How are you seeing the Enterprise Risk Management landscape change and how are you redefining some of those key controls?

Vice President of Information and Security in Manufacturing, 5 years ago

Our risk landscape is defined based on the security of the data we store. We are constantly re-evaluating what we have in place today and how it will be relevant against tomorrow's threats to determine where we need to re-adjust our plans.

VP, Enterprise Risk Management in Software, 5 years ago

I think ERM's next evolution is around scenario analysis: taking it from business continuity, desktop-type scenario analysis to asking, what is the business implication? So this is going to hit your bottom line, this is going to cost you money, and you need to figure out how to plan for that. And knowing that there are knock-on effects, and then making decisions down the road, because it's definitely a regulatory requirement that is building steam, especially in the COVID world. People are saying that we can impact climate.

2 Replies

Reply (no title), 5 years ago

We're at a place where the risk framework can't dictate decisions 100% anymore without considering those compensating controls in the decision. It's just not even realistic anymore.

Reply (no title), 5 years ago

Yeah. And then, on the other hand, NIST CSF gets so prescriptive and there are so many controls that people just go crazy, just blank stares, when I've just onboarded a vendor and I'm like, "Really, you're going to make me do this?" No. Too many questions, too detailed, and so there's got to be a balance. I know the intent is there, but you have to make it business friendly.

Executive Director, IT Risk and Compliance, 5 years ago

I used to be in the State of Nebraska many years ago. We didn't even talk about risk; it was a different time. Now, here in the life sciences industry, I'm in pharma. One of the luxuries I have is that I also own security, which gives me the capability to do PCPD. I also have governance. So I have security, governance, risk and compliance, which are the bedrock.

VP, Chief Security & Compliance Officer in Software, 5 years ago

I am part of a company that is a strategic partner to other brands and other companies. My team has seen the uptick in the conversation around enterprise risk concerns. We process and respond to over 300 audits a year, and that includes client audits, internal audits, external audits, penetration tests, and it's increasing. I'm literally having to jump on the call and have a CSO-to-CSO conversation to really understand the risk threshold that the client's dealing with and what concerns they're having, and then bring that back to the company. When I entered this industry, enterprise risk was a pretty stable and consistent practice. We had our rubrics and risk frameworks, and we could just calculate it almost like a statistician. Not anymore. I was sitting on a two-and-a-half-hour call today with the Global CSO that I also work with at my parent company, and we are redefining our risk models. We're also at the place in time where our risk treatment tools are not going to provide 100% cover, cyber-liability insurance is not going to be a de facto fallback, and business disruption insurance is not going to be able to carry it all, because there's too much. So the calculation and the conversation that we pull together to give to leadership are now changing; it's like, "There's going to be some residual risk, and this is what it is. It's in this amount and space."
