Embedding Sound Risk Management Practices into an Organization
Core principles for risk management adoption within an organization.
Most of the people who sit on the board of directors don't really want to intimately know all the risks facing the company they are being paid to supervise. It's simply a lot easier and safer from a liability perspective to leave everything associated with risk management in the hands of the executive management team.
But Oracle President Mark Hurd says that the days when the board of directors could sit above the risk management fray are coming to a close. He says it's becoming apparent to him that it's only a matter of time before corporate boards routinely evaluate potential risks to business and the gaps between those risks and the company's actual ability to mitigate them.
Speaking at an Oracle Chief Security Officer Summit in New York, Hurd said IT security alone will most likely force the issue. The number of attacks against companies is increasing at a staggering rate, and they now include highly sophisticated attacks orchestrated by foreign governments that target corporate assets as part of an overall cyber warfare strategy. All it takes is for one of these attacks to lead to a significant breach to make risk management a real board-level issue, says Hurd. That significant breach is inevitable, he adds, given the complexity of the systems that IT organizations are trying to manage today. With each new system brought online, the potential risk to the business increases exponentially as yet another attack surface is presented to the outside world. And increasingly, the targets of those attacks are financial applications and the key intellectual property of the company.
Once that inevitable breach happens, risk management will become the next great business consulting practice as companies struggle with what needs to be disclosed in proxy statements versus what can remain within the confines of the company. This will lead to the appointment of chief risk officers who will play a role roughly akin to what a chief accounting officer does within most major corporations.
Of course, the federal government may spur all this along with new legislation. But the fear that folks in the security industry have about regulations is that they will become overly prescriptive, resulting in companies doing the bare minimum to be compliant while not actually keeping pace with a rapidly changing security threat landscape.
The issue that internal IT organizations are going to have to come to terms with, however, is that once risk management becomes a board-level issue, the level of scrutiny from above will increase tenfold. So if you think security issues are already sapping the life out of IT, you haven't seen anything yet.