Integrated Risk Management in an Interconnected World

Author: Jannie Wentzel, CISA, CRISC, CA(SA) and Elissa McKinley, CRISC, CDPSE
Date Published: 14 February 2023

The past several years have reshaped supply chains, customer interactions and the manner in which employees work. We have moved beyond a mere digital world to an integrated ecosystem, and enterprises are now an interconnected web of technology, processes, staff and services.

This shift has also reshaped (and increased) the complexity and level of risk organizations face every day. In this integrated world, it is no longer enough for an enterprise to manage risk strictly within its own borders. To truly mitigate and manage risk, organizations must look beyond their traditional business process walls and at the ecosystem as a whole—the entire supply chain. To do this, risk management processes must change and be adapted to meet new risk and compliance requirements.

The State of Risk Management Today

The world is currently in the midst of the Fourth Industrial Revolution (4IR), during which technologies are fusing across physical, digital and biological domains. In this interconnected world, risk is no longer bound to traditional business structures, people and processes. It is the risk outside enterprise walls—within the supply chain, and at times, third- and fourth-party service providers—that needs attention.


While there are many examples of this in action, the 2021 grounding of the megaship Ever Given1 in the Suez Canal shows how business and process integration can severely impact enterprises if it is ignored. In a mere 6 days, the grounded Ever Given had an international impact, freezing as much as US$10 billion in trade every day that the ship was stuck.2 This catastrophe stemmed from a single ship blocking a canal, something that had happened 5 times before in the canal’s history.3 The Ever Given situation illustrates how third- or fourth-party risk can have dramatic impacts, because modern enterprises often rely on multiple parties to deliver products and services.

Technology Is Changing Risk Management

The new digital world has also resulted in the crowning of a new king: the cloud. It keeps people connected, enables transformation and agile working, and increases productivity. However, being in the cloud—or using a service hosted by a third-party provider—does not guarantee that the environment is safe. Many enterprises still have a “not my organization, not my problem” mentality. This attitude is dangerous and creates the perfect breeding ground for risk, because many potential external risk factors are left unaddressed until it is too late. The cloud can be a brewing storm for organizations that do not continuously verify and monitor their levels of security, mitigating potential risk sources as they are identified.


Technology shapes the customer experience, speed to delivery and services provided. This intermingled web relies on third-party and cloud-hosted services to survive. However, if organizations were asked what risk stems from these services (and what steps they have taken to mitigate this risk), most would not be able to provide answers.

While 88% of enterprises consider cybersecurity a business risk,4 there has been an increase in cybercriminals using third-party services for their attacks.5 This could take the form of something as simple as a ransomware attack or as serious as a patient’s pacemaker being hacked. Reliance on cloud and third- and fourth-party cloud-hosted services requires organizations and risk management professionals to consider risk on a much wider scale.

Is Integrated Risk Management Obsolete?

As the risk landscape changes and extends beyond traditional enterprise walls, it raises an important question: Are integrated risk management (IRM) practices obsolete?

While IRM enabled risk professionals to break down departmental silos and look at organizations as a whole, the risk landscape (and how business is conducted) has evolved. With more technology, vendors and suppliers, there is a need to take risk management controls a step further. Vendors and suppliers can no longer be managed at arm’s length.

To do this, risk professionals need to move into environments where they can work together with external stakeholders to manage and mitigate risk. Looking at the entire supply chain, it becomes clear there is a need to take risk management approaches to the next level and embrace a transformative approach to risk.

A transformative risk approach focuses on identifying, managing and mitigating risk across the entire ecosystem. By focusing on integrating risk management across the ecosystem and embedding it into processes, risk professionals are able to manage risk across the supply chain. However, it is not always easy to do this effectively without impacting productivity and the agility the digital world demands. This is especially true for industries such as healthcare, in which the quality of care is heavily reliant on healthcare vendors, suppliers and technologies.

