Redefining Risk
   

REDEFINING RISK: Move Over Liability, Here Comes An Asset

By Deborah Wallace

Today’s most successful businesses understand that defining and managing risk go far beyond a mandate for compliance. Rather than coping with risk as an inevitable drain on resources, these companies understand that risk, strategically managed, has potential as a source of competitive advantage. One reason that the CEOs, CROs, CIOs and boards of these businesses are able to entertain such a counter-intuitive view of risk is that they have an integrated view of their organizations’ functions and processes. They see their organizations as systems in which one compromised function can easily lead to another and ultimately to failure in meeting both short- and longer-term goals.

The ability of the most forward-thinking executives to view risk as a possible source of competitive advantage also lies in their ability to anticipate consequences and outcomes of future events. Wayne Gretzky, one of the greatest hockey players of all time, understood how important this was to his success. “A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.” His observation easily translates to one of the most fundamental principles of a well-run business: keep your eyes ahead while your nose is to the grindstone.

Examples of how misguided risk management methods in a single organizational function can ripple across the organization abound. The rash of recent high-profile IT security leaks in financial institutions provides a disquieting example of the consequences of shortsighted and narrowly focused risk management. The findings of a risk management survey conducted in 2007 by EMC’s Security Division, RSA, produced some sobering results. (1) One troubling but not so surprising finding is that only 19% of respondents understand that perimeter security is no longer an effective model for protecting their banks’ vast and complex information systems. Perimeter security provides only a single level of security and represents the most traditional “boundary” model of safeguarding information. It is a model that supports a silo view of organizations, and therefore one that will always fail to locate the most problematic and common areas of security breaches – those at the intersections of an organization’s functions. While there is no hard data to support it, I think we can comfortably assume that perimeter security is not an extant model for CEOs, CIOs or CROs who manage risk systemically.

While one aspect of risk management will continue to be defined as the avoidance of threats to the success and integrity of a business, another will be defined as a potential source of competitive advantage. Perhaps more than the ability to view an organization as an interdependent system, the ability to anticipate outcomes is key to leveraging risk for competitive advantage.

Leveraging risk for competitive advantage begins with the proper assessment, measurement, and monitoring of risk, activities routinely conducted to satisfy compliance standards. These activities also provide invaluable data about the environment, internal and external, in which a business operates. With the increasingly sophisticated modeling and scenario-planning capabilities of today’s information technology, this same data is the foundation for strategic decision-making and ultimately for achieving and maintaining competitive advantage.

 

 

(1) The RSA Information Risk Management Survey, conducted by Datamonitor, October 2007. The goal of the research was to understand how banks manage information risk “in a climate where high profile security breaches occur on a weekly basis. . . .”

   
 
   
       
 
   
© 2009, BrinkPoint Consulting. All rights reserved.