“The more you know, the less you fear.” - Chris Hadfield, former Commander of the International Space Station
These days, our family does “home movie night” a few nights a week. We recently watched Apollo 13 and my 5th grader was amazed everyone made it home safely (spoiler alert!), given how archaic the technology seemed. He also wondered if he would have the courage to do what they did. Those astronauts willingly risked their lives in order to advance scientific knowledge, inspire millions of people, and explore new frontiers. And they relied on a team of experts to understand, quantify, prioritize, control, and mitigate the enormous risks that come with space travel. Just as the Apollo 13 astronauts put their trust in those experts, business leaders must collaborate with their risk and compliance peers so that they take the best, smartest possible risks to achieve their goals.
This strategic shift from reactive to proactive risk management—in collaboration with the leaders of the business—is key to Emily Heath’s continued success. As the Chief Security and Trust Officer at DocuSign, she is a true advocate for the customers, partners, and employees who, in her words, “trust DocuSign with their secrets” via the millions of contracts and agreements that DocuSign processes every year. She acts as a fulcrum in building and maintaining that trust, and has a strong vision and practical advice for how other CISOs and CSOs can achieve this as well.
We hosted Emily on LogicGate’s GRC & Me podcast, where she shared insights on her leadership philosophy, the evolving role of the CISO, where she sees the GRC industry going, and practical steps to adopting a proactive mindset when it comes to risk.
GRC at a Crossroads
Business leaders tend to think of GRC as mostly compliance (the “C” in GRC), and assume their own role starts and ends with submitting evidence to satisfy an audit; harping on their team to complete the company-required training and attestations; or making sure everyone reads the employee handbook. They often ignore or downplay the risk that they actually create through their business practices. I wrote a blog that chronicles my folly in ignoring GDPR as someone else’s problem, so I know first hand this is a habit of many P&L owners.
This mindset has to change, and Emily knows where it starts: the Risk teams—IT Risk, Infosec, Enterprise Risk, Compliance—must drive a risk-aware culture in collaboration with the company’s business leaders. In other words, the “R” in GRC must be the priority. As Emily puts it: “compliance is the byproduct, and governance is part of how you manage and mitigate, but really, we need to think about risk first. And how you define, scope, and measure it is the key to building trust and ultimately affecting your bottom line.”
The reality is that the volume, variety, and velocity of risk increase constantly. Without a strategic mindset shift toward proactively managing risk, companies could be left behind.
CISOs are Business Leaders First
CISOs must understand what matters to the company: the strategic, operational, and financial fundamentals. This is the first and most crucial step to properly defining the categories of risk so you can align them to the priorities of the organization. Only then can you scope and determine owners of the risk programs aligned to these categories. Being a business leader first drives alignment and trust with other P&L owners in the organization and helps establish a risk-aware culture.
As Emily puts it, “As a CISO, by understanding and aligning programs to what matters most, you’re an advocate for your customers, your employees, and your partners.” And it’s not a one-size-fits-all approach: when Emily served as CISO for United Airlines, the most important risk management priorities were those that protected human lives, such as aircraft safety and maintenance. At DocuSign, data security is a top priority.
The next critical step is to align on definitions of risk. Emily notes, “if you ask 10 different people their definition of risk, you’ll get 10 different answers.” It’s important for CISOs to frame up the categories of risk so business leaders can understand what their responsibility is and how they should think about the risk they bring to the business. Emily cites these categories as examples to drive alignment with stakeholders:
- Financial risk
- Technology risk
- Operational risk
- Third-party risk
- Regulatory risk
- Security risk
- Data risk
The risk teams then work with business stakeholders to:
- Define what these categories actually mean
- Agree on the risk “appetite” for each
- Determine what is in scope for each...and more importantly, what’s NOT in scope
- Determine how to measure each risk
What Gets Measured, Gets Done
Risk professionals need to use two lenses when defining the metrics that spell success for risk programs. The first lens is outward facing: how do you report the impact of your risk programs to your business stakeholders, to your CEO, and to your board? For this, Emily recommends working with the executive team on the impact-related metrics, and aligning on those metrics with the board. Again, they should align with the top priorities of the company and reflect the company’s determined risk appetite.
The second lens is internal facing: what are the KPIs the risk team must monitor to flag issues before they become problems? Sample metrics can include number of incidents; how much of the environment is being monitored; and number of vulnerabilities. Emily suggests that CISOs create thresholds for each of these KPIs so they can be notified when a threshold is breached.
The systems and processes CISOs use to enable their risk programs are crucial. Risk programs that run without an agile system designed for workflows and reporting capabilities are inherently risky. Risk has become so complex and enormous that managing it via spreadsheets, email, or clunky systems is no longer feasible. As Emily puts it, “high standards mean you have to produce evidence fast. Having everything in one place and accessible is key, as is a history of who’s touched it.” You can’t do that without agile tech.
The Bottom Line is...The Bottom Line
Risk and compliance professionals are long overdue for a seat at the table in strategic planning. After all, it’s their work that allows the business to take the necessary and smart risks to reach their full potential—just as it's the astronauts’ job to reach new frontiers through space exploration.
It’s time that risk professionals’ wisdom and skills are better used in collaboration with business leaders to make more profitable decisions...because risk professionals are business leaders themselves. Risk professionals have earned their seat at the table. How will you make your presence known?
Learn more about launching into the Future of GRC today, and ask your LogicGate team about joining your peers on our Slack Community “The Risk Crowd”.