Propelled to importance by Covid-19, the concept of risk has become highly prevalent, and as such the role of those assessing and mitigating risk has permeated every level and function of general management across organisations.
Risk now has a seat at the top of the table, and the chief risk officer (CRO) has become an indispensable part of the C-suite as a result of far greater overlap between risk and the commercial interests of the wider business.
Covid-19 has forced companies to become more aware of the risk landscape as outside and unforeseen factors have affected performance and profitability. During the internet era we witnessed the rise of the chief information officer (CIO), and more recently as stakeholders considered their personal data – the rise of the chief data officer (CDO). It is now the moment for the CRO to step into the spotlight.
If the risk function is to be effective, risk managers need to champion a cultural shift towards a digital-first mindset across the organisation. In an environment where ransomware attacks surged by 150% in 2020 with the average extortion amount doubling, leaders are more concerned than ever that employees are educated and know how to avoid these kinds of issues.
For organisational change to have a lasting impact however, it needs to be implemented top-down, where all stakeholders develop a habit of thinking about how technology can be used for the benefit of the whole, and chief risk officers are capable of collecting insights and use increasingly advanced data analytics to understand and mitigate risks.
To achieve this, digital fluency within the risk function is key because it not only allows these insights to inform risk modelling, but it also gives the CRO an understanding of the entire organisation and be able to anticipate where problems might arise.
While risk management strategies are devised at board-level, they’re implemented on the front line – digital fluency within the risk function means that from the cloud to the device, the CRO is able analyse the entire threat landscape and anticipate any risks that might arise.
Using data and analytics to inform decision-making
Using data analytics to inform risk modelling allow executives to see into the future and plan for any likely eventualities. Anticipating problems in advance of seeing them realised allows organisations to plan ahead and manage and reduce the costs of issues when they do arise.
From anticipating increasing demand for hybrid working culture, to understanding the challenges presented by rolling out devices to remote workers, data feedback from across the business informs companies on these eventualities before they happen.
For companies that were able to anticipate a hybrid working culture after Covid-19, trialling and iterating a remote working culture over time, and introducing the right mix of devices to allow employees to work effectively provided huge cost savings versus competitors that have had to implement changes at the last minute and issue devices or adopt cloud infrastructure at short notice.
Applying risk-modelling to generate organisational flexibility
Where employees are concerned, regularly analysing data on how they use devices is important. While security leaders have a high level of confidence in staff knowledge, a recent report shows that 81% of leaders feel their employees understand that nine out of 10 ransom attacks originate through email phishing, though just 2% of employees polled felt they knew enough to not open suspicious-looking emails – showing the disconnect between boardroom perceptions and reality.
In this example, leveraging cloud infrastructure as employees use devices remotely gives our customer IT departments a greater sense of security knowing that features like virtualisation-based security (VBS) and hypervisor-protected code integrity (HVCI) are enabled by default and providing increased protection. VBS or HVCI-enabled devices are able to isolate secure regions of memory from the normal operating system and use a “virtual secure mode” to host a number of security solutions capable of providing greater protection from vulnerabilities.
By modelling these risks in advance and putting the infrastructure in place to stop potential threats becoming issues, employees can have an uninterrupted experience while IT leaders know the company’s systems and reputation are kept safe. Using knowledge gained from data insight to build in this kind of flexibility also allows new systems and devices to be more readily adopted.
What can we expect as the role of the CRO evolves?
As the digital topography of companies expands and we see consolidation in the applications and devices used, the value of collecting accurate and actionable data insights is only going to grow. Ensuring organisations have the infrastructure in place to be able to capture that data and the right mix of devices in place to give employees the flexibility they need will be the major challenge of CRO’s as the role matures.
Increasingly, the CRO needs to evolve into a digitally fluent partner to all parts of the business, capable of creating a risk-conscious working culture and at the same time helping leaders create strategies that anticipate threats but are simple enough to adopt by workers on the front line.
Chris Lorigan is surface portfolio product manager at Microsoft
