Original article published in French on Benoit Grenier’s blog
In my last articles “CEO’s and The Blind spot of Cybercrimes” and “CEOs and cybercrimes, the solutions” I presented: many types of risk which confront organizations today; the communication problems between the CEO and the CIO; the perception problems CEO’s have when it comes to cybercrimes; complete IT security risk audits; and the importance of having a CSIO (Chief Information Security Officer). Today I will continue to talk to you about proactive solutions to cyber risk management by introducing you to the CRO (Chief Risk Officer). For some time now financial institutions have included one of these officers in their organizations. In fact given the requirements laid out by the Basel Accords (International), Sarbanes-Oxley Act 2002 (U.S.A.) and the FRC Guidance 2014 (U.K.) they did not have a choice. Initially the role of the CRO was to protect organizations against the risks associated with the evolution of the regulatory frameworks imposed on financial institutions by these various initiatives. However these CROs have also begun to analyze internal audits, insurance coverage, fraud detection, corporate investigations and information security. It is this last point that I will address today.
Information security (also known as Infosec) has evolved greatly over the years. Initially it was concerned about the safety, warranty, and the protection of physical data or information, but has since evolved to include data and information in digital forms. In addition the CRO has become interested in telecommunications, software, IT hardware, networks, databases, mobility, encryption, human and physical security processes, terrorist threats, environmental issues, personal information privacy, legal frameworks and other issues. All in all a CRO’s plate has become quite full.
Another huge concern that was virtually unknown just a few decades ago is cybercrime, particularly the threat of hacking by those interested in stealing company secrets or customer data. According to a 2014 report from the Center for Strategic and International Studies, cybercrime drains some $375 billion to $575 billion per year from the global economy.
In recent years, data breaches at major companies in several different industries have cost CEOs their jobs. The risks intensify when companies merge and integrate their IT systems. A BCG report in February noted, « While these concerns hold true for all companies, they are acute in A&D [aerospace & defense], in which companies often are dealing with issues of national security.
As the technological dimension of this new CRO position came to the forefront so the natural first reflex was to work with the company’s traditional IT suppliers. They could provide antivirus, firewall and other “Computer Tools”. However the threats have evolved dramatically and looking at them strictly from an IT perspective is no longer sufficient.
An enterprise-wide approach
While cybersecurity was once relegated to a technical or operational issue handled by IT, a cross-departmental, enterprisewide approach to cybersecurity is necessary, according to the Cyber-Risk Oversight, Directors Handbook Series, produced by the NACD. The publication suggests that cybersecurity should be evaluated and managed in the same manner as the organization considers physical security of human and physical assets.
Then we have the CFO being the guardian of “cash” which can enter or exit (especially in the case of proven risk) the organization. He naturally turned toward the company’s historical financial advisors: the CPAs and the management consulting firms. After all, they are already in the habit of audits and claim to have an expertise in IT risk management.
Therein lies a conflict of interest. Organizations are relying on those who provide the hardware and software to criticize their own products and services and on accounting firms to analyze the failures of their own professional work. Complicating this is the irony that accounting firms themselves seem to have difficulty managing their own risk.
New research shows yet again, accountants are taking sometimes potentially disastrous risks with their firms and – worse – with their clients.
The recent “Accounting Firm Operations and Technology Survey,” published by CPA Trendlines Research, shows these risks go beyond merely “falling behind” the technology curve because of traditionally penny-wise, pound-foolish spending. At one time, “falling behind” risked obsolescence, or worse, maybe irrelevance – either of which was a business risk, but a risk that could only be measured by benchmarking against “the competition,” whatever that was.
Today accounting firms are taking on a whole new category of risk – the risk of sudden, unforeseen and irrecoverable disaster. The black swan event.
So organizations having decided to internalize the role of the CRO are taking a step in the right direction but must be aware of the conflicts of interests mentioned above. There is a risk of creating a clear tension between the risk detectives and the inertia and the guilt inherent in those who would become possibly guilty of breach or of weakness. We are therefore talking about a problem of “independence”.
Formal reporting lines may vary across banks, but regardless of these reporting lines, the independence of the CRO is paramount.
While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment.
Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions.
Interaction between the CRO and the board should occur regularly and be documented adequately.
Non-executive board members should have the right to meet regularly – in the absence of senior management – with the CRO.
Successful CROs acknowledge the possible tension with their new peers and look for opportunities to show that their position can complement what the CFO and CAE already do, take some of the load off their already full plates, and create synergies that benefit the organization and the CFO and CAE. What does the new CRO get from taking this cooperative and conciliatory approach? The CRO gains two strong allies and proponents for ERM and support for creating a risk aware culture, as well as the insights he or she will need to do the job most effectively.
For all these reasons, we remain convinced that having an external CRO has many advantages and that moreover, that they must have experience, methodology and technological expertise, and financial, management experience. Several organizations (including that of your humble author) specialize in the management and analysis of organizational risks, without having the bias of being a supplier of technological or accounting products or services. However, if the decision is to internalize the CRO in your organization, we can certainly aid in the transfer of knowledge and expertise necessary to accomplish this strategic mission.
Questions for the CIO Before an attack
- What are our major IT risks? Do we understand them? How do these compare with other enterprise risks?
- What is our mechanism for reviewing major IT risks and adjusting defence strategies accordingly?
- What are our most critical data elements? Where are they held within our enterprise or partner data system? How are we protecting them? What is our approach to cloud computing?
- Have we evaluated our supply-chain risk?
- Do we have a social media policy? Are all employees trained on it? How do we monitor its application?
- Do we have daily cyber threat intelligence/information that is customized for our environment and systems so we can prepare for threats before they strike?
- What is our response plan in the event of a cyber breach? Do we have access to professional cyber incident responders – internally or through service providers – who can help us manage and contain a breach? Do we know who to call in the government and law enforcement communities for assistance? How would you evaluate our business continuity program?