Business Resilience in a Digital World


There is an old proverb which goes: ‘After the ship has sunk, everyone knows how she might have been saved.’ This proverb befits our rapidly changing and increasingly complex world, hinting at both failures in risk management and the benefits of hindsight. Risk management offers the comfort of a structured approach to the identification of business risks, a verifiable process of engaging with those risks and a hierarchical reporting process up through the organisation. All of this reassures us that such risks are being dealt with effectively, so we can sleep soundly at night. Oddly, many people still seem surprised when failures do occur, whether it is an industrial accident or a major cyber security breach. This might suggest that we don’t quite have the handle on exposure to tail-end risks that we hope – and there is a series of factors which might help explain why.

First comes bureaucracy. At its worst, risk management can degenerate into a process of box ticking and spreadsheet filling. As risks are reported upwards through the organisational hierarchy, individual risks become aggregated and diluted into amorphous blobs on heat maps or, worse still, executive boards are deluged with lengthy but irrelevant risk reports. Less is often more.

Second comes culture. In some organisations independence of thought is still seen as a challenge to the orthodoxy of process and compliance. Pressure is placed on staff not to ‘rock the boat’ or, worse, management is incentivised to reduce cost without due appreciation of the increase in risk. Too often, performance is geared toward a reduction in spend rather than an increase in efficiency or a smarter allocation of limited resources. As a result, risk likelihoods are scaled back and impacts downplayed. Glaring REDs become tinged with AMBER and hints of GREEN. Why create unnecessary noise?

Third comes imagination. People give greater emphasis to recent events and ignore occurrences outside their own experience. They reason that multiple failures of controls are literally unthinkable, all the while ignoring potential common-mode failures and underestimating our human propensity for incompetence or malice.

All of this matters because security and resilience help sustain competitive advantage. They enable us to protect staff, customers and our brands in a rapidly changing and increasingly turbulent world.

So how can we address these issues? By taking a different view of resilience. Step back from the routine of risk management – and start with the fundamental questions of what makes you special as a business. What keeps you ahead of the competition, what keeps your customers coming back, what makes your investors buy your stock? The answers may not be just hard cash. Often, more subtle issues such as reputation, trust and goodwill come into play – setting the scene for a broader and more robust assessment of risk exposure. As an example, the negative impact of major cyber security breaches on share prices frequently tends to be a result of how poorly the incident was handled rather than the nature of the breach itself.

As consultants, KPMG’s role is often to question whether the emperor is indeed wearing clothes – benchmarking against other organisations, surfacing scenarios which might not have been considered, but most of all building bridges between senior executives and the staff within their organisation who harbour real fears based on deep knowledge of the systems and processes which lie at the heart of their business. In our modern and complex environment it is sometimes not enough to look at a risk heat map. Simulation exercises can prove invaluable, while executives need to invest time to better understand the real risks and challenges they face and just how these could manifest themselves.

And so we come to cyber security… Curiously, people often see business resilience and cyber security as distinct. The former is a mere re-branding of business continuity and is still preoccupied with recovering from natural hazards and physical threats; the latter with a virtual world that recognises no boundaries, grabs media headlines and seems to change from one minute to the next. The disciplines seem to lack a common ground and even less a common language.

But imagine our world 10 years from now. Our business is dominated by e-commerce, computerised infrastructure, industrial robotics, knowledge economies and the internet of things. Organisations need to retain the same level of trust and confidence with their customers online as they do in the physical world. So our approach to business resilience is about enabling organisations to prevent, withstand, detect and respond to these digital threats.

What organisations should be most concerned with is the potential speed, scale and complexity of impact from attacks. Motives vary of course, but they boil down to two main things: stealing money (or stealing data to steal market share to steal money); or disrupting service to damage reputation for political or ideological reasons.

Cyber security is dominated by a tactical fight at the moment. We struggle to counter the latest cyber attacks, we agonise over how to protect against the advanced persistent threat (a euphemism for state-sponsored cyber espionage), and we try to contain the fallout when thousands of customer records are stolen overnight. Technology and security awareness can provide a partial solution to these challenges, raising the bar for the attacker – but ultimately the answer lies in taking an organisational approach to resilience rather than a siloed approach to business continuity or cyber security. A resilient business model is more agile, more aware and better coordinated to deter, detect, defend and respond to the continuous cyber attacks many organisations now suffer.

In our new digital world, businesses have become more interdependent, generating new systemic risks and the potential for cascade failures. These risks demand collective action, forcing businesses to collaborate to counter attacks and improve community resilience. This is a very different mindset for many businesses that had previously managed risk within their own boundaries.

Executives are right to demand that cyber security professionals demystify and de-jargonise. For their part, they have a responsibility to invest time to understand how cyberspace is reshaping their business opportunities and threats. Organisations are best protected when they learn from others. The most resilient organisations are those that treat complacency as a threat in itself and obsess about failure. Past incidents have taught us that we often miss the weak signals that could and should have helped prevent the disaster. Of course, hindsight is a wonderful thing, but if history has taught us anything it is indeed that after the ship has sunk, everyone knows how she might have been saved.
