As an IT, data management, or infosec and compliance leader, you are responsible for finding potential risk, reducing it, dealing with its aftermath, and reporting to your CEO what you have done, or should do, about it.
Risk from the CEO and Board Perspective, written by two former KPMG executives, Mary Pat McCarthy (currently on the boards of Micron and Palo Alto Networks) and Timothy P. Flynn (currently on the boards of JPMorgan Chase and Walmart), still contains relevant guidance to help you level up your risk planning and understand how your top executives see risk.
How Much Risk Can You Handle?
The first step toward improving operational risk is recognizing that there is a real chance of loss caused by deficiencies in IT systems, business processes, and internal controls. Risk management that addresses all three of these areas can improve your risk profile.
The book suggests these as basic questions top executives should ask themselves as they factor risk into their business plans and agendas:
- What’s your perspective? Is the primary concern reputational risk? What are the complex interrelationships among risks? For example, how might global expansion affect operations risk, and how does that relate to market risk?
- What’s at stake? Many corporations have failed because they failed at risk management. Two examples: Barings Bank in the UK, sold to the Dutch bank ING for one pound sterling in 1995, collapsed because of a rogue trader and insufficient internal controls. Cendant, created through the merger of HFS and CUC International and owner of Century 21, Coldwell Banker, Avis, Days Inn, Howard Johnson, Ramada, Super 8, Travelodge, and other businesses, saw its share price collapse when an accounting irregularity, traced to fraud that began at CUC, triggered a shareholder selloff.
- What’s your risk appetite? “A corporation’s risk appetite is really that of the people responsible for its consequences: executives, managers, shareholders, and stakeholders,” write the authors.
- Who’s managing your risk? The CEO may be ultimately responsible, but most of the risk-management effort usually lies with someone else: a CISO, CFO, or CRO.
- Where are you on the risk continuum?
Stage 1: There is no formal process for finding and managing risk other than physical asset insurance policies.
Stage 2: Risk identification and management is a formal process flowing through the company’s silos and embedded to a degree in business and operational planning.
Stage 3: Enterprise risk management is integrated into business and operations processes that force alignment between the corporate vision and line-of-business goals. It includes knowledge of your goals, environment, strengths, weaknesses, options, and what you know and don’t know.
- What’s your risk profile? The authors quote David McNamee (currently professor of leadership at University of Arkansas Grantham). “Managers often spend so much time dealing with the significant risks in the present that they find it difficult to deal with risk in a longer time horizon. If risk planning encompasses longer planning horizons, we have greater potential to take advantage of opportunities.”
Other gems from the book:
‘Near Misses,’ Internal Controls, and Opportunities to Improve Risk Management
Catastrophic events are often preceded by near misses that offer opportunities for improvement. The more attuned your organization is to tracking leading indicators, the more time and room to maneuver you will have when a problem surfaces. This blog sets out how near misses (compliance violations, data theft, court-ordered data holds) were found through global file system log monitoring: the system surfaced the outlying events (the near misses) early enough to head off the problems they signaled.
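To make the near-miss idea concrete, here is an added example (not Panzura's code, and not the monitoring described in the linked blog) that runs three simple checks over a constructed file-activity log: writes or deletes under a court-ordered legal hold, access to a restricted share by an unauthorized user, and a user reading far more distinct files in one hour than the rest of the population, which is the classic precursor to data theft. The log format, users, paths, hold list, allowed-user map, and thresholds are all assumptions made for illustration.

```python
"""Surface file-activity 'near misses' from a constructed sample log.

Added example, not Panzura's code. Hypothetical log format:
    "<ISO timestamp> <user> <action> <path> <bytes>"
Users, paths, the legal-hold list, the restricted-share map and the
thresholds below are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed court-ordered hold: nothing under these prefixes may change.
LEGAL_HOLDS = ("/share/legal/case-118/",)
# Assumed compliance rule: path prefix -> users allowed to touch it.
RESTRICTED = {"/share/hr/": {"hr-admin"}}
# Bulk-read detection: flag a user-hour that reads at least this many
# distinct files AND at least BULK_FACTOR times the median user-hour.
BULK_FLOOR = 10
BULK_FACTOR = 5


def build_sample_log():
    """Constructed sample data, not a real capture."""
    lines = [
        "2024-03-04T09:00:01 alice READ /share/eng/spec.docx 20480",
        "2024-03-04T09:05:10 alice WRITE /share/eng/spec.docx 21000",
        "2024-03-04T09:07:00 bob READ /share/fin/q1.xlsx 50000",
        "2024-03-04T09:10:00 bob READ /share/fin/q2.xlsx 51000",
        "2024-03-04T10:00:00 erin READ /share/hr/salaries.xlsx 30000",
        "2024-03-04T22:20:30 dave DELETE /share/legal/case-118/exhibit-3.pdf 0",
    ]
    # carol pulls 25 distinct case files in one late-night hour.
    for i in range(25):
        lines.append(
            f"2024-03-04T22:{i:02d}:00 carol READ "
            f"/share/legal/case-118/doc-{i:03d}.pdf 900000"
        )
    return "\n".join(lines)


def parse(text):
    """Parse the hypothetical log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(nbytes)})
    return events


def detect_near_misses(events):
    """Return (kind, user, detail) tuples for each outlying event."""
    findings = []
    reads = defaultdict(set)  # (user, hour) -> distinct paths read
    for e in events:
        # 1. Any modification under a legal hold is a violation.
        if e["action"] in ("WRITE", "DELETE", "RENAME") and e["path"].startswith(LEGAL_HOLDS):
            findings.append(("legal_hold_violation", e["user"], e["path"]))
        # 2. Restricted shares: anyone outside the allowed set is a finding.
        for prefix, allowed in RESTRICTED.items():
            if e["path"].startswith(prefix) and e["user"] not in allowed:
                findings.append(("restricted_access", e["user"], e["path"]))
        # 3. Collect distinct files read per user per clock hour.
        if e["action"] == "READ":
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            reads[(e["user"], hour)].add(e["path"])
    # Compare each user-hour against the population, not a fixed number only,
    # so the threshold adapts to how busy the share normally is.
    counts = [len(p) for p in reads.values()]
    threshold = max(BULK_FLOOR, BULK_FACTOR * median(counts)) if counts else BULK_FLOOR
    for (user, hour), paths in reads.items():
        if len(paths) >= threshold:
            findings.append(("bulk_read", user,
                             f"{len(paths)} distinct files at {hour:%Y-%m-%dT%H}:00"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in detect_near_misses(parse(build_sample_log())):
        print(f"{kind:22} {user:8} {detail}")
```

On the constructed log this flags dave's delete under the hold, erin's read of the HR share, and carol's 25-file late-night read; alice and bob, who read one or two files, stay below the median-based threshold. In a real deployment the hold list and allowed-user map would come from the legal and identity systems rather than constants, and the baseline would be computed per user over days rather than over a single hour.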
The authors cite requiring stronger passwords as another internal control that can greatly affect risk, writing that network security can be bolstered as much or more by this control than by installing millions of dollars of security detection systems. Their reasoning is that if you reduce the chance of internal operational-risk events, you also reduce the probability and the severity of disastrous external events.
Risk Management Executive Sponsorship
To be effective, every risk-management project needs an executive sponsor. Otherwise, teams can easily get caught up in the details while missing big-picture issues. High-level sponsorship is also needed because many risks, especially those that could affect your data, cut across multiple functions and departments. The right executive will also have the best sense of the broader risks, such as the impact of a crippling virus on your brand and reputation, and should be in a position to advise on the possible monetary consequences.
Processes and Communication Make the Risk Management Difference
Operational risk management needs an organization-wide understanding that risk is managed through processes linked to business strategy and the ability to generate returns. Companies that are good at expressing their global aims, that encourage internal communication and cooperation (collaboration), and that use checks and balances for decision-making are less likely to be blindsided. And of course, in planning the review and response to risks, there will be myriad trade-offs related to security, costs, and convenience.
Contingency Plans for Data Handling and Related Operational Risks
Business continuity plans are, of course, crucial. And multifaceted. If you experience an earthquake, it isn’t just the buildings at risk. Leadership is going to have to decide if the organization carries a billion-dollar property insurance policy or not. For your part, how could a disaster affect data access and your ability to keep the business running, to continue developing and producing your products and services? Among other problems, without proper planning, your company could find itself the defendant in a shareholder lawsuit.
Obviously, the most important contingency plans cover your most important assets, and your data and access to it are high on that list. The following contingencies for business continuity and data protection stand out. If you haven’t looked at the file management space lately, innovations in data management are improving enterprise productivity, efficiency, long-term cost optimization, ransomware resilience, multi-cloud flexibility, and data archive portability.
The risks of data loss, degraded data access time, and poor data quality
With the Panzura CloudFS global file system, the risk of data loss from external causes is engineered out as far as possible. How can we make this claim? Network snapshots capture the state of the entire file system’s content, the data itself lives in a secure cloud object store, and the metadata is held at every location, so unstructured files remain safe and recoverable.
Further, the system enables team members, regardless of location, to access and/or work on the same document at the same time without the risk of losing or splintering data into multiple copies. In addition to monitoring to preserve data security (see Near Misses above), version control and file sharing capabilities drastically reduce the risk of internal and external data loss and help preserve data integrity while upholding local-like access times.
The risk of cyberthreats
US Department of Defense-grade security from edge to core to cloud, always-on governance, comprehensive data management, and detailed file activity reporting are among the tools needed for regulatory audits and for cybersecurity monitoring and protection.
The risk of disaster
Disaster Recovery (DR) without data duplication is a new concept. Why duplicate your data store and pay for that storage if there is a better way? The hybrid cloud is ideal for DR and other problems. Frequent network snapshots and continuous, local-feeling replication to the cloud object store ensure that the latest versions of your critical files are always held off-site, and full encryption protects them in transit and at rest. With that copy secured in the cloud, and with the help of Panzura support teams, if disaster strikes you can quickly set up emergency access and recovery.
The risk of cloud and site outages
Cloud object stores do occasionally suffer outages. Cloud mirroring raises availability by simultaneously writing data to two object stores, so an outage of one does not interrupt access to your files. In addition, the convenience of a completely portable vendor-neutral archive (VNA) gives you the flexibility to move your data to any cloud or multi-cloud. High availability (HA) nodes for local and global failover supply protection against abrupt shutdowns.
The risk of ransomware
You can protect against data loss and damage from ransomware by bolstering data resilience in cloud storage. Instead of restoring from a backup repository, lightweight network snapshots enable fast restoration through a straightforward process of selecting a state from before the attack began. Panzura snapshots supply a recovery time/recovery point objective (RTO/RPO) of 60 seconds. One practical caveat: pick a snapshot that predates the first encryption or mass-rename event in the file activity log, not merely the time the attack was noticed, since a snapshot taken after encryption began will restore the encrypted files along with everything else.
The risk of always-increasing storage costs
Without the need to duplicate data for DR or backup, or create multiple versions of a file, storage costs are reduced. Furthermore, by continually deduping and compressing files—as well as by storing only changes (in lightweight metadata)—as your data grows in volume, your storage footprint grows at a much slower rate.
Approached with the appropriate people, tools, and policies, risk management helps achieve corporate goals with fewer surprises. The only alternative is the much more embarrassing, expensive, and time-consuming crisis management.
Risk is as pervasive as your data, one of your most valuable assets. Managing the risk of cyberthreats and ransomware is only a start. Get full value from your data treasure by making it visible, quickly accessible, usable, and always available. Watch this webinar on Keeping Unstructured Data Secure, Visible, and Compliant.