Maturing Business Resilience Through Integrated Risk Management

Sam Abadir, LockPath

With a new year comes a clear-eyed and optimistic perspective – a clean slate, a new leaf, a fresh start. It’s important to leverage these moments of clarity and opportunity into better planning before we are once again swept up in the muddle and rush of the daily grind.

The punishing disruptions of 2017 — hurricanes, massive data breaches, global ransomware attacks, and revelations of gross misconduct across many industries — should compel executives to focus on business continuity planning as they steer their enterprises into the uncharted waters of 2018. The list of new risk management priorities is already growing: GDPR compliance, cryptocurrency hacking, Shadow Brokers exploits, rapid Internet of Things proliferation, and Meltdown/Spectre vulnerabilities.

The disruptions, outages, and disasters capable of significantly impacting a modern enterprise can originate from many sources — internal and external, cyber and physical. The fallout can include damage to property and infrastructure, financial health, operations, and reputation, often in toxic combinations with cascading and unpredictable effects.

Careful, comprehensive risk assessment and detailed incident response planning are crucial to sustaining operations, revenue, and public trust in such a pressure-cooker environment.

Intelligent Risk Assessment

Business continuity/disaster recovery (BC/DR) planning optimizes the capabilities an organization needs to transition expeditiously from business interruption to business-as-usual. Modern enterprises dependent on a hybrid web of digital technology infrastructure and global supply chains cannot expect to respond and recover efficiently without well-rehearsed procedures and enterprise-wide systems.

The number of companies that have done little to none of this essential risk management work is astonishing; EY reports that 40 percent of businesses that experience a disaster go out of business within five years.

Thanks in part to Shadow Brokers exploits, a record-breaking breach at Equifax, and a cover-up scandal at Uber, board members are more attuned to their IT risks and more focused on BC/DR.

Business and IT leaders need to put data-driven processes in place so they know what to expect when risk becomes reality, and can communicate these insights to stakeholders. It’s important to model a variety of scenarios that include predictions about how long outages will last, how services, products, and revenues will be affected, what remediation will cost, and what the regulatory consequences might be.

Begin by planning around common threats and risks and mapping out possible scenarios specific to your company or industry. Prioritize risks such as hacking, fraud, and vendor failure.

Large-scale threats that are less likely but have potentially devastating consequences should still be addressed, especially if your business is particularly vulnerable to hurricanes or geopolitical strife. Initial efforts to mature business continuity should focus on identifying and planning for risks related to cybersecurity fundamentals, internal threats, and third parties.

Prepare for Things to Get Complicated

How do you plan for the unpredictable? This question goes straight to the core of integrated risk management. Only by acknowledging the complexity and interdependencies of modern enterprises – and implementing comprehensive systems and processes designed to find, define, and mitigate risks on a continuous basis – can we begin to develop greater control and agility.

Business continuity and incident response should be continuously optimized through coordinated planning, testing, and evaluation efforts. Controls should be selected based on risk assessments and implemented through systematized processes that can be tracked and analyzed.

BC/DR plans should be kept up-to-date, incorporating software, infrastructure, vendor, personnel, and regulatory changes in addition to shifts in enterprise offerings, consumer priorities, and markets. To address third-party risk, include resiliency-oriented planning up front in contracts, negotiations, and acquisitions. Consistently enforce high standards for security-by-design, especially with IoT vendors and implementations.

Finally, when considering how to mitigate the impact of negative events, don’t forget to think through the cascading effects. Business operations depend on an ecosystem of people, processes, and technology that is controlled both internally and externally.

In the midst of executing core BC/DR plans to get operations back to normal, executives and managers will also have to communicate with various stakeholders and resolve issues related to employees, customers, supply chain partners, health and safety, and regulatory compliance.

Resiliency Builds Trust

In times of opportunity, disruption, and disaster, the best outcomes are only possible when everyone pitches in. Resiliency requires vision, leadership, and investment. Because BC/DR program effectiveness impacts everything from the bottom line to brand reputation, initiatives should involve a broad selection of business and operations managers.

Our digitally transformed economy relies on public trust. Vulnerabilities evolve and overlap, attackers grow more sophisticated, and the public becomes wary (and weary) as headlines highlight dangers around every Internet corner.

As partners and consumers become more aware and discerning, they begin to see insufficient risk management, sloppy security protocols, and non-compliance with industry standards as willful negligence.

There’s a lot of work to be done. Business resiliency starts with good governance practices. Governance, risk management, and compliance (GRC) initiatives may not be perceived as exciting, but they are essential. We use automation and advanced analytics to enhance marketing, R&D, infrastructure management, logistics, and so much more.

We must similarly support GRC and IT security teams by investing in intelligent, flexible software platforms that streamline and centralize the systematic assessment, tracking, and remediation of risk across the enterprise.

Data and digital systems are critical to business operations. To keep everything running, we have to achieve levels of visibility and control that are only feasible through a combination of technology support, responsible leadership, and an enterprise-wide commitment to maturing resilient response and recovery capabilities.

Sam Abadir is the vice president of Industry Solutions at Lockpath, a leading provider of compliance and risk management software.