Enterprise risks, such as supplier failure and client non-payments, are far more likely to occur in tougher economic times. Consumer confidence is at an all-time low, and companies should be conscious of what business continuity plans they have in place should these risks materialise.
Moreover, with the recent surge in ransomware that has been hitting SA businesses, executives need to invest in best practices and cutting-edge cyber security defences to protect their organisation's most important asset: data.
"Risk officers need to embrace thorough digital risk management strategies which include filtering, assessing, prioritising and responding to threats across the Web," says Alex Roberts, regional director of Sales and Operations at Cura. "Spending money on perimeter-focused cyber security is not enough. More advanced and complete strategies that analyse threat intelligence, monitor the activity on the deep Web, and constantly survey for sensitive data must be implemented."
Risk strategy
When developing an enterprise risk management (ERM) strategy, Roberts says a regular, defined reporting period helps to engage the risk officers and to gain traction. "Ideally, the deadlines for the rollout of the ERM process should coincide with the reporting period for the first two to three periods."
Managers should use the information that is reported at the risk management meetings to manage their own activities, and those activities may be delegated to, or closely involve input from, persons close to the impact or root cause of the risk event, he explains.
"Risk management should be embedded in the business processes throughout the organisational hierarchy of accountability and progress of all action plans, and risk treatment should be tracked and reported against a risk register. The periodic risk management meeting is a forum for discussing all updates to the risk registers that were performed by the risk officers."
He adds that emphasis should be placed on any unacceptable risks that exceed the risk appetite of the organisation. "The risk response and risk treatment plans for those risks that do not match the organisation's appetite should then be reviewed and adjustments planned."
Multiple methodologies
Roberts says it is essential for a business's risk management strategy to have support for multiple methodologies and frameworks to allow them to manage risk using popular standards and approaches while ensuring compliance against myriad regulations. "The option of interactive dashboards and reports provide real-time visibility into the state of risk management to all levels of the organisation. Flexibility is important too, as it enables business users to configure the system to perfectly match the existing risk management processes, including workflow, field names, rating scales, naming conventions, page layouts and other best practices."
He says roles-based security and audit trails ensures the integrity of data and tracks all changes to records in the system. "Flexible deployment options allow organisations to host compliance information on-premises or deploy in the cloud as a hosted solution."
Finally, over and above risk management, he says there are a few small changes organisations can make to build cyber resilience. "Firstly, segmenting network data on different locations and ensuring there are adequate firewalls to restrict traffic and data access to and from these segments."
Next he says employees should be trained periodically regarding their roles and responsibilities when it comes to protecting data security. In addition, he recommends introducing two-factor authentication to prevent brute force hacking attempts, and says data should be consistently backed up to a cloud server.
Share