Corporate risk managers don’t grasp the risks associated with technology, and their companies lack the means to prevent bad things from happening.
That’s the finding of a recent survey of executives at 1,500 companies in the U.S. and Europe, released by the St. Paul Companies, a Saint Paul, Minnesota-based business insurer.
Four in 10 risk managers admit they have a “fair” to “poor” understanding of technology risks, according to the survey, which polled 1,350 corporate risk managers and 150 U.S. insurance agents and brokers. Only about 10 percent of the risk managers say their understanding is “excellent.”
Just 25 percent of the companies surveyed had risk management committees or other formal structures to identify and monitor technology risk, the survey found. Of those companies with such a committee or other formal structure, only half deemed it effective.
Technological risks, including computer, Internet, and E-commerce risks, were rated as a top priority by the survey respondents, just second to employment-related risks.
“Exposures involving intellectual property, privacy and first-party risks from computer fraud, business disruption, and denial of service pose significant financial risks to companies doing business on the Internet,” Kae Lovaas, a technology vice president with the insurer, says in a St. Paul release.
But risk managers don’t have to be technology whizzes to effectively manage the technology risks of their organizations, says Susan R Meltzer, assistant vice president of insurance and risk management at Sun Life Financial, a financial services organization in Toronto.
What’s important is that they know who does have that expertise and then include that person in a risk management committee, which should be run by the CFO or the corporate risk manager, Meltzer tells CFO.com.
Rather than put just one person in charge of managing risk, however, the trick, says Meltzer, “is to get all of that corporate knowledge in a room together in a common structure.” The representatives of many different corporate departments should take part in the committee’s efforts.
Companies that outsource a lot of their business functions should enable the outsourced workers to participate on the technology-risk committee, and form partnerships with them “the same way you would [partner with] internal people.”
Whether they realize it or not, many companies already have a good foundation for establishing an effective risk management plan for technology concerns, says Meltzer. For example, “a lot of information collected while creating [Year 2000] plans could be converted to respond to almost any technology risk,” says Meltzer.
Yes, says Meltzer, “technology issues are a very difficult risk to understand,” and the management of that risk will have to evolve with the technology changes. “But there is a pretty basic method of looking at ways to control risk,” she says.
During a risk management committee meeting, she advises, “try to strategically position your company in E-commerce, posing questions such as, `What happens if [we] don’t do it properly?'”
During the committee meeting, members should also employ “what-if” scenarios involving “pure technology problems” such as hackers, Meltzer thinks.
The key to preventing disaster from striking is to be the “pessimist” who imagines the worst possible scenarios and then designs a plan to defeat them.
Most important, says Meltzer, is to “keep the lines of communication open.” Ensuring the ultimate effectiveness and security of a risk management plan requires that everyone in the company—from entry-level employees to senior managers—be informed and understand the significance of a risk management plan, she says.