The latest enterprise risk management news from around the world

No-one would argue that a cyber attack doesn’t pose a potentially catastrophic threat to any company, however other less obvious interconnected risk vectors can stack up – and pose as big a threat says Gary Lynam.

Overlooked risks in an unpredictable world

If the COVID-19 pandemic has taught us anything, it is that once in a hundred-year events do happen and it is near impossible to predict when with any accuracy. This harsh fact has made us acutely aware of unforeseen threats that could be lurking anywhere. Top of that list for many businesses are probably cyber threats, which can manifest themselves in many forms (phishing, malware, ransomware, DDoS attacks etc.) and can strike at any time.

Although cybercrime grabs the headlines, it would be a mistake to focus on cyber risk alone rather than as one of the many interconnected risk components of any organization. Risks travel in clusters, so when a cyber threat emerges, whether it is due to perimeter penetration, unauthorised data access or malware, it is already associated with risk-related outcomes. It can provoke GDPR issues, which can lead to regulatory risks and result in remediation activities, financial loss and reputational damage. It is these consequential risks that businesses often spend too little time thinking about. The question is: how do we ensure we are well placed to mitigate such risks?

Identifying the key indicators for cyber risk management

Start with a risk appetite statement (RAS), a stated definition of the amount and type of risk a company is willing to take to safeguard or enable its strategic goals, broken down into subcategories, such as cybercrime, geopolitical, economic, or financial. Identify the associated metrics and assign a traffic light system to indicate the level of risk and whether it brings an upside or downside.

For example, if you were to map the risk metrics associated with a land war in Europe, you might measure supply chain implications, energy impact, and the consequences these will have on you and your partners/suppliers. This is all part of a bigger mapping process, whereby you document in detail the entire end-to-end process for your business. Identify each step at the most granular level and attach the requisite resources, such as person, software, hardware, supplier, data and location. Then, flesh out the vulnerabilities and apply red, amber, or green.

All this data is useful in and of itself but it becomes more valuable when you add a layer of smart analysis. Using a centralised, integrated repository, with an inbuilt analytical engine, provides output via a dashboard that can be easily digested and acted upon. However, it is essential that this approach is reproduced across the entire business and not just one unit. When it comes to metrics, insight is useful but not if the organization is running different processes in different areas; everything must be joined up, consistent, and integrated.

Be prepared for disruption at any time

As noted above, the COVID-19 pandemic has reinvigorated the use of scenarios, and shifted mindset to recoverability; organizations are now more accepting that disruption will occur. Recent events such as the TSB Bank’s record fine for operational resilience failings highlighted that organizations need to be prepared: don’t plan under the assumption something might happen; plan assuming that it already has. What next? What do your crisis management and business continuity plans look like? How do you ensure critical service maintenance?

Scenario analysis

Desktop simulations can be very helpful here to get people more engaged and involved with the scenario process. However, we are also seeing a significant rise in organizations seeking external help from independent experts to run live simulations, during which they knock off live critical systems to see what happens and whether contingency plans actually work. Just as airline pilots learn from actual airtime and not just simulations, this on-the-job approach yields impressive results and will best prepare you for the unexpected.

In addition to running real-world tests, it's helpful to have a conceptual view of your risk profile. We recommend what is known as the Risk Bow Tie technique, which helps provide a rational and pragmatic view of risk. This methodology analyses risk logically so we can adopt sensible responses and ensure a robust framework to understand and manage it. This approach can be broken down into four primary components:

  • The root causes – where the risk begins
  • The risk events – the events that link the causes to the impact
  • The risk impacts – the impacts on your objectives
  • Controls – measures that maintain and modify the risk.

Next steps to prepare for every eventuality

Ultimately, we need a deeper understanding of the interconnected nature of risks so we can be better protected against any downside coming our way. By encouraging a dynamic, open approach to risk we can boost operational resilience. Stop thinking about probabilities and act as if the worst has already happened. Prepare staff to be offline for a day when you purposefully stress test your systems; establish a satellite office to add capacity; set aside money on the balance sheet for a stormy day. These are a few ways to ensure your business is best placed to withstand another one in a hundred-year event.

The author

Gary Lynam is Director of ERM Advisory, Protecht.

Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.