Surviving in the risk-roaring ‘20s

In this decade, uncertainty reigns. Geopolitical upheaval affects every market. “Once in a century” weather events now happen yearly. Multi-cloud is the norm, and generative AI has disrupted the heck out of everything, including making it easier for hackers to social engineer their way into your organization (i.e., fool your people with more sophisticated phishing). And the regulatory landscape keeps on changing.

{{guide-feature-1="/guides-comp"}}

Most frightening, risk isn’t just about a company’s losses anymore. Since the SEC started holding CISOs personally liable for cybersecurity failures and inadequate cyber risk assessments, they face stiff fines and even jail time. Chief Compliance Officers aren’t off the hook either, according to SEC Enforcement Director Gurbir S. Grewal.²

Unfortunately, in a risk climate Accenture calls “hyper-disruptive,” most enterprises today aren’t prepared to keep up. Seventy-two percent of 700 surveyed risk professionals say their organization’s risk management capabilities have not kept pace with the rapidly changing landscape.³

So, if you’re feeling pressure to modernize your risk management program, you’re not alone.

{{guide-feature-2="/guides-comp"}}

In fact, based on the dozens of companies we talk to each week, even established GRC teams are still managing risk by tracking spreadsheets and hounding control owners through Slack, Teams, or email. Historically, that was good enough. But with the continuous onslaught of complex, interconnected risk, a rapidly evolving regulatory landscape, and increasing customer requests for security audits, manual programs don’t cut it anymore.

It’s time to get ahead of the inevitable call from your board to take your risk program to the next level. This guide will show you how.

Steps to Mature Your Risk Management Program

1. Establish risk as a strategic issue

Throughout your career, you’ll find different risk attitudes among CEOs and CFOs. Some think the goal is to reduce risk to zero. But that’s impossible. Risk is unavoidable.

Part of your role is to change the mindset around risk in the organization. Help your C-suite accept that risk is ever-present and needs to be embedded strategically across the company. Here are three of the strategies we’ve seen work best:

Frame risk preparedness as an opportunity

To capture the hearts and minds of business leaders outside of compliance and security, you need to move risk from a cost center to a profit center. How can risk management boost your corporate image? How can it give your organization a commercial advantage in transacting business with vendors and customers more quickly?

Marketing around ESG is one obvious win for most organizations. You can also frame threats as opportunities to capture a larger customer base. For example, you could invest in e-commerce capabilities to take on a new online competitor that is disrupting market share.

Show them the money (to be lost)

To drive the threat home, translate risk into financial terms whenever possible. Conduct cost-benefit analyses of potential risks and risk mitigation strategies to show leadership the tangible impact of “doing nothing.”

Align risk with organizational priorities

Develop a risk management framework that aligns with the organization's overall goals and objectives. Demonstrate how effective risk management contributes to achieving strategic priorities. For example, vendor security reviews can slow down the sales cycles while the customer’s security team conducts its audit. Many times the primary customer concern is information being shared incorrectly, which can be mitigated by creating a Trust Center and allowing potential customers and salespeople access to self-complete security reviews. By streamlining Third Party Risk Management this way, you can remove a potential bottleneck and shorten the sales cycle.

2. Define your company’s risk appetite and tolerance

Once the C-suite is on board, it’s time to agree on just how much risk they can stomach. This judgment of risk comes in two forms:

Risk appetite is, broadly speaking, how much risk the organization will accept to pursue its objectives. It can be expressed both qualitatively (e.g., "we are averse to risks that could harm our reputation") and quantitatively (e.g., "we are willing to accept up to a 5% variance in our annual revenue due to market risks").

Risk appetite typically takes a long-term view and aligns with the company’s strategic goals and objectives. It should serve as a guiding principle for decision-making, helping to align business strategies with an acceptable level of risk.

Risk tolerance is the level of risk an organization can accept for particular activities or business units. It provides detailed, specific thresholds or limits that can be monitored and managed. It’s closely linked to day-to-day operations and is a measurement tool to monitor and control risks within risk appetite boundaries. Risk tolerance may be different for the different categories of risk (or even for activities within these categories):

{{guide-feature-3="/guides-comp"}}

Your organization's risk appetite and tolerance level will depend on many factors, including its industry, business impact analysis data, legal and regulatory obligations, and so on. Some companies are risk-averse; some like to occasionally walk on the wild side.

Wherever your organization falls, you must understand its risk culture. That way you’ll know which risks are low enough not to be addressed, what level of residual risk is acceptable (after the application of controls), and when additional investment or other action is necessary to reduce risk to an acceptable level.

Finally, you need clear alignment and acceptance of the priorities across your organization. Make sure they’re documented in a central location and communicated across the organization.

3. Do a full risk assessment

Whenever you reconsider your risk management system, you must go back and do a complete risk assessment. You need to understand the full threat landscape, which is a constantly moving target.

Risk management is full of “unknown unknowns” until things go sideways. A fresh risk assessment is your opportunity to start on solid footing—with the backing of the C-suite, an agreed-upon risk profile, and a clear way to measure risk—to minimize the number of those unknowns.

A. Identify risks

Find allies who can tell you about the risks the business is facing and interview them. Your job here is to hold up a mirror and show you understand their concerns. It can be eye-opening to hear how an executive responds to the classic question: “What keeps you up at night?” Are they worried about a breach by an external hacker, an insider stealing customer data, or something else entirely?

Don’t just talk to executives. Include others who own a process or are directly involved. For example, ask the director of Engineering about the business's risks. They will have a macro view. Also, ask a dev manager what they see as risks. They will be able to specify key processes, people, or tools that pose a risk.

