4 Focus Areas in Enterprise Risk

Management for 2016

Posted by Infinitive Difference Blog
March 11, 2016 0 comments

With data breaches continuing to

dominate the news cycle on a regular basis, data security was clearly a priority in
2015 for risk management and security professionals. Not surprisingly, we believe
that data security will continue to be a key issue in 2016.
What else will be top-of-mind challenges for enterprise risk managers in 2016? We
asked our ERM experts to share their thoughts on where risk managers should
spend their energies in the year ahead.
Without further adieu, here are our thoughts on what companies need to focus on
in order to have solid risk management strategies in place in 2016 and beyond.

4 Things Enterprise Risk Management Leaders

Should Do in 2016
1. Carefully Cultivate an Appetite for Risk

Theres a good chance that we could see fall-out from natural disasters, as with
the rains in Chennai in December 2015, as well as from financial instability in
domestic and world markets. Then, of course, there are always the opportunities
for data breaches targeting different types of companies and industries.
Regardless of the cause, risk management should start with defining what a
companys appetite for risk is, and then quantifying those risks. A good risk
management strategy will clearly define KPIs that can be tracked and measured
and identify incidents that pose a real or apparent threat of financial losses. Its
important to consider what could go wrong for a company, including natural
disaster, competition, corporate espionage, and the worst possible outcome of
product or service failure.
Risk appetite also plays into business continuity. Running a successful company
requires an understanding of how to serve customers, regardless of market
conditions. Business continuity plans help companies keep going through natural
disasters, economic downturns and bad publicity.
While some business owners like to believe that they can quickly come up with a
Plan B to work through a crisis, the worlds best corporate leaders spend
time making plans for events they hope will never happen.
Heres one example: the lessons learned from Hurricane Sandy back in
2012 showed how a weak infrastructure in the Northeast was crippled by a storm.
Had local government officials had a more developed risk appetite and better

business continuity plans in place, the response would have been more robust and
the recovery would have been swifter.
Americas East Coast has already seen a major weather event in the form of
Januarys blizzard (and the West Coast is in the midst of a significant drought)
who knows what else the year has in store? Preparation will be key.

2. Honor Data Privacy Day 365 Days a Year

We celebrated Data Privacy Day in January, and we continue to maintain that the
key tenets of data privacy should be on a companys radar every day of the year.
Were still firmly in the Age of the Hack and its important that companies have a
robust data loss prevention posture.
Through all the security breaches of 2015, hackers were able to steal sensitive
data from organizations, ranging from banks and multinational conglomerates to
online dating services, affecting millions of customers and employees. It was
a(nother) terrible year for data privacy and security and a wake-up call for boards of
directors, company executives, and corporate legal departments everywhere.
Strong data loss prevention (DLP) means identifying, monitoring and protecting
data in use, data in motion on your network, and data at rest in your desktops,
laptops, mobile phones or tablets. Through deep content inspection and a
contextual security analysis of transactions, DLP systems act as enforcers of data
security policies.
These are must-have items for any business that has dataAnd these days,
thats just about every big company out there. As weve stated time and again:

hackers go after any data they perceive to be valuable, meaning any company
could be a target but not all have to end up as victims. Weve got more on what
effective data loss prevention looks like outlined in this free checklist download it
now.
Dont forget about third parties, either. Maintaining good third-party due diligence
can pay dividends when you consider that many recent breaches occurred
because of third-party risk. The recent incident at Experian that exposed the data
of millions of T-Mobile customers is a prime example. Effective monitoring starts
with the identification of those third parties that present the greatest risks.

3. Secure Your Information Systems

The security of todays information systems go far beyond the general protection
measures that were once considered ample security against intrusion. For many
companies that are implementing new technologies, one of the top priorities during
the planning phase is security. There are many different aspects that define the
overall security of a companys infrastructure. One area which cant get enough
attention based on the risk involved is patch management.
Patching is the process of repairing system vulnerabilities that are discovered after
the infrastructure components have been released on the market, and its one
of the key things organizations need to have as part of their approach to data
security. Patches apply to many different parts of an information system, which
include operating systems, servers, routers, desktops, email clients, office suites,
mobile devices, firewalls, and many other components that exist within the network
infrastructure.

The number of patches, which are required on a consistent basis, can be

overwhelming. This is why it is necessary to devise a patch management process
to ensure the proper preventive measures are taken against potential
threats. Verizons 2015 data breach report found that just ten vulnerabilities
accounted for 97% of breaches and most attacks exploited known vulnerabilities
where a patch has been available for months, often years.
On the topic of information security, its also key to make sure you consider the
human factor, i.e. your employees. One of the best ways to make sure employees
will not make costly errors is to institute company-wide security-awareness training
initiatives including classroom-style training sessions, security awareness
website(s), helpful hints via email, or even posters. These methods can help
ensure employees have a solid understanding of company security policy,
procedure and best practices.

4. Take a Strategic Approach to Risk Management

Its clear that the time for a broader adoption of strategic risk management has
come. Generally speaking, there is a clear platform and foundation for further
focusing ERM teams on the strategic and high-value aspects of ERM. In other
words, its time for businesses to get more strategic about their approach to risk
management. The good news is that strategic risk management is gaining traction
in a range of industries, largely because its delivering results.
A 2015 Harvard Business Review blog post, How to Live with Risks revealed
that strategic risks have caused 86% of significant losses in market value over the
past decade. Despite this fact, only 6% of auditors time was spent reviewing and

analyzing strategic risks. What we take away from this article is that strategic risks
have been the greatest source of significant losses in market value in the past
decade, and if history is any indication, they will continue to hold the same or
greater importance moving forward.
Our take is that organizations must assess their approach and previous strategy
regarding strategic risks and ensure organization-wide and business-level strategic
plans account for, and incorporate, handling, monitoring and management of
strategic risks. At the end of the day, strategic risk management starts at the top
the leadership needs to understand the value of risk management and make it a
priority.

Learn more about the hottest

topics in todays digital world at #DigitalBrainFest
Check out www.digitalbrainfest.com for complete agenda, speaker line-up and
registration.
Filed Under: Enterprise Risk Management, NewsTagged With: Business Continuity, Data
Loss Prevention, Data Privacy, Data Security, Information Security, Patch
Management, Risk Appetite, Strategic Enterprise Risk Management, Third-Party Risk
- See more at: http://www.infinitive.com/2016/03/11/4-focus-areas-enterprise-riskmanagement-2016/#sthash.OL66d4cu.dpuf