Many organizations adjust their risk appetite in an economic downturn, as risk is expanded to include supplier and customer insolvency, not to mention cash-flow changes.
Many organizations have gone through unprecedented changes in the past year. While some have struggled to cope, others have proven resilient in the face of uncertainty. To handle adversity gracefully and emerge from a period of hardship in good shape requires a deep understanding of your business. To manage operational risk effectively, you must identify threats, craft incident response plans, and establish visibility.
Underpinning a successful strategy is the agility to act swiftly in the face of rapidly changing circumstances. There are various steps any organization can take to gain deeper insight into operations and establish a holistic picture of the threats that matter most. The urgency that a downturn creates can be an opportunity for positive change to build greater resilience.
Many organizations also find the need to adjust their risk appetite in a downturn as operational risk is expanded to include potential risks directly related to downturn such as insolvency of suppliers and customers, and changes to cash-flow patterns, all of which may have been based upon more predictable trading periods.
Understand Your Risk Appetite
It’s crucial to have a clear picture of the risk that your business is prepared to endure. Different businesses will have different tolerances, in terms of the downtime they can handle and what their customers will put up with. The process of identifying where the major risks lie isn’t just about informing mitigation strategies, it can also be a catalyst for necessary change. A dynamic landscape and shifting external pressures can shine a light on areas that require investment, or even parts of the business that must evolve.
Be pragmatic and realistic; risk appetite may have to shift significantly during a downturn.
As consumer behavior changes, organizations must look beyond maintaining current customer experiences and cater to emerging demand. Traditional retail might close their brick-and-mortar stores, for example, and transition to exclusively online business.
Take a Risk-Based Approach
While compliance is essential, and easily digestible for company boards, a box-ticking approach to cybersecurity cannot cater to the unique risks that each business faces. Transitioning from a compliance-based approach to a risk-based approach is challenging, but the two are not mutually exclusive. What’s vital here is that you align your approach with the overall business strategy and demonstrate the benefits to secure board buy-in.
Monitor the Threat Landscape
Before you can craft an effective risk-based approach, you must build a clear picture of the threats your organization faces. There are many commonalities, but the precise make-up of the threat landscape is unique to each business. Geopolitical instability has precipitated an enormous change in recent months with a rapidly shifting cast of bad actors with an ever-growing capability to harm.
Any snapshot of the threat landscape will be rapidly out of date. Organizations must continuously monitor the situation and keep tabs on trends in organized criminal gangs and nation-states. This is complicated when your business operates across multiple jurisdictions because you must learn not only what different threat actors are doing in those geographies, but also what the regulatory landscape is like.
Plan Crisis Management
With a clear plan in place and responsibilities delineated, you can work through any crisis. Make sure that you craft policies and incident response plans to cater to a diverse range of scenarios. When a problem emerges, employees should know what’s expected of them. Empower individuals to take charge and to report back regularly to upper management and the board. Knock down roadblocks to swift action and demolish walls between silos to ensure that different people across your business can work together effectively to resolve issues and guard against any repeat. The whole business must be accountable to spread the load and build understanding across departments and geographies.
Establish Transparency in the Supply Chain
While internal visibility is crucial, you can’t afford to leave third-party partners to their own devices, but sending suppliers many streams of audit forms is not effective. Security becomes a tick-box exercise where partners have an incentive to tell you what you want to hear. It’s better to share specifics and make your expectations of partners crystal clear. Ensure your supply chain is transparent and fully informed by your risk appetite and threat monitoring to effectively manage risk and enable the agility to drive future success.
Share Intelligence and Foster Collaboration
We’ve highlighted the importance of transparency across your business and throughout the supply chain so that everyone takes responsibility and works together, but this spirit of sharing and collaboration can spread further. Work closely with partner organizations, establish intelligence-sharing in your sector, and talk to government departments and even other industries about the threats they have encountered.
Cybercriminals and other attackers share tactics and success stories. When we fail to share intelligence, the only real winners are the bad actors. They can deploy the same attacks successfully with a range of organizations unless we discuss our experiences and collaborate on defensive strategies to shut them out.
Coping with heightened operational risk during a downturn is a challenge for every business, but it’s far from insurmountable. Strive for transparency, plan for the worst, and pull together across departments, third-party partners, and the wider business community to create a united front.
Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board’s role in cybersecurity and … View Full Bio