
EIU DIGITAL RISK

Digital risk: The challenge for the CRO. An Economist Intelligence Unit white paper sponsored by Ace, Cisco, Deutsche Bank, IBM and KPMG.

Preface

Digital risk: The challenge for the CRO is the third in a series of reports from the Economist Intelligence Unit's Global Risk Briefing, a research programme targeted at senior executives responsible for managing corporate risk. James Watson was the author of this report, and Gareth Lofthouse was the editor. The Global Risk Briefing is sponsored by Ace, Cisco, Deutsche Bank, IBM and KPMG.

The research for this paper is based on a survey of 218 senior risk managers, as well as interviews with senior risk managers and information technology (IT) risk managers. The Economist Intelligence Unit bears sole responsibility for the content of this report.

Our thanks to everyone who shared their time and insights in this report. We are also grateful to the Professional Risk Managers International Association (PRMIA) and RiskCenter for their help in reaching CROs and other risk managers to support this research.



Transcription of EIU DIGITAL RISK


September 2005. The Economist Intelligence Unit 2005.

Executive summary

Digital risk, a term describing the risks arising from increased dependency on information technology (IT) systems and digital processes, has become a major challenge for risk managers today. As firms have implemented complex IT systems to automate much of their businesses, so the risks associated with those systems have risen, ranging from system failure to data leaks and electronic security breaches.

Managing those risks creates several new challenges for chief risk officers (CROs). First, most senior risk managers don't have a technology background, so managing digital risk requires tight collaboration between the risk and IT functions. Second, the same technology that enables firms to digitise their business processes also allows criminals and insiders to commit new forms of fraud and theft. Third, new technologies create new threats, requiring firms constantly to reassess and adapt their strategy for managing digital risk.

This report focuses on the challenge of dealing with the risks posed by the increased dependency on digital interactions and processes. It draws on a survey of senior executives from a cross-section of industries, as well as interviews with senior risk managers. This research sheds light on why IT has become a major source of risk, and on what professional risk managers are doing about it. The report includes the following main findings:

IT risk is now a board-level issue. IT risk is one of the most significant threats posed to companies' global business operations today, with 48% of risk managers saying it represents a high or very high threat to their businesses. IT is now sufficiently important in more than one-third of firms to require close oversight from the chief executive officer (CEO). Although the chief information officer (CIO) remains the primary person responsible for IT risk in most companies, one-third of CROs now spend at least 15% of their time dealing with it, according to the survey.

Digital threats are putting companies' reputations and customer relationships at risk. One-third of respondents say their firms have suffered significant financial damage as a result of electronic security breaches, such as hacking, in the past year; 18% don't know if they have or not. Almost 60% have incurred financial losses as a result of major system failure and downtime over the past year, with nearly one-quarter experiencing three or more such outages over the same period. Executives in the survey say they most fear the impact of such problems on their relationships with customers, along with damage to the reputation of their firms.

The enemy is becoming more sophisticated. More than anything else, executives worry about the growing sophistication of hackers and other cyber criminals. Fully 55% of respondents cite this as a major difficulty in managing digital risk. The emergence of new, organised attacks on corporate targets, combined with increasingly professionalised hackers, means the cost of security breaches will continue to grow.

Mobile workforces are expanding the boundaries of risk. Senior risk managers say remote working, wireless networking and related technologies such as Internet-based telephony are all adding significantly to their firms' exposure to electronic threats. Fully 57% say rising levels of remote working are adding to the overall risk levels faced by their companies. Traditional security solutions, such as electronic firewalls, are becoming less effective as more employees interact via open networks and carry sensitive data on portable devices.

Outsourcing is adding to the burden. IT outsourcing, especially when it is directed overseas, is significantly increasing companies' exposure to risk, bringing new complexity to the challenge of managing digital risks. In the survey, 42% of respondents say it adds some level of risk to their firms' overall exposure. Consequently, 69% of CROs are now involved in the selection of an outsourcing provider, while 38% have a significant involvement in the matter.

