Chapter 24
People Risk Management in the Digital Age

Julia Graham, Deputy CEO and Technical Director at Airmic, UK

Tom the CEO was chatting with Grace, his head of human resources (HR): “Do you remember that John Connor, a central character in the science fiction series The Terminator, believed that a war between humans and machines would occur?” Tom asked. He summarized the 2003 film, Rise of the Machines, the third film in the Terminator series: The president faced pressure to activate Skynet to stop a computer virus that was infecting computers all over the world. Grace finished the story for Tom. “Yes, toward the end of the film, John reached Crystal Peak, a nuclear base hardened against nuclear attack. He discovers that the facility is not Skynet’s core but a nuclear fallout shelter and that Skynet has no core because it was actually the Internet and the source of the virus spreading the whole time. Judgment Day begins as nuclear missiles are fired at several locations around the world, killing billions of people.”

Rise of the Machines

Fiction perhaps, but a decade on from the making of Terminator 3, fiction is becoming fact. Technology is infiltrating the world from every angle—from in-home sensors to telematics, and wearable devices; information is flowing between people, devices, and companies without any human intervention. But human intervention will remain important in the new normal of the digital world. Man will continue to be at the center of organizations, doing what man can do better than machines by adding value through creativity. However, man cannot be programmed like a machine, and it is man’s ability in the area of creativity that can at the same time be both an asset and a liability. In the film Rise of the Machines, man was the weakest link—his misreading of the scenario resulted in disaster. People make bad decisions for a whole range of reasons: they get tired and lose concentration, become scared and lose the ability to think rationally, or are demotivated and resentful.

Enterprise-Wide Risk Management

Like risk, there is no commonly accepted definition of people risk, but for the purpose of this chapter the following definition taken from Blacker and McConnell will be used: “the risk of loss due to the decisions and non-decisions of people inside and outside of the organization.”1 This definition looks at people through the lens of the individual and the organization, including employees, managers, and directors, from different functional and governance perspectives and external stakeholders including customers, suppliers, competitors, regulators, government bodies, the general public, and local communities. All can touch the organization and all can influence the achievement of the organization’s purpose and objectives and the operation of its business model.

The context of people risk is broad, ranging from routine decision making to complex analysis—and it is often the routine decision made badly through carelessness or maliciously by intent that can create the greatest severity of risk. Even worse is a poor decision communicated effectively, spreading its success like a financial disease. The careless use of a portable device can expose huge amounts of data that, even in quite recent times, would have required a computer the size of a small car to hold, and the release of simple but personal data has the potential to create enormous reputational harm and financial consequences and penalties. Where the context of people risk varies from more conventional approaches is that people are viewed as an aspect of enterprise risk and across the organization, and not through unconnected operational silos. Viewed this way, the potential for aggregation and interdependencies of risk inside and outside the organization can be more readily identified, assessed, and treated. Consequently, people risk is not solely the domain of the human resources department, and people risk in the digital age is not solely the domain of the technology or information security department—it is a cross-functional enterprise-wide activity.

The People Risk Management System

People risk should form part of the risk management system of the organization rather than operate as a separate function or silo—in any context, including the digital world. The digital environment is, then, part of the overall internal and external context of the organization, which should embrace all of the organization’s economic and social activities. This approach will help to ensure that risk management and associated controls are proportionate, reasonable, and achievable. It also facilitates the assignment of responsibility for risk across the organization. This is not rocket science but common sense. However, digital risks are often left to those who “best understand” them—there is an inherent fear of the unknown. Nobody likes to appear ignorant, and when questions about technology are raised, it is too easy to look the other way and expect those on the technology team to field the answers. Everyone today needs some level of digital knowledge. Effective enterprise-wide people risk management demands upskilling of knowledge in the organization, starting at the board and working up from the front line. As the typical key holders to the lock of training budgets, human resources have a key role to play in realizing this objective. The cross-functional management of people risks will help to ensure that training is appropriately targeted and delivered.

The Digital Governance Gap

Most executives take managing risk seriously. Yet crises continue to emerge as organizations continue to neglect basic oversight and processes and fail to identify training needs and fulfill them.

