The COVID-19 pandemic gave chief risk officers (CROs)—a relative newcomer to the C-suite—an opportunity and a challenge: to assess, manage, and measure risk and resilience in a crisis. Disruptions throughout organizations and their supply chains, which continue today with shortages of chips for automobiles and raw materials for home manufacturing, helped organizations see the fragility of many systems they took for granted. Looking ahead, CROs are ensuring their businesses are building resilience into their plans and operations to be prepared for the next natural disaster, activist-driven shutdown, or data breach.
According to new research from ServiceNow and ESI ThoughtLab that surveyed 1,080 business leaders across 13 countries, CROs are taking the lead in setting up resilience roles, engaging in resilience audits, shoring up their company’s cybersecurity, and working to build a resilient corporate culture. Depending on their location, they also are heavily involved in—if not leading—their company’s adoption of new privacy regulations and management of ESG (environment, social, and governance) risk as well.
Since the CRO’s remit covers the entire organization, they see many of the same barriers to, and benefits from, resilience as their peers. But they’re slightly more concerned about barriers to fluid internal communication and persistent and rigid silos—two of the most common obstacles to managing risk—and they’re putting privacy risks front and center.
Privacy risks top of mind for CROs
According to Check Point Software’s Mid Year Report 2021, global cyberattacks are up almost 30%, while global ransomware attacks have almost doubled from earlier in the year, pushing data privacy risks to the forefront of the CRO’s agenda. Nearly all CROs surveyed say that assessing and managing privacy risk is a top area of responsibility, and 4 in 10 say they’re in charge of implementing strategies to boost data privacy. This is an area where risk teams and security leaders share common interests and can leverage a common technical foundation with ServiceNow.
CROs also say they’re responsible for building a more resilient corporate culture, establishing financial rewards for resilience, recruiting risk specialists, reporting on key risk indicators and metrics, and other resilience-focused tasks.
Compared to other executives, CROs play a larger role in two areas, the survey showed: improving compliance planning to ensure the organization is up-to-date on regulatory and governance requirements; and conducting resilience audits, which assess the organization’s readiness to handle and respond to disruptions.
CROs value continuity planning and testing
Disruptions in recent years have increased the focus on planning ahead and on prioritization based on business impact. Resilience requires thinking about what matters to and could affect your business and the risks associated with these priorities, and then building plans, processes, policies, and programs to reduce these impacts.
To aid in these objectives, CROs are improving the entire lifecycle of resilience—from business impact analysis to crisis response and recovery. They reported that their increased focus on business continuity planning, scenario testing, and plan maintenance delivered the greatest value toward resilience. They also invest in resilience audits, tools and data for employees, reporting on key risk indicators, and creating a common risk management toolset. Much like the CIO, CROs see high value from tools and technology that improve cybersecurity.
They also see the importance of investing in people as well as technology. More than one-half of CROs want to hire resilience and risk-management specialists and establish incentives for resilience.
CROs see link between resilience and scalability
CROs cite, as other executives do, greater revenue and sales as the top benefit of risk management and resilience. But they’re also more likely to see a link between resilience and scalability. CROs understand that when an organization works to anticipate and mitigate potential risks, it unlocks the potential for faster growth. When bad things happen, resilience helps the organization minimize the cost and damage and bounce back faster and more successfully.
On average, CROs agree with the rest of the C-suite on the challenges related to making their companies more resilient. They’re concerned about their ability to quantify the ROI of resilience investments, to recruit top talent, and to modernize processes.
But CROs also are more worried about the impact of rigid silos and divisions in various corporate departmental cultures than their peers, and for good reason. If CROs can’t easily communicate across departments and roles—to solicit data from across the organization, create meaningful priorities and plans, and manage through crises—then they can’t create or maintain informed risk-management strategies to help the organization survive future disruptions.