As new risks emerge, security and risk management are converging and driving the development of integrated risk management, writes David Walter, the Vice President of RSA Security’s* Archer division.
The concept of risk has been around since the beginning of time. From the early days and into the modern era of governance, risk and compliance (GRC), the core principles of risk management have remained consistent. However, at a time when organizations are taking far greater risks and facing greater cybersecurity threats, we’re having to change the way we think about risk management, and even the vocabulary that defines the practice.
Driven by digital transformation and the adoption of new technologies like mobile, cloud and the Internet of Things (IoT), business risk today is growing in scope and complexity. The need to manage it in a more agile, responsive manner is pressing. That urgency might prompt us to consider abandoning the “old ways,” or look at established approaches to GRC as outdated and unsuitable for this new era of IoT. After all, GRC has been rooted in manual and qualitative processes. In many ways, this approach is reactive – a way to look in the “rearview mirror” of risk. Facing an expanding threat landscape, this old school approach is not sustainable and will hinder organizations as they pursue digital transformation initiatives – to the tune of $1.3 trillion in investments by the end of 2018.
Rather than abandon GRC, however, an organization’s risk management strategy must evolve into Integrated Risk Management (IRM), a new term and strategy that is better suited to address today’s multifaceted challenges and helps connect multiple domains of risk with operational business transactions. This new risk lexicon also serves as a shift in how organizations should be thinking about, and managing, risk.
Acronym Watch: What is IRM?
Integrated Risk Management (IRM) is the industry shift needed to help organizations thrive in the new digital economy, one that is flooded with data and is ripe with potential security vulnerabilities. IRM will allow risk management professionals to focus on visibility, insight and action.
With IRM risk practitioners no longer act as the referees on the sidelines, trying to react to changes in the business. IRM embeds risk into decision making bylooking at the risk of failed execution and also the risk of uncaptured opportunity.
How IRM Works
A recent study found that elements of digital transformation are impacting every aspect of a business, and rearranging the IT department’s priorities. While the Board once allocated funds for IT security with little oversight, the CISO now hasis now having to engage in a risk and return on investment (ROI) conversation with the C-Suite. Without being able to quantify the financial value of risk, though, that conversation is fruitless. The impact of poor execution and missed opportunity is so large that the C-Suite needs to understand the risk impact of, and connection between, strategic business decisions and how the execution of those decisions impacts business risk.
However, driven by the production of continuous data, performance metrics like data velocity and agility are becoming harder to manage and measure. Risk management teams must leverage new processes and technologies to turn qualitative, manual risk identification and assessment processes into automated functions. So-called “Big Data” data analysis and the use of machine learning and artificial intelligence can help identify and evaluate risk in real-time and increase the scope of risk management.
[See also: Three Decades on RSA Sets Course for the Future]
The best way to do that is to quantify the transactional risks in dollars and cents (risk economics) to be able to bring the transactional to a strategic level. Quantification also allows the C-Suite to engage in “What if?” scenario planning and look at the transaction risk impact of various strategic decisions. This is why many CISOs are looking to the practice of Cyber Risk Quantification to do this effectively and efficiently.
Risk and Security are on a Collision Course
The worlds of risk and security are on a collision course, and the kinetic energy driving this convergence is digital transformation. Fueling this shift is an endless, and growing, output of data. Relying on the traditional, manual GRC model to process and make sense of all this new data won’t work. The pace of business is accelerating too quickly. GRC has to evolve into the practice of Integrated Risk Management that encompasses enterprise, operational, cybersecurity and digital risk.
Having an effective strategy to address digital risk will enable risk professionals to help their organization seize opportunities without jeopardizing putting it at risk of a cybersecurity incident.
All of this is to say: Integrated Risk Management is a journey. In the not-so-distant future, I believe the conversation risk practitioners are engaging in will with shift: focusing on “upside risks:” the potential risk associated with not making an investment in technology.
(*) RSA Security is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.