Posted by Claston Brown
Modus Operandi - Risky Business
The Modus Operandi Article Series was developed to discuss specific modes of operating that impact various aspects of a business, whether negatively or positively. The series seeks to provide awareness and insight to business leaders, management, and staff from an information systems audit and risk management perspective. While the general theme of the articles will remain the same, the topics discussed will be thought provoking, relevant to the current business climate, and will span multiple industries. This is the first article in the Modus Operandi Series, titled Risky Business.
Is it still business as usual?
Recent changes in the global business landscape due to the COVID-19 pandemic have resulted in increased reliance on Enterprise Risk Management (ERM) processes, whether through the implementation of BCPs, risk assessments, data privacy and protection assessments, or responses to cyber threats such as ransomware attacks. The robustness of ERM programs globally has been significantly tested over the last six months. As a result of this disruption, increased reliance has been placed on ERM as a key enabler of the strategic objectives of both established and developing organizations. The resilience of any business is directly linked to the effectiveness of its risk management, whether through formal or informal methods.
Risks are often perceived as hypothetical scenarios that will never manifest within an organization. This occasionally happens without the realization that every action taken within a business involves risk. It is the effectiveness with which these risks are identified, assessed, remediated, and monitored that determines the level of value and reward derived from each business process. If a business is viewed like a vehicle, risk-taking would be the engine that enables it to achieve its objectives, or in other words, to accelerate in a specific direction. Enterprise Risk Management would then be the safety features that increase the chance of that vehicle arriving at its desired destination. Ineffective risk management, however, would render the safety features useless and in some instances remove them completely. This creates blind spots within organizations, resulting in management making misinformed decisions due to the absence of a complete and accurate view of enterprise risks. This can have a chain reaction, where management initiates business processes with elevated risks under the perception that these have been adequately mitigated.
When the risks exceed the organization’s tolerance threshold and sufficient controls have not been implemented to remediate exposures, the risks associated with these processes are realized and significantly impact the organization’s ability to achieve its business objectives, which in turn adversely affects its reputation, profitability, and sustainability. If the entity operates within a highly regulated industry, the risk occurrence might also result in penalties and hefty fines. This, aggregated with reputational damage (which is difficult to recover from) and other intangible damage, might be detrimental to the business. Organizations seldom recover from significant risk events without effective risk management, unless they have adequate financial support, as evidenced by the recent move by the Federal Reserve to provide funding to the US economy in response to the COVID-19 risk event. The extraordinary circumstances and environment in which businesses are operating today highlight the importance of having a robust ERM program in place.
The method of Enterprise Risk Management employed by an organization should always be based on its operating environment, business objectives, and risk culture. It should be noted that misalignment of any of these key areas may negatively impact the effectiveness of the ERM process. The primary goal of any risk management program is to ensure the business achieves its objectives while deriving value and keeping risk exposures within an acceptable threshold. It is imperative that an organization does not execute business processes where the risk outweighs the reward. In addition, risk appetite should not exceed the ability to withstand the consequences of a risk. Due care should be taken when assessing the risk appetite and tolerance levels of an organization to ensure the results are accurate, complete, and provide a true representation of business resilience.
As an entity develops and becomes more mature, streamlined, and optimized, so should its Enterprise Risk Management. A mature ERM process includes the effective management of operating and IT risks to facilitate value creation, along with the development and maintenance of an up-to-date risk register that provides the status of all risks identified within the organization. This register can feed into a risk profile that provides a holistic view of aggregated risks and the inherent and residual exposure levels associated with each. This allows the business to ensure that low-level risks, when aggregated, do not become significant risks. These can be monitored and assessed through the implementation of Key Risk Indicators (KRIs), which can be used to predict the emergence of risks or facilitate an optimized risk response.
In conclusion, with the effective implementation of these key elements of risk management, businesses will see an increase in value creation and realization across business processes. It will also result in process improvements such as greater effectiveness and efficiency, and a reduction in risk incidents and their impact. At a minimum, effective risk management should result in the impact of risk events being within tolerable levels that may sometimes be deemed immaterial to the business. However, regardless of the ERM approach an organization decides to take, it should always ensure that the approach is tailored to fit its specific needs and unique operating environment.
Topics: Risk and Compliance
Claston Brown is a CISA, CRISC Certified Information Systems Auditor/Consultant with over 7 years’ experience in IT Audit, Information Security, and Data Analysis. His experience covers a wide range of industries including Banking & Finance, Insurance, Telecommunication, and Manufacturing. It is with this wealth of knowledge that he provides a holistic and unique perspective on the Information Systems Audit and Security landscape.