Understanding Risk: How To Translate Into Actionable Tasks For The Board

By: Matthew Hammerstone

February 28, 2020




Change is inevitable, and nowhere is this clearer than today, when technology has reshaped how the world works. Artificial intelligence, cloud computing, blockchain, the Internet of Things and other new technologies have transformed the way we carry out our daily activities, both personal and professional. While technology has brought some genuinely remarkable changes, it also brings one problem: it alters the risk profile.


As with anything new, next-generation technologies come with their own challenges and risks. As we adopt them and move our world into the digital ecosystem, we come face to face with new risks, with cybersecurity the most prominent of all.

Cyber risk has grown steadily over the years. A recent report by Risk Based Security found a 54 per cent year-over-year increase in reported breaches in the first half of 2019, resulting in the exposure of 3.2 billion records. Broken down by sector, the business sector accounted for 67 per cent of reported breaches in that period and 84.6 per cent of all records exposed.

This should alarm the business community: a company that adopts inadequate risk management strategies, or neglects to implement a robust and appropriate cybersecurity plan, puts its business-critical information, its wealth, its reputation and even its existence at risk.


Cybersecurity: An Essential Function Across The Organisation


Cybersecurity is not the function of a single department but of the entire organization, from top to bottom. Employees at every level and in every department should be trained in good cybersecurity practices. It is equally important, however, that senior executives are properly educated about the latest forms of cyber threat, so that they can devise and implement a comprehensive cybersecurity strategy and make sound investments in improving the organization's defences.

C-level executives, who hold privileged access to a company's sensitive information, have become prime targets for attackers. Attackers prey on C-level executives in order to acquire the privileges vested in them and carry out their attacks with less friction. According to Verizon's 2019 Data Breach Investigations Report, senior executives were nine times more likely to be the target of social breaches than in previous years.

To combat cyber risk effectively, a company must conduct a risk assessment to determine the risks to which it is specifically exposed. This enables the C-level executives and the Board to define the risks, establish security measures, devise mitigation plans and decide on investments in security solutions.


Cyber Risks, the Board and the Management


Once the risks have been identified and profiled, it is the Board's responsibility to ensure that the management team clearly understands those risks, their potential impact and the measures needed to address them effectively. This is the first and foremost task of the Board.

The Board also needs to gauge the capabilities of the management team, including the skills of each individual, their preparedness and the resources available to them. Management should be well positioned to tackle foreseeable risks and also capable of responding to unforeseen issues in time to avoid significant damage. A named executive should be accountable for leading the cyber risk management function. The Board should monitor these efforts and intervene whenever required.

The Board should also closely monitor the cyber risk management program and developments within it. Management, for its part, should ensure that the program stays aligned with the identified risks and does not drift away from them.

Where there are deviations or shortcomings, the Board should not shy away from a firm and candid dialogue with management: clear communication and a shared understanding of the risks lead to better management and prevention of cyber risk.