Making the move to proactive risk assessment and crisis managementDate: Mar 06, 2014
When it comes to business risk assessment and crisis management, a reactive approach -- wherein "Band-Aid" controls are put in place after an incident occurs -- just isn't working anymore, according to Brian Barnier, a principal analyst and advisor at ValueBridge Advisors LLC. Instead, when it comes to risk and crisis management, businesses must be looking ahead in order to thwart future threats.
Barnier was in Boston earlier this month at the 2014 Governance, Risk Management and Compliance Summit to deliver the keynote speech on managing crises and making the transition to proactive enterprise risk assessment.
Following his keynote, Barnier joined SearchCompliance Editor Ben Cole to further discuss the benefits of proactive risk assessment and crisis management, and why this approach is necessary as business capabilities -- and threats -- rapidly evolve.
Why do you think the proactive approach to risk management is so important?
The main thing is the reactive one just isn't working. The reactive one works for financial reporting because look at what you're doing: You're asking 'how accurate are our numbers that reflected something that happened days, weeks or months ago that we're reporting now, at the end of a quarter, end of a year?' When you're dealing with strategy, when you're dealing with operations like are my servers up and running, operationally-stable, available, protected and recoverable, or project management, I need to know now. It's forward-looking, and that's why you've got to be in that proactive mode, especially for crisis management.
What are some of the obstacles to proactive risk management? Why aren't more companies doing it?
First of all, they don't understand it. Different materials that OCEG's using or some of ISACA's risk content are trying to get people to think in terms of scenarios. Asking 'what if,' not 'let me go and stick another control bandage here, there, and everywhere.' Remember, controls are inherently dangerous. They cause silos, they cause people to give up responsibility. The only time they really work is when you really have a malicious issue that you're working with and you need a padlock, or when it's a temporary measure.
The big reason that we're seeing difficulty is that you have people hanging onto Linus's security blankets that have difficulty thinking 'what if?' That's why we talked about playing video games, playing basketball, skiing, and scuba-diving, all the fun things that people in the room did. It gets you thinking ahead. What's around the next turn?
You mentioned communication and how important that is to proactive risk management. Can you talk a little bit about that and why communication is so important to managing risk?
First of all, on the strategic level we all have to be on the same plan. If something bad happens to me, let's say it's a cyberattack and you're in Europe and I'm in Chicago, and somebody else is in San Francisco. You need to pass information on and be able to engage. The more that we're connected, the more steps we can take independently but in a coordinated fashion because we've planned and we've got our act together.
Once we get past that, the other aspect of communication comes into play. That's when we're really firefighting, and we're dynamic, and things are changing. Our environment's changing, our capabilities are changing, we're using up resources. Now we've got to be in sync in a whole different way, where we've worked together enough that we can share and allocate resources, move things around. Communication becomes critical, and the same terms cannot be used on different continents or in different businesses in different ways. This is why emergency responders in the U.S. are required to use clear, open, common language on emergency radios.
How can companies improve that communication?
There's lot of ways. This is one of the big things that ISACA is trying to get through to their training, or the OCEG material with this new black book that's coming out. It's making it easier for people to implement all these excellent management methods out there that they've been struggling with. A lot of people are just afraid of change. We want to make it very clear that this is an easier, smoother path. It not only helps with a crisis, but helps with all those day-to-day things that unfold much more slowly than a crisis does.