A new Synthèse from Solucom’s Survey of Information Systems Management

May 2012 by Solucom

Risk management is one of the pillars of information system governance, yet IT departments have still to embed it in their day-to-day management practices. Now that the IT department plays a pivotal role in enterprise strategy, risk management is a key process that can no longer be ignored. But what ground does it cover? How can it be slotted into existing organisational channels, and what is the best way to put it in place? These are the questions this new Synthèse from Solucom sets out to answer.

Changes in risk perception

The perception of risk in society has changed. We live in a world which is, paradoxically, less dangerous yet more risk-laden, against the backdrop of the 20th-century utopian ideal of "zero risk". Today our capacity to identify risks is fast outpacing our capacity to manage them, and the resulting gap is worrying.
More generally, experts tend to focus on the specific risk they have to manage and are not always sufficiently aware that the individuals exposed to that risk may also be subject to other constraints, or even exposed to other risks.

Risk management must be seen to support business lines and encourage innovation
Enterprises operate in an environment where vastly differing risks affect their strategy, business and information systems. These threats originate in the ecosystem or stem from changes in the enterprise itself: increasing demands from clients, partners and users, tougher regulations, mergers and restructuring, or growing awareness of technological and environmental risks.
Regrettably, the risk management measures taken to counter these threats are usually seen as constraints that hold business lines back from developing initiatives and creating value. However difficult it may seem, a balance must be struck between the potential losses and gains involved in taking a risk. Efficient risk management must be an aid to decision-making, delivering a carefully considered response that is commensurate with the threat. Collaboration with business line managements is therefore crucial, as they alone can evaluate the impact on their activities.

Set out the enterprise's objectives in order to identify risks and who bears them
To identify, evaluate and manage risks, an enterprise must first formally commit its objectives to paper. Only then can it anticipate threats and prevent them from materialising. As risks affect all levels of an enterprise, they are borne by different players: strategic risks by Top Management, business line risks (involving customers and sales) by Sales Management, procurement-related risks by Logistics Management, and so on. Such risks may differ from sector to sector, but there are also operational risks common to all enterprises. These may affect an enterprise's processes, people and systems, and include risks relating to the information system, security, business continuity, HR and fraud.

The information system is the backbone of an enterprise and key to risk management
Of all the operational risks, those involving the information system have changed most significantly and most rapidly in recent years. They must be given full risk management treatment.
There are three large, interdependent fields of information-related risk:
- information system risks across all functions of the enterprise, including business line and operational risks with an information system component;
- information security risks, which have a large information system component but also cover the oral and paper dimensions of information;
- business continuity risks, which also include disaster recovery and the logistical, HR and legal aspects, etc.

How to coordinate the four main players to manage information-system-related risks

According to a survey conducted among a panel of 50 large French organisations, the Risk Manager, IT Risk Manager, Chief Security Officer and Business Continuity Plan Manager emerge as the main players in risk management. These stakeholders still all too often act independently of one another, which makes a common perspective difficult to achieve. This silo approach means business line managements are solicited several times over by different players, and it generates redundant work. Promoting collaboration among the various risk management players is therefore essential if information system risks are to be managed efficiently within an enterprise.
In the study carried out with the same panel, over half of the enterprises consider their risk management approach to be "reasonably efficient". However, in 95% of cases there is still room for improvement in maturity and in optimising risk management.

Within enterprises there are three "typical" organisational set-ups, which address the challenges posed by risk management with varying degrees of efficiency: the Tower of Babel, where everyone speaks a different language and so no comprehensive picture of the risks is possible; the Tower of Pisa, reflecting an unbalanced situation where decisions are taken in tiers; and the Control Tower, regarded as the optimum form of organisation and symbolising a common perspective together with shared, consolidated information.

Key factors in building a "Control Tower" organisation

A number of steps are necessary to lay the first stones in the edifice:
- Use a common metric to measure risks objectively;
- Build a risk portfolio by analysing the current situation, identifying overlap zones and thus defining a single management frame of reference;
- Better coordinate and optimise relations with business lines;
- Share action plans.

A common authority must be put in place to guide integrated risk management. It must include representatives of the various risk management channels and of the business lines, without forgetting the IT department. The risk management approach must consequently be cross-functional: overall risk control can only be improved if everyone moves forward together towards an integrated "control tower" type of organisation and adopts shared tools.
The IT Risk Manager, a brand new function interfacing with the channels that deal with information-related risks, is the right player to steer this approach. Twenty per cent of enterprises have already understood this and have created a dedicated role.

