
Looking Ahead: The New Operating Model for Business

COVID-19 has had a horribly disruptive effect on almost all people and aspects of society.  This paper starts a dialog around an admittedly tiny aspect of that and a view to the future.  It in no way should be seen to marginalize or trivialize the pain and suffering endured by the millions of people directly impacted by the pandemic.

On May 1st, CNBC published this article that discusses how some businesses are re-evaluating their need for physical office space in light of their experience with a majority of their workforce working remotely.

The rapid shift to work-from-home has served as a catalyst for change.  Many years ago, when video conferencing first became available, companies started to invest in equipment that was office-bound, hoping to reduce business travel. That never happened because the technology was temperamental, brands didn’t interoperate very well, there were never enough facilities, and the equipment required expensive point-to-point T1 lines.

Since then, there have been advances in the technology along many dimensions, including high speed internet to homes, corporate adoption of laptops, smartphones, and importantly, audio conferencing.  This enabled a shift toward work-from-home and toward corporate shared office space – “hoteling” (universally adopted by consulting firms and hated by employees) and smaller offices/cubicles sold euphemistically as “open concept” workspaces.  But many were still reluctant to use video (Dilbert summed it up well with a series of comics depicting people “working from home” taking video calls wearing their bathrobes).  Workers were far more comfortable with audio conferencing than video, but audio conferencing still did a lot to get companies and workers more used to remote working.

The needle moved further toward a remote workforce with the dramatic increase in off-shoring and the use of contractors, which in itself lessened the feeling of permanence of employment, and perhaps contributed to workers feeling more comfortable as individual contributors working from anywhere.  Paradoxically, there was a simultaneous shift toward urban living, as the number of young people wanting to drive or commute went down, which one might have thought would shift them back to offices.

Powerful Disruptor

All these shifts were gradual, and the net result was tidal shifts in the work model.  Leave it to nature to provide a dramatic disruption, which has resulted in remote working suddenly accounting for 95+% of non-essential workers.  The points raised in the CNBC article are not at all surprising, given how the experts are bracing for periodic reemergence of Corona, but are also supported by:

  • The high cost of commercial real estate and the need to manage costs
  • The remarkable advances in technology enabling remote working
  • The quality of life impact of time-wasting commutes

A shift to predominantly remote working has immediate benefits, including the opportunity to hire the most qualified workers without regard to their physical location, which helps address challenges businesses have faced hiring the right talent.  It also has consequences, such as the inevitable glut of empty office space.  The sudden reduction in the concentration of office workers has a significant impact on businesses relying on them – restaurants, shops, laundry, shoe-shine, even metropolitan transportation – as large portions of their customers stop coming.

Opportunities

In the past, there have been dramatic disruptions to business leading to the shrinkage or elimination of entire industries.  Yet over time, business comes charging back.  Before Corona, unemployment was at record lows, and companies were clamoring for skilled workers.  This came after gloomy predictions of unemployment following waves of off-shoring of everything from manufacturing to call centers to highly skilled workers.

What has to happen for remote working to become as effective as working from a managed location?

Physical space: Many people don’t have home offices and take over the dining room table instead.  This isn’t sustainable, since asking people to shift from a company managed location to home involves a level of disruption, and the only financial beneficiary is the employer.   Wouldn’t it make more sense for the employer to provide each employee a remodeling budget (funded by savings resulting from reduced commercial real estate costs)?  Small contractors could build out home offices based on guidelines or specifications defined by the employer.

Technology infrastructure: When someone works in an office, the employer provides a laptop and a portfolio of business applications, but also the infrastructure to provide access to those applications – physical connectivity, wi-fi, deskside support.  Employers establish standards that they are able to support in a cost-effective fashion.  This needs to be replicated in some fashion at home, at least for a portion of the workforce.  It’s not realistic to expect workers to solve all their home technology issues without impacting their efficiency.  Solution?  A ramp-up of home technology service-providers (e.g., Geek Squad) who set up and support home offices.

Improved wireless: There is a race underway to roll out 5G infrastructure and public wi-fi 6 that promise high-speed performance that rivals (or beats) home-based/cable internet access.  This may be a boon for remote workers and their employers because it simplifies the support model by eliminating the so-called “last mile” connectivity to the individual house in favor of a more controlled infrastructure using transmitters on towers in public spaces.

