Well, the first word in the headline is not a foul word in any Indian language. It simply refers to yesterday’s Blue Screen of Death (BSOD) incident, which has given us shocking lessons on enterprise risk. The incident highlights the fragility of our digital dependencies and underscores the pressing need for a more rigorous approach to Enterprise Risk Management (ERM). Historically, risk management has been relegated to a checkbox exercise, often deferred and addressed superficially in management presentations to the Boards.
According to the World Economic Forum’s Global Cybersecurity Outlook 2024, 39 per cent of surveyed organisations have faced significant cyberattacks, with third parties being responsible for 41 per cent of these incidents. The report also notes the dual nature of emerging technologies like artificial intelligence (AI): while AI can enhance defensive capabilities, it also exacerbates threats such as phishing, malware, and deepfakes. Only a small fraction of organisations believe AI will tilt the balance in favour of defenders in the near term. Furthermore, the shortage of digital risk skills remains a critical issue, with only 15 per cent of organisations optimistic about future improvements in cyber risk education and skills.
The CrowdStrike debacle underscores the need to assess ‘secondary’ or ‘compensating’ risks—those that arise as direct consequences of implementing risk mitigation actions. This concept, similar to ‘side effects’ in medicine, must become a standard part of risk management. Understanding these secondary risks is crucial for anticipating and mitigating potential adverse outcomes from risk management strategies.
Incorporating ‘Risk Velocity’ into the ERM process is another vital step. Risk velocity refers to the speed at which a risk event can impact an organisation. Prioritising risks based on their potential speed of impact allows organisations to better prepare for high-speed, high-impact events. Given today’s rapid technological evolution, the gap between risk emergence and its potential disruption is increasingly narrow.
The core of ERM should be a culture that continuously questions ‘what can go wrong’ with every decision. The BSOD crisis reveals a significant flaw in this approach: the failure to adequately anticipate and assess the downsides of large-scale security updates. This situation demands a more rigorous risk assessment, including scenario analysis, stress testing, reverse stress testing, and impact forecasting. Utilising tools like Failure Mode and Effects Analysis (FMEA) and conducting comprehensive impact assessments are essential for identifying potential failure points and strengthening resilience.
Furthermore, fostering a risk-aware culture ensures that all stakeholders are aligned in their approach to risk identification and mitigation. This cultural shift is vital for bolstering organisational resilience. The recent crisis also exposes a governance gap: regulators and governments have repeatedly failed to effectively manage these risks despite numerous tech outages. This regulatory shortcoming highlights the need for more proactive and comprehensive oversight.
As digital reliance grows, so does the potential for severe disruptions. Corporate India must focus not only on current risks but also engage in forward-looking scenario planning to anticipate and prepare for future uncertainties. This proactive approach involves evaluating various potential scenarios, including those related to technological advancements and geopolitical shifts.
Questions Boards should ask:
1. How do we currently identify and evaluate not only inherent and residual risks but also secondary and compensating risks in our risk assessment framework, and what improvements are needed?
2. What specific technologies and processes are we using to integrate AI and machine learning into our risk management, and how are we addressing the new threats these technologies could pose?
3. What are the details of our backup and disaster recovery plans, how frequently do we test them, and what were the results of our most recent tests?
4. How do we assess the speed at which potential risks could impact our operations, and what are the established procedures for rapid response to high-velocity risks?
5. What training and communication strategies are in place to promote a risk-aware culture across the organisation, and how do we ensure that all departments are effectively engaged in managing digital and cyber risks?
Testing digital and cyber risks for resilience is crucial. As outlined in the IRM’s Cyber Risk Resources for Practitioners, organisations should regularly perform penetration testing to uncover vulnerabilities throughout their value chain, including their own Business Continuity Plans (BCPs) and those of their third-party vendors. Leveraging real-time threat intelligence is essential for staying informed about emerging threats, while evaluating team capabilities against rapid technological advancements is equally important. Red teaming exercises, which simulate sophisticated attack scenarios, further bolster defences. Continuous monitoring allows for the prompt detection of anomalies, and frequent incident response drills ensure readiness and effectiveness. Adopting these comprehensive strategies will help organisations better anticipate, identify, and mitigate potential cyber risks, thus enhancing their overall resilience.
Checklist for CXOs
1. To build risk resilience, companies should conduct comprehensive risk assessments by engaging in thorough scenario analysis, stress testing, and reverse stress testing. This process involves identifying and evaluating inherent, residual, secondary, and compensating risks. Employing tools like Failure Mode and Effects Analysis (FMEA) and impact forecasting can help pinpoint potential failure points.
2. Incorporating risk velocity into the risk management process is crucial. Organisations should prioritise risks based on the speed at which they can impact operations, developing rapid response plans for high-velocity risks to minimise disruption. Regular updates to risk velocity assessments are essential to account for evolving threats.
3. Implementing robust backup and recovery plans is fundamental to resilience. Regular testing of backup systems for critical data and operations ensures their effectiveness. Redundancy in IT infrastructure is necessary to prevent single points of failure. Additionally, a clear disaster recovery plan, including communication protocols for all stakeholders, should be developed and maintained.
4. Strengthening cybersecurity measures is vital. Regular updates and patching of software protect against vulnerabilities. Conducting frequent security audits and penetration testing helps identify and mitigate risks. Implementing multi-factor authentication and robust encryption protocols adds an extra layer of security.
5. Cultivating a risk-aware culture within the organisation is essential. Training employees on risk identification and response procedures is a key component. Fostering an organisational mindset that continuously asks ‘what can go wrong’ with every decision helps ensure proactive risk management. Alignment and communication among all departments regarding risk management strategies are crucial for overall resilience.
Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of the publication