CIOs and CROs must clearly stake out their roles to deal with IT risk most effectively. There is a grey area between the responsibilities of the CRO and CIO in dealing with IT risk, partly owing to the complex nature of technology and the challenge of communicating technical issues. Two-fifths of risk managers rate their understanding of IT risks as moderate or poor, and 42% cite poor communication between the IT and risk functions as a significant difficulty in managing technology risk. But leaving digital risk entirely to the IT department is not advisable: 48% of respondents say that one of the chief difficulties in managing IT risks is over-reliance on IT management to come up with effective risk management solutions. As firms place more reliance on IT, it will be in their interest to ensure that the company's risk specialists understand their respective roles in managing digital risks.

Survey and ranking methodology

The findings in this report are based on a survey of 218 senior executives responsible for managing risk; 32% of the participants were based in the US, 33% were based in Europe, and 24% were based in Asia-Pacific. All survey findings in this report and press release are drawn from a survey conducted in August 2005. Of the companies participating in the survey, 40% were from the financial services sector. Respondents from 16 other industries participated in the survey, including professional services, IT and technology, manufacturing, energy and natural resources, and entertainment, media and publishing.

Introduction

Over the past decade IT has become inseparable from the way companies conduct their business. Money has been poured into IT systems to digitise finance and accounting systems, enterprise resource planning, human resources and every other element of the business. Few firms are able to ignore these advances, for fear of losing competitive advantage to nimbler rivals.

But these tremendous innovations bring with them a diverse range of threats, threats that evolve and proliferate with every new technological advance. The relatively new phenomenon of phishing, where criminals create precise copies of a company's website and then convince unwitting customers to enter their password and account details, is just the latest addition to an array of digital evils ranging from viruses to so-called denial-of-service attacks. Add to this non-malicious sources of IT risk, such as the damage caused by system failures or accidental disclosure of sensitive data, and it is clear that IT risk now constitutes a sizeable risk domain in its own right.

It's a trend that risk managers are still coming to terms with. Three years ago IT risk was seen as part of the IT function, says Paul de Hoest, CRO at Egg Bank in the UK. Risk didn't have an overriding role to play, so the IT function focused on developing the next project. There's no doubt that there's been a big change, he adds.

Chart: How significant a threat do the following risks pose to your company's global business operation today? (% respondents who see items as high or very high risk)

Reputational risk (eg, events that undermine public trust in your products or brand): very high 12, high 38
IT network risk (eg, network security breaches, IT systems failure): very high 7, high 41
Foreign exchange risk (risk that exchange rates may worsen): very high 15, high 33
Human capital risks (eg, skills shortages, succession issues, loss of key personnel): very high 11, high 34
Regulatory risk (problems caused by new or existing regulations): very high 11, high 33
Country risk (problems of operating in a particular location): very high 7, high 33
Credit risk (risk of bad debt): very high 12, high 26
Market risk (risk that the market value of assets will fall): very high 8, high 30
Political risk (danger of a change of government): very high 5, high 29
Financing risk (difficulty raising finance): very high 11, high 21
Terrorism: very high 7, high 22
Crime and physical security: very high 3, high 25
Natural hazard risk (eg, hurricanes, earthquakes): very high 3, high 17

Source: Economist Intelligence Unit, 2005.

Angus Burden, director of IT security at Barclays Bank and the person responsible for assessing IT risk within the business, agrees. Three or four years ago, IT was one of those 'yes, it's important' functions, but it didn't have the visibility it needed. But new regulations, cyber-crime and the increasing use of technology as a factor in the race for competitive advantage have brought IT risks to the forefront, he says.

executives in the survey incurred at least one major system failure or downtime. Firms are also having to battle with internal damage to or misuse of data or IT systems. Nearly 40% reported incidents of this nature.

There is also evidence that electronic crime is becoming more commonplace and professional. About one-third of survey respondents experienced a breach of their systems as a result of some kind of hacking or

