
Reinventing Risk as Opportunity


Adrian Brown, Chief Risk Officer, Seibels
Enterprise Risk Management is like a good coat of paint. It should provide protection as opposed to covering a multitude of sins.
As a former CIO and VP of IT, most risks look like an IT opportunity waiting to be implemented in my new role as Chief Risk Officer. I know this is a bias that I need to broaden but certainly cannot afford to ignore. So many risks reveal themselves in the data, and working back from that point to the sources and processes associated with that data allows the problem to be looked at from an enterprise perspective.
A “wake up in the middle of the night in a cold sweat” example would be credit card information.
No, it should never be stored unencrypted (if it is stored at all, and no, I have no credit card information at all in any of my databases, or files, anywhere!) but it opens the door to thinking about how this data is handled and the risks associated with it. If you accept credit card payments over the phone and you record phone calls, this part of the call needs to be deliberately not recorded. This becomes a training issue. If the information is entered onto a processing web screen, then you need to have the PCI certs for that vendor, and ensure that anti-virus software is sufficient on that terminal and that the employee entering the data has been properly screened and trained on how to handle the data. You have to ensure that this training is regularly repeated, and that audits of the phone conversations are performed to ensure compliance. The rules associated with this area change and need to be kept up with so that processes and training can be adjusted accordingly. And this is an easy one.
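The paragraph above turns on one control: card numbers must never end up at rest in places they do not belong (call notes, transcripts, ticket text, logs), and someone has to audit that this holds. The following is an added example, not code from the article or from Seibels, of the kind of detective check that audit could run: it finds candidate primary account numbers in free text, confirms them with the Luhn check so plain phone or order numbers are not flagged, and masks all but the last four digits. The function and variable names and the sample call-note records are my own constructions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits. (Constructed pattern; tune to your card brands.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every card brand uses this check digit, so it filters out most
    random digit runs (order numbers, claim numbers) that merely look
    like a card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (separators stripped) found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number with a masked marker keeping the last four."""
    def mask(m):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return m.group()      # not a card number; leave untouched
    return PAN_CANDIDATE.sub(mask, text)


# Constructed sample call-note records, as an audit job might read them from
# a ticketing or call-centre system. Only the second one violates the rule.
SAMPLE_NOTES = {
    "note-001": "Customer asked for a callback at 803-555-0100 re: claim 2024-1187.",
    "note-002": "Took payment by phone, card 4111 1111 1111 1111 exp 09/27. Receipt sent.",
    "note-003": "Order reference 4111111111111112 confirmed with customer.",
}


def audit_notes(notes: dict) -> dict:
    """Map record id -> number of card numbers found, for records that need attention."""
    findings = {}
    for rec_id, text in notes.items():
        count = len(find_pans(text))
        if count:
            findings[rec_id] = count
    return findings


if __name__ == "__main__":
    for rec_id, count in audit_notes(SAMPLE_NOTES).items():
        print(f"{rec_id}: {count} card number(s) found")
        print("  redacted:", redact_pans(SAMPLE_NOTES[rec_id]))
```

Run as a scheduled job over the systems the article mentions (call notes, recording transcripts, shared document stores), this gives the audit a concrete finding to hand back to training rather than a hope that the recording was paused. Note the limits: the Luhn check still lets roughly one in ten random digit runs through, so a hit is a lead to review, and the redaction is a clean-up for records that should never have held the number, not a substitute for keeping it out of them in the first place.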
How do you inculcate an awareness and culture that encourages people to be proactive in enterprise risk management? Clearly, one person or even a small department will be hard-pressed to keep up with all the external and internal changes that need to be addressed. If, on the other hand, you had a large and clearly competent group dedicated to this, wouldn't the rest of the enterprise become complacent and assume that everything was being handled by that group? Harkening back to my IT roots, even the best risk manager doesn't have that much insight into what a few lines of poor coding, poor patching practices, and emergency fixes could do to your organization.
Constant testing, questioning, and involvement of independent parties to look at the enterprise with a fresh set of eyes is needed. Often people new to the organization can see things that are obvious to them but just aren't seen by the people doing the everyday work.
Yes, asking your new employees to become de-facto auditors is a daunting thought. How do you encourage questioning of what is without introducing witch hunts and lower productivity?
An approach could be to draft people from the organization to participate in enterprise risk management committees. Yes, another hated committee distracting people from their work! As a young college student, I passed a billboard at a small church each day that had new sayings posted regularly. One that confused me at the time but which later became painfully clear was “And God so loved mankind, he didn't send a committee.” Still, recruiting good people for very short sprints of effort in this area could prove helpful. When something is found this way, recognition should be given to encourage everyone to help. Rotate new people through to get as wide a view as possible.
From the technology viewpoint, the ability to add outside services such as IPS (Intrusion Prevention Systems) and WAFs (Web Access Filters) is a very real plus. Multiple layers of protection from multiple vendors that enhance internal resources, people, and machines add to security and protect the company from data breaches. Not being dependent on too few people, but being able to rely on them to manage and backstop these services, works well. Getting the most from the devices and services is not a “set it up and forget it” type of thing. Understanding the updates and enhancements in relation to your company’s needs is critical. Communication between security techs, network techs, database administrators, developers, and business analysts is needed, as is someone keeping track of and documenting the issues that are brought up. SharePoint can be a great repository tool for keeping track of issues and effort, but it should not be relied upon as a single solution, as it can also be a black hole that things go into never to be seen again.
For electronic and paper data retention, there are specialists out there who devote their business lives to keeping up with regulations and technology to address this area. They are available for contractually designing and implementing sound practices, training people, and then coming back and auditing and training regularly. My company is using one of these firms to get a firm handle on where documents and data are stored and ensure that they are stored where they need to be and have the proper destruction dates and processes.
Microsoft’s O365 opens up new possibilities with the tools available. The ability for employees to keep data in the cloud is another area of concern. Planning for using this tool is critical in not letting it get out of control.
As you add new technology, applications, processes and people, you need to respond to the risk factors inherent in each.
Again, it is not just the job of the Risk Officer. It is the job of everyone in the company, because everyone’s job is riding on this being done well.
