With such benefits, naturally, comes increased risk. And, in this case, it is a type of risk many, if not most, risk managers are only casually familiar. Thus, even more risk.
The "cloud" has been an emerging exposure for some time, as computing power continues to exponentially escalate to levels few could anticipate. This computing power and its lure of speed and capacity has drawn a growing population of users out of their internally crafted and managed technology safety zones (think intranet and on-site servers) into this potential abyss.
I put it this way because, to me, it appears as a bit of a black hole of sorts where my knowledge and understanding of the direct and indirect exposures is undoubtedly significant but difficult to pin down.
On the one hand, this as a relatively simple construct: Data once tightly controlled by its owners is now "in the cloud" floating outside this safe zone, bringing with it a sense of greater vulnerability. What's a risk manager to do? Buy more insurance? Tighten up third-party contract obligations? Yes, to both and more.
I would suggest that this is the exposure area where global supply chain risk may be the greatest. As a result, risk managers need to take action on numerous fronts to better prepare them to be substantive players in controlling this exposure. It is likely to continue to get high level attention and visibility especially as, not if, major data breaches continue to occur. So what should a risk manager do?
First, risk managers need to build a close relationship with their CIO and technology team. They need to lay the groundwork for entry to the technology inner sanctum and ideally make the case for their regular participation in technology risk profile development and regular assessment.
From this access should flow an improved ability to not only understand the exposures associated with technology infrastructure (and the external supplier aspect of that is increasingly exacerbating the exposure), but to be able to help mitigate their effects. The better relationship and frequency of communications with external suppliers, the more likely you'll be able to size the exposure and ensure an appropriate mitigation strategy is in place.
As with supply chain risk generally, but all the more importantly in this area, it is critical that risk managers take aggressive steps to ensure a tight strategy is developed and implemented to optimize the typically supplier controlled treatments of these risks.
These run the gamut from contract terms and conditions that go beyond insurance and indemnification language to an audit capability and strategy that allows one to confirm that suppliers have their purported controls in place. As with insurance, it's easy to provide a document showing it's in place at a moment in time, it's another thing altogether to have such assurance downstream when losses present themselves.
Similarly, suppliers can provide many assurances of sufficient control over data and technology risks, but knowing you will look to verify those assertions will increase the chances they are in place. Trust is great, but verification is more likely keep you employed through the next big event.
CHRIS MANDEL is president, Excellence in Risk Management LLC; and executive vice president, rPM3 Solutions LLC; a long-term risk management leader and former president of RIMS. He can be reached at firstname.lastname@example.org.
November 1, 2012
Copyright 2012© LRP Publications