The perceived value of both tangible and intangible assets is relatively similar, with just a 3 percent difference according to Ponemon Institute research. On average, the total value of tangible assets reported was $872 million, compared to $845 million for intangible assets. When asked to estimate an average figure for the loss or destruction of all their intangible assets (or probable maximum loss/PML), again the estimation was similar ($638 million for intangible assets, compared to $615 million for their tangible assets). In contrast, both the impact of business disruption to intangible assets and the likelihood of an intangible asset or data breach occurring is seen as significantly greater than for tangible assets.2

According to a report from KPMG, the speed of technology change will be exponential, with data and data analytics the biggest area of investment. Forty-one percent of the CEOs who responded believe their business will be significantly transformed over the next three years.3 There are deep implications as the world moves toward a demand for business leaders who are more inventive big-picture thinkers, who can create a vision of change and frame it positively in this context. This does not imply that today’s leaders cannot be tomorrow’s leaders, but it does point toward the need for a change in the balance of leadership teams to reflect the knowledge, skills, and expertise of the digital world. This change demands a confidence in leaders to manage their reshaped teams and to forge new directions. Yet despite a 56 percent rise in boardroom ownership of cyber risk, the majority of firms are still failing to conduct or estimate the financial impact of a cyber attack, according to Marsh.4 The next step for the majority of respondent companies with a basic understanding is to conduct in-depth analyses into the issues, involving multiple groups within the organization, including information technology, executive management, legal, and risk management.

Cyber risk should be approached as an economic risk integrated with the business model and form part of the organization’s risk management and decision-making systems. Forming a cross-disciplinary team to focus on identification of the risks and the impacts they may have on the business was considered an important step organizations should take. However, there was little evidence of the majority making this commitment. The U.K. government used a nontechnical governance questionnaire to assess the extent to which boards and audit committees understand and oversee risk management measures that address cybersecurity threats to their business. The report concluded that U.K. companies have improved their understanding of cyber risks—yet 33 percent of boards have set and understood their appetite for cyber risk, which means 67 percent have not. Sixteen percent of boards have a very clear understanding of where the company’s key information and data assets are stored with third parties, which means that 84 percent do not.5 A report from insurer AIG reported that only half of the boards surveyed were taking external views on emerging risks into account.6 These reports taken collectively imply that boards are confident in their management of digital governance and cyber risk, while exhibiting a degree of complacency in making this assessment without sufficient command of the subject. Is there a cyber governance gap?

Tomorrow’s Talent

Many of the biggest organizations in the world have been built on foundations of “left-side brain excellence,” or logical and sequential management. The left side of the brain is especially good at recognizing events that occur one after the other and in controlling serial behaviors. On the other hand, the right side of the brain has an ability to interpret things simultaneously. It is the equivalent of the enterprise risk management side of the brain! “The left hemisphere of the brain specializes in text, the right hemisphere specializes in context.”7 Pink’s work is not new, but it does have the sense of a theory evolving into fact. One of the biggest people risks organizations face is their inability to attract and retain talent at all levels of the organization, including the top. “The Cyber Governance Gap” is perhaps an indication that the top of many organizations is lagging behind in this regard. The two sides of the brain, of course, work together—it is the growing respect and recognition of the value of people who exhibit “right-side brain” tendencies that is different. Those who are entrepreneurs and start disruptor businesses are unlikely to have a left-side emphasis. The point, and the risk, is that organizations need both.

The Digital Quotient

An expression used to describe the needs of the digital age is the digital quotient (DQ). According to Prashant Ranade, the vice chairman of Syntel, a leader can increase his or her DQ through the six following strategies:

  • Managing the unknowable. Recognize the boundaries of his/her own expertise and develop a network of experts to provide a strong foundation of knowledge.
  • Entrepreneurship. Identify trends so it’s possible to scale strong ideas and cut losses to minimize the damage that comes with taking necessary risks.
  • Mind mapping. See the big picture and establish clear boundaries that keep the primary goals in mind.
  • Discerning at speed. Understanding quality information and processing it clearly, at the speed of business.
  • Succeeding in the customer age. Meeting customer expectations and setting the ground rules for interactions.
  • Inspiring with technology. Using technology to tap each individual’s talents, skills, and best work.8

For many decades, the notion that the smartest people make the best leaders was a widely held belief. The idea of smartness—as measured by the intelligence quotient (IQ)—was viewed as a primary determinant of success, and it was commonly assumed that people with high IQs were destined for lives of accomplishment and achievement throughout their careers. Traditional leadership qualities like intelligence, toughness, determination, and vision are important, but tomorrow’s truly effective leaders will also need to display a high degree of emotional intelligence, which includes qualities like self-awareness, inspiration, empathy, and social and relationship management skills.

“With digital technologies like mobility, social networks, Big Data analytics, and cloud now deeply embedded in every aspect of our personal and professional lives, today’s business leaders need to possess a completely new set of capabilities in addition to IQ and EQ to succeed in the digital age.”9

Digital Leadership and the Emergence of the Digital Risk and Digital Risk Officer

At the end of the 1990s, the role of chief information officer (CIO) was ebbing out of fashion. Technology and information were increasingly viewed as commodities, and if the organization saw the value of a CIO at all, it was typically a junior managerial position. Everything now looks quite different. Organizations are now hungrier for knowledge about digitization and the ability to mine and manipulate data. The call for CIOs is not new, but the lack of focus on their value has perhaps led to the risk that suitable talent is in short supply. The CIOs that do exist are perhaps not as well equipped today as they need to be for tomorrow. Digital transformation requires expert leadership. According to KPMG, the number of CIOs with more senior reporting lines has doubled in recent years.10 Recognition of the “Cyber Governance Gap” and the risks associated with it should raise the relevance and importance of the CIO to organizations as a trusted expert and advisor.

