Wouldn’t it be great if someone invented a chip that tells you when to go to the dentist? That way, if something starts developing that could later be deeply damaging, you get a signal, months before real damage starts, that tells you to get in that chair. I guess you could always go to the dentist every day—but of course, you can’t. No one would. But that tiny harmless chip could alert you that something’s going wrong, before things start hurting. It would be such a neat way to manage risk. Continuously. Cue the concept of a continuous risk management process.
Onto our topic for today, although not with regard to, uh, teeth. A couple of months ago we talked in this space about responding to risk. We believe in talking about risk because we believe in doing something about it. But like going to the dentist, talking about risk isn’t as popular as you’d think.
Well, filling a cavity is better than getting a root canal. Businesses are often reluctant to talk about risk until they need Compliance certifications that require risk management. One day they realize their business’s growth requires Compliance with PCI DSS, which mandates internal vulnerability scans at least once every three months (see Requirement 11.3.1). Or they need to comply with SOC 2 or ISO 27001 to stay competitive, and those frameworks also require ongoing risk monitoring and management.
So the need to pass an audit or get a certification is the reason many businesses start to perform annual risk assessments.
Of course, that risk assessment gives value to the business beyond the piece of paper that may have motivated it. Let’s say you go once a year to control owners, executives, and whoever else you need to talk to, and ask, “What are the risks you see to our business?” And from talking to these stakeholders, you amass a list of risks, together with their potential impact and their likelihood, and you get a sense of how to prioritize the risks. Now you know what potential problems are out there, and where to invest in risk mitigation.
Why should risk management be a continuing process? Well, if you do a risk assessment just at one point in time over the course of the entire year, your business benefits. But if instead you did that on a quarterly basis, or even a monthly basis, you would get a fresher signal from stakeholders; the information would be more relevant and you would have a better chance to respond meaningfully. Like if you went to the dentist every month, your teeth would be in perfect shape, guaranteed. And if you went every day? Ahhh…never going to happen. That’s why I want that mythical chip that gives an alert as soon as it detects a problem. So much for teeth. But—segue approaching—when it comes to Compliance, risk is a different story. There are systems that allow you to implement ongoing risk management—using automation. Let anecdotes, leaders in Compliance automation solutions, explain.
A continuous risk management process enables you to:
If ransomware attacks are on the rise, your business needs to know about it sooner rather than a year later. Or think of Covid: With all the risks it posed (and still poses) to business, on so many levels, more businesses see that the only way to not be hopelessly behind in assessing risk is through continuous risk assessment.
What if you have controls that were put in place in response to a risk assessment, but your subsequent risk assessment shows that residual risk didn’t go down despite the controls? Now consider how you could have better responded if you’d known this sooner. Continuous risk monitoring can give you up-to-date data at any time, to tell you whether your investment in controls is working—so you can course-correct earlier.
Maybe “love” is a strong word. But maybe not. Quantifying risk depends on data. When you get data more often, you can quantify risk better and prioritize risk more accurately. You can then take your recommendations to leadership and help them decide which risks, based on dollar value, warrant their attention and funding. And through data-driven risk management, you build alignment with leadership by showing them you understand what’s important to the business. So the continuous risk management process lets you help your business make better decisions, and demonstrates your value to leadership.
If you’ve just skipped to the end and you decide to tell leadership to implement continuous risk management because everyone does it, you won’t convince leadership to invest. (I can hear the conversation: “We need controls and they need to be really good.” “What controls? How good?” Crickets.) Instead, show leadership the value of taking practices you’re already doing—annual risk assessment and response—and implementing a continuous risk management process. Show how identifying risks earlier allows more timely risk quantification and response; show how continuous, data-based information on the effectiveness of controls helps the business put its money where it’s needed. The key: Show the dollar savings that are at stake. If you can present that argument to leadership, you’ll have their attention.
Not every risk poses an existential threat, but some do. How do you know you’re actually taking steps that are reducing that risk? Through continuous monitoring of your risk, you’re learning about new risks constantly, and you’re getting a sense of where investments that respond to risk are working and where you need to lean in more. Sure, if you only review risk on an annual basis, you do get a sense of where you stand at that time. But why not take advantage of automation and have access to risk intel all the time?
Instead of just getting the one snapshot, you can leverage your risk management to bring you much greater value, without spending much more time per day. With a data-driven, evidence-based, continuous risk management process, such as those offered by anecdotes, you can get a clearer signal about current risks and what to do about them. Give your business the best chance to mitigate risk before real damage happens.