As Technology Industry Evolves, ERM Takes Active Role In Planning
By Ethan Harrington, Director, Insurance And Enterprise Risk Management, H&R Block
However, the IT department is not alone in the fight against threat actors. Enterprise risk management is a partner in identifying and thwarting possible attacks. The enterprise risk management (ERM) team has the responsibility to detect risks that may impact the organization and to identify a risk owner to handle each one. In coordination with the risk owner, the ERM team helps confirm the trend, impact and likelihood (which together yield severity), duration, response, and residual effect for the identified risk.
Through this coordination, ERM is better placed to facilitate additional considerations, such as involving other departments and arranging risk transfer, among other aspects. Additionally, a critical function of ERM is preparing the risk owner for discussion with the broader ERM committee, senior leadership, and the board of directors. Therefore, when complex risks such as data security require the board to become involved, IT should seek partnership with other departments for effective risk management.
There are three ways to manage this process: look at data security differently, use black hat discussions to find solutions, and evaluate organizational needs.
Take a Position – Data Security isn’t Just an IT Problem
With the changing landscape, IT is no longer solely responsible for an organization’s security. Other departments that are significant players in protecting the organization include enterprise risk management, legal, compliance, human resources, sourcing, insurance, senior leadership, and the board of directors. However, who leads the charge? Most would argue IT is responsible for the direction, implementation and protection.
Let’s consider a football parallel: IT is the quarterback, with legal, compliance, human resources and other departments making up the position players.
While IT focuses on ensuring all players are in the right position and making critical decisions, the ERM team works with senior leadership to dictate and adjust strategy to ensure the goals are met. Through the ERM function, IT and other departments are freed from trying to be a participant while also managing communication, strategy, meetings, etc. Instead, IT is given the opportunity to dedicate critical time and resources to resolving the issue.
While IT may be the dominant player, its focus should be on the adaptability and agility of the response plan. The same argument applies to legal, compliance, human resources and others. As the facilitator, ERM ensures the relevant parties are completing their tasks to minimize the likelihood, impact or duration of the event, and recommends the response plan based on the scenario.
View Black Hat Thinking as a Strategic Solution, Not an Impediment
Many perceive black hat thinkers to be pessimists and negative thinkers. While this may be entirely accurate in some cases, black hat thinkers are not pessimists by nature. Instead, they consider how a decision or strategy may fail to connect to the overall strategy of the organization. This is valuable because someone must consider the risks, issues, and impact of executing the strategy or, in some cases, of not executing it. The ERM team is often full of black hat thinkers who consider how slight influences could create large differences in results.
Within IT, this becomes a delicate balance between the CIO and CISO. The CISO seeks to protect systems, data, intellectual property and services, which may directly contradict the goals of the CIO. Therefore, the ERM team may apply black hat thinking to both parties to find common ground. The CISO may propose a large portion of the budget for systems protection, but if the CIO believes the budget should largely be spent on development or redundancy, the black hat thinkers can examine the strategy of each and provide input to senior leadership and the board of directors for the ultimate decision. By including ERM in the strategic conversation, a broader perspective can be applied to prevent, mitigate, or plan for potential issues that may arise from the strategy's implementation.
Put the Plan into Action with Balance and Teamwork as Key Goals
These are among the components to consider when developing a plan that incorporates the ERM team:
• What is your organization’s mission?
• What are the goals and objectives?
• What can you do to influence the culture of the organization?
• Also, consider reviewing how employees perceive the organization’s reputation – does this align with what non-employees perceive as the reputation?
  • The non-employee audience includes shareholders, analysts, clients, etc.
  • Setting the strategy based only on our own assessment of our reputation, without considering the assessment of non-employees, is flawed.
Through the process of answering these questions and doing further analysis on the answers, the findings may provide an additional litmus test to the feasibility and acceptability of the plan. If the plan isn’t consistent with the organization’s culture, re-evaluating it is the next step.
We are all working for a common goal: the success of the organization while maintaining security for our associates, customers, shareholders, vendors, and other partners. To achieve these goals, we must combine the expertise of different departments with many perspectives. Using the ERM team, open collaboration, debates, and alternative views can result in a stronger overall organization that sets, implements and achieves strategic excellence.