Risk management has always been at the core of successful organizations. It is vital. The new ways of doing business are creating new “musts” of risk management. While cyber security risks tend to get the most risk management attention, many other types of risks also menace today’s businesses.
Risk management encompasses identifying, analysing and responding to the risk factors that form part of the life of a business. Effective risk management means trying to control future outcomes as far as possible by acting proactively rather than reactively.
Effective risk management can reduce both the likelihood of a risk occurring and its potential impact. Consultants urge caution, and business owners, leaders, senior management and investors now treat dealing with risk as a routine but vital part of their role and of the success of their businesses.
The past is prologue, and that is indisputable. Today’s business plans emphasize risk management techniques and assessment capabilities.
“Risk management is absolutely an essential basic when it comes to the operation of a business,” says the plugged-in Alice Lin, an instructor at Edmonton’s Norquest College faculty of business, environment and technology. “It is a critical part of business. Risk management utilizes a combination of predictive analytic techniques and inexpensive data-gathering technology, allowing businesses to evaluate alternatives more effectively.”
She points out that the world is changing its views and perspectives about risk, and that the risk management environment is being transformed. Stories and case studies show that companies often mismanage risks, triggering business problems ranging from scandals, financial repercussions and safety breaches to strategy issues, management distrust and more.
Experts warn that risks are sometimes mismanaged when companies don’t understand the purpose or definition behind risk management. “Or when companies rely too much on historical data, making their parameters for risk too narrow, disregarding risks that are obvious, when they don’t look closely enough for hidden risks, when they don’t communicate well or react effectively to issues in real time.”
She adds that, in the past five to 10 years, the need for effective risk management has become widely accepted. “Traditionally, people viewed risk management as single events (silos). The ERM (enterprise risk management) concept eventually became more widely accepted and now businesses are treating risk management as a way to identify potential future opportunity vis-a-vis risks.
“Enterprise risk management is the process of studying all identified potential risk events together to better understand and subsequently restructure some strategic objectives, to turn risks into future opportunities and improve overall competitiveness.”
A sure sign of wide acceptance is that risk management is now included in most post-secondary curricula, as more and more organizations embrace it as a vital component of their operations. “Risk management is no longer just a cost centre, as it was in the past,” she adds.
Business leaders and consultants are unanimous: as technology continues to transform and redefine modern life, it has also become a critical new dimension of doing business. Cyber risk has become almost synonymous with risk management because, as with every business and technology trend, there is a dark side.
Digital transformation is also transforming the dynamics of risk management. In today’s business, data is everywhere: on mobile phones, in cloud networks and on thumb drives. Some say data is a business’s most important asset and compare digital data to water: both are necessary for survival.
“Many organizations treat cyber security in a reactive and ad-hoc manner,” warns Drew Buhr, cyber security assessments lead at MNP in Edmonton. “They wait until a breach happens, either to them or someone else, and then they scramble to apply a quick fix. The better approach is to proactively manage the risk by identifying the blind spots and building a plan on how to manage the risks upfront.”
He points out that many organizations have a technical department, usually with legacy systems that are difficult to replace. Attackers target these systems, exploit the unpatched vulnerabilities and gain unauthorized access. Then they can escalate their attack and move throughout the rest of the network, compromising additional systems.
“There are numerous other areas where vulnerabilities lurk, including servers, network devices, computers and mobile devices that have not been protected, missing security patches, systems not securely configured against attack, and issues with account and access management.”
Buhr also cautions about a common risk management nightmare scenario for businesses: when hackers install software called ransomware on the company’s computers. When a computer gets infected, a notification pops up, letting the user know their data has been encrypted and they no longer have access… until they pay a fee.
From experience, he explains that hackers often target organizations simply because they’re connected to the internet. “Once they find a vulnerable system, or a person on the inside lets them in, they figure out where they are and see how they can make money. The threats typically come from the outside and then they try to pose as insiders. This is because, even though the external systems can be well protected, the internal systems are usually not. Insiders can be threats as well, so it’s important to have layered security throughout.”
By the time those warning signs appear, it is often too late. Even if the organization has a backup of the data, attackers go after the backup systems and delete that data, or threaten to publish the company’s sensitive data online.
“Many organizations do not have good monitoring systems,” he says. “While backups are important, organizations should focus on identifying the weaknesses in their IT systems before these sorts of things occur. An effective cyber security program that leverages risk management requires a defence-in-depth strategy with layered security controls to identify, protect, detect, respond and recover from security events. The program requires continuous diligence and should be based on structured and tailored plans to manage risk.
“There is no one-size-fits-all approach,” Buhr says. “Organizations should conduct cyber security risk and maturity assessments to identify the risks, so they can effectively thread them through different risk management strategies.”
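Two of Buhr’s warnings above are concrete enough to monitor for: attackers destroying backups before they encrypt, and organizations lacking the monitoring to notice. The block below is an added example, not code from the article or from MNP, showing what that monitoring can look like in practice. It runs two detections over constructed process-creation and file-write records (the record layout and the list of backup-destruction commands are my assumptions, chosen to resemble commonly reported ransomware behaviour such as deleting volume shadow copies and the Windows backup catalog) and ranks hosts where both signals appear.

```python
"""Ransomware-precursor detection over sample endpoint logs.

Added example, not code from the article or from MNP. The event layout
and the command patterns below are assumptions modelled on widely reported
ransomware behaviour; adapt them to your own telemetry (Sysmon, EDR, 4688).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    host: str
    process: str
    path: str


# Constructed sample data (not real logs): ws-07 shows a normal day,
# fs-01 shows recovery data being destroyed and then files rewritten.
PROC_EVENTS = [
    ProcEvent("ws-07", "jdoe", "C:\\Windows\\System32\\notepad.exe C:\\notes.txt"),
    ProcEvent("fs-01", "svc-backup", "vssadmin.exe list shadows"),
    ProcEvent("fs-01", "SYSTEM", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("fs-01", "SYSTEM", "wbadmin delete catalog -quiet"),
    ProcEvent("fs-01", "SYSTEM", "bcdedit /set {default} recoveryenabled No"),
]

FILE_EVENTS = (
    [FileEvent("ws-07", "winword.exe", f"C:\\Users\\jdoe\\doc{i}.docx") for i in range(3)]
    + [FileEvent("fs-01", "updater.exe", f"D:\\Shares\\finance\\q{i}.xlsx.locked") for i in range(60)]
)

# Commands that remove local recovery data. Illustrative, not exhaustive
# (assumption); "list shadows" is deliberately not matched, it is benign.
BACKUP_DESTRUCTION = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted via WMI"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "backup catalog deleted"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "boot recovery disabled"),
]


def flag_backup_destruction(events):
    """Return (host, user, reason, cmdline) for each command that removes recovery data."""
    hits = []
    for ev in events:
        for pattern, reason in BACKUP_DESTRUCTION:
            if pattern.search(ev.cmdline):
                hits.append((ev.host, ev.user, reason, ev.cmdline))
                break  # one reason per event is enough for triage
    return hits


def flag_mass_rewrite(events, threshold=50):
    """Return (host, process, extension, count) when a single process writes
    at least `threshold` files that share one extension: the pattern an
    encryptor leaves when it appends its own suffix to every victim file."""
    counts = defaultdict(int)
    for ev in events:
        ext = ev.path.rsplit(".", 1)[-1].lower() if "." in ev.path else ""
        counts[(ev.host, ev.process, ext)] += 1
    return [(h, p, e, n) for (h, p, e), n in counts.items() if n >= threshold]


def triage(proc_events, file_events):
    """Score hosts so that backup destruction followed by mass rewrite
    ranks above either signal alone. Weights are arbitrary (assumption)."""
    score = defaultdict(int)
    for host, *_ in flag_backup_destruction(proc_events):
        score[host] += 2
    for host, *_ in flag_mass_rewrite(file_events):
        score[host] += 3
    return dict(sorted(score.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for hit in flag_backup_destruction(PROC_EVENTS):
        print("backup destruction:", hit)
    for hit in flag_mass_rewrite(FILE_EVENTS):
        print("mass rewrite:", hit)
    print("hosts to isolate, highest score first:", triage(PROC_EVENTS, FILE_EVENTS))
```

On the sample data only fs-01 scores, and it scores on both signals: three recovery-destroying commands run as SYSTEM, then sixty finance spreadsheets rewritten with a single new extension by one process. The backup-destruction rule is the earlier and cheaper alert; it fires before encryption begins, which is exactly the window Buhr describes as usually missed. The rule also illustrates his point that a restorable backup is only useful if the systems holding it are monitored and not reachable from the compromised host.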
Whether the risk is cyber or any of the wider gamut of business risks, the news is not all bad. Risk management experts and consultants agree that companies must establish well-defined risk management from the top of the organization, so that everyone is clear about what to do and how to react when challenges arise.
Lin emphasizes some key benefits of effective and good ERM, “Potentially reducing the hazard risk’s impact and costs, the ability to take advantage of good risks – because not all risks are bad – the ability to seek optimal profitability, practice holistic risk management and ensure compliance with regulatory and legal requirements.”
There’s no doubt about it: the past two-plus years of business disruptions have only heightened the need for effective risk management. With trends like work-from-home routines and more open remote access to a company’s systems and data than ever before, businesses have faced unexpected risks, unwanted surprises and some nasty consequences.
Many organizations were caught flat-footed by a risk they never planned for: the fragilities of doing business in risk-prone times.