The Growing Risk in Risk Management

With a fragmented view of the threats facing your enterprise, you can’t easily model, quantify or mitigate risk, let alone weigh the magnitude of one risk against another. As cybersecurity, data privacy, and compliance risks grow in scale and complexity, the biggest risk facing large companies may be the inability to see the big picture.

Too often, risk analysis is isolated within functional silos. Data is collected and assessed manually in spreadsheets. (For those of you using them, we salute you.) Reporting to executive teams may occur quarterly, biannually, or annually. This inability to perform continual, real-time monitoring — in the spirit of Zero Trust — leaves companies flying blind between these periodic reviews. As a result, they may miss emerging issues until they escalate into crises.

A holistic view is difficult to achieve, so most enterprises function on piecemeal information, struggling with risk prioritization and proactive, strategic planning.

Even when risk assessment occurs within a specific functional area, it’s often hampered by the inability to consistently monitor and quantify threats. For example, only 30% of organizations surveyed for PwC’s new 2022 Global Digital Trust Insights Report quantify their cybersecurity risk. And fewer than half understand their third-party risk and the associated supply chain impact of a cyber attack.

Teams responsible for monitoring and managing risk across the enterprise are doing everything they can, but the processes, technologies and tools available to them have not kept pace with the complexity of accelerating threats.

The New Age of Risk

“When you think about the landscape now, we’re talking about a lot of different kinds of risks and issues,” said Felix Sterling, chief legal officer and chief compliance officer at Trend Micro, a $1.7B internet security company. “You have exploding regulatory risk, ever-evolving attack surfaces and increasingly motivated attackers, an increasingly complex internal environment — and more and more pressure, rightly so, to be proactive about preventing risks.”

In this new age of risk management, conditions can change quickly, and factors of risk compound exponentially. Problems in one area impact operations across your entire organization. Too many companies, however, are navigating this terrain with poor visibility, which threatens their ability to compete and, in some cases, survive. The ability to visualize your risk landscape and proactively plan, measure, and predict risk — in a consistent and unbiased manner — is more important than ever.

“Threats aren’t just attacks… With all of these things converging, you need to monitor all of your internal environments,” Sterling noted. “What we used to think about as just product-level issues are now becoming Cloud issues and environment issues, and all of the data that used to sit on the customer side is now inside of our environment, so there are . . . a lot of factors we need to address.”

Sterling noted the importance of presenting this information to board members and the C-suite in a format that facilitates important financial decisions.

“The frustration I have . . . is trying to understand how to parse all of this technical information that’s coming in from all these different points in the organization — both because it’s pushed to me when events happen and because I’m trying to pull it and not necessarily knowing where to pull it from. How do I parse all of that information and turn it into something that’s comparative, that helps me understand (whether) we’re getting better or getting worse?

“How do you . . . have visibility? There is no easy answer.”

Effective Risk Modeling

Corporate risk monitoring programs have not kept pace with today’s accelerating threats and challenges. Too often, risk assessment and reporting processes don’t quantify risk and leave enterprises in a reactive mode when threats emerge.

In order to strengthen risk management programs that support corporate business objectives in a more proactive manner, teams need to be able to:

  • Continuously monitor risk exposure based on your company’s own operational data, not general industry information. In this way, you can be alerted to trends, outliers and aberrations affecting your operations in time to respond proactively and minimize damage.
  • Eliminate operational silos so your executives and board members can see the big picture and can make more informed and strategic decisions.
  • Present enterprise-wide reporting in an intuitive, unbiased format that enables more consistent decisions based on comprehensive data.
  • Calculate and predict financial exposure. By quantifying the cost of each threat, you can prioritize your responses and aggressively address the most dire issues.
  • Compare your company-specific, real-time risk score against industry benchmarks to track progress against peers.

“A lot of us have been looking for something that can do this,” Sterling said.

Companies today face numerous intertwined, fast-changing, high-stakes risks — and their biggest threat is the lack of an integrated, holistic, real-time view of enterprise risk based on their organization’s unique circumstances. They need new tools to give them a fighting chance.

The full 6-minute interview with Felix Sterling is part of The New Age of Enterprise Risk CXO Series.