How are you seeing the Enterprise Risk Management landscape change and how are you redefining some of those key controls?

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
I am part of a company that is a strategic partner to other brands and other companies. My team has seen the uptick in the conversation around enterprise risk concerns. We process and respond to over 300 audits a year and that includes client audit, internal audit, external audit, penetration test, and it's increasing. I'm literally having to jump on the call, and have a CSO to CSO conversation to really understand the risk threshold that the client's dealing with and what concerns they're having, and then bring that back to the company. When I entered into this industry, enterprise risk was a pretty stable and consistent practice. We had our rubrics and risk frameworks, and we could just calculate it almost like a statistician. Not anymore. I was sitting on a two and a half hour call today with the Global CSO that I also work with at my parent company and we are redefining our risk models. We're also at the place in time where our risk treatment tools are not going to provide 100% cover, cyber-liability insurance is not going to be a de facto fallback, and business disruption insurance is not going to be able to carry it all because there's too much. So that calculation and the conversation that we pull together to give to leadership now is changing, it's like, "There's going to be some residual risk, and this is what it is. It's in this amount and space."
Executive Director, IT Risk and Compliance, 1,001 - 5,000 employees
I used to be in the State of Nebraska many years ago. We didn't even talk about risk; it was a different time. Now, here in the life sciences industry, I'm in pharma. One of the luxuries I have is that I also own security, which gives me that capability to do PCPD. I also have governance. So I have security, governance, risk and compliance, which are the bedrock.
VP, Enterprise Risk Management in Software, 10,001+ employees
I think ERM's next evolution is around scenario analysis: taking it from business continuity, desktop-type scenario analysis to asking, what is the business implication? So this is going to hit your bottom line, this is going to cost you money, and you need to figure out how to plan for that. And knowing that there are knock-on effects and then making decisions down the road, because it's definitely a regulatory requirement that is building steam, especially in the COVID world. People are saying that we can impact climate.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees

We're at a place where the risk framework can't dictate decisions anymore 100% without considering those compensating controls, the decision. It's just not even realistic anymore.

VP, Enterprise Risk Management in Software, 10,001+ employees

Yeah. And then, on the other hand, the NIST CSF gets so prescriptive and there are so many controls that people just go crazy, just blank stares when I've just onboarded a vendor and I'm like, "Really, you're going to make me do this?" No. Too many questions, too detailed, and so there's got to be a balance. I know the intent is there, but you have to make it business friendly.

Chief Information Officer in Manufacturing, 10,001+ employees
Our risk landscape is defined based on the security of the data we store. We are constantly re-evaluating what we have in place today and how it will be relevant against tomorrow's threats to determine where we need to re-adjust our plans.
