typically cause heartburn. The business must operate regardless, reinforcing the fact that being comfortable with being uncomfortable is becoming a standard skill for a risk manager. One major consideration to prepare for is the post-event ‘unraveling’ of temporary choices. Inevitably, the business will come back with questions about controls that were relaxed during the crisis. As organizations emerge from crisis mode, a discussion on risk tolerance should be anticipated.

There is a difference between luck and an unnecessary control. Just because something bad did not happen during the time a control was ‘relaxed’ does not mean that control is unnecessary. A control relaxed for a few weeks against a threat whose likelihood was estimated at once in several years would rarely have been tested in that window, so the absence of an incident says very little about the control's value. Controls can be relaxed for many reasons; business necessity, technical limitations and temporary easing of regulatory obligations are common rationales. Resumption of business practices post-disruption opens the door to questions like:

  • “Do we really need that control?”
  • “Is this the right control or can we alter it to make work easier?”
  • “Can we adjust operations to mitigate risk but smooth the process for efficiency?”
  • “Nothing bad happened, anyway - can we just forget the control altogether?”

When it comes to regulated controls, the discussion is generally brief. For controls that are non-obligatory, risk tolerance and the balance between investment and risk come into play. An important concept to remember is that risk tolerance is a two-way door. While the discussion may contemplate eliminating relaxed controls, there is also an opportunity to discuss the risks that were tolerated before but can no longer be accepted.

Risk tolerance is a core tenet of risk management and should be the agreed-upon level against which risks are measured. In light of today’s disruption, the risks that can be endured, and those that are unacceptable, will certainly shift. For example, companies that continue to embrace the work-from-home momentum will need to ensure long-term security controls are in place, not just the stop-gap measures whipped into place for the short term. Companies that experienced major supply chain disruption may look for alternative vendor management strategies and need to expand the rigor of third-party governance. As efforts take shape to adjust to the new normal, the discussion of tolerance, rooted in meeting business objectives, must be baked into the refactoring of the risk management strategy.

Ultimately, this current disruption should be a catalyst for organizations to accelerate and shape their capabilities to manage risk in the digital era. Digital maturity is a critical enabler for maintaining business operations and delivering products and services. Adjusting to the new normal and establishing a revised definition of risk tolerance has become a critical element of success. An integrated approach to digital risk management will be foundational in navigating the challenges ahead.

To quickly evaluate key areas of digital risk management, use the RSA Digital Risk Index to understand your risk exposure.