In recent years, Enterprise Risk Management has become increasingly focused on cybersecurity risks. In a pre-COVID 2019 survey report by Harvard Business Review (HBR) Analytic Services and PwC, survey respondents were asked what the CISO/cybersecurity leader's principal responsibilities should be in the next three years. The top two responses were to build an organization-wide cybersecurity culture (63 percent) and to formulate strategy for cybersecurity (51 percent). Next, tied with building and maintaining threat-resistant systems, was working with the risk management function to integrate cyber risk with the broader risk strategy (47 percent).
While this focus on cyber is understandable, the current COVID crisis has demonstrated that the unpredictable nature of cascading risks requires viewing risk through a much wider risk aperture. One way forward to successfully navigate this new risk frontier is the establishment of a Risk Operations Center (ROC). The ROC enables enterprise and technology leaders to have the continuous monitoring they require to proactively mitigate all cyber issues. Additionally, it fully supports the CISO/cybersecurity leader's principal responsibilities identified by the HBR survey.
Why cascading risks require a wider risk aperture
It's important for enterprise risk and technology leaders to consider risks that go beyond a singular cyber focus. As the current pandemic progressed, we witnessed many location events quickly cascading into financial and people risks before becoming significant technology and cyber issues.
For instance, the original location-based Wuhan epidemic risk quickly spread around the globe and cascaded into absenteeism risks and regulatory risks as governments enacted massive shutdowns. The shutdowns resulted in an unprecedented and previously unimagined rapid shift to work from home. This shift created considerable technology and cybersecurity challenges, including technology and hardware shortages, poor internet bandwidth, the volume of remote logins and increased cybersecurity risks related to remote work. Looking forward, as this crisis is prolonged, more suppliers' financial stability will come under threat. As a result, solutions maturity risks will increase, which could result in additional technology and cyber susceptibility issues.
Staying ahead of the curve requires continuously monitoring a broad risk framework that includes location-based risks like epidemics, natural disasters and social unrest as well as third-party risks like people, financial, solutions maturity, governance, regulatory and compliance risks. But it's not enough to anticipate what's coming next - enterprises need the structure to proactively act on this intelligence in order to effectively mitigate business disruption risks.
Presenting the Risk Operations Center (ROC)
The ROC proactively stays ahead of cascading risks by continuously monitoring for changes across the enterprise’s entire risk landscape. But it also assesses the potential impact, identifies risk mitigation actions, tracks incident resolution and identifies risk trends. As the risk landscape changes, it can be staffed up or down as needed but is always active, capturing real-time risk intelligence, fully prepared and ready to act proactively to enable faster, more effective risk mitigation responses.
The ROC comprises four components: the Risk Intelligence Monitoring Post to continuously collect real-time risk intelligence, a Workflow Tool to route relevant information to the right people, the Response Center to assess the intelligence for relevance and trigger internal and external actions, and a Feedback Loop to track risk mitigation actions until incident resolution. The ROC is staffed through a combination of technology, tools, analytics and people.
Within the ROC's Response Center, multiple specialized workstreams are assigned different areas of responsibility such as incident progression, workforce, technology, location, finance, authority, facility, third party and communications. This specialization creates subject matter experts with unique strategic insights. The workstreams communicate with each other and across the enterprise's business functions to share relevant risk intelligence, risk trends, anticipated cascading risks, expert guidance and risk mitigation action steps for both third-party and internal responses.
ROC benefits for CISO and technology leaders
In the same 2019 HBR/PwC survey report, the respondents were asked which leadership skills are most important for the success of CISO/cybersecurity leaders. Ranked most important was the ability to educate and collaborate across the business (84 percent), followed by the ability to communicate (82 percent), and tied for third were the ability to make data-driven decisions/take smart risks and strategic insight and ability (79 percent). All of these critical leadership abilities are supported by the ROC.
At its very core, the ROC functions to enable communication across the business functions for risk education and mitigation collaboration. As a result, integration of cybersecurity culture into the broader risk strategy should be a given. The ROC identifies the risks and provides risk intelligence and strategic insight. Security and technology leaders can thereby focus their attention on risk mitigation strategies and actions instead of on risk identification. A ROC provides the risk intelligence and strategic insights that enterprise and technology leaders will need to successfully navigate the challenges of ever-increasing security threats and risks.