While 73 percent of executives surveyed believe risks are on the rise, according to the new survey, "Risk in review: Decoding uncertainty, delivering value", PwC, April 2015, only 12 percent of those are successful risk management leaders. Over the most recent three-year stretch, 41 percent of that 12 percent produced an annual profit margin growth of more than 10 percent, according to the survey. Risk management doesn't simply mitigate risk, it magnifies net income.
CSO explores the relationship between risks and profits and how enterprises can use information security risk management to increase profit margin growth.
The risk management & profit margin growth relationship
"Information security risks affect profit margins by impacting enterprise reputations, share prices, and the ability to operate effectively," says Bill Sweeney, Financial Services Evangelist for BAE Systems Applied Intelligence. Good risk managers and management methods can counter that impact, producing profit margin growth.
"Effective risk management is more like brakes on a car. You don't have brakes to drive slowly, you have brakes to allow you to drive faster and stay in control," says Sweeney. Banks for example use capital to stay in control. Some financial institutions retain capital to guard against losses that are due to security breaches.
These capital set asides in the banking space are a great example of how the relationship between effective risk management and profit margin growth are a direct cause and effect relationship. "Effective risk management frees up capital for money making businesses. Ineffective risk management reduces capital available to the business," says Sweeney.
Using risk management to increase profit margin growth
"Because criminals continue to penetrate companies resulting in increased costs for protection and incident response, cyber risk is now an operational risk. Increased cost equals reduced profits. Enterprise information security risk management, which means operationalizing security, reduces loss and increases profit," says Sweeney.
To use risk management for profit margin growth, isolate the risks that are particular to your enterprise and industry vertical using best practices like those published by NIST or in the Federal Financial Institution Examination Council's IT Examination Handbook InfoBase for example. If there is a recognized security risk assessment for your industry, consider using it or a blended assessment including steps from other tests as well. Then follow these mantras as you use risk management to stir profit margin growth. First, know that the price of security is typically less than the cost of catastrophic network invasions.
This has never been truer than now when--as everyone knows--every company will eventually be infiltrated by cyber criminals. Attackers using automated programs to continually run port scans on hosts across the Internet looking for vulnerabilities will eventually find holes in your systems and exploit them. Enterprises must likewise automate security as a part of risk management or simplify it enough that security staff can demote some tasks to operations staff. This is operationalizing security and can include using log management and SIEM tools that put security tasks within reach of operations professionals.
From the 3,000-foot view, you need to adopt a combination of enough risk mitigation techniques and technologies to answer those risks that will cost your enterprise more than the mitigation does. DLP is a great example of a technical solution that is less expensive than a massive breach that leaks millions of examples of private, personally identifiable, financial account information.
Boards of director must decide when the cost of the risk is greater than the cost of risk management and deploy cyber security down through the C-suite accordingly. They must include lost revenues and the potential for profit margin growth in their calculations.
Second, risk lives and changes like a growing organism undergoing constant metamorphosis. "In particular, risk changes in response to your actions," says Sweeney. Every time you take action, risk responds in a manner comparable to the equal and opposite reaction of Newton's Third Law of Physics. So the dynamic nature of risk makes sense intuitively.
Risk mitigation must be equally fluid, nimble, and dynamic in order to respond to information risk events quickly and efficiently. For example, risk mitigation must be flexible enough to close the vulnerability first, whatever kind of hole it may be, so that no more damage is done.
Third, like time, risk does not wait. Losses due to realized cyber risk events increase as the event continues, and many cyber criminals intend their attacks to go on indefinitely or until someone stops them. Enterprises that want to increase profit margins need to move fast to adopt a reliable, targeted risk management plan as soon as possible.
Finally, know that someone in the business is causing the risk by design. They are accountable for the risk as the risk owner. Find out who they are. Then find out what they are doing to mitigate the risk. "You have to look at the controls and constantly test them," says Brian Schwartz, Governance, Risk, and Compliance Leader, PwC. If the controls are not sufficient, look into stronger controls.
Profitable risk management leaders
"The leaders who formally address risk management and actually embed it into the rhythm of the business are the ones who show better profit margin growth," says Schwartz. These leaders share certain specific risk manager activities and traits in common.
In particular, they extend themselves well beyond the initial risk assessment that enterprises use to simply compile and rank information security risks. After conducting a risk assessment, these leaders connect the risk management program to the strategic business unit planning process. In fact, the boardroom initiates this leadership and presses it upon everyone in the company starting with the C-suite.
"They include it in active discussions and tie it to forecasting for every business process they run," says Schwartz; "it's all by design and very transparent and obvious."
Supporting the business
Risk never dies. That doesn't mean you have to merely transfer it when you can translate it into profits. "Suffering negative impacts from risk is not inevitable. By integrating risk management into the business lifecycle and developing an effective strategy, the enterprise can achieve an enormous competitive advantage," says Schwartz.