The digital enterprise is here. Digital risk is too.
Business processes in enterprises and government organizations have become "digital" at an accelerated pace in the past few years. In most industries, many business functions that were conducted on premises or on paper are now performed online through digital processes. Many processes that were once confined to proprietary IT systems have also been extended to improve accessibility, manageability and communication, and can now be reached from a multitude of devices across the cloud, including employees' own smartphones.
While this trend has led to a dramatic improvement in productivity and business at all levels, it is also creating a new set of risk factors that executives in enterprises and government organizations must quickly start taking into account. In digital businesses, digital risk is no longer limited to threats to traditional IT systems. Operational technology and physical security have been digitizing and are becoming increasingly interdependent with IT systems and the Internet of Things, which calls for a risk-based approach to governance and management.
Gartner shared the following findings and predictions at their 2014 Security & Risk Management Summit:
Digital Risk Management – The next evolution in enterprise risk
Gartner sees digital risk management (DRM) as the next evolution in enterprise risk and security, with digital risk officers (DROs) leading the new discipline. "By 2019, the new digital risk concept will become the default approach for technology risk management," says Paul Proctor, vice president and distinguished analyst at Gartner. He adds: "Digital risk officers (DROs) will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk."
We agree with their prediction and believe that the ultimate goal for DRM is to build digital resiliency, where an organization’s systems and operations are designed to detect threats and respond to events to minimize business disruption and financial losses.
We also believe that the DRO will report to a senior executive in a line of business, such as the executive in charge of the digital business, the COO or the chief risk officer. His or her role will be very different from that of a chief information security officer (CISO). The DRO will manage risk from a business perspective and will work directly with peers in business operations, compliance and IT security. In many companies, the CISO and the head of physical security may start reporting to the DRO.
Many CISOs will want to evolve into the role of DRO, but will have to grow in a few dimensions to be considered for the job. They have to understand their company's business function and develop some level of business expertise so that they can speak the language of business executives, articulate digital risk factors in operational and financial terms, and provide recommendations on risk mitigation initiatives. In doing so, they need to be keenly aware of their role in developing a new risk management culture across functional silos, and start forming partnerships with a new set of functional leaders within the line of business, including sales, marketing, operations and legal.
Bridging the cultural gap between the business and IT
The cultural gap between business executives and IT leaders presents a real challenge. For too long, business executives have believed that technology-related risk is a technical problem and have delegated it to technical people operating in IT, separate from the business. Technical people, in turn, often do not understand their organization's business function well and do not know how to articulate risk in financial and operational terms. The result is a situation where business executives do not understand the problem and technical people blame executives for insufficient attention to, and funding of, their security initiatives.
Resolving this cultural divide requires a strong commitment by business leaders and the empowerment of a DRO to build the organizational processes and best practices needed to measure and manage digital business risk: mapping the most important business processes, assessing their exposure to threats, quantifying business risk, and prioritizing risk mitigation initiatives. Building a DRM program will be complex, but it is a worthwhile investment for companies that want to strike the right balance between protecting the organization and running the business.
Business leaders will lead this transition towards a more consistent and unified approach to managing digital risk for two main reasons: the promise of better cost efficiency (investing where it matters) and greater risk assurance for their digital business processes.
*** Nicola (Nick) Sanna is the President of the DRM Institute, a not-for-profit organization formed to identify and communicate best practices for managing digital business risk. Previously, Nick served as CEO and COO of enterprise software and services companies in IT security, IT analytics and performance management.