As we settle into hybrid work, it’s essential that organizations prioritize and carefully consider the risks involved with these new ways of working.
While we now know much work can be done from home, few leaders want their teams to stay fully remote. According to PwC, three days per week in the office is emerging as the optimal setup. With a permanent hybrid model, there will be lasting changes to digital operations, including increased digitization of processes. Many organizations haven’t fully thought through the implications of emerging risks associated with these new ways of working, creating a daunting landscape to navigate.
In a recent global survey conducted by OCEG, Modernizing Operational Risk Management, risk professionals identified the top areas of digital transformation impacting their risk profile:
- New employee engagement models, such as social media, are increasing digital and privacy risks.
- Evolving regulations – regional and global – are increasing scrutiny on data protection, data handling, and health and safety programs.
- Increased cybercrime exposure is coming from digital infrastructure, services, devices, apps, and third-party dependencies.
- New business processes introduce unknowns and put pressure on areas of the system that weren’t designed for them.
These are long-term changes that represent both a requirement and an opportunity for more effective risk management to be baked into return to work and digitization efforts. IT professionals must identify and manage new IT and operational risks. For instance, IT will be involved in gathering employees’ personal health information, office work schedules will fluctuate, and executives may consider monitoring remote workers’ productivity.
Most enterprises are not prepared to face these new risks. Multiple siloed technologies, manual processes, and poor integration inhibit IT’s ability to fully support their organization’s evolving risk profile.
Here are four ways IT practitioners can reduce their risk exposure in an era of hybrid work.
1) Break down organizational silos with clear guidelines for risk identification and assessment.
Organizations should have a clear set of documented, mature guidelines and methodologies that allow them to confidently identify and assess risks across the enterprise. This includes using frameworks to help normalize, benchmark, and apply a consistent strategy across individual risk requirements. Additionally, formalized plans and policies help liberate employees from the tedious aspects of risk management to enable them to do their jobs better, with more satisfaction.
There are many technology risk frameworks available in the market, such as NIST, ISO, and others. Risk frameworks like these provide the appropriate governance structure and processes, with well-defined roles, responsibilities, and reporting lines. These frameworks establish standards in areas such as:
- Risk identification – surfacing relevant threats, vulnerabilities, compliance issues, and other potential disruptions or areas of exposure, including changes in business strategy, IT systems, environmental, or operating conditions.
- Risk assessment – characterizing the potential impact and likelihood of threats and vulnerabilities to the organization and its information assets.
- Risk treatment – implementing processes and controls to manage technology risks posed to the organization to protect the confidentiality, integrity, and availability of information assets.
- Risk monitoring, review, and reporting – guidance for collecting, evaluating, and communicating risks and trends to stakeholders such as the board, regulators, and auditors.
Formalizing risk management processes and procedures across the enterprise ultimately creates faster avenues to resolution in the event of a risk incident, as well as ensures consistency given all teams are referring to the same guidelines. This is incredibly important, as organizations are still uncovering new risks while employees return to the office.
2) Deploy the right solutions that connect risk data, tools, priorities, context, and decision-making.
To do this effectively, organizations should look towards risk management solutions that offer robust cloud capabilities and understand business impact. Using the cloud for risk management helps consolidate multiple streams of data from across the business while allowing better integration capabilities for third-party apps and data. Quick access to reliable data is essential to achieve business agility. It helps IT teams make informed decisions in real time as issues of risk arise.
For example, managing the influx of personal technology devices and solutions amongst remote workforces has become one of the biggest challenges for IT teams in our new world of work. Employees have invested in their own tools to be more productive while working remotely and will bring those tools – both software and hardware – back to the office. We will never return to a network bound-driven security model.
When unaccounted for by IT, many of these assets expose organizations to security and compliance risks. Overseeing application, access, and device usage through an integrated data model enables organizations to gain visibility into what devices are on their network, which apps are in use, and sensitive data. With visibility, you can create strict guidelines for personal device usage and implement technical controls for monitoring and managing the potential risk.
3) Ensure that all risk management actions are timely and measurable.
To make sure your organization is achieving the desired results when it comes to risk management, business leaders should set measurable goals. Setting predetermined time requirements and metrics enables teams to keep track of their progress and can signal when teams are missing their mark. Each risk should be assigned a risk tolerance or the maximum risk an organization is willing to take for each type of risk. These tolerances are then monitored using key risk indicators (KRIs), which are metrics used to assess and measure a possible risk.
4) Establish reporting and communications that are standardized and reliable.
Organizations must create standardized methods of data collection and collation to consistently understand and share accurate updates on their risk posture. Standardized processes can then be automated, instrumented for thresholds of concern (for compliance or other risks), and monitored by technology. Typical organizations save days and weeks in reporting to executives, stakeholders, auditors, and regulators.
Teams are freed up to focus on higher priority tasks where the human touch is truly vital. Key constructs used in standardized reporting and communications include:
- Risk register – information about each identified risk, such as risk owner and mitigation.
- Risk appetite – the level of risk an organization deems acceptable.
- Risk taxonomy – a comprehensive, stable, and reusable set of risk categories that can be applied universally across the organization.
- Business impact – how critical is the asset or process at risk.
In doing this, teams can create more awareness for risk throughout departments and encourage employees to become more vigilant for incidents that expose the organization.
Achieving business resiliency through risk management
Establishing a clear, enterprise-wide risk strategy, keeping the above guidelines in mind, lays the foundation for an agile risk system to proactively address risks in real time. They create reliable and standardized processes for risk management that remove hesitation teams may have when resolving an issue, enabling them to act fast with confidence.
As we settle into hybrid work, it’s essential that organizations prioritize and carefully consider the risks involved with these new ways of working. Risk management is an organization’s first line of defense for mitigating major business disruptions. As we saw during COVID-19, many organizations were left exposed to downtime, loss of revenue, and more.
Identifying and planning around risks in our new world of work keeps organizations protected in the face of another disruption and supports business continuity. By investing in risk management as part of digital transformation initiatives, you are more likely to identify, monitor, and manage risks cost-effectively and set up the resilience required for the future.