Members discuss cyberthreats, current challenges and risk.
Members and guests who attended IAPG’s second-half meeting, which was held at Microsoft in Redmond, Wash., focused most of their discussions on cyber challenges and risk, but still covered a wide range of topics. Participants began the meeting with a lengthy opening spent talking about current challenges and other notable business. They exchanged views on trade compliance, GDPR and how members promulgate the value of their function to the rest of the business. The group also was treated to a tour of Microsoft’s Cyber Defense Operations Center. Here are the two topics that generated a lot of member exchange:
1) Cybersecurity. Members discussed the rising importance of getting a handle on cyberthreats and how for one member company cybersecurity is just as important as innovation. Members also discussed standards, with a look at the National Institute of Standards and Technology’s (NIST) framework.
2) ERM and Emerging Risks. This member-led session looked at how companies are identifying emerging risks before they happen (to the extent they can). The session leader also talked about the resistance the ERM program generally encountered, and said that the program needed to be more streamlined. The presenter also mentioned that some individuals within ERM “have a credibility challenge internally—even if they are very experienced.”
Cybersecurity
For tech companies, particularly those that house customer data, cyberthreats are becoming more and more sophisticated, and thus more important to get a handle on. This has resulted in an increasing dependence on internal audit to ferret out cyberthreats and breaches when they happen or, if possible, before they do.
KEY TAKEAWAYS
1) Not the same old, same old. At one member company, the old way of doing things involved the greater business saying, “Do whatever you do but don’t bother us,” the member said. However, “now, security is so core to everything we do—for us to be secure, everybody has to change—we put security as high as innovation,” which means senior management must get involved. This gets IA access to more of the business and the people involved (that may be vulnerable to hacks and the like). Without it, the coverage is spotty. “It’s impossible to audit an environment without having access or working with the business/developers,” this member said.
2) The gist of NIST. Several members of the group have adopted NIST’s Cybersecurity Framework (CSF) to organize their approach to confronting cyber risk. It’s also a format that can easily be shown to and understood by the board. NIST describes the CSF as a “voluntary framework” comprised of “standards, guidelines, and best practices to manage cybersecurity-related risk,” one that “helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.” Members also use COBIT (Control Objectives for Information and Related Technologies), a “good-practice framework” for information technology (IT) management and governance developed by the international professional association ISACA.
3) Know your crown jewels. One company in the group conducted an assessment in the summer of 2018 to look at a variety of ways to approach cybersecurity. Its approach now is data-centric: it identifies the crown jewels of the organization, along with which specific program goes with each crown jewel. But it can get complicated trying to determine the rigor needed for each classification of data, or figuring out “how many ingress and egress points do we have” in the system. Ingress traffic is all the data communications and network traffic originating from external networks and destined for a node in the host network; egress is the reverse, traffic that originates inside the host network and is directed toward an external network. In this company’s case, it didn’t know the number (“Why do we not know precisely how many?” was the question the member and his colleagues asked). The company had an external search done and found 27 ingress points, though the member said the number should have been a quarter to a third of that. A strong message was passed on to the CEO that the situation must be addressed, “but not a message that the sky is falling,” this member said.
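The “how many ingress points do we have” question above is answerable from the rule inventory a company already holds. The following is an added example, not the member company’s tooling or data: it takes a constructed list of firewall/security-group rules (hypothetical hosts, ports and CIDRs) and counts the distinct listeners reachable from outside the RFC 1918 private ranges, the outbound rules that reach external networks, and the listeners that are open to the entire internet on ports nobody expects to be public. The rule format and the RFC 1918 test are assumptions of this example.

```python
"""Enumerate ingress and egress points from a firewall rule inventory.

Added example with constructed data; the Rule format, host names and
rules below are hypothetical and not the member company's inventory.
"""
import ipaddress
from dataclasses import dataclass

# Address space treated as "inside": RFC 1918 private ranges (assumption).
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (inbound to host) or "out" (outbound from host)
    proto: str      # "tcp" or "udp"
    port: int       # listener port for "in", destination port for "out"
    cidr: str       # remote side: source CIDR for "in", destination for "out"
    host: str       # asset the rule is attached to


# Constructed inventory (hypothetical hosts and rules).
RULES = [
    Rule("in", "tcp", 443, "0.0.0.0/0", "web-1"),
    Rule("in", "tcp", 443, "0.0.0.0/0", "web-2"),
    Rule("in", "tcp", 22, "203.0.113.0/24", "bastion"),   # partner range, still external
    Rule("in", "tcp", 22, "10.0.0.0/8", "db-1"),          # internal only, not an ingress point
    Rule("in", "tcp", 3389, "0.0.0.0/0", "legacy-rdp"),   # forgotten exposure
    Rule("out", "tcp", 443, "0.0.0.0/0", "web-1"),
    Rule("out", "tcp", 25, "0.0.0.0/0", "mail-relay"),
    Rule("out", "udp", 53, "10.0.0.2/32", "db-1"),        # internal resolver only
]


def is_external(cidr: str) -> bool:
    """True if the CIDR contains any address outside the private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in PRIVATE_NETS)


def ingress_points(rules):
    """Distinct (host, proto, port) listeners reachable from external networks."""
    return sorted({
        (r.host, r.proto, r.port)
        for r in rules
        if r.direction == "in" and is_external(r.cidr)
    })


def egress_points(rules):
    """Distinct (host, proto, port) outbound paths that reach external networks."""
    return sorted({
        (r.host, r.proto, r.port)
        for r in rules
        if r.direction == "out" and is_external(r.cidr)
    })


def wide_open(rules, expected_public_ports=frozenset({443})):
    """Listeners exposed to 0.0.0.0/0 on ports not expected to be public."""
    found = set()
    for r in rules:
        if r.direction != "in":
            continue
        if ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0 and r.port not in expected_public_ports:
            found.add((r.host, r.proto, r.port))
    return sorted(found)


if __name__ == "__main__":
    print("ingress points:", len(ingress_points(RULES)))
    for host, proto, port in ingress_points(RULES):
        print(f"  {host} {proto}/{port}")
    print("egress points:", len(egress_points(RULES)))
    print("open to the internet on unexpected ports:", wide_open(RULES))
```

The count that goes to the CEO is the length of `ingress_points`, not the number of rules: two rules that expose the same listener are one ingress point, and a rule whose source is a private range is not one at all. Feed it a real export (cloud security groups, firewall ACLs, load-balancer listeners) and the `wide_open` list is the first thing to discuss with the business owners.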
Keeping An Eye on Things
Microsoft’s Cyber Defense Operations Center (CDOC) “brings together security response experts from across the company to help protect, detect and respond to threats in real time.” That’s part of what members learned on a tour of the facility. The CDOC is staffed 24/7 and has direct access to “thousands of security professionals, data scientists and product engineers throughout Microsoft to ensure rapid response and resolution to security threats.” Microsoft says it invests $1 billion annually in security, data protection and risk management. It also estimates that 6 billion records were stolen globally in 2017 (and perhaps more in 2018), with the estimated cost of cybercrime to the world economy running at about $8 trillion by 2022.
THE UPSHOT
Cybersecurity threats are changing the way members look at cyber risks—at one company they’re as important as innovation. While there are many approaches to confronting cyber risk, many companies are adopting the NIST approach. But it all starts with knowing thyself: That is—and this is where ERM can help—finding all the known risks and ranking them. Also, conduct “thinking the unthinkable” exercises to come up with possible risks in the future.
ERM and Emerging Risks
How are companies identifying emerging risks before they happen? This member-led session covered ways in which members try to detect future enterprise risks. There was also discussion of the resistance to the ERM program among some on the board. This member said the program needs to be more streamlined overall. He also discussed the fact that some individuals within ERM “have a credibility challenge internally—even if they are very experienced.”
KEY TAKEAWAYS
1) Familiar song—management buy-in needed. The session leader described his company’s ERM effort as a “fairly mature program” but noted that the reception of the program at the executive level was mixed. There are some people “who value what we deliver,” things like a quarterly cadence on monitoring and treatment plans, “but some resist making our program work for them.” This means not only proselytizing or selling ERM but also restructuring the group and the mission. “We need to streamline, we’re a little cumbersome as a program.” This also involved finding the right personality; it seems some members of the ERM team, despite their experience, “have a credibility challenge internally.” To be taken seriously, ERM practitioners must be good problem-solvers, negotiators and storytellers and, perhaps most important, they must thoroughly understand the business, its risk tolerance and the risks to the business.
2) Risk interviews. A consistent theme in ERM is conducting interviews (which ultimately help in understanding the business). In the presenter’s case, interviews with executives resulted in the collection of more than 1,000 individual risk “comments.” These were broken down into 55 themes, which were then ranked. This ranking was used to provide a basis for the audit plan, where “maybe one of the top 10 will hit the internal audit plan.”
3) Risk ownership. At this company, each of the top 25 risks has a C-suite owner; the owner’s direct reports own the treatment plan and mitigation efforts. The risk committee (CEO, CFO, and the heads of manufacturing, sales, legal, HR and IA) then discusses the input provided by the C-suite about risk acceptance and residual risk, which isn’t that quantified yet. The recommendations need to go through the audit department and the board’s risk committee.
4) Example of an ERM setup. Another IAPG member only recently established a risk committee, after ERM was transitioned to report to the CRO (who also is the COO). ERM developed a risk radar (an analytical tool that looks at financial, market, force majeure and strategy execution risks) as well as a risk committee, and so far both have been well received by the audit committee. This company also created a filter to take the top 40 enterprise risks down to four (for review by a management risk committee). IA and management keep track of or monitor the remaining 36 risks. The four risks must have properly documented risk mitigation plans.
Global Reach, Global-Sized Issues
Many companies in the group have elevated risk management to the level of a product that must be constantly monitored and improved. As previously noted, at one company it’s as important as innovation. Companies, ever more global, are putting a lot more focus on FCPA, and more recently GDPR, along with other business risks that they weren’t thinking a lot about before. Also with a global footprint comes the seemingly eternal vigilance needed to monitor political developments in areas where companies do business and to work with local governments—sometimes in ways that are not palatable to free-market thinking (see Google in China). “The biggest impact is the overall global change in political, geopolitical trends and nationalism,” said one member, adding that trade wars “put pressure on us around trade compliance.”
THE UPSHOT
There are many ways to organize an ERM program, but what works for many members and serves as a common denominator among the approaches is management buy-in, interviews, risk ownership and a solid reporting structure that involves many stakeholders in the business.