Does your business have a Risk Management Process appetite?

Risk is part and parcel of business. CNBC’s most innovative companies list¹, actively recognises and rewards those organisations and leaders that take smart risks. They make big bets that are high-risk but also high-reward. While this isn’t the right approach for everyone it is demonstrative of the trade-off that’s required when delivering innovation at market-speed.

Despite security climbing higher and higher up the corporate agenda, those charged with delivering it, the CIOs and CISOs of the world, have started to develop a reputation for inhibiting progress as legislative concerns take precedence over innovation.

The effects of risk management

Simply put: organisations have to take some risks and avoid others. To do so, they need to be clear about what successful performance looks like. The answer will vary based on an organisation’s industry or the function within a business, but security professionals today should see themselves as enablers of progress. Information security risks should be viewed as manageable and no greater a problem than other forms of business risk.

In other words, security risk management requires accepting that certain risks will always persist and certain breaches will always occur, so businesses should have a strategy in place for dealing with them when they do. Rather than focusing on threat reduction, many CIOs are focusing today on threat education.

Steps involved in Risk Management Process

Effective risk management starts with identifying the immediate risks to your business and educating the board and your seniors on what these are and what they could mean. Effective risk management is everyone’s responsibility. A data breach can cause huge financial and reputational damage and CxOs and line-of-business employees should understand potential costs and likely steps in the event of a leakage.

Some organisations use incident or crisis simulation to help with this. This not only exposes any blind spots, it can also leave teams feeling more confident and better prepared for breaches should they occur.

Just as the cyber threat evolves, so should the governance and policies have associated with it. While a senior executive should lead attempts to modify the risk management strategy, everyone across the organisation should be able to contribute suggestions and help the business create the best possible coping mechanisms.

Risk Management Process checklist

• Remember that the wider business strategy can change quickly. Growth into new markets can lead to new financial and informational risks.
• The use of digital technology, such as social media and the cloud, can also have an impact.
• Your risk management strategy must scale with your business’ appetite for growth.

Managing the risk appetite between departments

For this reason, security policies need to allow for the acceptance of a certain level of risk in order to maintain cohesion within the organisation. Security breaches can and do happen¹, and just as important as preventing them is having an agreed process in place to deal with them when they occur, based on an understanding of what’s involved.

Risk management should be part of a holistic program to assess risk appetite, apply risk management principles and, finally, educate the business that a realisation of a risk is not a failure but a validation of an agreed process.

¹ Exclusive articles by CNBC cover BCG’s annual Most Innovative Companies report.