Few would argue that a cyber attack does not pose a potentially catastrophic threat to any company; however, other less obvious, interconnected risk vectors can stack up and pose as big a threat, says Gary Lynam.
Overlooked risks in an unpredictable world
If the COVID-19 pandemic has taught us anything, it is that once-in-a-hundred-year events do happen and it is near impossible to predict when with any accuracy. This harsh fact has made us acutely aware of unforeseen threats that could be lurking anywhere. Top of that list for many businesses are probably cyber threats, which can manifest themselves in many forms (phishing, malware, ransomware, DDoS attacks etc.) and can strike at any time.
Although cybercrime grabs the headlines, it would be a mistake to focus on cyber risk alone rather than as one of the many interconnected risk components of any organization. Risks travel in clusters, so when a cyber threat emerges, whether it is due to perimeter penetration, unauthorised data access or malware, it is already associated with risk-related outcomes. It can provoke GDPR issues, which can lead to regulatory risks and result in remediation activities, financial loss and reputational damage. It is these consequential risks that businesses often spend too little time thinking about. The question is: how do we ensure we are well placed to mitigate such risks?
Identifying the key indicators for cyber risk management
Start with a risk appetite statement (RAS), a stated definition of the amount and type of risk a company is willing to take to safeguard or enable its strategic goals, broken down into subcategories, such as cybercrime, geopolitical, economic, or financial. Identify the associated metrics and assign a traffic light system to indicate the level of risk and whether it brings an upside or downside.
For example, if you were to map the risk metrics associated with a land war in Europe, you might measure supply chain implications, energy impact, and the consequences these will have on you and your partners/suppliers. This is all part of a bigger mapping process, whereby you document in detail the entire end-to-end process for your business. Identify each step at the most granular level and attach the requisite resources, such as person, software, hardware, supplier, data and location. Then, flesh out the vulnerabilities and apply red, amber, or green.
All this data is useful in and of itself but it becomes more valuable when you add a layer of smart analysis. Using a centralised, integrated repository, with an inbuilt analytical engine, provides output via a dashboard that can be easily digested and acted upon. However, it is essential that this approach is reproduced across the entire business and not just one unit. When it comes to metrics, insight is useful but not if the organization is running different processes in different areas; everything must be joined up, consistent, and integrated.
Be prepared for disruption at any time
As noted above, the COVID-19 pandemic has reinvigorated the use of scenarios, and shifted mindset to recoverability; organizations are now more accepting that disruption will occur. Recent events such as the TSB Bank’s record fine for operational resilience failings highlighted that organizations need to be prepared: don’t plan under the assumption something might happen; plan assuming that it already has. What next? What do your crisis management and business continuity plans look like? How do you ensure critical service maintenance?
Desktop simulations can be very helpful here to get people more engaged and involved with the scenario process. However, we are also seeing a significant rise in organizations seeking external help from independent experts to run live simulations, during which they take live critical systems offline to see what happens and whether contingency plans actually work. Just as airline pilots learn from actual flying time and not just simulations, this on-the-job approach yields impressive results and will best prepare you for the unexpected.
In addition to running real-world tests, it's helpful to have a conceptual view of your risk profile. We recommend what is known as the Risk Bow Tie technique, which helps provide a rational and pragmatic view of risk. This methodology analyses risk logically so we can adopt sensible responses and ensure a robust framework to understand and manage it. This approach can be broken down into four primary components:
- The root causes – where the risk begins
- The risk events – the events that link the causes to the impact
- The risk impacts – the impacts on your objectives
- Controls – measures that maintain and modify the risk.
Next steps to prepare for every eventuality
Ultimately, we need a deeper understanding of the interconnected nature of risks so we can be better protected against any downside coming our way. By encouraging a dynamic, open approach to risk we can boost operational resilience. Stop thinking about probabilities and act as if the worst has already happened. Prepare staff to be offline for a day when you purposefully stress test your systems; establish a satellite office to add capacity; set aside money on the balance sheet for a stormy day. These are a few ways to ensure your business is best placed to withstand another once-in-a-hundred-year event.
Gary Lynam is Director of ERM Advisory, Protecht.