Some of the top benefits of risk management at an enterprise level are:
- No surprises: This is particularly important to the investment market where predictability is viewed as a sign of being well managed.
- Early detection: Identifying potential risks at an early stage permits intervention at a lower cost. This is analogous to individual health, where early detection of a disease and action can save lives.
- Improve the bottom line: The risk management process reveals operational inefficiencies and surfaces less obvious cost-saving measures.
Why You Need a Plan
Overall, a methodical, repeatable, and consistent risk management process engages more inputs and promotes a better understanding of any type of risk for decision makers. This is especially important for cybersecurity risks, which are emerging risks. That means the risk isn’t just new, it’s also still evolving and its associated threats are increasing in potential impact.
However, there’s a learning curve associated with integrating cybersecurity risks into the traditional risk management systems that many larger hospitality companies have already established. Smaller companies shouldn’t be reluctant to build this process. Any size organization will benefit from developing an enterprise risk management approach because no one ever arrives in risk management.
This resonates with cybersecurity measures, which require constant, ongoing attention. A zero risk situation doesn’t exist. Just as fire, life, and safety risks in the hospitality industry require ongoing attention, cybersecurity needs even more diligence because it continues to escalate. Also, it doesn’t have established statistical or actuarial tables, which are normally used to transfer residual risk with insurance.
The strongest motivation for stepping up risk management practice is that all industries, and hospitality in particular, depend heavily on technology: software, devices, and communications. In short, cybersecurity risks now have the potential to impact the enterprise mission or business objectives. In the past, these risks have been managed at the department level, typically in information technology.
Where to Get Help
Guidance for this effort is available from a free, publicly available report published by the U.S. National Institute of Standards and Technology (NIST). Titled Integrating Cybersecurity and Enterprise Risk Management, US NISTIR 8286, the report maintains that the starting point is to use an existing enterprise risk management (ERM) framework and process, then build and adapt cybersecurity risk registers. The result should be a broader view and deeper understanding of risks to the entire organization.
Other suggestions relevant to the hospitality industry include:
Begin with a risk profile. A risk profile is a summary of known risks that have been previously identified and mitigated. The Office of Management and Budget (OMB) Circular A-123 describes a risk profile as “a prioritized inventory of the most significant risks identified and assessed.” Include plans for success and opportunities, as well as potential negative impacts on mission or business objectives.
Examine your organization’s contexts. Identify the different types of risk context:
- External context includes the expectations of outside stakeholders such as guests, clients, other businesses, and legislators.
- Internal context addresses the factors that shape cybersecurity risk management, such as organizational objectives, governance, culture, risk appetite and risk tolerance, policies, and practices.
Build risk registers. Next, organize and collect inputs for cybersecurity risk registers. You can set them up using a spreadsheet or governance, risk, and compliance (GRC) tools and customized file formats. These risk registers are simple and proven tools. Consistency is the critical success factor.
Risk registers capture these phases of the ERM process:
- Identify risks
- Analyze risks
- Prioritize risks
Once your risk registers are complete, you’ll need to do some follow-up work to assign, plan, and execute response strategies. Even when risks are mitigated to an acceptable level, you’ll still need to conduct continual monitoring so you can make adjustments as risks change or new ones are identified.
It can help to supplement risk registers with a detailed record that includes scenario descriptions, for example a ransomware attack with a multi-location scope. It is also helpful to document risk assessment results, the roles involved in risk decisions and management, when the risk was first identified, the most recent risk assessment, and any plans, status, or risk indicators.
Cybersecurity risks have subsets (data breach, cyberattack, phishing fraud, non-compliance, etc.), but they are only one portion of the spectrum of core risks. A good way to sort the totality of risks is to group them. Commonly used groupings are: operational, reputation, brand, strategic, compliance, financial, and legal. Additional hospitality categories might include guest experience or franchisee relationships.
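The register-building steps above, carried into a small working model as an added example (not code from the article or from NISTIR 8286): each entry holds the fields the text lists, and three helpers implement the analyze/prioritize phase, the check for risks above tolerance that still lack a response, and the continual-monitoring check for stale assessments. The 1 to 5 scales, the tolerance threshold, the review cadence and all sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed organizational settings; NISTIR 8286 leaves the actual scales to the enterprise.
RISK_TOLERANCE = 10          # exposure (likelihood x impact) above this needs a response plan
REVIEW_INTERVAL_DAYS = 90    # maximum age of an assessment before the entry is flagged as stale


@dataclass
class RiskEntry:
    risk_id: str
    description: str         # scenario description, e.g. multi-location ransomware
    category: str            # operational, reputation, brand, strategic, compliance, financial, legal
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    owner: str               # role that owns risk decisions for this entry
    first_identified: date
    last_assessed: date
    status: str = "open"
    response: str = ""       # response strategy and plan summary, empty until assigned

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def prioritize(register):
    """Analyze/prioritize phase: highest exposure first, ties broken by impact."""
    return sorted(register, key=lambda r: (r.exposure, r.impact), reverse=True)


def needs_response(register):
    """Follow-up work: risks above tolerance that have no response strategy assigned yet."""
    return [r for r in register if r.exposure > RISK_TOLERANCE and not r.response]


def stale(register, today):
    """Continual monitoring: entries whose last assessment is older than the review interval."""
    return [r for r in register if (today - r.last_assessed).days > REVIEW_INTERVAL_DAYS]


def by_category(register):
    """Group entries by the risk category used for enterprise-level reporting."""
    groups = {}
    for r in register:
        groups.setdefault(r.category, []).append(r)
    return groups


# Constructed sample register entries (illustrative, not real assessments).
REGISTER = [
    RiskEntry("R-1", "Ransomware across several properties' front-desk systems", "operational", 3, 5, "CIO",
              date(2023, 1, 10), date(2024, 2, 1), response="mitigate: offline backups, network segmentation"),
    RiskEntry("R-2", "Phishing leading to payroll fraud", "financial", 4, 3, "CFO", date(2023, 6, 1), date(2023, 9, 15)),
    RiskEntry("R-3", "Guest data breach via third-party booking vendor", "compliance", 2, 5, "DPO",
              date(2022, 11, 2), date(2024, 3, 1)),
]
```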
Obstacles to Integrating Cybersecurity Risk into Traditional ERM
Recognized shortcomings in integrating cybersecurity risks make tackling this topic a daunting effort. But the result is still valuable to decision making. One of the top challenges is the lack of standardized measures for digital assets. While there are some low-level measures established (such as estimated likelihood and impact of a specific software vulnerability being exploited), there are no standard measures for most aspects of cybersecurity risk. This makes it difficult to analyze risk or express risk in comparable ways across digital assets.
Another challenge is the inconsistency of informal risk analysis. Inputs for likelihood and impact are generally left either to the discretion of vendors, who supply their own scoring systems, or to an individual’s instinct and knowledge of conventional wisdom and typical practices.
Potential Outcomes
The outcomes of an enterprise risk management process that integrates cybersecurity risk management include improved communication across business functions and departments, awareness of opportunities as well as potential negative impacts, and, best of all, better decisions that benefit the organization’s bottom line.