CYBER RISK MANAGEMENT WITHIN ERM TO ENHANCE BUSINESS RESILIENCE

Cyber Risk Management

In recent times cyber risk has become a crucial risk area for many organisations. Although it is widely discussed, managing it still faces multiple challenges, because many still believe it to be an IT issue, which is not the case. This article explores the impact that cyber risk has on an organisation, as well as the strategies that can be used to integrate it into Enterprise Risk Management (ERM) effectively in order to build resilient and sustainable organisations. It also answers the critical question: why do we want to build resilient organisations and manage our cyber-crime risk?

Firstly, we need to focus on building a resilient organisation to ensure that we are still in business tomorrow. Business resilience should be pursued and monitored holistically, starting with the ability to anticipate risk. Far too many organisations operate in 'fire-fighting' mode because of the radical changes constantly occurring in the operating environment and the advancement of cyber threats. Too many also choose to focus only on today's threats and issues, ignoring the risks that may arise in future and failing to plan for them. It is essential to build anticipation into the risk management process, and to have an emergency response strategy as well as a crisis management plan that takes the business through recovery and ensures business continuity.

Cyber risk should also not just raise red flags when it receives attention in the news – it needs to be a constant focus. It’s not about ‘if’ we experience an attack, it is ‘when’ will we experience an attack. The ability to respond is critical.  

When responding to a cyberattack, businesses need to follow key strategies to ensure their continuity. Responding timeously and honestly to the threat, and providing clients with clear, concise and accurate information about the breach and about the company's ability to recover, are all vital. Customers not only want to know that you are dealing with the incident; they also expect the business to resume as speedily as possible. It is therefore vitally important to have a fit-for-purpose, well-rehearsed disaster recovery and business continuity plan, one that has been tested before it is needed rather than read for the first time during an incident. Through continuous updates and communication with consumers and the public, this can be achieved.

As mentioned before, business resilience should be pursued and monitored holistically to be effective and value-adding. It should provide information for better decision-making, promote pro-active behaviour and innovation, minimise the impact of an attack, provide assurance, decrease losses and incidents and, finally, create stakeholder trust.

In recent times it has become evident that leading organisations have started to change how they operate, beginning with integrated thinking to support integrated reporting, where stakeholder expectations, technologies and strategies are considered in all decision-making.

Technology has also allowed businesses to interact with customers more readily than ever before. Customers trust us with their data and expect us to safeguard it. Failing to do so leads to a loss of their trust and ultimately of their business. Reputation management is therefore crucial, as reputation is the first thing to suffer after an information breach or cyber-attack. We also need to realise that technology is no longer just an enabler: it forms part of the corporate DNA of the organisation and is the source of both its future opportunities and its potential for disruption.

Another critical component is strategy. Traditionally risk has been seen as something negative that can occur, an 'uncertainty'. King IV, however, frames it as 'risk and opportunity management'. The consideration of risks and opportunities therefore forms an integral part of any organisation's strategy, and this includes cyber risk.

Looking at an organisation's ERM framework, certain areas within the framework are essential for the integration of cyber risk. Cyber risk needs to be incorporated into the ERM policy and strategy, and into the risk appetite and tolerance statements.

The organisation needs to assess and clearly understand cyber risk and its impact, and escalation processes and procedures need to be in place before an incident occurs. Ongoing training and awareness also help to prepare for a potential cyber-attack. It is vital to consider cyber risk during risk assessment and to establish that the risk is owned by the business, rather than delegated to IT as a purely technical issue.

In the South African business landscape, it is seen that 80% of the time is spent on implementing ERM frameworks, leaving only 20% for creating a risk-aware culture. This should be reversed, with the bulk of the effort going into the culture and behaviour that actually mitigate cyber risk. This comes down to two elements: technology and people. Cultivating the right organisational culture is just as important as protecting your systems and data, and is itself an effective control. Knowledge is power, and increased awareness among staff regarding cyber risks is key. Staff want to feel that they are part of the organisation. By elevating inclusivity, staff will feel that they have a purpose and understand the value that they add. When staff feel included, they take more ownership of their responsibilities.

The organisation's values, ethics and leadership commitments need to take risk seriously and recognise the true risks surrounding a cyber-attack. Clear internal communication is critical and a powerful tool for constantly raising awareness of potential risks among staff. There is no place for blame-shifting, something that many corporations are guilty of. Never assume that the next person will notice the problem or that it is someone else's responsibility: take ownership.

In conclusion, the challenge remains to create resilient organisations in a 'business-unusual' environment, employing integrated thinking so that cyber risk is not dealt with in isolation. Cyber risk management should be entrenched not only in the ERM framework and programme but in the organisation as a whole, establishing a risk-aware culture across the entire organisation.