Insurance against risk is essential, but today software systems can be put in place that might mean not having to claim on a policy.
Gerard Joyce, co-founder of governance, risk and compliance (GRC) software solutions provider CalQRisk, said that one of the greatest dangers is in the fact that reputations can be destroyed by a single attack.
“We’re not in insurance, we’re in risk management, and the fact is that not all risks are insurable. You can’t insure your reputation for example,” he said.
Indeed, a major data breach might destroy a business, not through fraud or financial loss, but through customers losing trust and walking away.
This risk is increased today with post-Covid workforces displaced around the country and in many cases labouring in less than ideal circumstances.
“One risk that has increased with remote working is cyber attacks,” said Joyce. “Not too long ago, IT departments perceived protection as being like a moat and a castle, but organisations are more like airports: you need to spot the person walking through. Now, however, with working from home, you can’t even find the borders of the company, because they’re out, dispersed,” he said.
Simple things, such as a lack of understanding of consumer-grade equipment, have suddenly become a problem. For instance, a worker connecting to the internet through a home router could still be using that router’s default password, and that device now sits on the path into the company network.
“That is insecure by default and then you’re connected in to the company. The truth is, not everybody is connecting through a VPN,” said Joyce.
The ad hoc approach to remote working is a real problem, and while it may have been understandable in March 2020, when the pandemic hit, it now risks catastrophe.
“An awful lot of people thought remote working would be for three months, so they didn’t put the infrastructure through. We now need to fix that,” he said.
The problem of cyber risk is not solved by locking the stable door, however, especially since the horse bolted long ago.
Instead, Joyce said, the right approach, as with other risk vectors, is to understand the nature of the risk and any individual company’s risk appetite.
“It’s not about being risk averse, it’s about being risk aware,” he said.
Indeed, risk is at the heart of business as it is risk that brings reward. Unacceptable risk, however, tips over into gambling.
“If you take risks without being aware then you're on dodgy ground. If I’m crossing a busy road, I’m not going to do it blindfolded; I will look left and right and maybe go to the zebra crossing,” he said.
Joyce, who chairs the National Standards Authority of Ireland committee on risk and sits on the ISO’s technical committee, said his goal is to promote better decision-making.
“Risk management brings that focus on things that matter. A lot of people manage performance, but we're trying to look ahead, look at trends,” he said.
Unfortunately, many companies still do not spend enough on reducing risk, even though hardly any department in any organisation today operates independently of technology.
CalQRisk’s software helps companies understand their risk by looking down the road and seeing what could go wrong.
“You absolutely can do things to lessen the risk, and we provide software to help people better manage risk,” said Joyce.
Indeed, CalQRisk recently released a module for handling third parties, with over 400 questions in its knowledge base. Now on version seven, CalQRisk’s software has evolved over the past decade, and acts as a cloud-based front end to a database, allowing users to record and store their risk assessments, control assessments, incidents, and other information that links back to risk.
The correct approach, Joyce said, is to build risk analysis in rather than bolt it on, and compliance standards should be seen as a minimum.
“You need to look upon the regulations as a minimum standard,” he said.
Joyce compared this with driving: “The government says that I have to have tax, insurance, an NCT, a certain tread on my tyres. It doesn’t say I have to get my car serviced at certain intervals, but I do. The government standard is the minimum standard,” he said.
“We all want certainty, everyone wants certainty, but risk management is about reducing uncertainty.”
Still, as Covid has demonstrated, growing uncertainty is the nature of the world we now live in, and organisations need to understand that.
“You can't say you have good governance if you don’t have risk management,” Joyce said.