Comforts and conveniences: As people get used to working remotely, their appetite for convenience goods and services will likely return.  This means the retail services that had been located near office buildings will cater to home-based workers.  To be sure, it won’t look the same, given that the density of customers is different.  There will be more home delivery or curbside service.  Will it be the same in terms of volume?  Probably in an overall sense, but the concentration will differ.  But it seems reasonable that the businesses that can cater to distributed remote workers will benefit.

Challenges – Privacy and Data Protection – a tiny slice

There is no doubt that, as with any fundamental disrupter, there will be challenges to be met before we move to equilibrium – the so called “new normal”.  Among many others, information protection and privacy faces challenges.  Some years ago, a colleague authored a prescient paper entitled “Privacy in a Pandemic” that explored the reasonable tradeoffs to be made when balancing individual rights against the needs of society, famously captured by Spock as he sacrificed himself believing “the needs of the many outweigh the needs of the few… or the one”.  But the new equilibrium has implications for privacy and data protection in a more corporate setting.  While privacy regulations accommodate these priorities, privacy and data protection programs will have to re-calibrate their risk assessments and place new weight on risks made more prominent by the shift away from an office-based workforce to one where the line between personal life and professional activity is blurred to the point where you can hardly tell the difference.  Clear desk policies went from being a constant real and philosophical debate to now being completely unenforceable, and therefore mostly moot.  Implementing sound technical controls that don’t disproportionately interfere with the ability to work will take time, and will likely require new technology deployments.

Understanding purpose: A key enabler to pivoting data privacy will be a mature data governance program.  Making assumptions around higher level enterprise controls is no longer safe.  Instead, knowing the nature and location of data is far more important in order to protect it while enabling use.  Providing more granular permissions around the use of data will help lessen the risk of loss and unauthorized disclosure.  Understanding the purpose behind a proposed use of data is what enables assigning those more granular permissions.  Since preserving privacy is a lot more than just ensuring protection, the philosophy of understanding purpose also helps ensure appropriate use of data.

Fundamentals: Implementing new controls will take time and carries the risk of creating more frustration and confusion than benefit until the edges are smoothed out.  Privacy leaders should step back and consider the full breadth of their programs, leveraging all techniques to manage risk while avoiding unnecessary disruption.   An effective awareness program, for example, can go a long way toward encouraging people to make safe decisions when handling data.

Summary

COVID-19 has created havoc in unprecedented ways, and has affected the lives of billions of people.  The human toll cannot be measured, and the suffering by so many should not be swept aside.  Experts are working through the optimal medical strategies while economists are still trying to model the short, medium and long term impacts to business.  Entire books will be written and college classes will be structured around the Coronavirus pandemic.  This paper has taken a very narrow slice of that and will hopefully start an open-minded dialog around how to help enable the future operating model for business.  The dialog can and will continue in months and years to come.


Why do we have such a hard time understanding, assessing and managing risk?

Introduction

Risk is a real concept that manifests across life.   Within a business context, risk management is a valuable tool to help improve the probability of success.  This paper explores the role of a risk manager, and is applicable across the board – whether business processes, technology, security, privacy, information or enterprise.  The reader can easily extrapolate the ideas to any aspect of life.

Definition and Reporting

Definition of risk: The probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

The key word is “probability” – the likelihood that the event will occur.  In some instances, that can be calculated empirically, if all inputs and effects are known, where triggers can be identified – even if random (roll of the dice).  Other times, probability can be estimated based on historical data around similar conditions (50% chance of rain).

Other times, especially in business settings, there are more variables than can be practically tracked and quantified.  In those settings, Risk Managers use judgment to assess the risk of an event occurring.  The risks are usually classified on a 3- or 5-point scale – say, red, yellow, green or severe, major, moderate, minor and insignificant.   The more knowledgeable the Risk Manager, the more insightful their assessment of risk, but it still remains a probability.

Challenges

Communicating risk gets complicated when we start factoring in risk mitigating strategies – avoid, reduce, transfer, accept – and reduction techniques – controls, TOD/TOE (test of design / test of operating effectiveness), residual risk, control risk, etc.

Even within the mitigating strategies there are grey areas – avoiding has consequences (lost opportunities), acceptance doesn’t mean the adverse event will occur, reduction doesn’t mean eliminate.

While some leaders claim they are comfortable navigating uncertainty, there is no question that business hates risk: markets react to uncertainty, and “punish” companies that operate with too many unknowns, and reward those that demonstrate clarity.

