It is important to manage the organization, considering all sources of risk as part of that management, rather than to manage risk as an activity in its own right.
There’s a huge difference between the perspectives advanced by the National Association of Corporate Directors (NACD), a US organization of and for board members, and those of some of the leading thinkers in risk management.
As explained in this article, “in January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its Director’s Handbook on Cyber-Risk Oversight. In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations”.
The NACD guidance sets out five principles for board members:
“1. Understand and Approach Cybersecurity as an Enterprisewide Risk Management Issue, Not Just an IT Issue”
At first glance, this makes good sense. But enterprisewide risk management should be about helping people make intelligent and informed decisions. It should not be the end itself.
I would prefer to say that cyber-related risk should be considered in business decision-making. It is just one of typically many sources of risk (what might happen) that can affect the ability of the organization to achieve its objectives.
“2. Understand the Legal Implications of Cyber Risks as They Relate to the Company’s Specific Circumstances”
Certainly, a cyber breach can have legal implications, including potentially implications for the board and each of its members. I worry that directors might be so consumed by CYA that they hamper proper risk-taking by management.
“3. Have Adequate Access to Cybersecurity Expertise and Give Cyber Risk Management Regular and Adequate Time on Board Meeting Agendas”
Manage the business rather than manage any single source of risk! Obtain assurance that management has the capability to understand cyber and how it might affect each of its strategies and objectives.
If cyber is a major source of risk, then go ahead and have a discussion – but ensure you understand how it might affect the enterprise strategies and objectives.
But don’t spend time on cyber when it is a relatively low source of risk compared to, say, cash flow, price and product pressure from competitors, and an uncertain economy.
“4. Set the Expectation That Management Will Establish an Enterprisewide Risk Management Framework With Adequate Staffing and Budget”
I prefer to set the expectation that every significant decision will be informed and intelligent, with reliable information (as best we can) on what might happen.
If we focus on what it takes to have quality decision-making, we will achieve effective management of risk.
“5. Management Discussions Should Include Identification of Which Risks to Avoid, Which to Accept and Which to Mitigate or Transfer Through Insurance”
Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.
Now for the contrast.
Two of my friends recently met (presumably in Melbourne). Alex Sidorenko interviewed the incomparable Grant Purdy.
This is how Alex describes Grant:
Grant Purdy has specialised in the practical application of risk management to support decision making for nearly 42 years, working across a wide range of industries and in over 25 countries. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for over 14 years and was its chair for seven. He is co-author of the 2004 version of AS/NZS 4360 and has authored many other risk management handbooks, guides and books. He was also the nominated expert for Australia on the Working Group that wrote ISO 31000 and Guide 73 and later Head of Delegation for Australia on ISO PC 262 that revised ISO 31000.
The interview is available on Alex’s Risk Academy blog.
I strongly encourage everybody to either listen to the interview (it is long, at 50 minutes) or read the transcript.
Here are some key points.
- If we can’t agree on what the word ‘risk’ and the phrase ‘risk management’ mean, how can we expect to have a constructive discussion using them? I agree and have suggested that we use plain English (thus the title of my latest book, Risk Management in Plain English); we should talk about ‘what might happen’ rather than ‘risk’, as we need to consider everything that might happen as we strive to achieve our objectives. ‘Risk’ is a word that limits discussion because of its common usage as either something bad that might happen or the likelihood of something bad happening.
- Risk registers, heat maps, and such (including COSO’s risk profile) don’t help us make decisions. They can help you decide on whether to act to address a risk, but not whether you should choose this vendor, go ahead with a new ERP implementation at this time, or even cross the road here or over there.
- Grant talks about achieving an acceptable level of certainty that you will achieve your aims (i.e., your objectives). I know what he is talking about, but disagree with this characterization. You can never be certain, and this framing may lead people to choose the option whose results they are most ‘certain’ of rather than the best option. In a LinkedIn discussion, I asked:
Alex, would you choose an option where you have a 70% level of confidence in your assessment that you are 80% likely to gain $500, or one where you have 90% confidence in your assessment that you are 60% likely to gain $450? Is it about being sufficiently certain? What about where there are multiple potential consequences and you have differing levels of confidence?
If your aim is to earn $300, which option do you choose? One where you are highly confident of achieving your goal or one where you are a little less confident but might surpass that goal substantially?
I much prefer to focus on making the informed and intelligent decisions necessary for success.
Grant and I have discussed this and remain apart – but I expect that in time we will, as we have before, come to a meeting of the minds.
- Grant focuses on assumptions. This is a great point! Whenever we make decisions, we make assumptions. Frequently, we fail to recognize that we are making them. Instead, we should be clear about what they are, how they affect the decision, and how we will monitor them. If they are critical to the decision, then should things turn out differently than anticipated, we should be ready to change or at least modify the decision. For example, when the CFO presents his forecast for the next quarter, it is based on assumptions. The executive team should make sure they understand those assumptions, challenge them as needed, and then adapt as conditions change.
- Towards the end, Grant captures the essence of what we should all be striving for.
…it’s actually very, very simple. And actually, I’ve gone back to the very beginning. It’s what I used to do years and years and years ago, which is I don’t have to worry about definitions. Just make better decisions by exploring scenarios, looking at certain uncertainties. It’s as simple as that. And particularly the assumptions.
What are the key points for you?
Are you a believer in the traditional methods apparent in the NACD guidance or the ideas and philosophies expressed by Grant, Alex, (and me)?
I welcome your thoughts.