
RISK MANAGEMENT


The importance of a zero-trust risk management strategy in 2021 and beyond

Well into its second year, the global Covid-19 pandemic has impacted every business sector imaginable, and risk management is no exception. It is certainly one of the major factors in Allied Market Research’s prediction that the global risk management market will grow to an astronomical $28.87 billion by 2027 [1].


Among the main concerns of business leaders (74% of those interviewed), according to a recent study by Forrester Consulting [2], is Insider Risk Management (IRM). “The Covid-19 outbreak and followed lockdown had a positive impact on the market, owing to large-scale adoption of the work-from-home culture among industries and the surge in the risk of cyber-attacks and other security concerns,” it says, adding: “The pandemic brought radical changes in daily lives, especially in work. The strict compliance of social distancing and digital transformation of business increased the demand for risk management services.”

What is Integrated Risk Management?

“Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organisation manages its unique set of risks,” says Gartner [3].

According to Gartner, IRM needs to include six key areas:

• Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership

• Assessment: Identification, evaluation and prioritisation of risks

• Response: Identification and implementation of mechanisms to mitigate risk

• Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response

• Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls

• Technology: Design and implementation of an IRM solution (IRMS) architecture

Managing risk in the age of digital transformation

Michael Jabbara, Vice President of Global Risk at Visa, which commissioned a study into global digital trends and the evolution of risk strategies by Forrester Consulting [4], writes: “For months, the world watched as country after country tackled the challenge posed by the coronavirus in hopes of preventing widespread infections and saving lives. In most cities, businesses closed as a precaution and those with a digital footprint to serve consumers remotely fared better than those without. We’ve learned, though, that simply having a digital footprint does not ensure smooth and secure commerce. Only true digital transformation, with a holistic approach to risk management, will enable businesses to serve customers online through efficiency, personalisation, insight and safe transactions.”

The main takeaways of the study are:

• Identify and prioritise key digital transformation initiatives and the necessary risk management capabilities for each

• Determine what changes are most important to your company and be aware of the risk considerations. You cannot eliminate risk, but you may prepare for it with careful planning. Retrofitting risk protection after the fact will slow down your digital transformation and even impact your customer experience. Approach digital transformation in manageable phases to ensure you are able to apply the proper risk protections at each step.

• Recognise that change is constant and stay ahead of emerging risks. Risk management is not static; it is constantly changing in response to market dynamics. Firms should not only manage present risks but also plan for risks that are on the horizon.

• Leverage data from risk management systems to inform and improve ongoing business and technology decisions.

• Bring risk functions to the technology and business decision-making tables. Risk management is more than a menagerie of technologies; it is a strategy to protect your greatest assets. Investing in technology may help automate and streamline risk and compliance, but it will not compensate for a lack of process. Start with a risk management strategy that aligns with strategic business goals, then select technologies to enable them.

Risk management has to catch up with the business

“’Move fast and break things’ was the mantra of tech firms, and it spread to businesses that embarked on digital transformations,” avers PwC, in its recent PwC Pulse Survey [5].

“Often the ones left behind were risk managers who had been thought of as hurdles, people who would stop a transformation initiative in its tracks. Not anymore. There have been enough failed initiatives, bad investments, costly cyber breaches, disappointed workforces and disgruntled consumers to change the norm to ‘move fast and do not break things’. That is being accomplished by having risk professionals embedded in business units and product development teams that lead the charge on transformation.”

Transformation comes with opportunities – and accentuated risk

“But,” warns PwC, “with tremendous opportunities come increased risks and accentuated risk profiles for many companies. Sixty-five per cent of risk management leaders say that risks from transformation adoption and tech will increase in 2021. Because of the nature and scope of transformation, these risks may be encompassing and highly interconnected with other risks expected to increase this year: cyber and data protection risks (65%), data governance (63%), human capital and talent management (59%), third-party and supplier management (57%), regulatory compliance (55%) and enterprise resiliency (48%).”