Interviewees may share a laundry list of risks. Help determine priorities by asking: “Of all the risks you mentioned, which would you say is the worst?” Include questions about the potential cost of the risks they see.

Repeat this interview with experts at all levels in your organization and see what commonalities arise. If people with different perspectives keep mentioning the same risks, that’s a strong signal about what you should address. As you listen, start considering whether your company’s current controls are effective enough to mitigate the risks being raised.

You can go beyond individual conversations with techniques like SWOT analysis, risk workshops, and brainstorming sessions.

B. Establish a Risk Register

Once you’ve gathered a preliminary list of risks, analyze them to create a risk register for your organization. When we talk about risk, we distinguish inherent risk, the amount of risk that applies to your organization without taking into account controls, from residual risk, the amount of risk remaining after implementing controls.

Each event or situation with the potential for undesirable impact constitutes a threat event. To calculate risk levels, consider the likelihood and impact of a potential threat event, given the details of your organization and the kinds of information it collects. Then, explore how it may affect the CIA triad (continuity, integrity, and availability of data).

Broadly speaking, there are two ways to come up with data on the likelihood and impact of a threat event: qualitative and quantitative methods.

{{guide-feature-4="/guides-comp"}}

Your risk register will change over time as you address existing risks and new risks arise. Below, we discuss more about maintaining the value of your risk management program by keeping it current.

You likely already have certain controls in place, such as antivirus software. As you consider inherent risk, think about whether existing controls reduce residual risk. For example, does your organization deal with sensitive data? If so, a data leak could badly impact your business. If you already comply with ISO 27001 and SOC 2, these controls may already reduce the likelihood of a data leak.

The potential impact of a threat event is often unchanged after implementing controls. Still, the likelihood of its occurrence is reduced—ideally to a level within the organization's risk acceptance criteria.

4. Assess your ability to monitor controls

Chances are your final risk register will be robust. Look at all those agreed-upon risks and the controls you put in place, and ask yourself: “How are we monitoring our risk remediation processes? How will we know if we have mitigated a risk? How will we know if things changed?”

Say you have a plan to mitigate the risk of cloud breaches with a particular security application. How do you know that it’s actually working? Can you confidently say that your risk controls are active at any point in time? Even if you check in on a regular cadence, do you know that it’s always working?

Given the velocity of change and the volume of threats today, always-on risk monitoring is a must-have.

5. Continuously monitor your controls with data from your systems

Not every risk poses an existential threat, but some do. How do you know you’re actually taking steps to reduce that risk? It’s not easy. There are too many tools, there's a ton of data, and there’s not much ability to interrogate and draw insights from the data.

Continuously monitoring your risk lets you learn about new risks at all times. It lets you know whether or not investments that respond to risk are working. Instead of getting a yearly snapshot, you can leverage your risk management for greater value—without spending much more time per day. Continuous monitoring lets you:

Respond more quickly to new risks.

If ransomware attacks are on the rise, your business needs to know about it sooner rather than a year later. Or with something like the pandemic: With all the risks it posed to business on so many levels, more organizations saw that the only way to avoid being hopelessly behind in assessing risk is through continuous risk assessment.

Check the effectiveness of controls sooner.

What if you have controls that were put in place in response to a risk assessment, but your subsequent risk assessment shows that residual risk didn’t go down despite the controls? Now consider how you could have better responded if you’d known this sooner. Continuous risk monitoring can give you up-to-date data at any time, to tell you whether your investment in controls is working—so you can course-correct earlier.

Get leadership to love you.

Maybe “love” is a strong word. But maybe not. Quantifying risk depends on data. When you get data more often, you can quantify risk better and prioritize risk more accurately. If you can say, “We reduced hacks from 1000 monthly real attacks on perimeter networks to 100,” you know precisely how effective your risk controls are.

When you quantify the ROI of investment in security technology, you’re making it easy for your leaders to decide which risks, based on dollar value, warrant their attention and funding. A continuous risk management process lets you show leaders you understand what’s important to the business and demonstrates your value.

You’ll want to find a platform that proactively provides you with a continuous flow of data, a unified view of your risk posture, and the ability to manage and collaborate on all aspects of your program in a single place.

6. Risk, security, and compliance are intrinsically connected—your approach should be too

Historically, even with a GRC team in place, risk, security, and compliance are often handled separately. The entire team will typically report to the organization’s CISO, but finance or legal may own risk; legal or compliance may own compliance; and security or IT may own security. That’s potentially three separate functions, with separate KPIs, being paid on separate things. Adding to the confusion, the people in these siloed departments tend to have inherently different backgrounds and approaches.

The more disconnected your systems and people are, the easier it is for breaches to happen. When you gain the technical ability to link your risk and compliance programs, you start to see contextualized information about how changes in your compliance program affect your defined risks. The right platform will provide bidirectional connectivity so you can mitigate evolving risks in real-time, and ensure you are compliant according to regulatory standards.

7. Don’t just do root cause analysis —do something about it

Most security and compliance requirements will say you have to do a root cause analysis to understand the underlying risks you’re facing. But beyond that, there’s not much guidance that really digs into what you do after that point.

Root cause analysis isn’t one-and-done. It’s a circular motion. That is to say, it’s not just about analyzing what’s behind the problem, or fixing the problem once you’ve worked out what’s going wrong. It’s about learning from those points of failure and revisiting them.

First, you go back to the very beginning. If you understand what your risk is and analyze what went wrong, you can take corrective actions so it doesn't happen again. But that’s only one turn on the merry-go-round! Then, you get back around to the point of implementing controls again. Each cycle you've learned more, and you can make adjustments to track down exact issues and lock down your response.