Cross-functional Partnership for Effective Risk Management
By Brent J. Pickens, Director-Global Risk Management, Bemis Company
Managing the threats organizations face from “being online” so that they continue to extract value from information technology, and win in their marketplace, is one of today’s critical challenges. While cyber-attacks are making strategic planning less certain, risk managers should be partnering with CIOs to organize the response to the threat.
I recently had the good fortune to be brainstorming cyber threats with a friend of mine who owns a business continuity and crisis management consulting firm, Sean Murphy of Lootok. “We are planning for an unknown event, at an unknown date and time, with an unknown impact, and since it is in the future—also, an unknown future current state. So, how can we prepare and plan for this environment if everything is unknown?” Sean said.
Typical linear thinking won’t do the job—putting some processes in place to capture experience and modify protocols will not deliver more certainty in strategic planning against new technology threats. The reality of emerging technologies—robotics, artificial intelligence, human biologic interfaces, and drones—arriving in an environment where we are still trying to understand the implications of already widely adopted technologies—smartphones, tablets, and social media—which are constantly under attack, makes a linear solution a fantasy. New technologies and new threats are truly making the next incident an unknown.
And those threats are multiplying with mind-blowing speed. One analysis found that a new piece of malware is unleashed every few seconds while our best anti-virus protections catch only one in ten. Our new business environment is becoming more complex with every passing minute.
However complex the challenge, there is something we can do to combat it. Our current online world presents a fantastic opportunity for risk managers to partner with their CIO and to build management competencies to address any threat that may emerge.
The partnership between a CIO and CRO (Chief Risk Officer) begins with each having a deep understanding of what the other is trying to accomplish for the company and how together they can achieve their objectives. This means sharing business plans and presentations, supporting cross-collaboration between their teams, and spending one-on-one time developing each other’s knowledge of their respective subject matter. This “rubber meets the road” time is critical to aligning messaging for board and officer communications, and it helps the risk manager ask good questions while efficiently probing for the threats and vulnerabilities that could harm the organization.
To partner effectively, each must recognize the gaps in their own abilities and knowledge and allow the other to help facilitate improvement. The CIO may teach why IT resources are vulnerable to attack or misuse, and the risk manager may teach how to prioritize threats and discover the impact to the business if specific threats arise.
Once the partnership is established, they can turn to leading the organization through the challenge at hand—managing the threats organizations face from “being online” so that they continue to extract value from information technology and win in their marketplace. No binder on a shelf ever survives first contact with an incident, but people who have the competence to lead and manage in a crisis can help organizations navigate a serious situation with a greater likelihood of mitigating damage.
Urgency is added when we remember that about 80 percent of decision making in a company is done in middle management layers, whose risk awareness and risk competence likely need more attention. These are the very people whose linear, step-by-step management abilities promoted them in the first place. Is time best spent writing plans that become stale the moment the binder holes are punched, or is time better spent coaching, training, and exercising our middle managers’ competency to lead and manage through various unknown incidents? Let’s build their fundamental risk management abilities.
Teaching the competencies of incident management, business continuity, and disaster recovery by having a simple risk management conversation about what is critical to the business, how critical items are vulnerable, and what threats may exploit those vulnerabilities is the right place to focus. In a non-linear environment where anything is possible, we need flexible-minded managers who can stay calm and organize incident response based upon the facts coming in at the moment.
As foreign governments, hacker mafias, and rogue individuals continue to exploit an open internet and flaws in hardware and software to attack companies that accept risk to gain the benefits of being online, the logical response is to engineer flexibility and competence into our people—risk management competence is fundamental to a high-performing culture. The binder on the shelf won’t just hurt you by falling on your head; it will hurt you most by diverting your focus from the reality of the moment that new technologies and threats are creating.
New technologies will keep coming. New threats will keep evolving. Our best protection is a diverse internal partnership and becoming as expert as possible in the fundamentals of risk management. The business reward for this type of approach is to live and grow another day in the marketplace of your choice.