People publish dashboards and discuss numbers of controls, as though they were currency – more controls must be better – even though one good (strong) control could replace many poor (weak) controls.  Even auditors are reluctant to rely on process controls and would rather verify every transaction instead (assuming they could).

So what’s the issue?

To some extent, we, as Risk Managers, are the issue.  When asked about risk, we articulate it in our own language:

Risk Manager to Client (or internal business stakeholder): “there is a risk that such-and-such could happen that has these consequences”

Client: “how likely?”

RM: “moderate”

Client: (thinks: “huh?”) “what can we do about it”

RM: “implement x-y-z control”

Client: “will that make it go away”

RM: “implementing this control will reduce the risk, but it leaves a residual risk”

Client: (thinks: “huh?”) “Is that a ‘yes’?  Why wouldn’t you just do it?  And what’s that mean?”

RM: “here – sign this ‘residual risk acceptance document’”

Client: “ok – done”.  (thinks: “thank god that’s over!”) Back to business as usual.

Let’s face it, this exchange isn’t very helpful.  The Client clearly doesn’t understand the risk as a potential impact to his/her business, and the “residual risk acceptance document” is a rubber-stamp.

Who owns the risk?  Risk Managers say that their business process stakeholders own the risk, and the Risk Manager’s role is to explain the risk, options for control, and residual risk.  However, it’s fair to say that the business process stakeholders often don’t truly accept their role; if they did, they would engage in a more meaningful dialog.  And the residual risk acceptance document effectively nullifies the dialog.

If the controls are effective, or for whatever reason the risk fails to manifest, then what?  How often does the client step back and acknowledge that RM did their job and issues were avoided?  Or does the client question why the risk management exercise was undertaken?  On the other hand, if an adverse event takes place despite controls, does the client look at RM as though they failed?  The cynical reader would point out that if the ongoing processes of risk management were part of core operations, then you wouldn’t see a spike in RM funding after an event takes place; you might see some refinement or realignment, but not a huge uptick in funding…

An alternative approach

So the challenge is how to meaningfully communicate risk to leadership in a way that puts risk in a business context.

First, one must keep clear: generally speaking, risk can’t be eliminated if the business wants to undertake the activity that introduces the risk.  That said, the Risk Manager can keep the following in mind as these points might promote meaningful communication:

  1. Articulate the risk in familiar business terms (“speak English!”). Explain what would have to happen to trigger the risk.  If you describe a chicken-little event without explaining the triggers, you might get dismissed.
  2. Be realistic when describing the risk and the likelihood. The likelihood should include realistic related events.
  3. Propose options for mitigating the risk, including avoid-reduce-transfer-accept. Bring a reasonable amount of research to present viable options, and be able to articulate the residual risk.
  4. Understand appetite for risk at an appropriate level. A mid-level manager may have a different appetite for risk than the CEO.
  5. Consider what kinds of risks need to be escalated and to what level: Don’t present a risk to a CEO in an “Enterprise Risk Management” setting that should be addressed by a mid-level manager.
  6. Be realistic in evaluating the consequences of the risk. Walk the stakeholder through understanding the various consequential outcomes to help determine an appropriate mitigating strategy.
  7. Make clear who owns the risk. Get rid of “risk acceptance” documents – if a risk is significant enough to warrant action, it should be pursued.  Risk Acceptance documents are an attempt to shift/assign responsibility, and if they are needed, then they will also be ignored in the post-mortem.
  8. Acknowledge that business environments are dynamic, and events rarely unfold as predicted when negative risks occur. People intervene.  Processes engage.  The outcome is rarely what was predicted when the risk was recorded.  And the more catastrophic the risk, the more it morphs as it unfolds.

Many of these considerations apply in the post-mortem stage.  One of the big challenges in the risk management community is one of appropriate hindsight.  When evaluating changes to make in risk management in light of an event, it’s important to remember what was known and considered at the time risks were assessed.

The overarching theme of this article is that risk managers need to be realistic when articulating risks, consequences and controls.  Risk managers must recognize that they need to bridge the communications gap to their stakeholders by describing risks in business terms that will resonate.

Risk is a fact of life in every aspect of business.  Bad stuff happens, and risk management is not risk “elimination”.  Risk managers play a critical role, and by thoughtfully supporting their stakeholders, they can help business accelerate forward.