Organizations of all stripes are feeling the impact of mounting risk. In the past few weeks alone: Wall Street’s big banks reacted to a changing regulatory landscape; a new survey found that many companies do not have an adequate enterprise risk management strategy; and chief information security officers (CISOs) reported that their role is among the most challenging in their organization.
Banks cut assets, boost compliance efforts in response to Dodd-Frank
Pressure from federal regulations such as the Dodd-Frank Act and from the Federal Reserve’s yearly “stress tests” are driving Wall Street’s larger banks to pull away from short-term funding activities. This includes cutting back on certain types of trading, as well as selling profitable businesses and assets that could attract further regulatory scrutiny, The Wall Street Journal reported.
Morgan Stanley slashed its assets by one-third since 2008’s financial crisis and has downsized its fixed-income trading activities. Bank of America Corp. has cut more than $70 billion worth of businesses and assets since 2010, including private-equity investments and some credit-card businesses.
Large banks are also hiring more employees focused on regulatory and compliance efforts. J.P. Morgan Chase, for instance, will add 13,000 staffers dedicated to regulatory compliance by year’s end, while Citigroup plans to end 2014 with about 30,000 compliance-focused employees on its payroll — a 33% increase from 2011.
While these extra compliance efforts might appear promising to bank regulators, many lawmakers worry that more severe measures are necessary as some banks engage in perceived high-risk behavior to compensate for slow economic growth, the WSJ reports. Certain policymakers feel that harsher legislation is needed to counteract banks that are “too big to fail.” Current legislative proposals range from breaking up megabanks to imposing additional taxes on large financial companies.
Survey: Enterprises need stronger risk management strategy
A survey by nonprofit business research firm APQC polled almost 100 senior financial executives from large public and private companies and found that while the majority of these companies have strategic risk management processes in place, fewer than one in five effectively manage them. These “strategic risks” include regulatory and cybersecurity threats, supply chain interruption and failure to innovate.
Furthermore, two-thirds of these organizations reported lacking a method to ensure that their strategic plans account for these risks, and 43% said they don’t have a concrete process for reporting strategic risks to board members.
To avoid problems that could arise from strategic risks, APQC recommends teaching board members and executives a common risk language, as well as improving processes for monitoring, assessing and reporting business risks.
Many CISOs view their job ‘thankless’
The CISO role didn’t exist at many companies a decade ago, but it is becoming an increasingly common — and challenging — job at most organizations. These executives bear the blame in the event of a security breach and must also stay ahead of increasingly sophisticated cybercriminals from all over the globe, ensure compliance with mounting regulations, and manage BYOD, to name just a few responsibilities. On top of these hurdles, many new security products available to CISOs fail, making it tough to discern which tools to trust.
These challenges have made the CISO post more critical than ever, and companies are offering annual salaries that range from $188,000 to $1.2 million. Still, many view the job as a thankless one, The New York Times reported. According to a Ponemon Institute study conducted last year, many CISO respondents rated their job as “the most difficult” in their organization, and most said their job was a bad one or the worst they’ve ever had.
The post is so high-pressure that many CISOs end up leaving it after two years — either voluntarily or not, according to the study. High-profile examples of post-data breach resignations include the CISOs of the state of Utah and Yahoo.
To prepare themselves for the CISO position, candidates ought to accept that there is no cybersecurity cure-all and that their best bet for success is a combination of effective technologies, hiring the best talent and good luck, according to the Times. The CISO must also be ready to communicate to board executives the inevitability of breaches and the need to allocate an adequate percentage of the IT budget to security.