#2 Use Risk Management to Prepare for What’s Ahead
Two real-life examples demonstrate the importance of using risk management strategies to prepare for crises. In the first case, a bank faced a safety and soundness review during the recession. To ensure their stability, they conducted a risk assessment of their vendors and identified their rating agency as a potential risk. This led to an evaluation of their assets and investments, which helped them avoid risky mortgage-backed securities. By demonstrating their risk management maturity to regulators, they gained approval to expand and protect their customers' capital.
In a more recent example, during the peak of the pandemic crisis, banks had the opportunity to offer PPP loans but had to manage the associated risks. One organization had already established a governance process and controls for their lending operations, allowing them to quickly evaluate the risks of PPP loans and implement the necessary governance. By proactively assessing their vulnerabilities and planning for risks, they were able to effectively navigate the new loan program.
The key to success in both cases was the readiness and application of a risk-based approach. To replicate this, organizations can follow these steps:
- Identify the areas where they are most vulnerable and anticipate future changes.
- Understand how these changes will affect available resources.
- Update policies and connect them to controls through risk assessments.
- Ensure that responsible individuals follow the established processes.
By proactively preparing for unexpected risks, organizations can create a blueprint for responding to changes and ensuring business continuity. This goes beyond physical locations and call trees, encompassing a comprehensive strategy that adapts daily operations to any circumstances.
Business continuity is crucial in today's rapidly changing environment, encompassing remote work programs, reputation risks, customer expectations, technology advancements, and partnerships. Failing to reevaluate policies with a risk-based approach leaves organizations exposed. Given the complexity of organizations, it is essential to have a holistic view of how different elements connect and impact risk. Policies must address the root causes of regulatory concerns to satisfy stakeholders and regulators.
By adopting risk management practices, organizations can effectively prepare for the future and ensure compliance with regulations and expectations.
#3 Cut Your Vendor Spend While Beefing Up Your Security
As part of your 2023 risk management execution plan, consider cutting your vendor spend while beefing up your security. When most companies think about recession, they usually consider cutting expenses through employee layoffs and/or vendor contract re-negotiations. Unfortunately, both strategies have hidden risks and may not achieve their objectives. There's a better way to mitigate the risks and save money in the current fiscal year.
User Access Rights and Vendor Due Diligence are closely linked, as demonstrated by past news headlines. For instance, Société Générale allowed an internal employee to transfer to a trading role and execute unauthorized trades by maintaining access rights from their prior role, which resulted in one of the biggest trading scandals in banking history. Similarly, the mismanagement of a Third Party Management case of an HVAC vendor at Target resulted in one of the largest security breaches in history. These real-world cases emphasize the importance of conducting thorough User Access Reviews and Vendor Due Diligence Analysis to mitigate such risks.
Both cases require you to think about the largest source of unmanaged risk for your organization. Start by following the money flows to find the systems that manage the company's main source of revenue. For example, Target's Credit Card System was their main source system, and they needed to look at what integrates with it, which was an insignificant HVAC vendor among many others. We all have software vendors. Think about how many technology systems they have. You likely require SOC2 audits from them and may have been ratcheting up their certification levels. This is like putting a fourth fence around Fort Knox. The money system in the software industry is their CRM and all the myriad of small vendors that do not have single sign-on or even two-factor authentication that hang off it. These are the HVAC system equivalents.
Take these recommended steps to optimize vendor spend and strengthen security measures:
- Categorize vendors based on their importance and impact on your business.
- Conduct a thorough analysis of each vendor by linking them to the applications they use, the processes they support, and the controls they rely on.
- Review your access rights, vendor onboarding, and offboarding policies, and vendor access management protocols to ensure they are up-to-date and aligned with your security needs.
- Verify that there is a principle of least privilege in place, which reduces or eliminates unnecessary access.
User access rights (UARs) can be challenging to manage, as employees often request access to software that they do not necessarily need for their role. To take a risk-based approach to UARs, it is recommended to begin from the top down, as part of the departmental budget review process. This allows for a more comprehensive evaluation of access needs based on security risks, as well as the needs of the business to achieve its objectives.
When undergoing a reduction in force, it is essential to manage excess license expenses by ensuring that UARs are coordinated with vendor due diligence reviews for renewals. This helps to prevent unnecessary expenses by paying for more licenses than required.
To streamline Vendor Due Diligence & Analysis, it is recommended to evaluate your vendors and consolidate any duplicate or unnecessary ones. This can be achieved by using technology that connects people and resources to policies, risks, controls, and monitoring activities. By utilizing a multi-dimensional approach, based on risk, objectives, processes, assets, people, and systems, you can efficiently manage your vendors while reducing costs and strengthening your security posture.
Take the First Step Today to Prepare for Tomorrow
In a rapidly changing and uncertain world, organizations face a multitude of risks that can impact their success. To prepare for the future and enhance resilience, the Risk Maturity Model provides a valuable framework. Engaging the Risk Committee and Board of Directors with the RMM enables organizations to evaluate and improve their risk management program, fostering accountability and proactive risk mitigation. By leveraging risk management strategies, organizations can anticipate and mitigate potential risks, as evidenced by real-life examples. Moreover, optimizing vendor spending while bolstering security measures ensures effective risk management in vendor relationships. By adopting the RMM and implementing these strategies, organizations can strengthen their resilience, enhance their value, and navigate uncertainties, positioning themselves for sustained success in an ever-changing landscape.
Take the first step today to prepare for 2024 by completing the Risk Maturity Model Assessment for free online. After assessing your organization’s risk management maturity you will be provided with a best practices benchmarking report to share within your organization summarized on 7 key attributes, 25 success components, and 71 competency drivers. This report recognizes the strengths of your ERM program and provides a roadmap for improvement.
For a deeper dive, watch the keynote presentation of LogicManager CEO, Steven Minsky, from IMPACT 2023 on engaging risk committees, preparing for the future, and optimizing security to thrive in 2024 and beyond.
1The Valuation Implications of Enterprise Risk Management (Farrell, Gallagher, 2014)