Data Highlights Major Risks and Opportunities for ERM to Grow

October 25, 2017

Cybersecurity stays in the foreground, and leadership is gaining visibility with better ERM reporting and sources of risk data.

At its 2017 H1 Meeting in Purchase, New York, the Corporate ERM Group discussed balancing the delicate relationship between the risk group and the strategy team, a critical task given their current focus in these areas:

1) Cybersecurity and Data Privacy Regulations. The biggest cyber risk threats are not external forces but the internal forces in a company.

2) ERM Reporting—Moving Beyond Heatmaps. ERM looks at new ways to show risk to stakeholders.

3) Alternate Sources of Risk Data. A leadership challenge alters a risk framework.

Cybersecurity and Data Privacy Regulations

One member’s head of security for operations and technology walked members through his thoughts on internal security threats. Employees unknowingly letting in external threats by clicking on malicious links or responding to messages from “fake” (impersonated) employees is an increasing problem. Theft of intellectual property is another problem that risk managers need to address.

KEY TAKEAWAYS 

1) A successful cybersecurity strategy is to think about it (prevention) and manage it (response). The corporate security chief highlighted his two biggest concerns:

  • Unintentional insider sharing. The social media explosion makes employees increasingly vulnerable to this. The bad guys continue to invent new ways to get in, and employees continue to “help” them.
  • Internet weakness. Internet-connected products make life easier, but they also give bad actors new ways in. The member used the example of child monitors that connect to the Internet and can be hacked.

2) Focus on prevention. The member explained to the group that one layer of the team is dedicated to prevention. His company has a security engineering team that is aligned with the business teams. This team looks for operational issues and drives programs to prevent bad things. Being a cyber-patriot is viewed as necessary in a functioning defense program. The company’s defense plan is formed by a standard framework that has evolved from several different companies.

3) When bad things happen. Despite the prevention effort, bad things will happen. The company has a security operations response team running 24/7 and uses several approaches to bolster its cybersecurity efforts, including deploying external consultants, a peer networking group and continuous improvement of the technical depth/background of the team.

4) Creative approaches. The company fortifies its cyber defenses in several ways:

  • The “bug bounty.” Ethical hackers and security professionals are willing to help. The company pays them to find vulnerabilities.
  • Phishing tournaments. Employees are sent fake links to see if they click on them. Those who click are told quickly enough that the link did not actually compromise their data, but not so quickly that they miss a brief feeling of dread.
  • Spam contests. Employees receive points for turning in spam email. The employees get bragging rights and prizes. The contest raises awareness and foils common spam scams.
  • A multi-company hackathon in which the IT department role-plays an attacker trying to get in.
  • The marketing department helps foster cultural awareness in the company.

Praedicat Update

Two members updated the group on their companies’ use of the Praedicat service, which provides risk data in emerging risks. Praedicat helps the firms:

  • Shift focus to enhance risk management benefits. One company uses the data to move from a reactive to a proactive risk management process:
    – Using advanced data analytics and risk modeling to gain earlier visibility to emerging EHS and enterprise risks.
    – Providing objective risk assessment and trend analysis.
    – Mitigating new risks and protecting the brand.
    – Partnering with the businesses to enhance product/service offerings that meet their risk appetite and solve customer issues.

  • Influence regulation based on science, not speculation. One of the member companies uses the Praedicat service to relate science to regulation as well as litigation and more general risk.

OUTLOOK 

It is important that business units understand cyber risk is a business risk and not just an IT risk. Corporations are focused on prevention but also have a response team ready to go in case any bad things do happen.

ERM Reporting—Moving Beyond Heatmaps

For reporting purposes, data solutions that allow for easy manipulation of data, enabling members to show risk in various ways, seem to be very helpful to members. This session included reporting that senior management has found helpful.

KEY TAKEAWAYS 

1) Members are not ready to give up on heatmaps. Members decided that they are ready for what comes next after heatmaps, but generally feel that heatmaps are still a useful tool to strike up a conversation. Members agreed that heatmaps cannot drive the conversation, but are needed to initiate it. One member cautioned that they must be careful about behavior risk: a risk could show as red on the heatmap, yet be one the company is willing to accept. Because of these heatmap shortcomings, members feel that it’s time for a new generation of communication tools for risk data.

2) Little consensus on how often ERM reports to the board. For some members reporting is more ad hoc or on special topics, while for others annual meetings with the board occur in addition to formal meetings with the audit committee.

3) Important to communicate risk across the organization. Members expressed the importance of driving the message down to many levels of the corporation. One member suggested that getting a clear message out has helped control unprofitable behavior, such as not taking on enough risk and paying too much to mitigate risk.

4) ERM reporting facilitates communication. Examples of communication include heatmaps, summaries, charts and graphs, and dashboards. One member says her team presents charts and graphs to show alignment among the most significant risks and opportunities. This reporting is used in the annual assessments with the businesses.

5) Risk software can be a useful tool not only with governance but also with reporting and communication. Software allowing for data filtering and sorting adds a level of transparency.

Alternate Sources for Risk Data

Members provided a brief refresher on how they gather their risk data and shared some new sources. The group put together a list for future sharing on their sources of risk data.

  • Procurement data put to good use evaluating risk. One of the members walked the group through how they analyze procurement data to see where they have embedded insurance and are thus paying for unnecessary risk coverage. In addition to showing where money might be wasted, such reviews also point to opportunities to broaden coverage to more carriers, reducing counterparty and payout risk.
  • Should I stay or should I go? In this political climate, events can be harder to measure. For example, will a key executive in a firm receive backlash from consumers for meeting with the president at the White House?
  • How is evolving technology impacting the risk profile? Smart technology is being employed by members to try to be more proactive and “keep up.”
  • Future exploration? Members were asked what other sources of risk data they would like to explore at a future meeting, and the ideas generated include:
    – Talent (What makes a risk manager?)
    – Blockchain
    – Anti-globalism–Nationalism
    – Being on the wrong side of society–guilt by association

OUTLOOK 

Heatmaps are here to stay, though members are actively seeking alternative ways to show risk. All the members agreed that reporting is an excellent way to initiate conversation, but should not be driving actions alone.

Alternate Sources of Risk Data

One member shared results of a senior management challenge to use “alternate” sources of risk data, walking the group through his company’s risk framework.

KEY TAKEAWAYS 

1) Identify areas of risk to the organization in broad categories. Risk is reviewed in terms of both risk to the enterprise and risk to the business units. When the company thinks of risk, they ask themselves: Do we have the appropriate risks identified, and is there alignment of framework and strategy?

2) Evaluate the corporation at the business level. The focus is on five to eight risks in the following areas:

  • Strategic—competition
  • Product—technology changes
  • Execution—quality of products
  • Financial—management

3) High-level assessment of the top six. The six most important risks to the organization are reported with commentary around each risk. The risks are evaluated at the business unit and ranked (1–5) by likelihood.

4) Challenge the ERM team to review the overall framework. Challenged by leadership, the team reviewed what the company was presenting to the world and how this was affecting ERM. To look externally, they utilized common tools such as COSO guidance and ensured their terminology was up to date. To look internally, they read through employees’ comments on the annual opinion survey, especially reviewing employee concerns to make sure they had not missed anything.

5) Act on findings. The ERM team took three steps after its review. It broadened its risk categories and increased the list of specific risks. It also moved to an on-demand product and shifted focus to delivery. The team now plans to conduct a comprehensive review every three years.

Cyber Defense Is Everybody’s Business

Being a cyber defense professional is still evolving and the career path remains fluid. Experience counts for a lot. More colleges are offering courses aligned with cybersecurity, with direct input from the NSA, and the military is training more cybersecurity experts. Even high schools are starting to offer courses. That’s just how hot this issue is. The threat comes from outside and within.

Group members also realize the importance of understanding the data that vendors have and the risk they pose. Vendors must comply with standards from several companies, and it is important to evaluate your corporate standards when working with vendors.

Data leaving the company is also a growing problem. One member is doing several things to monitor data “leaving” the company, including reviewing transfers of certain file types and monitoring for unusual employee patterns such as large downloads. Another member suggested using document templates that cannot be copied. All of this is an attempt to proactively prevent inside data from moving to the outside.
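The two checks the member describes (watching certain file types and spotting unusually large download volumes) can be expressed as a small egress monitor. The following is an added example, not code from the member company or the ERM group; the log format, the watched extensions, the thresholds and the sample log lines are all constructed assumptions. The volume check compares each user’s daily total against that user’s own median on other days, so a normally quiet account that suddenly moves a large volume stands out without a single global threshold.

```python
"""Toy data-egress monitor (added example, not the member company's tooling).

Flags (1) outbound transfers of watched file types and (2) days on which a
user's outbound volume is far above that user's own baseline. Log format,
extension list and thresholds are assumptions made for this illustration.
"""
import os
from collections import defaultdict
from statistics import median

# Constructed sample log: date,user,filename,bytes_out (one event per line).
SAMPLE_LOG = """\
2017-10-01,alice,q3_forecast.xlsx,120000
2017-10-01,bob,readme.txt,2000
2017-10-02,alice,deck.pptx,150000
2017-10-02,bob,notes.docx,30000
2017-10-03,alice,customer_list.csv,110000
2017-10-03,bob,photo.png,50000
2017-10-04,alice,archive.zip,90000000
2017-10-04,alice,mailbox.pst,45000000
2017-10-04,bob,memo.docx,25000
"""

# Assumed watch list: archives, mailbox exports and bulk data formats.
WATCHED_EXTENSIONS = {".pst", ".zip", ".csv", ".sql"}
VOLUME_MULTIPLIER = 10       # flag a day that exceeds 10x the user's median of other days
MIN_BYTES = 10_000_000       # ...but only above an absolute floor, so tiny baselines don't alarm


def parse_log(text):
    """Parse 'date,user,filename,bytes' lines into dicts, skipping malformed rows."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        date, user, name, size = parts
        try:
            events.append({"date": date, "user": user, "file": name, "bytes": int(size)})
        except ValueError:
            continue  # non-numeric size: ignore the row rather than crash the monitor
    return events


def watched_file_events(events):
    """Return events whose file extension is on the watch list."""
    return [e for e in events
            if os.path.splitext(e["file"])[1].lower() in WATCHED_EXTENSIONS]


def daily_volume(events):
    """Sum bytes out per (user, date)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["date"])] += e["bytes"]
    return dict(totals)


def volume_anomalies(events):
    """Flag (user, date) pairs whose volume is > VOLUME_MULTIPLIER x that user's
    median daily volume on other days and above MIN_BYTES."""
    per_user = defaultdict(dict)
    for (user, date), b in daily_volume(events).items():
        per_user[user][date] = b
    anomalies = []
    for user, days in per_user.items():
        for date, b in days.items():
            others = [v for d, v in days.items() if d != date]
            if not others:
                continue  # no baseline yet for a first-seen user
            baseline = median(others)
            if b >= MIN_BYTES and b > VOLUME_MULTIPLIER * baseline:
                anomalies.append({"user": user, "date": date,
                                  "bytes": b, "baseline": baseline})
    return anomalies


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in watched_file_events(evts):
        print("watched type:", e["date"], e["user"], e["file"])
    for a in volume_anomalies(evts):
        print("volume anomaly:", a)
```

On the constructed log this flags alice’s CSV, ZIP and PST transfers by type, and flags 2017-10-04 for alice by volume (135 MB against a baseline of about 120 KB) while bob, whose days are all small and similar, is not flagged. A real deployment would read from a proxy or endpoint agent rather than a string, and would tune the multiplier and floor per business unit.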

Many members reported that their boards have requested regular updates. One member presents a cyber readiness scorecard to the Audit Committee.

OUTLOOK 

Although the challenge to review alternate sources of risk data did not dramatically change the member company’s program, it did result in some new insights. Added insight is important if risk is to make progress in inserting itself into business strategy and planning discussions. Alignment of the enterprise risk framework and strategy is critical for this, too. To the extent the sources of data used by risk are also those used by strategy, a connection can be made. Similarly, if strategy can gain insight from the alternate sources of data that risk uses, then the cross-fertilization of data can help both areas. Going forward, a challenge might be for risk and strategy to swap data sources to see what happens.