Embedding a Transformative Risk Mindset

While digital advances have enabled the healthcare sector to enhance its level of care, the reliance on technology and third- and fourth-party providers has introduced new risk that goes beyond financial and reputational impact. In this industry, third- and fourth-party risk can impact patient safety.

To better identify and manage this risk, healthcare provider Advocate Aurora Health adopted a transformative risk management approach. Using this approach, the cybersecurity governance, risk and compliance (GRC) team introduced a new risk management process that incorporates stakeholders across the implementation process and integrates transformative risk management practices at all levels of the organization.

The secure solution development life cycle (SSDLC) process has enabled the organization to ensure that risk, compliance and security are assessed from concept to implementation and beyond. The same risk lens is applied to third- and fourth-party vendors and suppliers, ensuring that proper due diligence is performed while a solution is still in the assessment stages.

Using SSDLC, the organization is able to identify and address risk and security issues long before they become serious problems. SSDLC has also enabled regulatory and industry compliance requirements to be incorporated into each step of the enterprise’s procurement and IT processes.

The Aurora team has taken it a step further by applying this approach to its other risk, security and compliance frameworks, including monitoring activities. The result? Risk is continuously assessed, audited and reevaluated, enabling Aurora to reduce and mitigate risk across its supply chain. It has also been able to better vet third- and fourth-party solution providers and enforce security and risk protocols to stay in compliance.

By adopting this transformative risk management approach, the Aurora team has been able to break down internal and external silos and better manage risk as a whole. In turn, the organization has created a more agile approach to its risk management processes and contributed to a more secure (and compliant) ecosystem.

Stakeholders: The Key to the Risk Puzzle

To create a robust risk and governance framework, risk professionals must engage with stakeholders across all stages of business processes and beyond their own organizations’ walls.

As Aurora has showcased, GRC steps must be implemented at both the foundational and implementation levels to sustain a truly proactive risk management approach. The key: stakeholder engagement.

By engaging with stakeholders across the ecosystem, risk professionals can realize several benefits:

  • Enhanced governance processes
  • More refined risk management approaches
  • Thoroughly identified and incorporated compliance and regulatory obligations
  • Continuously improved processes

These accomplishments help shape risk processes, assessment criteria and risk management plans. In turn, risk professionals are motivated to work together with stakeholders (both internal and external) toward a common goal: reducing and mitigating risk across ecosystems.

While many enterprises such as Advocate Aurora Health are embracing more transformative risk management approaches, risk management practitioners have been left behind. It is time to break down our own risk management walls and start looking at the entire risk process. Otherwise, we run the risk of becoming stuck in our own risk management canals—with no way out.

Endnotes

1 BBC, “Suez Canal: Ships Stuck in 'Traffic Jam' as Salvage Efforts Continue,” 27 March 2021
2 Ibid.
3 Dzhanova, Y.; “The Suez Canal Has a Contentious History and Has Been Blocked and Closed Several Times Since Opening,” Business Insider, 28 March 2021
4 O’Driscoll, A.; “30+ Data Breach Statistics and Facts,” Comparitech, 4 January 2023
5 Ibid.

Jannie Wentzel, CISA, CRISC, CA(SA)

Is a thought leader in risk transformation, specifically integrated risk management processes and technologies. He advises clients on the development of risk and compliance processes, and on enablement through technologies to reduce complexities and minimize compliance cost. He is a frequent speaker at regional and national conferences and events.

Elissa McKinley, CRISC, CDPSE

Is a cybersecurity leader focused on GRC, framework and process building, secure solution life cycle development, physical site security and eDiscovery/incident investigations. She began her career in the background screening industry and eventually transitioned to healthcare. McKinley has more than 8 years of experience in cybersecurity, 5 of which are in healthcare. She currently serves as the ISACA® Milwaukee (Wisconsin, USA) Chapter vice president and director of SheLeads. She is currently employed by one of the largest not-for-profit health systems in the United States and is the director of the cybersecurity GRC team. McKinley can be reached on LinkedIn at https://www.linkedin.com/in/elissa-mckinley-233ab749/.