Strike Just the Right Balance in Enterprise Risk Management
What do CEOs need most right now? According to a recent survey mentioned on a Game-Changers radiocast (http://news.sap.com/board-to-cfo-need-better-risk-management-data-now/) with panelists Elvia Novak, director of cyber risk services at Deloitte, and Bruce McCuaig, director of solution marketing for governance, risk, and compliance solutions at SAP, CEOs require more – and more reliable – information on enterprise risk management. And they expect this information to come from the office of the CFO.
Novak addresses the gap between what the CFO is delivering and what the CEO needs. The focus is currently on financials and regulations, with risk residing in the background. “But have we taken a step back [to] say what really matters to us from a risk perspective? What’s critical to my business? And how am I protecting that?” The panelists go on to detail three major concerns in the current risk landscape.
1. Dealing with reason in an evolved threat landscape
The face of risk has mutated in the last decade. Network systems today run online in real time. Even more significant, hackers are determined to penetrate these networks and access your information. For example, a consumer products company might be concerned with people gaining access to its materials or formulas. An entertainment company needs to protect information on how much it pays its actors.
Of course, you must protect your data. But Novak cautions against overprotection – creating so many checkpoints that coworkers within the company can’t see what their colleagues are doing. You never want caution to turn into paranoia and completely disrupt your business.
2. Appointing risk arbiters and developing a consistent framework
McCuaig outlines what he believes to be the biggest challenge to improving risk management: “I don’t think we have any consistency in methodology – we don’t have any consistency in tools. I think, generally, people in the business are conscientious and responsible and they want to do the right thing. But it seems to be very difficult to put consistent framework around the business of managing risks in a way that is comprehensible.”
Both he and Novak agree that the CFO cannot be the sole voice and decision maker in risk management policies. A committee of leadership is necessary to create the best possible policies.
“You look at risk management and it’s all over the map,” McCuaig observes. “There isn’t any one set of standards. There isn’t any one set of capabilities. There is no consistent reporting framework. What I think we need is [to] introduce the kind of discipline and framework and rational approach that CFOs have developed over the years in financial management, and apply that to the risk management business.”
3. Relying on the human firewall
All the regulations and preparations in the world won’t mitigate risk if your staff isn’t fully on board. This means providing them with proper training. It’s a strategy McCuaig calls the people factor: “We have to make sure that people understand how to do their job and are motivated to do so.”
When workers view themselves as the first line of defense against major intrusions, you’re ahead of the curve. A mix of trained, passionate employees, common sense policies, and cutting-edge technology can go a long way in delivering the kind of risk management your CEO expects.
Want to learn more about strengthening risk management for your business? Listen to the full radiocast: http://news.sap.com/board-to-cfo-need-better-risk-management-data-now/