One of the biggest challenges to risk management programs, including cyber risk, arises from imposed belt tightening when economic downturns constrict funding and other resources. We’ve all been there at one time or another. All your efforts to re-evaluate risk management program needs, gaps, and improvements to further your maturity and completeness are derailed when funding and other resource allocation priorities leave you with far less to work with than hoped for or planned. However, this isn’t an “all-or-none” situation. When economic conditions require companies to constrict spending, it’s an opportunity to adjust risk management’s focus and sharpen some processes and practices nearer to home. There’s great value to be gained through this approach, as it leaves little room for waste or excess in its execution. Let’s take a look at some best practices to follow.
Turn Your Focus Inward
Many researchers and cyber experts point out that internal risks are often found to be the root cause of serious breaches and cyber incidents. This is also the case for many operational incidents and events. Frankly, such concerns also fall well within your risk program’s ability to manage and mitigate. Also, they often fall within the realm of matters where operating controls you can influence will address such risks. The scope of internal focus is broader than you might perceive at first consideration. Included in this category are staff, of course, but also processes, policies, internal audit findings and recommendations, operating metrics, tools, education, and communication. This is not an exhaustive list, and depending upon your line of business there may be even more. Moreover, fine tuning or upgrading controls addressing these business processes and practices is often economical to determine and execute—relying upon current resources and staff and, as a result, not necessarily as seriously impacted by corporate belt tightening that may have deferred staff expansions or other resource costs.
Revisit Insider Risks
How often have incident investigations led to determinations of internal root causes, specifically through the actions of insiders? Insiders may be staff, or contractors performing services within your organization. The recent FAA “event” that shut down domestic air travel nationwide is a current example of a reported error by an internal contractor. Insider risks need to consider how you detect and address actions that are intentional and accidental. Do your critical processes have steps to catch malicious or accidental errors that would result in serious loss of services? I recall often asking software development groups if they had a staging server set up that always mirrored current production. Making changes to that environment, loading new products, etc., was a great step to prove an apparently well tested and documented change would, in fact, flow into the production environment without causing disruption. Many groups resisted this as unnecessary, until, upon detailed review, it was often disclosed that there were “helper” or supporting bits of code or other resource configuration adjustments, not in production, that were needed to accompany any live implementation. The extra step of implementing into a staging server prevented a lot of downtime and lost confidence in products, as well as lost revenue, through this seemingly “over-cautious” change in practice.
The incidental or accidental risks associated with insider threats are often addressed through training and communication. These programs are likely already in place, but often left out of consideration for regular attention and upgrade. Is the content of your staff training really current to your technology, processes and policies? How often is it reviewed? What did your most recent risk assessment tell you about the strength and validity of your training efforts? Likewise, how do you promote and communicate policy and process changes? Are they well documented? Can users easily identify and source current versions? What controls are in place to assure critical staff are kept current? These are often not expensive matters to monitor and control, nor to fine tune and update where needed. And this is a great time to refocus attention inward on them and do so.
Sharpen Your Tools
Great cooks and chefs alike know that sharp tools are safer than dull ones. This practice generalizes well to many business practices, including risk management. Take a good, hard look at your risk management systems and supporting tools. Are they current? Have you maintained control set updates, standards, reporting software, policy repositories, linkages to related systems for internal audit, distributing assessments, and whatever else you may use to assess, detect, mitigate and monitor risk? Are you using old software on older hardware that might gain efficiencies or performance upgrades by a modest upgrade in either, or both? Have you outgrown the old systems, found maintenance fees excessive and might you gain efficiencies and functionality through something new offered through an “as-a-service” arrangement? How about the reports you produce? Do they answer critical business questions? How well do they keep your leadership informed about risk? Do they help executives examine and re-assess their risk appetite as business conditions change? What key information might you provide to do this better, and, will your current tools produce the data you need in a form you can utilize in your reporting?
Looking back at the analogy to cooking tools, do you have more knives than you need, and, equally important, do you have the right ones? Risk management systems built by cobbling together many pieces intended for other applications, but pressed into service to help “make do,” don’t offer economical operating solutions. And keeping big, overly complex solutions that don’t serve the needs of today is like trying to use a cleaver when you need a paring knife to do detail work. The result is clumsy, inefficient, ineffective, and often prone to waste and error. Sometimes, the acquisition of something new, combined with the retirement of something already in place, can yield financial and operating economies. Such opportunities, where they may be present, offer rich gains to your program and the overall management of risk across your enterprise. Examine the tools, but also the processes they require to make them work, and any additional steps, supporting practices and materials needed to perform risk assessments, detect risks, events, and anomalies, and to analyze findings that you can report and discuss in meaningful business context. For example, can you distribute access to risk assessment content, gather results, aggregate findings, and produce reports all within one platform’s framework of services, or do you have to string together a number of separate services, and manage those connections manually, to make the whole system work? Factor in the staff resources needed to do that, because they could be assigned to other duties yielding more meaningful and valuable outcomes if not otherwise occupied with keeping a series of plates spinning.
