Bringing Risk to the Heart of Strategy

Combating the perfect storm in the wake of the pandemic requires an alignment of risk with business strategy

"Without understanding and being able to measure, manage and mitigate cyber risk, digital transformation and sustainability efforts can be jeopardised"

Some years ago, there was much debate about how IT strategy and business strategy had to be aligned, and this was to be led by the new breed of CIO.

With the CIO at the heart of the development of business strategy, business ambitions could be aligned with the latest technology, enabled and multiplied in effect to ensure competitive advantage.

Today, with the accelerated pace of technological change, multiplied by the trend for digital transformation, which in itself has been accelerated by the global pandemic, there is a need to further develop that alignment position to include cyber risk.

In recent years, many businesses have begun transformation journeys prompted by new opportunities emerging through technological developments, or to exploit new markets. Some transformations have been driven by the need to increase competitiveness due to the emergence of disruptive new entrants to the market. Other transformations have been driven by changing consumer preferences and the need for sustainability. Whatever the drive, the effect of fundamental change, in culture, in people, in process, has the potential to introduce new levels of risk.

The risk assessment of any business change is now as fundamental as its business case, and the cyber element of risk must be addressed at the earliest stages.

Digital transformation has affected the cyber crime world as much as it has the legitimate business world and the creeping professionalisation of cyber crime has been multiplied by technological developments too.

The coping measures employed by organisations around the world in the face of the pandemic increased cyber vulnerability, and put pre-pandemic attacks, such as the rash of ransomware that crippled the likes of Maersk, the UK NHS, and here at home the HSE, in a new context.

The ability of a cyber crime gang to cripple a major enterprise, public service or other such organisation, was a clarion call to look differently at risk.

New business models must take into account the cyber risk exposure due to the increasing reliance on digital systems to deliver them. The increasing need for demonstrable sustainability, so heavily reliant on data and data processing, is also increasing digital reliance. Without understanding and being able to measure, manage and mitigate cyber risk, digital transformation and sustainability efforts can be jeopardised.

The conversation must be changed from cyber security to cyber risk if the issue is to be truly understood and woven into the fabric of the organisation.

In the same way that the CIO became a central part of the business strategy team, the chief information security (CISO) and chief risk officers (CRO) must now take their places in that strategy team too.

As CEOs have had to become technologically informed to responsibly lead their organisations, they must now also ensure that those who measure and manage the digital risk to the organisation are involved in the strategy, planning and execution of transformation.

Failure to align cyber risk with transformation efforts will predictably result in the same kinds of stalls and failures so well documented previously. Lack of return on investment, underutilisation and increased exposure to threats were all seen when investments were misplaced or inappropriate in the early days of transformation.

The oft quoted stat from McKinsey that 70% of transformation efforts fail to produce expected results has the potential to be multiplied in the current context, and from a cyber risk perspective.

If an organisation embarks on a transformation initiative, with digital at its heart, that introduces an entirely new element of risk, it could represent an existential threat to that organisation. While the business risk of such a transformation, and even the risk of not transforming, is often well documented and understood, the cyber risk aspects of such initiatives are still poorly expressed, explored and factored into strategies.

Just as security is baked into application development early to make more secure products, cyber risk, properly explored and understood, must be included at the earliest stages in any transformation efforts.

The global pandemic has thrown a new light on many things, but chief among them is just how interconnected, interdependent and cooperative our modern world is. Digital technologies have given us a glimpse of how much more interconnected and interdependent we are likely to become in the near future, and beyond.

The pace of change, the transition of every business towards being a digital business and the increasing need for data and analysis to meet sustainability goals, are all driving new elements of risk that need to be understood, communicated and managed at the highest level. The alignment of business strategy with risk management - with cyber risk at its core - is the only viable means to ensure that resources are properly deployed to protect the critical assets of the organisation.

Paul Hearns is an author, journalist and presenter of more than two decades experience.