Pierre Noel, Chief Security Officer-Asia, Microsoft Corp
All organisations face unprecedented levels of risk, arising either from incidents that they can anticipate and measure, or from events beyond their control and influence such as natural disasters, political disturbances and cyber security incidents.
Risks have evolved significantly over time, driven by several factors such as climate change, erratic geopolitical affairs, major macroeconomic shifts and advances in technology. The last of these has spawned sophisticated threats such as hacking, cyber espionage, phishing and malware, among others.
As the bar rises, executives are under increasing pressure to improve their organisation’s resilience by strengthening their capability to address and manage risks.
A tell-tale sign that an organisation is resilient is when its executives demonstrate an understanding of the potential risks they face, evaluate them properly and set out how the organisation will manage and respond to them.
An understanding of potential risks leads to the deployment of controls, technologies and governance necessary to ensure resilience in the organisation.
Starting with the right mind-set
To achieve resilience, organisations should first and foremost embrace a mind-set that incidents will happen no matter how much time and effort is spent securing critical business infrastructure. This mind-set needs to be translated into effective goals and incentives for the teams responsible for handling risks: the reward should be for making sure the organisation is resilient to a risk, not for making the organisation immune to it.
Among the organisations I have met over the past decades, I would rate no more than five percent of them as “almost fully resilient”, a figure which paints a grim picture of how “vulnerable” many organisations are today.
Many people believe that their job is to prevent incidents from happening. The reality is that while they put effort into protecting the organisation against risks, they have not devoted the same time and energy to working out how to respond should an incident occur.
Being resilient refers to an organisation’s capability to respond efficiently to an incident and minimise its adverse impact, as opposed to building a fence around the organisation and hoping that threats will not get through.
Resilience echoes strongly with the concept of enterprise risk management. Organisations should learn how to manage risks effectively so that they can cope with accidents and other unforeseen events whilst seizing business opportunities along the way. Credit and market risks are well understood and measured by finance organisations; operational risks, reputational risks and ICT risks very seldom receive the same quality of treatment.
Since unforeseen events are difficult to enumerate, organisations should have the right “reflexes” to ensure the company can respond efficiently to any problem that may arise. Examples of such “reflexes” are business continuity plans, contingency plans and risk governance strategies, among others.
Organisations should be prepared to bend like a bamboo against a strong wind as opposed to a big oak tree which would simply get blown down. They have to be nimble, agile and highly adaptive to their environment.
Once the mind-set has been clearly established, the next step is to establish a governance team that creates the conditions for the organisation to be resilient.
The team translates this mind-set to several initiatives or activities that enhance the organisation’s adaptability and turns challenges and disruption into opportunities for innovation.
A mobile workforce, for example, is already an element of resilience: employees no longer need to be in the office to do their job. Achieving that, however, requires an underlying infrastructure to support it, such as cloud services.
With cloud computing, employees can make the most of the time they have available to work with and update business systems. It also makes them much more efficient, enabling “real time” decision making and knowledge sharing in a secure way.
Embracing the idea of resilience does not mean throwing away everything you currently have in place. It is a matter of thinking somewhat differently. Converting an existing environment into a resilient one is not a huge task; it is a matter of identifying what needs to be changed.
This also leads to the need to organise risk dialogues with top management, so as to have an accurate view of risk exposure. Without risk dialogues, the organisation runs a greater risk of missing opportunities to expand the business and of ignoring tell-tale signs of risks that can substantially affect the services or products it delivers.
A common denominator of risk-aware companies is the kind of organisational culture they have: it is honest, open and one that draws on the best skill sets available to fight risks.
Oftentimes, the biggest challenge is getting people to talk about problems without worrying that they will be ridiculed. With such a culture in place, the organisation can avoid repeating the same mistakes and minimise the impact of unforeseen situations.
This kind of culture allows organisations to identify risks and work out how each will affect the company compared with how it will affect its competitors in the industry.
Executives and leaders also need to engage with experts who have substantial experience in building resilient infrastructures, so that they can identify the tasks and processes that need to be changed in order to improve their organisation’s resilience.
Looking back at events such as the financial crash in 2008 and the Christchurch earthquake in 2011, it is important that we derive lessons from these experiences and incorporate them into the organisation’s risk assessment system.