Senior teams across the globe confront two stark and often contradictory facts as the information flowing to the average employee doubles every two years. On one hand, this abundance of information promises sharp gains in productivity and intelligence as employees and companies work “smarter.” On the other hand, this abundance of information, distributed across a widening – and socially linked – employee footprint, creates an array of risk management scenarios. Almost every category of corporate risk – from protecting intellectual property, to safeguarding customer and employee information, to preventing insider trading – becomes infinitely more challenging against this backdrop. And corporate leaders don’t have the option of opting out of either of these challenges.
In this quarter’s edition of CEB’s Executive Guidance, we outline how companies should redefine their approach to information risk management in order to maximize the business value of information. The recommendation still relies on risk managers to identify risk, but instead of defaulting to “no,” it encourages them to help the business line understand the implications. Understanding both the hazard and the benefits enables the line to take ownership over their own information and guide decision making to balance growth and risk.
Maximize the Business Value of Information
Traditional approaches to managing information risk have not kept pace with the rapid changes in the business and technology environment. These outdated practices are not doing enough to manage risk. Moreover, these legacy practices are creating friction: hurting the ability of the business to use and leverage information, derailing innovation and critical business initiatives. Ironically, CEB research suggests that the cost of this friction is actually higher than companies’ residual information risk.
A key root cause of this friction is that all too often risk reduction is confused with risk management. The dominance of risk reduction in a company’s approach to information risk coincides with overly siloed roles and an adversarial relationship between the business line and the professional risk managers. The way this typically presents is as follows:
- The business line’s role is seen as making money and growing the business. Business leaders often chafe at activities that they believe blindly seek to reduce all risk—especially when those risks feel esoteric or unconnected to their key objectives. As a result, they often fail to consult with, or actively avoid, risk managers, leaving the risk managers unaware of potentially huge risks.
- The risk managers’ job is to reduce the risks arising from the business’s use of information. Inevitably this ends in misaligned incentives and damaging misperceptions. The personal and professional consequences of an information breach fall more heavily on the risk managers. As a result, they seek to reduce risk without necessarily balancing it against an understanding of the countervailing business reward. At the extreme, their preferred policies are seen as overly restrictive and rigid, failing to reflect the reality of how work is done.
This mismatch in goals – and the resulting misalignment in risk appetite, priorities, and practices – is what causes much of the unnecessary friction in the business. Making risk-adjusted business decisions requires both business leaders and risk managers to have a common understanding of the risks the firm is willing and unwilling to take with its information. To facilitate this common understanding, companies must do two things:
- Task senior leaders with refocusing organizational priorities on maximizing the business value of information by balancing risk and reward:
  - Develop and socialize a formal statement of the corporation’s risk appetite.
  - Redesign information risk assessments to incorporate business objectives at their core.
  - Revamp information and technology use policies to allow “guided” decision making by employees.
- Make the business line accountable for information risk management decisions:
  - Educate and enable line leaders in their new role and teach them how to make balanced risk decisions.
  - Make subject matter experts and risk managers accountable for managing (and coordinating) the processes—not the decisions.
  - Focus risk manager responsibilities on key process steps where their expertise is required.
  - Restrict the use of steering committees and focus on integrated process management.