Drivers like compliance and cyber liability are affecting the way organizations think about risk management and rely on trusted partners like MSPs to help them manage it. In this episode of the Insider series, I sat down with Ben Tercha, VP of Operations at Omega Systems, to discuss industry drivers, insurance requirements and how formalizing an internal risk committee can help ensure risk management processes run smoothly.
James Mignacca (JM): What are the current trends in risk management and what is the role of MSPs?
Ben Tercha (BT): The volume of inquiries about risk management and the level of detail that customers and clients require has increased over the years. Our customers, especially in vertical markets with many regulatory requirements, are becoming more and more demanding. You need to ask these questions when working with a provider like an MSP that has access to the network.
Risk management has evolved to a level at which companies ask their suppliers process-related questions. They ask their vendors about their risk management policies, their risk register, and how often they assess risks. This happens a lot with our financial institutions and banking customers – they ask us questions regularly because they want to follow some kind of process themselves, but also want to do some kind of due diligence and supplier management.
JM: What drivers do you see affecting risk management? Is it conformity? Is it due diligence?
BT: Risk management is more of a compliance activity. It is a bank accountant or insurance agent who initiates the conversation. Cyber liability extensions are a key driver behind these questions and discussions.
We don’t see many clients who want to do what I call risk transfer or where the client wants us to take over their entire risk management strategy. They continue to run internal processes and have committees to support them. We’ve sat on committees for customers to make sure they assess risk with software, how they mitigate risk, and what they will do if the software fails. It’s kind of like your business continuity and disaster recovery (BCDR) strategy, but instead you focus on the risk side of the business.
JM: That’s interesting because of course different industries have different drivers, especially in finance and government. Do you find that clients’ risk profiles differ depending on their industry or what they want to get out of a risk management exercise?
BT: There’s a common theme across all clients – it’s probably a gradient scale. Financial institutions and large, potentially publicly listed companies have their own regulatory requirements, so there is a high interest in risk management.
Large insurance providers have a vested interest in risk management and in particular how we as an MSP support the customer. You want to understand what services we offer and what happens when our services or employees are not available – what kind of risk does this situation create? They want to know if our mutual customer is calling our service desk and the phone system is down or our agents are unavailable. What does that mean? How is this affecting business?
JM: If a client comes to you and (arguably) does nothing on the risk management side, what is their starting point? How do you lead them?
BT: It’s an ongoing process. Clients who don’t have a risk management framework in place today are wondering how and where to start. This process begins with creating a risk management policy that is unique to the organization and outlines anything that could disrupt business operations. The next step is to develop a risk committee.
JM: Does the risk committee include different people within the organization?
BT: Board members do not attend risk committee meetings, but you may have an executive who sits on the board and reports to the board, which then participates in the process by chairing the risk committee or leading the process itself.
The committee includes people with diverse perspectives and business knowledge to ensure the company can fully identify physical, software, vendor and people risks. It takes a lot of brainstorming to closely examine probabilities and consequences of risks across the spectrum.
Some risks cannot be prevented. It’s about being prepared to react when an event occurs. You are never 100% sure and that is the reality. So, as a leader, you must select a threshold that the organization deems acceptable in terms of risk and take mitigation actions if and when an event occurs.
The key is to ensure the quarterly cadence. There are always new ways to better protect and isolate ourselves. This is the constant evolution of risk management – it never stops.
*** This is a Security Bloggers Network syndicated blog from Cavelo Blog and a press release written by James Mignacca. Read the original post at: https://www.cavelo.com/blog/insider-series-how-risk-management-committees-can-support-compliance-and-insurance-requirements