Every business decision holds risk, but are companies prepared? With accelerated digitalization in the wake of the pandemic, companies must plan for a range of risk management scenarios, from operations and strategic risk to business continuity, brand, and security.
To stay on top of the fast-changing risk management landscape, businesses must proactively invest in the right tools, infrastructure, and workflows to swiftly act in the course of an event. They must also educate and empower their teams to take control and make smart decisions.
My colleagues explored all of this and more with risk experts on the Innovation Today podcast. Here are some ways risk management professionals are driving change for their companies and clients.
As companies embrace modern strategies for risk and resilience, there’s been a noted change in the overall risk management discussion. Risk has become something more than one initiative or function; forward-thinking companies increasingly refer to it as “operational resilience.” It’s about encouraging people to do the right thing and to make intelligent, informed decisions—not about control, rules, and punishment.
It’s also high stakes. “There’s a lot of pressure for the institutions to make sure that they have adequate controls in place, not only for business as usual, but also [to confront] regulatory challenges,” says Dan Prior, partner at the EY consulting practice. This has produced “an environment that is very cumbersome from a control and technical debt perspective.”
These sweeping changes in approach to risk must start at the top—with the CEO. The CEO has the authority and the vision to encourage a culture by which silos are broken down and collaboration and accountability across the company are encouraged.
Melissa Cohoe, global director of security, risk, and resiliency at NewRocket, a business advisory firm and a ServiceNow partner, has seen risk management evolve over the last decade to encompass more consistent and holistic strategies. “The organizations that are most successful are the ones that realize the results they want to achieve,” she explains.
Although companies of different sizes and stages may vary in their maturity and approach to risk, one area she says every company must think about is the end result. Cohoe recommends companies ask themselves questions such as:
What is our board or senior executive team asking us to accomplish?
What results do we need to solve for?
What business problems are we specifically addressing?
Once you determine your goal, she adds, it’s important to empower your teams with the why. The more knowledgeable they are about controls and the deeper reasoning behind any new risk management protocols, the more likely the organization is to succeed. To execute, she recommends working with an experienced partner that can guide you in the right solution.
Hunter Freeman, senior manager at Edgile, a cyber risk and regulatory compliance company, points to getting the company aligned as a way to begin.
“It starts with having a consistent definition of risks,” he says. “We should have a good idea of what are the common risks facing the business, the assets, and then take it from there.” This requires having the discipline for consistency—to compare risks in an apples-to-apples manner, across the enterprise. “We need to be consistent about what risks we apply to what items.”
“Risk is a journey,” Cohoe adds. “You’re going to mature over time. Your potential attack surface is going to change over time... You need to be prepared to constantly examine your risk management program: How successful is it? What has changed? What’s emerging that you now need to respond to?”
The idea is to approach risk with a sense of malleability. Simply put, avoid strict structures and rules. Instead, lean into being flexible and open to changes as your program evolves.
Every organization will have its own priorities and challenges, but one must-have, Cohoe says, is response planning. “Make sure you’re prepared so that you’ve got plans in place for business continuity and disaster recovery. Make sure you’ve got your playbooks for security incident response.”
Moving fast to implement software is key to avoiding “analysis paralysis,” she adds. Change requires preparation, planning, and cultural change—the faster you can implement, the easier overcoming these hurdles will be.
Resilient companies know spreadsheets no longer cut it. They place too much burden on humans to manually keep data up to date, including the tedious effort of pulling metrics and forming reports for senior leaders and boards.
Like Cohoe and NewRocket, EY is seeing a transition to a more holistic approach. “A lot of what we’re seeing in our clients is this focus on not only automation and the risk and compliance space to get out of doing things on paper or spreadsheets, but a transition to technology as well as thinking about what we call a unified experience,” says Chris Lucado, a partner at EY.
“We’re also seeing a lot of clients who enabled governance, risk, and compliance technology years and years ago,” adds Angie Leggett, managing director of cybersecurity services at KPMG. “These tools are very old in nature and have a lot of inaccurate and stale data. We’re seeing the need for a shift in identifying modern-day technologies that can improve productivity, reduce overall costs, and bring stakeholders together.”
These modern tools and approaches include:
Humans in the loop, with care: Companies must be aware of when to expose (or not expose) humans to potential risks. Exposures may lead to a faulty sense of judgment, bias, or indecision. In parallel, technologies must “speak up” and flag risks so that the right people can jump in and address them.
Integrated risk management: “Integrated risk management is bringing together the worlds of risk and compliance,” Freeman notes. “I think in many organizations these are separate-but-related functions, but historically they’ve been a little more siloed. We’re operating in email, we’re operating in spreadsheets, and all of that kind of hinders the free flow of information between those two functions.” When those are integrated together, businesses can expand their risk conversations to broader compliance objectives, he adds.
Third-party risk management: An IBM report found that 17% of critical infrastructure breaches were due to a business partner. Third-party risk management is a must-have in every strategy. Companies must constantly ask themselves, “Who has my most sensitive information?”
AI: AI is proving beneficial in aggregating data and identifying trends and issues. It sets the foundation for fast reporting, eliminating rote, manual tasks.
Automation: Streamlining processes will be essential for companies that want to stay ahead of changing regulations. This requires tools and systems that can address regulations quickly and remediate issues as they arise.
Advanced reporting: Traditionally, risk has been reported quarterly. Yet today, leaders expect an always-on approach, with a continuous audit of data. Agility will determine the winners with new compliance and regulations. A common set of controls will also be critical in supporting risk management frameworks across the organization.
For integrated risk management programs to truly take off, access to data is critical. “Where we see clients being successful is when we can get these programs operating on a common solution like ServiceNow so that we can leverage and have all that data in one place,” Freeman notes.
“The name of the game is data,” Lucado agrees. “[Companies] need to not only figure out how to harness their own risk data, but also connect that to other types of data within the organization... It’s about a breadth of capabilities,” he explains.
It goes beyond the data. It’s also the ability for your team to have controls, reporting, and continuous monitoring, all in real time. This means clear insights into real-time risk vulnerabilities and the capability to update the risk rating immediately, view trends, and get proactive—before it leads to a breach.
“That’s really what’s unique about ServiceNow and how we’re working with ServiceNow with our clients,” Lucado continues. “It provides the risk capabilities as well as the broader platform capabilities to provide that unified experience... as well as workflow across functions.”
Find out more about how ServiceNow helps with modern approaches to integrated risk management.
© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.