Incorporating Cybersecurity Into Effective Risk Management
December 15, 2020
In the second part of Process Risk and Technology Solutions' series on Risk Management, Nina Kelleher and Jason Connotillo highlight how cybersecurity enhances effective risk management.
NK: Prior podcast guests, Ray Soriano, responded to the noticeable uptick in regulatory fines at some well-known institutions. He outlined that many up here related to lapses in risk management and that proper risk management typically involves a few things, but at a minimum addressing what your risks are and where they reside. I'd like to get your thoughts around the approach and the timing of assessing risk, and how information technology should be included.
JC: Sure, Nina. An at risk management program is only as effective as the sum of its parts. So taking an enterprise wide approach when assessing risk is crucial. Doing so lays the groundwork to assess the full breadth of business activities. And I think also include people and processes from areas like technology that are often missed. I know it may sound rather simple, but having too narrow focus when you execute a risk management program likely excludes a portion of an organization's operations and objectives.
NK:And your thoughts as far as the frequency and timing?
JC:Yeah. So I think mature organizations assess risks as frequently as quarterly. Mostly because they're affected by accelerating risk drivers within their industries more than others. Some organizations may opt for less frequent assessments because their risk drivers don't materially change. We typically do not see risk assessments performed less frequently than once a year at companies that do employ risk management practices.
NK:So you mentioned risk drivers. Can you give us some examples of what a risk driver is?
JC:Yeah, sure. I'd love to. And two come to mind. One would definitely be the regulatory fines that, discussed with Ray in the previous podcast. Regulatory scrutiny and financial penalties within your industry can certainly be both a wake-up call to risks as well as a risk driver.
Another is the increase in cybersecurity attacks. These things pop up all the time and they make headlines often. These are serious. They knock out company operations and expose sensitive data. Attacks now are up something like four fold since the pandemic has started, and anytime risk drivers change, really it's a good reminder to re-perform risk assessments, regardless of your industry. And again, regardless of industry, risk drivers as they appear even more so a compelling reason to begin doing them, if you haven't already.
NK:So in your experience, do you see organizations performing risk assessments around individual risk drivers?
JC: Yeah, they totally do. While focus risk assessments should form part of that broader enterprise wide risk approach that I mentioned earlier and also appears in prior podcasts, there's value in focusing short-term efforts on areas of accelerating risk. And again, cybersecurity that I just touched upon is a really good example of this.
With the uptick and incidents and the moving to a largely remote workforce as a result of the pandemic, reassessing your cyber risk exposure, identifying security gaps, and prioritizing your efforts to prevent an attack is a meaningful and timely focused risk management activity. We're identifying more recently through focused cyber security risk assessments, a significant number of unprotected devices connected to networks post-pandemic, just as an example. And correcting that is not a hard lift and impactful decreases the attack surface for a company.
NK:Great insight. Do you have any final thoughts to share before we conclude?
JC:Sure. I think assessments, whether enterprise wide or focused like I just talked about, are an essential part of any robust risk management strategy. But they don't have to be burdensome, whether enterprise wide or focused. Develop them, stay lean, align your risk assessment with the breadth of your business or the targeted business activity you want to look at, is generally a great approach. There's no one size fits all.
NK:Jason, thank you for this valuable information and thank you for listening to the EisnerAmper podcast series. For more information on this and a host of other topics, visit eisneramper.com/PRTS and join us for our next podcast.