Yesterday, PrivSec Focus: Enterprise Risk brought high-level insight into protections that businesses can put in place to guard against ever-changing and unpredictable threats.
The livestreaming experience united subject matter experts and thought leaders for a one-day examination of the key challenges and opportunities defining the enterprise landscape.
Professionals in attendance were given a unique opportunity to learn from industry senior figures, and connect to a global network of risk management practitioners.
In the opening sessions, experts looked at generating business resilience – an issue that has been pushed to the forefront of the corporate conscience by large-scale events such as the pandemic and Russia’s invasion of Ukraine.
Ensuring organisational continuity has thus become paramount, with resilience best practice laying the pathway for risk reduction.
Bill Mew, founder at Crisis Team, said:
“Resilience and risk awareness should not be separated; they go hand-in-hand. When it comes to an actual incident, we don’t have time to sit down and work out a solution; you need to have a crisis management plan and response ready to react immediately. Rehearse so it’s second nature and everyone knows what their role is.”
Max Mirian, Tx Global Risk Practice Lead at ServiceNow, said:
“If you ask me what the main challenge of implementing ER is, it would be that when people think about the risk they consider the street language, which is different from the meaning in the enterprise context. So, the most common challenge would be the awareness of that meaning and all the elements of this risk.”
“Handling a risk is the element required in the skill set of resilience,” Max Mirian added.
Laurent Giezendanner, Head of Legal Operations, Head of Corporate Security at Syngenta Group, said:
“The skills, in general, must be hard skills – technical, although for me the soft skills are more important with resilience, the skill about connecting people and generating collaboration.”
In the following talk, subject matter specialists at PrivSec Focus: Enterprise Risk turned their attention to sustainability, and how ESG can inform Enterprise Risk Management (ERM).
Opening discussions, David Harper, Head of Enterprise Risk at Fidelity International, said:
“Every business will need to have a team that looks at how the organisation is doing. We should ask if we can sign with these; do you know [the risks] well, and how do you feel about them? I feel like everyone should have the personal liability to sign off on [these risks].”
Michal Jezierski, Compliance, Risk and ESG expert at Susumi, said:
“We should look at two points: Firstly, investors who care about your ESG factors and friendliness. Secondly, the authority in the EU companies will be obliged to comply with ESG and report it. In the EU, we are creating standards for ESG reporting and this will change the way we approach risk management.
“It is not only environmental factors that are considered the most, but also the social factors. Everything has changed during the last few years; it is about how we approach our employees and their code of conduct.”
Aruna Vaz, Deputy Head - Enterprise Risk Management at Aster DM Healthcare, said:
“While we are evaluating every risk, we need to look at it through an ESG lens, which is key for an organisation. There needs to be more ESG awareness.”
Ransomware fell under the spotlight for the midday session at PrivSec Focus: Enterprise Risk, as speakers considered how best to use third-party risk intelligence to fortify the organisational attack surface.
Krislyn McDonnell, Senior Product Manager at Recorded Future, said:
“Building trust with third-party organisations is much easier said than done. The biggest challenges we face today are: the lack of visibility into the third-party risk landscape; the fact that questionnaires are prone to errors; the fact that manual review assessments are resource-intensive; and finally, the realisation that siloed analysts’ and security teams’ collaboration can be ineffective.”
The first panel debate of the afternoon centred upon how senior leaders can forge a risk-conscious culture within an organisation.
Katja Rieger, leadership consultant and founder of Ripple Effect, said:
“Create dialogue with the front-end of the business to have good discussions in diverse groups; different perspectives help us to see things in ways we haven’t seen before and this creates risk awareness.
“Leaders can learn how to tell stories around risks – personal stories maybe – [revealing] what they’ve learnt, or about other similar risks taken in the past. Humans are amazingly adept in their judgement and that’s the disadvantage of pure compliance,” Katja added.
“One piece of advice I’d give is to learn to speak the language of the business. Training how to listen and understand others’ perspectives does not just add to the risk culture, but also to relationship building.
“It’s not culture that you measure, but you define your culture and that you can measure,” Katja continued.
Maria Fernanda Hosken Perongini, Privacy & Data Protection Consultant at UnitedHealth Group, said:
“It’s important to establish which metrics you’re going to use so that you can report it.”
“Most people don’t like KPIs. Often, people who gather the data don’t see the objective, and it can become an unproductive task. Whilst you set your KPIs, you need to set the data point, and show why it’s important and [explain] the outcomes; let [data gatherers know that] what they’re doing isn’t just a boring task, it has an objective and it should benefit them,” Maria added.
Scott Bridgen, GRC Lead at OneTrust, said:
“Everyone works in binary – percentiles – all these different things, yet we very rarely tie it back to [the question of]: ‘If we don’t get it sorted, it’s not about the trust, it’s about [whether or not] we will be perceived as trusted.’”
After lunch, audiences tuning into PrivSec Focus: Enterprise Risk enjoyed a discussion on the pivotal role that leadership plays within Enterprise Risk Management.
Jigar Shah, Head of Identity Access Management at R1RCM, said:
“What makes a very good risk leader is building that trust and honesty in your organisation and having that emotional understanding.”
“The trend is changing. We have been flexible and adaptable to risk management. It’s now becoming more sophisticated and influenced by important factors, including employment compliance, data privacy, financial regulations, your supply chain dependencies, political changes etc.,” Jigar Shah added.
Rawda Selim, Advisory Solution Consultant at ServiceNow, said:
“A good leader can accept change, knowing how to efficiently use your resources, including technology, and they need to be really focusing on ESG, as that is the 2022 landmark. There is not a one-stop shop for better leaders; it’s very eclectic. ERM understands now that technology is part of how they want to make their business more efficient.”
