Managing Enterprise Risk in a Risky World
Today, we find a common thread in our net-centric world: Business opportunity and information dependence breed business risk. In particular, risk to security and privacy is present in huge doses every day. But how should we best manage the information risk coming through the door, over our firewall and through our software on a continual basis?
We all realize that the risk to our national security, business and personal data is growing. Our information networks and means of storage are increasingly vulnerable to attack and compromise. Is it any wonder that new terminology such as enterprise risk management (ERM), risk intelligence, risk assessments and business risk have become so common? Today’s business environment is full of risk, whether it involves national security, intelligence gathering, transportation, operations, medical, logistics, sales or any other business activity.
It is the rare organization that intelligently manages the full spectrum of risk; that adequately assesses and addresses risk from all angles; that breaks through organizational barriers that prevent an objective assessment; and that systematically anticipates and prepares a holistic plan to manage potentially significant risks. The ugly fact is that every organization is becoming increasingly vulnerable to data loss—both internal business and private client—from cyberattacks, espionage, crime, exploitation, disruption, manipulation, natural disasters and terrorism. The risk to data entrusted to organizations today is real and intensifying daily, thanks to the very same technology applications and accessibility that provide improved ability to use the data. The upside to gaining insights into the risks threatening our organizations is that, besides just defending ourselves, we also can be more proactive based on the risk intelligence gathered.
The value of any information network to a user is exponentially proportional to the number of other users in that network. Thus, for improved operations, it is natural that government and industry users want to be more widely connected. New capabilities, such as Web 2.0 services, are used not only for information sharing and collaboration but also increasingly as a social forum. Thus, personally identifiable information is even more susceptible to unauthorized access and abuse. These information-networking factors are affecting every organization, every society and the global economy.
Technical standard formats such as OpenID now are allowing users to sign up for a one-time username and password that will work at any compatible OpenID site. The result will be improved data and information access across the Internet. This will allow convenience and speed but will also be a breeding ground for increased cyberthreats and potential misuse of secure and private information. Interestingly, many companies moved forward with e-commerce but suffered losses to their reputation and customer base because they failed to protect online customer data.
When asked what their plan is for managing risk to the critical information and data being transmitted and stored by their organization, some people respond, “I don’t know. That’s our CIO’s responsibility.” Others don’t have a clue. What has developed over the past several years is that ERM has become a critical element for every organization and an increasingly necessary art and science form for successful enterprises.
Are you willing to bet your nation’s security, your client’s personal data and the viability of your business on the processes you have in place today for assessing and managing the full spectrum of risk that is all around you? Does your organization have an ERM plan? If so, does that plan explain the means for providing appropriate security and privacy through layered defense? Is every employee of your organization adhering to the ERM plan for protecting the data entrusted to you, your clients and your brand? In case of compromise, do you have a contingency plan that can be quickly implemented? And, can you proactively capitalize on the risk intelligence you gather to better posture your organization for greater success?
Risk is unavoidable. Nation-state espionage and information exploitation continue to pose risks to national security. Terrorist attacks expose business continuity risks, and cybercrime continues to increase security and privacy risks. Expensive asbestos settlements highlight the dangers of public health and safety risks. Corporate crises illustrate poor preparation and clumsy responses—quite often through the national news media.
Overall, organizations that are most effective in managing risks will, in the long run, outperform those that are less so. For the business world, it is simple: Companies make money by taking risks and lose money by failing to manage them. The secret for every organization is to have a smart risk-management strategy, but many will ignore this business essential.
Will you sleep well tonight knowing that each employee of your organization is following the instructions, processes and mandates of your ERM plan? I hope so, because your clients, your business and, in many cases, your nation are depending on you.
Lt. Gen. Harry D. Raduege Jr., USAF (Ret.), is chairman of the