Many executives firmly believe outsourced services are economical compared to internal operations. And, in many cases, this may be a valid approach to working through an economic downturn. Risk management, and cyber risk in particular, is an important function for any company, but rarely is it among the core competencies or services offered to clients and customers. For example, banks and other financial services institutions all promote security as a core aspect of their services, but at their root, offer money, investments, insurance, or other financial products to their customers. Their core competency lies with those financial services, with security (and risk management by inference) as a value add to their product and service features. Security may be a discriminating feature or a particular promotional benefit, but mortgages often sell on their interest rates and fee structures, not security, which is often presumed to be in place. If you are relying upon a burdensome, aging, and difficult to operate enterprise risk management (ERM) platform that consumes a lot of resources just to perform the basics, you may be positioned to reap economies of service, staff resources, and even finances by outsourcing your tools to an as-a-service platform provider. Today it is common to outsource aspects of security and risk management technologies where significant expertise is needed to configure and maintain them, such as data loss prevention (DLP), network, and other monitoring and data analysis services. It’s also now possible to operate your ERM platform as a cloud-based service hosted by a third party. This reduces your dependence upon centralized IT resources, and any need to duplicate them locally in your operation. Technical training burdens, upgrade management, maintenance and support costs are all offloaded to an expense for a third party vendor.
Strengthen Third Party Management
There is some low hanging fruit to be harvested from careful, thoughtful third party risk management (TPRM). Much of it pertains to linking risk assessment to your third parties, and even more from careful monitoring of contract terms and conditions. Incorporating key suppliers into your risk assessments makes your assessment more complete, and reflective of your true risk footprint. Keep in mind that loss of a key supplier without adequate backup options, or using one whose security provisions don’t match your company, industry, regulatory, or contractual obligations, is a very risky, and potentially expensive move. A good ERM platform should be able to assist your monitoring and performance of both. Factor that into your plans for risk management. Also, make sure you are tracking when payments are due, opportunities for discounts, obligations to provide material or services in support of the supplier’s services, and other contract terms. Keep in mind that TPRM is an internal process, often tied closely to procurement. But it also has lines into finance, audit, compliance, and fulfillment that can lead to many dollars expensed or saved depending on how well it’s managed.
Opportunity Is Always There
An economic downturn is a challenge. It’s also an opportunity to look inward and refine what works, and address what doesn’t. You can use it to take stock of what is done well and what improvements, within the scope of services and processes that “really need to be done,” can be made with the resources at hand, or with new ones that can economically upgrade or replace them. It would be wise to focus upon essentials. By identifying those, you can also see where some process, activity, or service pruning may be possible, without sacrificing the quality and scope of your risk program. Risk does not recognize a down economy; rather it takes advantage of one and feeds off the convenient moves managers make without consideration for their consequences. Your risk program can help draw a map pointing out the obstacles and dangers in the waters, offering guidance to executives to help them navigate a down economy safely with a sound enterprise equipped to address whatever comes its way.
How can ERM One™ help?
ERM One™ is a DoubleCheck offering uniquely positioned to help address the challenges of risk management in a down economy. It incorporates into one intuitive, turnkey application the best-practices tools and content to help optimize the crucial discipline of Enterprise Risk Management (ERM) and thereby put your firm on a path to achieving its strategic business objectives. DoubleCheck fully understands and supports the merits of ERM and the benefits of its adoption by all companies.
ERM One™ centers on the successful implementation of that ERM mission statement.
Although ERM does enjoy general theoretical support as an important business discipline, it has become undeniably evident to DoubleCheck that there are shortcomings in ERM acceptance and program structure. Challenges range from no ERM platform in place all the way to a complex and inflexible infrastructure in effect but one that is not delivering as effectively and efficiently as needed. DoubleCheck has concluded that the time has come for a responsive, alternative solution. With the design and rollout of ERM One, DoubleCheck is stepping in to fill these voids in a unique, get-it-done manner.
ERM One™ adheres to ERM best practices and, very importantly, presents a risk register system that has been preconfigured and prepopulated in a manner not before seen in the GRC marketplace. DoubleCheck has structured the tool in a modular manner, with options available to add incremental GRC functions or advanced business intelligence (BI) capabilities to extend functionality. Further, services and features are highly integrated into one package. Reporting is embedded rather than independently aligned to content and processes, making the risk management practice a seamless effort rather than a disjointed one.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.