Most organizations cannot afford to reduce every single risk to what some practitioners would deem acceptable. Providing actionable information about all the things that might happen, not by using terms like High, Medium, or Low, but in specific business terms will help evaluate which risks to take.
Imagine you are the senior executive of a major organization.
You hold a meeting that includes the Chief Risk Officer (CRO), Chief Audit Executive (CAE), head of information security (CISO), CFO, Senior Vice President of Marketing (CMO), COO, CIO, and others.
You start the meeting with a question: “What should our priorities be in the coming year?”
Everybody starts talking at once. In fact, the decibels increase as they try to shout over each other. Eventually, you restore order and ask them to speak one at a time.
You point to each of them, in turn. This is how they answer.
The CISO is literally bouncing in his seat. Perhaps it’s because he doesn’t get to be heard by you very often.
CISO: “We need to put cyber risk at the top of our priority list. Our security is porous because we haven’t had the budget to hire the people I need to patch our vulnerabilities; we don’t have the tools to detect breaches; and, I can’t get the executive team to participate in our breach response planning and drills.”
You point to the CIO. He should understand what the CISO is saying. Will he agree?
CIO: “Well, cyber risk is a concern. That’s true. But I would not put it in the top ten when we have to replace our financial systems and upgrade our servers. The business is really suffering from very slow response time and our inability to deploy the latest data analytics. We need those analytics to keep up with our competitors.”
The COO chimes in. “I agree that we need to do something urgently about our IT systems. They won’t support the initiatives approved by the board, such as investments in the latest technology to support growth of our business and expansion into new markets.”
CMO: “Absolutely right. Our competitors have the tools and we don’t have the market insights they do. We need to catch up and quickly if we are not going to lose market share.”
COO: “Don’t forget we also need to allocate a major portion of our capital budget and operating expense for a new factory in Vietnam. We need to move manufacturing there quickly so we can remain price competitive. I understand the concern about cyber, but that is a possibility – and I think we can survive it – while failing to invest in the business is certain to cause us to fail.”
CFO: “Well, we can’t do everything. I am sensitive to the concerns raised by the board and some investor groups about cyber. But that may be a risk we have to take. We can’t spend as much as the CISO has asked for and still fund Vietnam, upgrade our business systems, and so on.”
You look to the CAE and CRO.
The CRO supports the CISO, distributing his latest risk heat map. Cyber is in the Red quadrant, marked as a High risk. “Cyber is a high risk, well above the risk appetite for IT assets that the board approved. But then so are other risks, such as customer satisfaction and market share.”
The CAE informs you that his team has audited the risk management activity and the heat map fairly presents the assessment of the management group of the more significant risks.
What would you do?
Can you afford to spend your entire capital budget and any increase in operating expenses on cyber? In fact, can you afford to treat all the “high” risks so that they drop below acceptable levels? How do you weigh addressing the defined risks against the opportunities from the Vietnam and analytics investments?
As you are considering the problem, the CFO speaks up again.
“Let’s analyze this to see whether there are any ‘stay-in-business’ needs. Then the rest can be judged based on ROI. As I see it, we need the Vietnam factory; without it, we will lose market share and that’s the end of our story. We can probably increase spending on IT infrastructure and analytics more slowly, but I want to see options from Marketing, IT, and the COO’s office first. As for cyber and the other so-called high risks, I want answers to these questions:
- If we do nothing, what is the worst that might happen? How likely is that?
- Is it likely (and how likely) that we will have problems that are less severe?
- How will those problems affect our key metrics of EPS, market share, customer satisfaction, and gross margin?
- What can be done about each of the high risks? How much will we need to spend and how much will that reduce the likelihood and magnitude of the risk?
- In fact, will we still face the same potential impact on our key metrics? What I mean is: will we be able to keep the risk down when threats continue to increase?
- Are there options for spending less?”
Protiviti just published a new piece on cyber.
As with almost every piece of guidance on risks and risk management, it tells us what we already know. Cyber is a risk that we need to understand and do something about.
But does it help us know what makes business sense to do?
Why does nobody (with few exceptions) tell you to assess risks in a way that helps leaders not only make decisions about risks but also decide whether it makes sense to take the risks because money is needed elsewhere?
In fact, most organizations cannot afford to reduce every single risk to what some practitioners would deem acceptable.
So how do we make the right business decisions?
I think it starts with providing actionable information about all the things that might happen, not in terms like High, Medium, or Low, but in business terms like ‘must do to survive’, ‘this will prevent our achieving our EPS targets’, and so on.
I welcome your thoughts.