Can we make risk management a performance lever? Yes, we can
How about turning risk into an opportunity? The semantic spin aside, it’s a question that needs asking. On a company-wide scale, it invites us to consider risk management in information systems security (InfoSec) as a key element towards improving the company’s strategic decision-making.
As a GRC tool (governance, risk management, compliance), fully developed InfoSec makes it possible to guide the company’s development and its innovation whilst managing the associated risks.
To become a performance lever, InfoSec GRC will look to foster a risk-oriented company culture. It must also work hard to implement a global rather than silo approach to risk, fed into by contributors from across all different departments. Finally, the approach should be company-wide and structured by shared, industrialised and properly equipped standards.
This cross-approach will transform the restriction of risk and compliance into an opportunity for the company to develop. And what can we gain? Concrete operational benefits.
Real opportunities lie at the heart of security risk management
As the saying goes, nothing is permanent, except for change. Whether they can be anticipated or not, risks are part of everyday life. At company level, the challenge for GRC is to integrate these changes and their inherent risks, so as to improve their strategy for growth in an ever changing environment. The ENRON, Worldcom and Parmalat scandals remind us of the need for this awareness.
Once at the heart of the company’s governance structure, the risk management tool becomes one of the fundamental foundations for its own development. The goal: finding the right balance between rash decision-making and excessive caution, that could turn out to be just as harmful.
Managers take better decisions when risks and their potential impacts have been clearly laid out for them. The current example would be moving to the Cloud, a move being considered by an increasing number of CEOs in their digital transformation policies. The main hold-up is well-known: security. To overcome this and set things in motion, an in-depth risk analysis should be carried out quickly, measuring all the possible impacts whether they are InfoSec, IT, HR (skills), or regulatory in nature.
On the other hand, most companies, whatever their size or sector, are facing a growing number of legal and regulatory requirements. Meeting these efficiently now requires involving the entire company, and not just the IT department. In this regard, we can refer to the recent obligation for the ISO 27001 certification for healthcare data hosting (HDS) or the soon to come into effect General Data Protection Regulation (GDPR).
Here we can see the limitations of the silo approach: it is impossible to pre-empt compliance risks without involving other business areas. We will, then, look to set up horizontal-type GRC security, based on established methodologies and interconnected with all the different departmental processes, to drive activity over the long term with a real, overall view of compliance issues.
These examples highlight that a proactive approach to GRC can be a driver for opportunity and confidence able to optimise a company’s development strategy. But what are the keys of success for such an approach?
They revolve around the following three cornerstones: adding value to risk , cross-responsibilities, and setting up a suitable frame of reference.
Adding value to risk
Setting up such a system must be done at the same time as giving some consideration to the company’s level of Risk Appetite. Regardless of the activity, it defines the level of risk that is acceptable for ensuring the company’s development and will allow it to design a tool for measuring, reporting, and adjusting the level of risk exposure. By sharing this vision with all those involved, InfoSec GRC promotes risk culture within the company.
This journey towards awareness must clearly occur via suitable communication targeted at Executive Management, but not just this. Risk management is, indeed, a collective role. All the employees within the company are concerned, each at their own level, whether they hold responsibilities or are contributing.
Given the diversity of those involved and their practices, making each of them aware of the importance of their role and the added value they bring is fundamental. As such, the COSO 2, referential risk management framework, is a key element in any company’s strategy, which supports the entire organisation.
This point of reference enables us to identify risks and to manage them in line with their risk appetite and strategic objectives. It breaks down the silos between the company’s departments, particularly different audit and inspection roles, and promotes the establishment of relationships between them as well as the sharing of analyses and approaches.
In this context of risk cross-distribution, the role of the Risk Manager (RM) takes on great importance. Managing cyber risks, a key skill of the Chief Information Security Officer (CISO), requires solid technical expertise as well as the ability to contextualise threats and general impacts in a business environment.
By strengthening links with Risk Managers, as well as with other contributors, the CISO can contribute to formally mapping out the company’s risks, in keeping with the company’s security needs. The role also contributes to the emergence of shared practices as well as prioritising and rolling-out processing measures. The CISO is, then, established as a stakeholder in the management of the company’s strategy and performance optimisation
To perform the role well, the CISO must have, at his or her own level, a long-term concise and up-to-date vision of the company’s InfoSec risks, made possible by the implementation of standardised, and if possible properly-equipped and industrialised, GRC approaches.
A standardised and industrialised approach
Standardisation aims to share a common foundation of reference points and knowledge between the different contributors, and to set up unified approaches. Led in parallel to the alignment of those involved with risk, standardisation is a key driver behind efficiency; particularly in large matrix and/or international organisations, subject to mixed processes and various, even sometimes contradictory, regulatory frameworks. Moreover, it acts as a coherent, operational foundation for setting up an industrialised and properly-equipped approach, promoting greater efficiency and productivity.
Having a suitable tooling means that we can implement the sector’s standards and good practices more easily. It also means that making the company’s different stakeholders aware of their responsibilities can be done much quicker. Due to this, it promotes collaborative working and improves the reporting to the Executive Management. Thanks to this, we can accelerate key decision-making at the lower end of the chain.
Industrialisation and having a proper set of solutions are only, in the end, ways for GRC to create conditions of resilience and confidence that are needed for its development. They can be extremely useful for this end goal, particularly by concentrating the InfoSec team’s efforts on performing tasks with higher added value, such as advising or benchmarking.
In the end, you might say that the idea of a cross-department and proactive GRC approach is simply wishful thinking, being so little adapted to the realities on the ground. And you wouldn’t be wrong! It’s even our conviction: this approach is a goal and has to be adapted to the company and the ability of its employees. But even if it seems idyllic now, all these actions will have a benefit, and as such we are dealing with an ambition that we can carry out across the whole organisation…