Every organization in operation today faces a barrage of risks – from cyberattacks aimed at stealing data to geopolitical threats that could disrupt operations.
Yet security experts say executives at many organizations don’t know which specific risks pose the greatest threats to their business’s survival, which would wound them, and which could cause mere operational hiccups.
Sure, large companies with chief risk officers and an entire risk department can identify, classify, mitigate and monitor risks. Organizations in highly regulated industries also tend to have highly mature risk management practices.
Most others, however, are much further down the maturity scale.
“The average company deals with risk ad hoc. It’s just done by gut,” said Candy Alexander, a veteran security executive now serving as president of ISSA International, a nonprofit international association for information security professionals.
Findings from the National Association of Corporate Directors speak to this point, indicating a general desire to better understand risk.
In its 2019 Governance Outlook: Projections on Emerging Board Matters report, the NACD found that 82% of respondents to its annual survey of public company directors were confident in management’s ability to address known risks, yet 70% believed they need to better understand the risks and opportunities affecting company performance.
Similarly, security experts say many organizations need to better manage risk. They say the process starts with knowing what risks threaten them and how significant those risks are to the ability to do business.
“Risk is something that could potentially introduce harm or a negative aspect to the business,” Alexander says. “So you should know that if something were to happen, how much of an impact that would have on your organization. You need to know what your risk appetite is, or where you position yourself on risk, what’s your threshold.”