The ‘intelligence-driven one risk office’ accordingly needs to find the right balance between ‘human-led’ and ‘tech-powered’, says PwC, through collaboration, fixing disconnects, laying a clear and common foundation, and embracing integration.

Data protection is becoming more and more challenging

“An alarming number of South African enterprises have a resiliency gap that’s putting their data at risk,” says Lee-Anne Williams, Veritas product manager at Axiz. “Today’s digital data deluge has heralded changes in enterprise workloads, with data analytics, artificial intelligence, and machine learning all taking advantage of – and ultimately creating more – data throughout the enterprise. As organisations shift away from legacy relational databases toward new open source and cloud-based platforms, the very nature of applications and data is constantly shifting, making data protection increasingly challenging.”

It’s not that organisations don’t know the importance of backups, she continues, it’s that they’re battling with cobbled-together, fragmented systems in the face of growing cybercrime. “Cyber incidents continue to grow yet data shows many organisations are simply not prepared and remain vulnerable. Not only has ransomware grown exponentially, but data privacy regulations are in full effect and taking chances isn’t an option anymore.”

Building cyber-resilient back-ups

Fortifying backup environments and leveraging technologies that focus on speed of recovery are the two critical elements required to build a cyber-resilient backup strategy, says Williams. “Covid-19 and the subsequent need for remote working has resulted in more companies pursuing multi-cloud strategies and moving more of their data, workloads and applications into the cloud quickly. However, many companies, particularly small businesses, weren’t ready for such a transition and the increasing IT complexity from multi-cloud environments, coupled with lagging resiliency and backup and disaster recovery measures that aren’t robust enough – is making too many enterprises an inviting target for malicious actors.”

She continues: “There is no doubt that cyberthreats are on the rise. Just recently, a well-known health club experienced a sophisticated cyberattack and data breach, and it is only a matter of time before other companies experience the same fate. We are seeing an increase in ransomware, and with ransomware-as-a-service (RaaS) gaining momentum, which enables cybercriminals to use already-developed ransomware tools to execute attacks, we are likely going to see a spike in the coming months. In fact, even big US tech companies are pushing for ransomware to be designated as a national security threat.”

According to a recent Veritas Resiliency Report, 42% of respondents said that their companies had experienced ransomware attacks; those that had say they have faced 4.5 attacks on average, with larger companies being attacked more often. What’s more, 54% of organisations have had flat or decreased funding levels for IT security during the pandemic, at a time when distributed workforces and increased demand for edge data protection have put additional strain on security resources.

It’s not so much about being hit as being able to recover

“More frightening is that 57% of companies haven’t tested their disaster recovery plan within the past two months,” says Williams. “This means that many companies aren’t following best practice. Not only is it critical to have a comprehensive backup approach, but having a system recovery plan in place is imperative to minimise downtime and restore critical operations. After all, it’s not about being hit, it’s about how you recover.”

According to Williams, data protection should be simple, secure and unified. “The resiliency gap is real and widening. Forewarned is forearmed, and with the integrity of data at stake through increased cyber-attacks and an increasing push to regulate how enterprises meet data compliance, businesses cannot negate their backup and recovery strategies now more than ever,” she warns.

Lee-Anne Williams

1. https://www.prnewswire.com/news-releases/risk-management-market-to-garner-28-87-bnglobally-by-2027-at-18-7-cagr-allied-marketresearch-301282858.html

2. https://www.businesswire.com/news/home/20210429005907/en/Insider-Risk-Management-Concerns-Rise-as-Security-Priorities-Shift-Post-Pandemic

3. https://www.gartner.com/en/information-technology/glossary/integrated-risk-managementirm#:~:text=Assessment%3A%20Identification%2C%20evaluation%20and%20prioritization,of%20an%20enterprise’s%20risk%20response

4. https://usa.visa.com/visa-everywhere/security/forrester-consulting-managingrisk-in-digital-transformation.html

5. https://www.pwc.com/us/en/library/risk-management-leader.html
