This post is the first of our GRC 101 series, which will provide an entry-level overview of the business of governance, risk, and compliance. The first three posts will unpack GRC itself, starting with Risk Management.
Governance, Risk, and Compliance, typically shortened to GRC, refers to a company's coordinated strategy for managing the broad issues of corporate governance, risk management, and compliance with regulatory requirements.
In this post, we’ll take a closer look at one of these pillars: Risk Management.
What is risk management? Most people can answer that question in a generally applicable way. At its highest level, it involves any measure taken to avoid or limit the chance of a bad outcome, such as wearing a hard hat in a construction zone or buying insurance in case of a flood.
In a business context, things get a bit more specific. Let’s start with a definition:
Definition 1: Risk management is the ability to effectively and cost-efficiently mitigate risks that can hinder an organization's operations or ability to remain competitive in its market.
Meanwhile the Open Compliance and Ethics Group (OCEG) offers a more comprehensive definition:
Definition 2: Risk management is the system of people, processes, and technology that enables an organization to:
The application piece is where things get complicated. First, think of all the potential risks a business has to consider. Examples of risk areas include financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk, compliance risk, and natural disaster risk. Within information security risk alone, you have security breaches, data loss, cyber attacks, and system failures, to name but a few.
An effective risk management process will help identify which risks pose the biggest threat to an organization and its resources, and provide guidelines for handling them. But that’s just the start. Risk Management can be divvied up into three steps: risk assessment and analysis, risk evaluation, and risk mitigation. Let’s take a closer look at each.
Who is responsible for risk management? It depends on the company.
At small companies, there may be no one designated to assess and manage the company’s risk. At larger enterprises, there is typically a department whose sole job is to monitor the company’s changing risk profile and put processes in place to manage it. The heads of such departments often hold titles such as Chief Information Security Officer (CISO) or Chief Risk Officer (CRO), while the people doing the day-to-day work have titles like Risk Analyst or IT Security Manager.
Effective assessment, analysis, and management of an organization's risks pays dividends in a multitude of ways. It helps protect assets, improve decision making, and optimize operational efficiency. As a good steward of risk, the company can invest time and resources with a clear understanding of all potential outcomes—including the downsides. It’s a fundamental part of any company’s strategy to attain its goals.
For more on Risk Management, check out LogicGate's enterprise risk management solution or download our eBook below on How to Build Organizational Support for ERM.