Last week, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40-50 board members very actively involved – because this is a hot topic for boards.
I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.
The set of questions can also be used by executive management, risk professionals, or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.
This is my list.
- How do you identify and assess cyber-related risks?
- Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
- How do you evaluate the risk to know whether it is too high?
- How do you decide what actions to take and how much resource to allocate?
- How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
- How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
- Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
- How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
- Can you respond appropriately at speed?
- What procedures are in place to notify you, and then the board, in the event of a breach?
- Who has responsibility for cybersecurity and do they have the access they need to senior management?
- Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?
I am interested in your comments on the list, how it can be improved, and how useful it is – and to whom.
I am interested in the topic of “leadership”. I have chosen to define it in terms of whether people willingly follow (or stay with) an individual.
While others identify as effective leaders those who have been at the helm of successful organizations, in my experience leaders are not limited to those whose organizations succeed. CEOs with poor leadership skills have seen their organizations excel – perhaps by luck or the ability of others within the organization. CEOs with excellent leadership skills have seen their organizations fail, through no fault of their own.
I have had the pleasant experience of working with several that I would call effective leaders. These are people I would willingly follow.
But they are all different. They have different qualities, each of which has made me want to work with and for them.
Is that your experience?
What has made you want to stay with or follow a leader?
The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that they have a cyberwarfare capability: not just one unit, but three. Other nations, including the United States, Japan, and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.
What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?
The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The number of successful attacks is enormous (a billion records containing personal information were hacked in 2014, according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year and the majority expect to be hacked this year. However, nearly a quarter, according to Fortune, have not only kept their heads in the sand but do so with unbelievable confidence: they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out they had been hacked, and even longer before they knew the extent of the damage.
Organizations need to be ready to respond effectively and fast!
The JPMorgan Chase article reports that “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”
All is for naught if successful intrusions are not detected and responses initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”
Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all by itself; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.
What else should we do?
We have to stop using passwords like ‘password’, the name of our pet, or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)
A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps – both from in-house developers and from external sources.
Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and business-practical suggestions for improvement.
Companies and individuals both need to make sure they apply all the security patches released by software vendors. Patches address the vulnerabilities most often targeted, and when there is a breach, very often it is because the patches have not been applied.
As individuals, we should have a credit monitoring service (I do), set up alerts for suspicious activity on our bank accounts, and apply all the anti-virus and spam protection that is reasonable.
Finally, as individuals and as organizations, we need to make sure we and our people are alert to the hackers’ attempts through malware, social engineering, and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.
Here are a couple of articles worth reading and a publication by COSO (written by Deloitte) on how their Internal Control Framework can be used to address cyber risks.
As always, I welcome your comments.
A new paper from RIMS (the Risk Management Society) carries the title Exploring the risk committee advantage. RIMS is an interesting organization. While it has some excellent members (including Carol Fox), when I attended their meetings I was struck by the number of people whose understanding of enterprise-wide risk management is limited. I hope the association continues its strong efforts to educate the many who started as managers of their organization’s insurance function and are now stepping up and leading their organization to an enterprise risk management system.
This new paper is a reasonable discussion of the role of a risk committee. It explains that a risk committee can take multiple forms, from a board-level committee (such as is becoming common in financial services organizations) to a C-suite committee, to an operational risk committee.
Because the paper has taken on these three different topics, it is not possible for the authors to dwell on any of them at any length. Instead, it sensibly suggests that each organization should determine what form of committee would add value in its specific circumstances (and that may mean it has one, two, or all three forms), define its objectives, develop a charter, and so on.
The paper then suggests how the risk officer can make use of these committees and what he or she should be doing to support them.
When I established risk management at Business Objects, the CEO agreed to a C-suite level risk committee. This small group of business leaders helped me ensure that we had a common process and language for risk management and were excellent ambassadors for integrating the management of risk into and across the organization.
But it was always clear that management was responsible for the identification, assessment, and treatment of risk. I was a facilitator, mentor, and so on.
I am not sure that is clear in this paper. I suspect that the authors see more ownership of risk by the CRO than I do.
At Business Objects, we did not have a risk committee of the board. The audit committee oversaw the risk management system, and the full board considered strategies and risks to those strategies together.
Do you have a risk committee (or multiple risk committees)? How well do they work for you?
MetricStream has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk, And Compliance Market Is Ready For Disruption (registration required).
I have had serious issues in the past with Forrester, their understanding and portrayal of risk management and GRC, their assessment of the vendors’ solutions, and the advice they give to organizations considering purchasing software to address their business problems.
However, they do talk to a lot of organizations, both those who buy software as well as those who sell it. So it is worth our time to read their reports and consider what they have to say.
I’m going to work my way through the report, with excerpts and comments as appropriate.
“…the governance, risk, and compliance (GRC) technology market is ripe for disruption”.
I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient, and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance, and so many more.
In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities, but only use some of what they have bought – and what they do use may not be the best in the market to address that need.
Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.
