How to build a risk-based company in 4 Steps

Cybersecurity experts will tell you that the 2020 hacking of SolarWinds (and the regulatory fall-out that came after) sent shivers down their spines. But you’d be wrong to think that those fears have subsided over time, as a recent SEC move to sue the company has brought the shivers right back.

In the filing, the SEC contends that the company defrauded its investors by not being completely truthful about their vulnerabilities and risk management plans. The complaint specifically calls out SolarWinds CISO Timothy G. Brown for “failing to disclose known risks.”

While the lawsuit will take months to play out, one thing is already clear: risk management is not only important to a company and its business interests, but the leaders of a company are increasingly being singled out should that risk not be understood, documented, quantified, and managed. In other words, companies need to build strong risk management solutions (or revisit them) if they haven’t already.

For me, this is news decades in the making.

Risk as a liability

As I look back on my career as a risk expert, I feel privileged to have acted as both a Managing Director at one of the world’s largest financial institutions and also now as the President and co-founder of Thoropass, a rapidly scaling compliance and audit platform.

Within this range of experiences–from one of the world’s most successful companies to a nascent start-up–I’ve been a part of a lot of different, yet overlapping, conversations about how risk is managed by various stakeholders. At Citi, for example, I engaged in wide-ranging risk topics on behalf of my internal customers with regulators and the C-Suite. Now, at Thoropass, I oversee our Risk Committee, and am ultimately responsible for managing those risks as we help other companies manage theirs.

In a recent meeting with the Risk Committee, our CISO shared the following table, paraphrased from IAPP’s DPO Liability Whitepaper. As is becoming clear, mismanaging risk can now be seen as both a civil and criminal liability depending on the jurisdiction:

[Table omitted: paraphrased from IAPP’s DPO Liability Whitepaper]

This data is already slightly out of date, but as the recent SEC filing against SolarWinds shows, the trends are firmly in place and aren’t likely to retreat.

Prioritizing risk management at every level

Having seen times where risk assessment programs have failed, and those times when they have flourished, it is clear that certain key attributes are critical to building a strong risk management program, one that ultimately builds and enhances business value.

Unfortunately, I have also seen the opposite: where a poor understanding of risk and mitigation of risk destroys value, impacting shareholders as well as employees, their jobs, retirements, and the company’s ability to survive and grow.

Guiding a business requires alignment from top to bottom. And in the case of aligning a business with appropriate risk management approaches, it starts at the top with the Board.

In today’s world, public boards are increasingly being held accountable for cyber risk, so much so that they are being asked to ensure that they have cybersecurity expertise on their board of directors. These positions will go to people who will ask the right questions and ensure that a company’s risks are properly being managed and prioritized. These desired people are in tune with emerging threats, and have a network to rely on to continue to evolve their own thinking.

As seen in the SolarWinds example, the C-Suite may ultimately be held responsible for successful risk management. But from the boardroom to the cubicle, companies who foreground risk are being seen as the surest bet for investment and trust.

But, even with proper top-to-bottom alignment, what are the key attributes of a strong and successful risk management program?

4 steps to building a business through risk management

Based on years of experience, conversation, and reflection, I’ve come to see the following checklist as essential for any company serious about their risk management:

1. Build an open and transparent culture that supports risk awareness

  • Companies that are transparent and regularly share information with stakeholders about matters affecting the business are best suited to having a strong risk culture. This helps ensure that every employee at every level feels like a co-owner and collaborator for the business’s future direction.
  • An open and transparent culture around risk is critical, starting with the CEO and down to the Executive team. This type of culture encourages people to have open dialogue, to share concerns or areas of the business that “keep them up at night,” and ultimately ensures that employees know they are expected to raise red flags when warranted.
  • This doesn’t mean that every risk is critical or high and needs to be prioritized and mitigated. But it does mean that raised issues are documented and the right people are debating the issues’ validity, including the likelihood of a risk occurring based on data and facts, and ultimately the impact of the risk.
  • Above all else, transparency is key to fostering such a culture. What you don’t want are people hiding things under the rug, perhaps fearful for their jobs or afraid to admit past mistakes. Sunlight is the best sanitizer in this type of culture.

2. Establish strong governance and accountability

  • Identify a clear independent owner for a governance process and someone who has credibility with their peers and business partners. This means they have a deep understanding of the business, the technology, and the potential financial, reputational, regulatory and other risks that need to be managed.
  • This individual/function should have access to data and information to support the risk process that starts with risk identification.
  • Establish a risk taxonomy that can allow for risks to be properly identified and tracked from any business level or product level and aggregated to the organization level. Measures should be taken to properly quantify the impact of risks. This should be customized and unique because, for example, a payments platform that handles and stores credit card data has different risks than a chat application that is used by hospitals to share personal health information with patients.
  • Tracking risk levels over time is critical, as is a well-documented process acknowledging risk acceptance versus risk mitigation. This material needs to be shared on a quarterly basis, at a minimum, with the C-Suite and Board of Directors, in order to ensure decisions are understood and acknowledged at the executive levels.
  • Finally, the company must make a regular review of historical decisions. Planning for the future always starts with examining the past.

3. Invest in tools and measure

  • For years I have shared the phrase “people respect what you inspect, not what you expect.” I know this from experience, and this philosophy extends to many facets of any business. Having the right data, reporting, monitoring trends, and setting expectations and creating visibility is critical to having awareness and making the most informed business decisions.
  • Establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), and monitor trends that signal there may be changes in the risk profile of a business or functional area.
  • Invest in tools to help track risks across the company, improving risk identification, trends, and overall reporting and monitoring.

4. Tie responsibility to compensation

  • Any performance-based culture that factors in risk management for every business head will more likely avoid the perils experienced by SolarWinds. P&L performance, Risk, and Customer Satisfaction are three core tenets that I believe are important to a balanced scorecard approach for executive compensation.
  • Finally, if there is a failure that causes financial or reputational damage, compensation for accountable executives (and others) should be impacted. Especially in the situations where escalations have been repeatedly deprioritized, executives need to be held responsible for the business/risk decisions they make (or don’t make), and the organization needs to demonstrate that they take these responsibilities seriously.

Taken together, these four (admittedly robust) steps can lead to better business decisions by properly prioritizing risk management as part of a larger strategy. Tools, such as a Risk Register, help, too. Breaches and hacks can happen to nearly anyone, but by establishing these basic fundamentals, any organization can be safer and more secure as it builds toward uncertain futures.
