Once upon a time, risk management was a relatively calm area of organizational life. Management made sure that employee-, customer- and product-safety measures were in place. Controls and safeguards deterred theft and fraud. The regulatory environment was relatively stable.
Organizations insured against losses and employed hedging, diversification and other time-tested risk management tools.
Most organizations understood the risks they faced and addressed them with fairly reliable approaches. Risks could be quantified, losses could be remediated and senior executives could sleep at night.
Times have changed.
In recent years, the volume and velocity of change have rendered risks far more numerous and complex. Risks have multiplied as business models and methods, information and communication technologies, and laws and regulations have become more complex. Add to that the globalization of markets, supply chains, innovation and crime, and you have a transformed risk environment.
As a result, today’s risks can be hard to identify and quantify, harder still to avoid, and intertwined with formerly unrelated risk areas. An operational risk event can ignite a reputational risk that generates a financial risk — a firecracker string of follow-on impacts.
In general, this environment calls for a series of shifts in management’s approach to risk:
- From largely compliance-based methods to more strategic approaches
- From backward-looking approaches to more forward-looking postures
- From reactive responses to proactive risk management
- From a focus only on value protection to a focus that includes value creation
Organizations need broader, deeper, more dynamic and holistic risk management approaches. The competitive, technological and regulatory environments demand it, as do customers, suppliers, investors and other stakeholders.
Most organizations already possess many useful elements of a cyber risk management program. For example, policies, firewalls, access management tools and third-party due diligence hold a key place in a cyber risk program. Linkage with an organization’s IT strategy also plays an essential role. Regulatory compliance remains as important as ever. Yet the lack of an aligned, integrated and measurable cyber risk management program renders most cyber risk initiatives inadequate, inefficient or both.
Learn how a holistic approach is best organized by means of a framework that helps management identify roles, responsibilities, relationships and other relevant factors.