Enterprise Risk: What if vs. What is


Risk Management experts suggest that 70% of an organization’s value is tied to their brand and reputation.

Plenty of things can damage your company’s reputation: social media indiscretion, nasty front-line salespeople, a product defect, etc. On the IT side, our enemies are downtime, slow performance, and information security breaches. Those are the things that corrode customer confidence and embarrass your brand. And yet, it keeps happening.

Industry and mainstream news were coloured with high-profile stories of huge companies (Home Depot, Target, the US Postal Service) scrambling to contain information breaches and save face this past year. It makes you wonder: are they doing enough to prevent these incidents? Maybe not. In the mid-market sector, studies show that disaster recovery (DR) and security are chronically underfunded and underappreciated at the boardroom table. So why do executive teams seem to marginalize investment in security and DR if they are so important to the life of the brand?

I think it comes down to the way we deal with “what is” and “what if” scenarios.

If you have limited time and money, you need to invest in the sure bets. You know your servers are going to die eventually. You know that your software licenses expire next year. These are clear “what is” issues with clear and real consequences for not acting. And more importantly (for the CFO), these things are tied to a clear and real “what is” dollar figure required to fix them. But now consider the CFO’s thoughts when she weighs the “what if” of someone hacking your network and snatching a bunch of client data. How much is preventing that worth? What if it was only a few customer profiles that got stolen? What if everything was leaked… including your HR and payroll info? What do we spend to prevent that? How likely are these scenarios? All these uncertainties make your head spin. I don’t envy the CFO. Sure bets are easy, what ifs are hard.

Times are changing. There are plenty of tools (risk assessment frameworks, downtime calculators) and plenty of opportunity to help educate the executives.

As IT carves out a bigger place at the strategy table, you can raise awareness and help your colleagues make sense of the uncertainty. More importantly, you can paint them a picture of what could be – and THAT is what inspires commitment and investment.
