2021 predictions: Quantifying and prioritizing cyber and business risk
Every new year brings new challenges surrounding risk management. Learn how to protect your company and its assets with these tips from an industry insider.
While a new year doesn’t necessarily bring new threats precisely at the stroke of midnight on Jan. 1, risk management is a year-round endeavor to which all businesses should devote resources. Risk management involves assessing potential threats to your business and implementing measures to block them in advance and remediate them if they cause impact.
Steve Cloutman of risk management provider Ventiv wrote a blog post earlier this month outlining 5 Risk Management Trends & Priorities for 2021, which he listed in order:
- Mitigating the long-term effects of COVID-19 on the supply chain
- Build protection and resilience
- Innovate to reduce insurance costs
- Use good data to manage risk appetite
- Use data science to reduce claim costs
Obviously the pandemic and its effects play a significant role in risk management, especially with many companies supporting a remote workforce. Innovation and data analysis are always going to be significant allies in facing the challenges surrounding risk.
I spoke with Matt Kunkel, CEO of LogicGate, a cloud-based risk management provider, about the future of risk management.
Scott Matteson: What challenges are anticipated in 2021 for risk quantification and prioritization?
Matt Kunkel: The biggest challenge for quantifying and prioritizing risk is data. For most businesses, risk data lives everywhere. In order to truly quantify and prioritize risk, the data needs to be aggregated into one platform to create a single source of truth. In 2020, the pandemic forced many businesses into a state of reactive risk management.
Organizations will have to shift from this reactive state to a proactive approach to risk management. This will require better visibility into risk across the company, which has added complexities in a remote world. It will also take buy-in from the top. 2020 got the attention of executives on risk management; the challenge for risk professionals in 2021 is what they will do with it.
Scott Matteson: Where do the biggest risks lie, and what are the potential ramifications?
Matt Kunkel: In 2020, digital business initiatives took over, and with them came an increase in digital risks. Digital risks include many familiar risks such as cybersecurity, data shared with third parties and data privacy. Cyber risk is one of the largest areas of risk for companies today. As companies rely more heavily on technology, they are increasingly exposed to cyber risks.
These risks can be internal, stemming from within the organization, or external, stemming from outside the organization. The potential ramifications are monetary loss, operational disruption, a detriment to the company’s reputation and something we are seeing more and more of, regulatory fines.
Scott Matteson: How should organizations plan to prioritize risk management?
Matt Kunkel: Prioritizing risk management starts by evaluating your current risk exposure and the potential impact of those risks on your day-to-day operations. Then you build off this to determine your risk appetite, or how much risk you are willing to take on as an organization. The key to prioritizing risk is tying all risk back to business objectives, which allows you to translate it to dollars and cents. Organizations are not going to fully invest in risk until it’s talked about in a way executives and boards understand—dollars and cents. In order to get there, risk must first be tied back to business objectives.
Scott Matteson: What sort of technical/risk background is helpful here?
Matt Kunkel: Having a deep understanding of your business and the market you are in is crucial when evaluating risk. Certainly technology is a key component of quantifying and prioritizing risk. But the technology used is only as helpful as the processes already in place. So laying the foundation with what we call a risk-aware culture is not only helpful, it’s necessary. A risk-aware culture empowers all employees to be aware of and act on risk.
Risk management is ultimately a team sport; everyone in the company has responsibility. With remote work now the norm, this is even more important. You can have all the risk expertise, but ultimately the sales team has the best understanding of the risks they face, as does the marketing team. Creating and fostering a risk-aware culture from the top down will set every business up for success.
Scott Matteson: What should IT staff be doing in advance to remediate potential risks?
Matt Kunkel: IT teams should always be monitoring their company’s risk profile and helping implement technology to manage risk. This includes creating a centralized repository of risk activities to serve as a single source of truth. Companies need agile technology that allows them to do this to scale quickly. As organizations continue to work remotely, IT teams should also be vigilant in educating employees on risky situations that may arise.
For example, phishing emails. Employees can’t just lean over to a coworker anymore to ask if they also received a fake-looking email from an employee in HR. IT teams have to continually put an emphasis on educating employees to expose potential risks.
Scott Matteson: What is truly the weakest link in risk management?
Matt Kunkel: Any GRC [governance, risk, compliance] program is only as strong as the people who run it. If you don’t invest in the people and develop a culture of risk, your efforts will be hindered. Outdated technology or legacy methods can also be a big holdup for risk management efforts. If you’re managing risk on spreadsheets and email, you will quickly fall behind.
Scott Matteson: What technology is developing (or will be developed) to assist with risk quantification and prioritization?
Matt Kunkel: Robotic process automation (RPA) is a key technology for helping organizations quantify and prioritize risk. RPA frees companies up from repetitive, manual tasks and allows them to focus on more strategic work. Essentially, it helps companies make smarter decisions more quickly, which is what risk quantification and prioritization is all about. Again, this technology is only as good as the processes already in place.