Anne Flanagan, Data Policy & Governance Lead, Centre for the Fourth Industrial Revolution, World Economic Forum, said:
“I don’t have a crystal ball, but I can anticipate some things by looking at the recent trends seen in ERM. We see a proliferation of new privacy laws, but also new understandings happening – things that will change the future landscape. Cross-collaboration between silos is a very important part of this.”
“If leadership is not demonstrating that they care about any ERM issues, then that will set a wrong example to the whole organisation. The best leaders are not at the top, they’re at the bottom, and if your C-Suite executives do not care about ERM yet, then make them,” Anne Flanagan underlined.
“When dealing with ERM, you have to remember you are not alone. Perfection takes time, and this is where the whole organisation gets together for the initiative. It’s a partnership of resources, until the point that the success can be shared by the whole organisation,” Rawda Selim concluded.
In the subsequent presentation on risk assessments, Tanner Boswell, CIPP/E, CIPM, GRC Solutions Engineer at OneTrust, delved into best practice and new perspectives on risk insights.
Tanner Boswell said:
“A lot of the barriers we are seeing in the market concern how risk itself is consistently changing and is fluid. Does the end user fundamentally understand what the assessment is trying to achieve and the knowledge to respond appropriately?”
“What we’re seeing is that multiple stakeholders are involved in the process – HR, legal, privacy, security – and you’re going to have competing interests and differences of understanding. A lack of automation can hinder the process of getting buy-in from the subject matter experts,” Tanner Boswell added.
“You want to have tools and methodologies in place to get timely input when you need it the most. As for best practices for assessments, ISO has good documentation, COSO is a thought leader and outlines all the steps. I identify the risk, I develop assessment criteria, assess and prioritise and then respond,” Tanner Boswell continued.
Explaining some top tips on best practice, Tanner Boswell said:
“Put the end user of the assessment in context, and don’t use wordy questions that could confuse the end user. Use plain text business language so [users] are more able to respond appropriately. Every questionnaire needs to have insights, so integrate the business process right into the assessment.”
“Engage stakeholders. Once a risk assessment has been performed, communicate results and recommendations as risk professionals back to the business itself.”
“A lot of the time I find teams involved in the response process are not necessarily the appropriate team members. My advice here is to improve visibility across the team. It’s important to have all critical functions that the risk is affecting involved in the decision process,” Tanner Boswell concluded.
Cyber risks are rightly top of the agenda for many ERM professionals, and maintaining a robust data breach management policy is a crucial way to prevent and respond to data breaches.
PrivSec Focus: Enterprise Risk devoted a panel debate to this crucial issue, covering data breach management policy, from detection and notification to mitigation and review stages.
Sandy Silk, Director of Information Security Education & Consulting at Harvard University, underlined:
“With preparation, it’s knowing who does what, with what and when so that everything can be accomplished.”
Scott A. Warren, Partner at Squire Patton Boggs, said:
“If you don’t understand where your data is, what your strengths are, and what you want to protect, you won’t be able to make a strong response programme.”
Caro Robson, MBA, LLM, FIP, Senior Consultant Legal Advisor, Data Protection & Technology at Milieu Consulting, said:
“You’re only as strong as your employees’ awareness and practices. Detecting internally isn’t going to happen if staff don’t understand what a data breach is and don’t have the confidence to raise issues. An awful lot of breaches happen through human error or they’re detected through people who notice that something is wrong.”
Sandy Silk added:
“One of the biggest soft skills traits to have with your security team is to be non-judgemental. We all have bad days and we can all fail a phishing test. We’ve all been there and you have to thank that person who is reporting something for bringing it to your attention and minimising the damage.”
Scott Warren added:
“All your employees should have the email line for phishing emails and know the person they should ask to reduce it.”
The final session of the day looked forward to the future of ERM, and the crucial role new technologies may play in developing new ERM frameworks.
Geethy Panicker, Senior Vice President of Risk, HSBC, said:
“We have seen new risks from globalisation. Ensure the people you have in GRC functions are equipped with the right skillset to make use of technology.”
“If you look at Formula 1 as an example, the pit-stop used to be 72 seconds. Over time, the companies invested in technologies and now it’s under 2 seconds. What technology enabled them to improve? In the same way, if you look at competitiveness in the market, there is extreme pressure on businesses. Governance teams can look at innovation to reduce compliance costs,” Geethy Panicker added.
Wajahat Raja, Global GRC and GDPR Solutions at Copenhagen Compliance, and Consultant at Saudi Stock Exchange, said:
“There are emerging trends we must observe. Risk maturity frameworks are consolidating workflows, treating ERM as a competitive advantage. ESG is also an important subject which will change the paradigm in coming years.”
“Risk is uncertainty of the future. My gut feeling is that in upcoming times, random forecast algorithms will have significant value,” Wajahat Raja added.
Riccardo Bua, CISO Office - Enterprise Security Architect at DigiTribe, said:
“Empower the business to take a risk-based approach. I think there is ongoing tension in the market shifting from closed system to open system, which drives challenges in control of the data.”
A huge thank you goes out to our experts, thought leaders and subject matter experts at PrivSec Focus: Enterprise Risk, and of course to all those who tuned in to the exclusive livestreaming experience.
PrivSec World Forum
7-8 June 2022, Park Plaza Westminster Bridge, London
Part of the Digital Trust Europe Series
PrivSec World Forum is a two-day, in-person event taking place as part of the Digital Trust Europe series.
Data protection, privacy and security are essential elements of any successful organisation’s operational make-up. Getting these things right can improve stakeholder trust and take any company to the next level.
PrivSec World Forum will bring together a range of speakers from world-renowned companies and industries—plus thought leaders and experts sharing case studies and their experiences—so that professionals from across all fields can listen, learn and debate.