“A Corporate Risk Event Will Lead To Losses Topping $20B”
What is a “risk event”? This is strange language. Why can’t they just talk about an “event” or, better still, a “situation”?
I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage, and huge losses. I also agree that the losses continue to be sizeable.
But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market, or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).
Management should consider all potential effects of uncertainty on the achievement of objectives.
“Embed risk best practices across the business…Risk management helps enhance strategic decision-making at all organizational levels, and when company success or failure is on the line, formal risk processes are essential.”
The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as he or she makes a decision, so they can take the right amount of the right risk.
“Read and understand your country’s corporate sentencing guidelines.”
This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure.
“Build and maintain a culture of compliance.”
Stating the obvious. It is easy to say, not so easy to accomplish.
“Review risks in your current register and add ‘customer impact’ to the relevant ones.”
All the potential consequences of a risk should be included when analyzing it. Rather than ‘customer,’ I would include the issues that derive from upsetting the customer, such as lost sales and market share.
Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.
Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong.
However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.
I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.
What do you think of the report, the excerpts, and my comments?
Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance, and risk solutions?
By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.
According to McKinsey, “executives’ current perceptions of IT performance are decidedly negative”. An interesting piece, Why CIOs should be business-strategy partners, informs us that the majority of organizations are not benefitting from an effective CIO, one who not only maintains the infrastructure necessary to run the business but also works with senior management to drive new business strategies.
For example, the survey behind the report found that:
- “…few executives say their IT leaders are closely involved in helping shape the strategic agenda, and confidence in IT’s ability to support growth and other business goals is waning”.
- “IT and business executives still differ in their understanding of the function’s priorities and budgets. Nearly half of technology respondents see cost cutting as a top priority—in stark contrast to the business side, where respondents say that supporting managerial decision making is one of IT’s top priorities.”
- “In the 2012 survey on business and technology, 57 percent of executives said IT facilitated their companies’ ability to enter new markets. Now only 35 percent say IT facilitates market entry, and 41 percent report no effect.”
With respect to the effectiveness of traditional IT functional processes, few rated performance as either completely or very effective:
- Managing IT infrastructure – 43%
- Governing IT performance – 26%
- Driving technology enablement or innovation in business processes and operations – 24%
- Actively managing IT organization’s health and culture (not only its performance) – 22%
- Introducing new technologies faster and/or more effectively than competitors – 18%
There is a marked difference when the CIO is active. “Where respondents say their CIOs are very or extremely involved in shaping enterprise-wide strategy, they report much higher IT effectiveness than their peers whose CIOs are less involved.” McKinsey goes on to say:
“We know from experience that CIOs with a seat at the strategy table have a better understanding of their businesses’ near- and longer-term technology needs. They are also more effective at driving partnerships and shared accountability with the business side. Unfortunately, CIOs don’t play this role of influential business executive at many organizations. The results show that just over half of all respondents say their CIOs are on their organizations’ most senior teams, and only one-third say their CIOs are very or extremely involved in shaping the overall business strategy and agenda.”
The report closes with some suggestions. I like the first one:
“The survey results suggest that companies would do well to empower and require their CIOs and other technology leaders to play a more meaningful role in shaping business strategy. This means shifting away from a CIO with a supplier mind-set who provides a cost-effective utility and toward IT leadership that is integrated into discussions of overall business strategy and contributes positively to innovating and building the business. Some ways to encourage such changes include modifying reporting lines (so the CIO reports to the CEO, for example, rather than to leaders of other support functions), establishing clear partnerships between the IT and corporate-strategy functions, and holding both business and IT leaders accountable for big business bets.”
Is your CIO effective, both in supplying the infrastructure to run the business and in working in partnership with business leaders to enable strategic progress?
Is this a risk that is understood and being addressed?
I welcome your comments.
I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.
That title not only sets the expectations high, but sets KPMG up for a fall.
This is how they start us off, with an astonishing headline section:
ACs TODAY DEAL WITH A BROAD RANGE OF ISSUES, AND ACCOMPANYING RISKS, THAT ARE BEYOND FINANCIAL STATEMENTS, REPORTING AND INTERNAL CONTROLS OVER FINANCIAL REPORTING – THEIR TRADITIONAL AREAS OF RESPONSIBILITY.
These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.
My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.
THE DAYS WHEN THE AC AGENDA WAS SOLELY DOMINATED BY AUDIT MATTERS AND TECHNICAL ACCOUNTING DISCUSSIONS ARE GONE.
Sorry, KPMG, but the world does not spin around the axis of the CPA firm.
Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:
“Organizations today rely heavily on technology to manage internal processes and external customer relationships; it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”
In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid to late 1980s relied “heavily on technology to manage internal processes and external customer relationships”.
So what are the changes that should be happening at the audit committee? Here are six ideas:
- The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk du jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
- The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
- With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
- Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
- The COSO 2013 update of the Internal Control – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from strategy-setting to marketing, finance, and operations, with the information they need to drive success. This is not just about the deployment of big data analytics, because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
- With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?
If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.
I welcome your comments – especially on these six suggestions.