Emerging Risk Levels for Enterprises to Watch in 2020
Over half of risk professionals worldwide say their organization's risk levels increased significantly in the past year, according to new research by ISACA, CMMI Institute, and Infosecurity Group.
According to ISACA's State of Enterprise Risk Management 2020 report, only 29% of respondents are confident that their enterprise can predict the impact of threats arising from emerging technologies. Furthermore, fewer than one-third (31%) say their enterprise would be able to respond quickly to new threats once they are identified. That is troubling given the pace at which business and technology are changing.
The State of ERM 2020 report identifies three main categories of risk that enterprises face today:
1. Cybersecurity risk (29%)
2. Reputation risk (15%)
3. Financial risk (13%)
Among the top five challenges in cybersecurity risk management, the leading ones are changes or advances in technology, the changing types of threats, a shortage of security personnel, and an increase in the number and frequency of risks.
Risk identification processes are common but not optimized
About two-thirds of respondents have defined processes for risk identification, but only 38% of those believe the processes are optimized or being used to their full potential. That gap leaves clear room for improvement.
The wide spectrum of cybersecurity threats faced globally
Attack types vary by region and sector. For instance, respondents in Asia and India report more nation-state attacks than those in Europe, North America, and Oceania.
Around 43% of respondents' enterprises use insurance to mitigate the fallout of an incident. Adoption is highest among organizations in North America and Africa and lowest in Latin America.
The gap between management and governance
There is a visible disconnect between enterprise governance and management in handling risk. Respondents report that boards of directors are briefed on cybersecurity quarterly or less often, whereas chief information security officers (CISOs) are updated more frequently: around 75% say they receive monthly updates. That knowledge gap is an opportunity for CISOs to expand their visibility at the governance level.
Tracey Dedrick, ISACA board director, has noted that significant risks are easily overlooked when the conversation does not take place in front of the right people. It is therefore vital to start at the top of the organization and engage the people who own the risk, so that the right people are informed of it and organizational alignment becomes more likely.
Measures to mitigate and address risks
ISACA outlines five key steps organizations can take to address these risks.
1. Predict future outcomes from current trends and technology
ISACA board chair P. Baybeck has said that the trajectory of cloud is instructive for future technologies, both in its adoption dynamics and in its risks. Cloud was initially seen as a source of risks and challenges to be managed, yet its value is undeniable. Risk management combined with strong governance can ensure that value outweighs risk, as with any emerging technology.
2. Define risk clearly
Enterprises that struggle with risk management can benefit greatly from defining their risk tolerances, which helps them advance along the maturity spectrum.
3. Understand your business
Risk profiles vary from company to company. Manufacturing, for instance, faces more operational risk, which is harder to predict than in other industries, whereas for the financial services sector the biggest challenge is cybersecurity and technology.
4. Avoid getting siloed
Different stakeholders have different risk priorities, so a balanced approach that accommodates multiple perspectives is essential for mitigation planning to go smoothly.
5. Set expectations and optimize risk
Organizations need to be clear about their risk tolerance expectations and provide corresponding guidance to decision-makers, so that risk can be optimized.