Mishandling Cyber Risk Management is Risky Business

It looks like a lot of enterprises need to get their acts together when it comes to managing risk, and particularly the risk associated with cyber security threats and vulnerabilities.

There’s no question that awareness of threat vectors and the need for stronger defenses has increased in recent years. How could it not, with all the highly publicized data breaches? Yet recent research shows that many organizations continue to struggle with managing the risk associated with cyber activities.

For instance, the 2018 Cyber & Data Security Risk Survey Report by insurance firm Marsh & McLennan Agency (MMA) noted that there is a gap between perception and understanding of cyber risk. Digital technology, which has made it possible for enterprises to gather vast amounts of data, has also made it possible for attackers to gain access to that data, the report noted.

The firm surveyed 1,141 executives from small and middle-market organizations across North America, and found that they are clearly concerned about cyber risk but by their own admission do not have a grasp of how to protect themselves. Nearly 60% said they consider cyber attacks to be one of the top five risks they face; 78% said they were highly or at least fairly confident that their organization would be able to manage and respond to a cyber attack; and 82% said they were highly or at least fairly confident that their organization would be able to understand and assess a cyber attack.

On the other hand, only 18% said they had developed a cyber incident response plan, 34% had conducted a cyber security gap assessment; 36% had implemented a plan to train employees to recognize phishing emails; and 23% had conducted penetration testing of their online defenses.

“The disparity is considerable,” the report said. “Executives are clearly worried about cyber risk, but admit they do not understand the range of protective steps available to them. Notably, when senior executives were asked if their organizations carried cyber insurance, more than a third said they did not even know.”

Managing cyber and other risk well is not only prudent, it can lead to business growth. According to a report by consulting firm PwC released earlier this year, Managing Risks and Growth in the Age of Innovation, a distinct set of risk management practices can help organizations capture value from their innovation efforts and better manage related risks for further growth.

The firm surveyed more than 1,500 senior risk executives at organizations in 76 countries, and more than half (60%) said they manage innovation risk very effectively or somewhat effectively—a group of the survey population that the study refers to as “adapters.” 

The adapters outperform their less effective peers in several areas, including their level of influence over decision-making about innovation including implementing new technologies to develop new products, and the value they say their risk management function brings. Adapters are also two-to-three times more likely to express confidence in their risk management program’s ability to effectively manage risk from new technologies including artificial intelligence (AI) and the Internet of Things (IoT), and more likely to expect revenue growth.

Organizations are embracing the potential of emerging technologies such as big data, AI, and IoT, said Jason Pett, leader of PwC’s U.S. Risk Assurance practice. But risk management is often overlooked during periods of innovation. Adapters are the exception. “They are tackling risk differently, and are three times as likely to say their function contributes significant value, better positioning their organization to succeed in today’s quickly evolving business environment,” he said.

Given the many benefits of embracing innovation in a risk-conscious manner, PwC notes five distinctions that separate adapters from non-adapters:

• They engage early and often across the innovation cycle, being twice as likely as non-adapters to advise on innovative activities before the planning stage. 

• They take multiple actions to address their risk exposure from new initiatives, often taking four or more actions ranging from revisiting objectives and strategy to sharing the risk. 

• They adjust risk appetite and tolerances for various innovative activities, and most often when creating new products outside their core offerings and implementing new technologies. 

• They harness new skills, new competencies and new tools to support innovation. 

• They monitor and assess effectiveness of risk management in multiple ways, with more than half of adapters using external parties to assess their risk management capabilities. 

Organizations need to understand that risk management and innovation go hand-in-hand, the PwC report said. Awareness of the necessary actions to address both known and unanticipated risks that accompany innovation can help risk executives succeed in a fast-changing environment.