
Enterprise Risk Management Transforms C Roles and Drives Brand Protection


Michael Meyer, CRO & CSO, MRS
Do you remember the old nursery rhyme where two pigs didn’t prepare for the wolf’s huffing, puffing and trickery…but one pig did? So what did the one pig do differently than the others? He evaluated all of the current and future “wolf risks” better, decided what needed to be done - and did it!
While the nursery rhyme is quite old and simplistic, it perfectly illustrates why, even today, some businesses end up in the news like Sony, Target and Home Depot and some don’t. We all know why these things happen: the world changes and we as business leaders don’t react fast enough because we haven’t incorporated and embedded enterprise risk management into our corporate DNA.
With risks such as data breaches becoming more common, complex and disparate in nature, a successful response demands a broadly integrated approach that cannot be handled and managed when it is split across multiple roles in a business. This, coupled with the need for decreased reaction time to events and threats (both internal and external), requires a streamlined reporting structure. So what we are seeing now for the first time is that many risk-related tasks and job roles are being consolidated as the pace and breadth of digital interconnectivity quickly expands.
This accelerating consolidation and associated increase in span of control for risk management personnel has been years in the making via different waves and iterations of integration. The first wave where physical security merged with information security took years to happen. Next came risk, compliance, and privacy merging. Today all of these previously diverse areas are merging together quickly into a centralized enterprise risk function to improve risk recognition, clarity and response speed. Depending on company size and the industry, this function usually falls under a Chief Security Officer (CSO) or the Chief Risk Officer (CRO) role.
While some industries are still in the midst of this process, and grappling with these integrations, other industries, such as the financial sector, have blazed the way. The financial sector was the first industry to experience this accelerating wave of risk and security mergers into a CRO function. This was brought about as a necessary, purpose-driven, survival response to increased targeting by hackers and near-constant government regulatory oversight and enforcement activity.
This consolidation of multiple risk roles under the umbrella of enterprise risk management and a single C role has made a number of very important, and to this day underappreciated, transformative additions to the business. The most important addition is that, for the first time, companies now have a single C role responsible for brand protection. While you could say that the CEO or executive team is responsible for this vital function, the truth is that, before now, when an event occurred there was at best a nebulous hierarchy of responsibility with finger pointing everywhere. To put it bluntly: protecting the brand is the most important responsibility of this new role.
Another addition that is realized by consolidating these different organizational roles into one C role is that it yields a new way of thinking about standardizing enterprise risk management and choosing or building an associated risk management framework. While there are many frameworks out there for businesses to model, most are guides on how things should work academically or in theory, instead of being based in day-to-day practicality for most businesses to use. Some provide great structural and organizational foundations like ISO 31000, COBIT or COSO, but lack the narrow focus that most businesses can use or start to apply quickly.
While each framework has its ardent adherents who can argue the pros of each, the best place to start in order to protect the brand is by looking at the business as a whole and finding which parts of these frameworks (or a combination of them) are closest to where you are now or to where you want to be. The next two steps in the process are the hardest. First, mapping your existing business processes and risks to the chosen or built framework and second, creating your plan to address the identified risks in priority order. While these steps are easy to say, they aren’t easy to do.
One of the things that we discovered going through this brand protection process is that client and customer data are the most important asset that we have to protect. We addressed this risk through three major steps. The first was to encrypt client / customer data at rest. The second was to treat every PC as a major risk point. In addition to having anti-malware, we added a further preventative step by installing the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft. This tool is one of the most important and useful security tools that most security people have never heard of, and it is provided at no cost. The third was to have different brands of external and internal firewalls, block inbound and outbound traffic for countries where we weren't conducting business, and, for those where we were, set threshold and frequency alerts on exfiltration of data. While we have many other security and enterprise risk management processes in place as a result of our brand protection process, these three building blocks represent foundational security measures that any organization can use to help protect its brand.
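As an added illustration of the third building block (this is example code, not tooling from the author or MRS), the following Python script applies the two firewall-side rules described above to outbound-connection records: a geo-block that flags any destination country outside the list where business is conducted, and, for permitted countries, a per-host alert when outbound bytes or connection count within a sliding window exceed a threshold. The record layout, the business-country list, the five-minute window and both thresholds are assumptions, and the log lines are constructed using documentation IP ranges.

```python
"""Geo-block plus threshold/frequency exfiltration alerting over outbound firewall records.

Added example; the CSV layout, country list, window and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical layout:
# timestamp,src_host,dst_ip,dst_country,bytes_out
# ws-017 pushes ~1.4 MB in 30 s, ws-042 opens six connections in 10 s,
# ws-099 talks to a country (placeholder code ZZ) where no business is done,
# and the final ws-017 record falls outside the earlier window.
SAMPLE_LOG = """\
2015-03-02T09:00:01,ws-017,203.0.113.10,US,120000
2015-03-02T09:00:05,ws-017,203.0.113.10,US,450000
2015-03-02T09:00:30,ws-017,203.0.113.11,US,900000
2015-03-02T09:01:10,ws-042,198.51.100.7,DE,2000
2015-03-02T09:01:12,ws-042,198.51.100.7,DE,2100
2015-03-02T09:01:14,ws-042,198.51.100.7,DE,1900
2015-03-02T09:01:16,ws-042,198.51.100.7,DE,2050
2015-03-02T09:01:18,ws-042,198.51.100.7,DE,2000
2015-03-02T09:01:20,ws-042,198.51.100.7,DE,2200
2015-03-02T09:02:00,ws-099,192.0.2.55,ZZ,3000
2015-03-02T09:30:00,ws-017,203.0.113.10,US,50000
"""

# Assumed list of countries where the business actually operates.
BUSINESS_COUNTRIES = {"US", "DE"}


def parse_line(line):
    """Split one CSV record into a dict with typed fields."""
    ts, src, dst_ip, country, nbytes = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst_ip": dst_ip,
            "country": country, "bytes": int(nbytes)}


def evaluate(log_text, business_countries=BUSINESS_COUNTRIES,
             window=timedelta(minutes=5), byte_threshold=1_000_000,
             conn_threshold=5):
    """Return alerts as (rule, src_host, timestamp) tuples in log order.

    Rules:
      blocked-country      destination country not on the business list
      bytes-threshold      outbound bytes from one host within the window exceed byte_threshold
      connection-frequency connections from one host within the window exceed conn_threshold
    A host re-alerts on a rule only after the condition has cleared.
    """
    history = defaultdict(deque)   # src_host -> deque of (ts, bytes) inside the window
    active = set()                 # (src_host, rule) pairs currently in alert state
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Geo-block: flag and stop; the firewall would not pass this traffic at all.
        if rec["country"] not in business_countries:
            alerts.append(("blocked-country", rec["src"], rec["ts"]))
            continue
        q = history[rec["src"]]
        q.append((rec["ts"], rec["bytes"]))
        # Drop records that have aged out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        total_bytes = sum(b for _, b in q)
        checks = {
            "bytes-threshold": total_bytes > byte_threshold,
            "connection-frequency": len(q) > conn_threshold,
        }
        for rule, hit in checks.items():
            key = (rec["src"], rule)
            if hit and key not in active:
                active.add(key)
                alerts.append((rule, rec["src"], rec["ts"]))
            elif not hit:
                active.discard(key)
    return alerts


if __name__ == "__main__":
    for rule, host, ts in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host} {rule}")
```

Run against the constructed log, this yields three alerts: a bytes-threshold alert for ws-017 at 09:00:30, a connection-frequency alert for ws-042 at 09:01:20, and a blocked-country alert for ws-099 at 09:02:00; the ws-017 record at 09:30:00 produces nothing because the earlier traffic has aged out of the window. In production the thresholds would be tuned per host class and the records would come from the firewall's export rather than an inline string.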
In the end, the organization that prepares itself holistically to handle modern-day risks by consolidating all enterprise risk management functions under one dedicated C title survives.