Commentators on the professional scene foresee the emergence of a new breed of information- and technology-oriented professional. The digital risk and digital risk officer are likely to emerge in prominence and in number. Research by Gartner indicates that more than half of CEOs will have a senior “digital” leader role in their staff by the end of 2015, and that by 2017 one-third of large enterprises engaging in digital business models and activities will also have a digital risk officer (DRO) role or equivalent.11

The struggle of businesses to keep up with the predicted exponential change in the use of technology and information means it is almost inevitable that technology failures and information breaches will increase and that technology and information teams will struggle to keep pace with disruption and subsequent fixes. Technology, the Internet of Things, and more traditional security technologies will have interdependencies that demand a risk-based approach to governance and integration as part of the business model and the management of this. “Digital risk management is the next evolution in enterprise risk and security for digital businesses that are expanding the scope of technologies requiring protection. Digital risk officers will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk,” said Paul Proctor, vice president and distinguished analyst at Gartner. “Many traditional security officers will change their titles to digital risk and security officers, but without material change in their scope, mandate, and skills they will not fulfill this role in its entirety.”

The DRO is, however, not “more of the same”—the responsibilities of a DRO are not the same as those of the chief information technology officer (CTO) or chief information security officer (CISO). The DRO, CTO, and CISO are complementary, and these roles are likely to continue and to co-exist. Think of a financial function analogy and the responsibilities of the chief financial officer (CFO), the head of management accounting, and the head of financial control. The responsibilities are similar but also different—the seniority and reporting lines are radically different. The DRO will become the natural “go to” person for the board on technology and information as regards risk and controls assessment, and for the executive or C-Suite as regards future business opportunities and strategy. The DRO will work with peers including the CFO, general counsel (GC), data protection officer (DPO), compliance, chief risk officer (CRO), and digital marketing, sales, and operations team leaders.

Where will this new breed of DROs come from? DROs are likely to surface from the community of CTOs and CISOs. What will set the DRO apart is management. This is not only a technically informed role; it is a leadership role. New knowledge and skills will be required and not all current role holders will be able to rise to the fresh challenges of operating at a higher level.

Technology and information teams have been allowed to “do their own thing.” These functions were viewed as operational or “support,” and as long as business could be maintained, disruptions avoided, and “yes” uttered when new developments were demanded, the functions were left alone. Now they are in the spotlight. For organizations that have already taken the leap of change, life will evolve, albeit change and the pace of change will quicken. Elsewhere there will be a “churning” of talent as organizations seek to increase their digital talent pool.

A new “superset” of technology and information professionals will challenge current organization structures, the definition and division of responsibilities, knowledge, skills, and the tools and language required to systematically, effectively, and efficiently identify, assess, define, and manage technology and information risks and opportunities. Modifying existing teams to include the spectrum of digital risk is not an option. Future technology demands skills and tools deployed in a different cultural context to current technology, information, and security teams.

Digital enterprise risk management (DERM) will demand the adoption of enterprise-wide risk management (ERM) and the collaboration this demands. The potential to deliver the performance benefits recognized by adopting ERM opens up to the digital world as regards cost efficiencies, greater risk assurance for business processes, and quality of business performance. Digital risk management capability requires a demolition and reengineering of current organization structures and responsibilities and development of new capabilities in security and risk assessment, monitoring, analysis, and control. Demolition is a powerful word, but the transformational changes predicted in the digital age will not wait for evolutionary change.

“By 2019, the new digital risk concept will become the default approach for technology risk management,” said Proctor. “Digital risk officers will influence governance, oversight, and decision making related to digital business. This role will explicitly work with non-IT executives in various capacities to better understand digital business risk and facilitate a balance between the need to protect the organization and the need to run the business. However, the cultural gap between IT and non-IT decision makers presents a significant challenge. Many executives believe technology—and therefore technology-related risk—is a technical problem, handled by technical people, buried in IT. If this gap is not bridged effectively, technology and consequent business risk will hit inappropriate levels and there will be no visibility or governance process to check this risk.”12

Crisis Management

In order to be resilient, organizations must have clear processes in place to respond to threats.

