Establishing the role of the risk manager in the organisational approach to technology risks
Last month we featured 'Lost in Translation' by Jonathan Blackhurst of Capita - the winner from the twelve high-quality dissertations submitted by students who took part in the first City Business School leadership course supported by Airmic. There was also an outstanding entry from Georgina Wainwright, Airmic's market development manager, who examined how risk managers can support boards faced with the demands of digital technology.
At a time when the opportunities and exposures associated with technology are greater and faster-moving than ever, what is the role of the risk function? The paper points out that, whilst it is clearly responsible for the oversight of more 'traditional' risks such as damage to physical assets, there appears to be no common approach to the management of technology risks. The paper analyses the role of the risk manager in managing cyber risk, considering how their specific knowledge, position and skill set can support the conversation.
Inevitably, much hinges on the relationship between the risk manager and the IT or technical function, specifically the chief information officer (CIO) and chief information security officer (CISO) in managing cyber risk. These are not always the easiest of relationships, with both parties being protective of their roles and not fully understanding each other's roles.
The paper identifies a number of deficiencies in many corporate structures, including a lack of sufficient understanding by the Board, an excessive focus on cybersecurity and the continued tendency of people to think and act in silos.
It concludes that the most effective technology risk management is underpinned by close collaboration across the business, fuelled by the risk manager establishing a robust system of cyber risk reviews and flows of risk information. It says the risk manager must also act as a 'translator' supporting the Board and executive in understanding the impact of digital developments in the business of its overall mission, strategy and stakeholder priorities.
So far so good, at least in theory, but what can the risk manager do in practice?
The paper was based on, among other things, a survey of risk managers investigating their roles and opinions of the management of digitisation. This data is supplemented by a series of interviews with individuals with cyber risk responsibilities and consultants providing external cyber risk support and advice.
It finds that risk managers are well placed in terms of their knowledge of broader risk management techniques and their links across the business to bridge the silos that exist in most organisations in four fundamental ways:
- Embracing cyber risk within an established enterprise risk management framework;
- Translating technical issues into business risks and impacts;
- Driving the enterprise-wide response to cyber events;
- Using cyber insurance to quantify risks and engage external support.
Providing this support is not easy, the paper acknowledges, and risk managers will need to penetrate the business and tackle established unconscious biases. This can include overcoming authority bias, where businesses have overconfidence in technical cyber experts, and triviality law where Boards focus on 'trivial issues' such as the social media errors rather than the complex implications of a new system migration. Risk managers will also need to challenge the negative connotations associated with risk management.
To do so, they must demonstrate where risk fits into the overall value chain and avoid talking in worst case-scenarios instead explaining how a risk management framework can support the function in meeting its objectives. "CIOs are high risk takers and naturally protective of their role and budget and do not want to feel threatened," explained the CISO of a technology firm, "however, they are inherently rational people and will welcome a well-communicated case for risk management."
The paper points out, though, that CISOs, see themselves not just as technical people, but as business leaders. This mirrors the development of risk managers into more strategic roles.
When working with the technology and information security, risk managers must:
- Articulate: Clearly articulate the role of the risk function in linking the individual functions to the business strategy
- Be open but credible: Demonstrate a willingness to learn about specific functions and their activity and be upfront on where their own knowledge in limited
- Support rather than protect: Focus on how a structured approach to risk management can assist the function in gaining resource.
- Focus on service rather than financial protection: Highlight both the support services associated with insurance and the financial protection.
The paper concludes with a quote from Airmic CEO John Ludlow: "The strategic risk manager must be an accomplished networker with an overview of the enterprise. They must use risk management explicitly to support corporate strategy in a positive way…such a person should be the eyes and ears of the Board."
You can view Jonathan Blackhurst's winning dissertation here.