Cyber Crisis Management Can Have a Number of Unique Characteristics

Although typically the domain of the information technology function, cyber-related incidents must be managed at an enterprise-wide level. An effective digital business model bridges functions including technology and information, the business, finance, human resources, legal, and risk management. Accountability and solid decision making are essential to facing cyber threats. Before disaster strikes, it is absolutely necessary to have a clear operating model in place.

The Dynamics of a Successful Crisis Management Team

  • Strong but consultative leader.
  • A pool of potential team members with competence and skills mix suitable for a portfolio of crises.
  • Relevant team members deployed according to the needs of the crisis.
  • Optimum size between 6 and 10.
  • Trained and rehearsed against multiple scenarios.

Some organizations have found that crises emerge when they neglect to manage “front-line” behavior and culture (which is the first line of defense against risk). Having a strong risk culture does not necessarily equate to taking less risk—risk-confident organizations may feel able to take more risk, and at times of stress and pressure following an incident they are likely to have a higher “chance” of survival. McKinsey has undertaken research which indicates that some people have characteristics that enable them to respond quickly.13

A crisis can help an organization to integrate risk management and digital risk management including crisis response, but this is better tested in rehearsal than in real time!

Risk Culture

Despite high profile failures of risk management in recent years, the cost and probability of failure is often underestimated internally and externally, including the time required to fix the problem. Risk taking remains a fundamental driving force in business: when managed correctly it drives competitiveness and profitability. However, when managed unsuccessfully, the results can be devastating.

The role of senior management in ensuring companies manage their risk successfully is of critical importance. Encouragingly, this is increasingly recognized in official guidelines. The Financial Reporting Council’s risk guidance published in October 2014 stated that the board should take “ultimate responsibility for risk.” And the FRC’s most recent risk guidance, “Corporate Culture and the Role of Boards,” published in July 2016, states that senior executives should “get out of the boardroom” to understand how their firms are behaving.

The importance of this is backed up by research commissioned by Airmic which identified “underlying weaknesses that made them especially prone to both crises and to the escalation of crisis into a disaster.” These weaknesses were found to arise from seven key areas, two of which were: board “risk blindness” and a risk “glass ceiling.” In other words, risk information did not flow freely up to senior management, usually due to cultural and structural barriers. The result was a failure of the board to properly recognize and engage with risks inherent in the business.14

The risk of the “glass ceiling” includes “risks arising from the inability of risk management and internal audit teams to report to and discuss, with both the ‘C Suite’ (leaders such as the Chief Executive, Chief Operating Officer and Chief Financial Officer) and NEDs.”15

Recognizing whether your company suffers from board risk blindness is not always easy, but there are red flags to look out for. Two of the key indicators for assessing “board risk blindness” are: tracking how and when people speak up and how their words are responded to; and how risk responsibilities are embedded in role responsibilities and reward systems.

Risk culture is not a new concept but it has gained traction and importance since the financial crisis. Risk culture is dynamic; it can be a mixture of formal and informal processes and may exist in more than one form. However, it is important that risk culture is set within the overall framework of the organization’s vision, mission, corporate culture, and risk management system. And, most importantly, it comes from the boardroom.

Conclusion

There is no blueprint for managing people risk generally, or in the Digital Age. However, instilling a digital regime comprising technology, business, risk and people solutions as part of the building blocks of an enterprise-wide people risk management system as part of the organization’s overall risk management system, is a great place to start!

The following cyber risk management statement represents those organizational capabilities that the CEO and board expect to be demonstrated in terms of people risk in the digital age.

Notes

About Airmic

Airmic is the association for everyone who has a responsibility for risk management and insurance for their organization. Members also include company secretaries, finance directors, and internal auditors as well as risk and insurance managers. We support our members in a range of ways: through training and research, by sharing information, through our diverse special program of events, by encouraging best practice, and by lobbying on subjects that directly affect risk managers and insurance buyers. Above all, we provide a platform for professionals to stay in touch, to communicate with each other and share ideas and information. The more people who take part in our activities, the more valuable we become.

About Julia Graham

Julia is the Deputy CEO of Airmic, the U.K. association of risk and insurance professionals. She heads the development of a technical agenda which includes strategic thought leadership on risk and insurance issues and the learning and development needs of Airmic members. Julia has been a risk and insurance professional for over 40 years, most recently before joining Airmic, as director of risk management and insurance at the global law firm DLA Piper. Julia is a Fellow of the Chartered Insurance Institute, Fellow of the Business Continuity Institute, U.K. lead expert for the development of the global risk standard ISO 31000:2009, Risk management—Principles and guidelines, immediate past president of the Federation of European Risk Management Associations (FERMA), and a nonexecutive director of several captive insurance companies. In what spare time remains she enjoys spending time being told what to do by her two daughters and sorting out her new home in Wiltshire.
