
Risk Awareness & Employee Feedback Mechanism Effectiveness Assessment
Many risks cannot be avoided completely. Despite an ever-expanding array of threats and a steady increase in protection spending, humans continue to be the weakest link in most organizations. Raising the Risk IQ of any organization or ecosystem is a difficult task. Many organizations rely on rudimentary, static content focused on compliance requirements to drive their employee and partner risk awareness programs. This approach provides little understanding of, or insight into, an organization’s risk appetite, tolerances, mitigations, and acceptable treatment options. The cultural aspects of risk treatment are often lost in program elements that focus too much on the ‘what,’ often expressed as ‘Do’s and Don’ts,’ rather than on the far more critical ‘why’ and ‘how.’ It is an ineffective use of time and resources to try to cover more than the most common and impactful risk scenarios in formal employee training. Nevertheless, developing a ‘Risk Aware’ culture should be an organization’s aspirational goal.

Many organizations view risk, cyber, and physical security awareness training as a required operating cost, and most finance professionals treat it as a mandatory expense to be minimized. Market leaders realize that time and money spent proactively educating key stakeholders on these threat vectors have a dramatic impact on their teams’ effectiveness in identifying risks and avoiding disruptive events. Technical countermeasures can address some aspects of social engineering, corporate email-based fraud, spear-phishing and ransomware attacks, but most are undermined if user communities do not know how to recognize and avoid the majority of these attempts themselves. Key aspects of effective risk awareness programs include:
- General concepts are universal, but specific audiences are provided content, interactive training and testing scenarios specific to their roles and responsibilities
- Everyone participates on an on-going basis
- Access to resources and assets is restricted until the required training is completed
- Leadership continually reinforces the importance of being a ‘risk aware’ organization
- The Board of Directors oversees the creation and dissemination of an enterprise risk appetite statement to all key stakeholders, including supply chain partners
- C-Suite and key stakeholders establish and continuously update an integrated risk register
- Key Performance & Key Risk Indicators (KPIs & KRIs) provide leading and lagging indicators to reflect the effectiveness of the program
- Risk treatment plans include communications, training, testing and awareness components
- Effective risk treatment and mitigation are considered as part of performance reviews
- Incident response lifecycle includes a mandatory event post-mortem on all significant risk events that resulted in the activation of the Continuity of Operations (CoOP) plan
As with ethics, fraud, and compliance hotlines, mechanisms must be in place that allow anyone to easily and effectively highlight and report a potentially impactful risk. As business processes evolve, and digital transformations change how an organization interacts with its key stakeholders, consideration should be given to how to engage them most effectively. Smartphone applications or cloud-hosted, publicly accessible web portals can give both internal employees and concerned external stakeholders an easy way to report and document critical risks. Monitoring resources outside the organization’s immediate control can also provide valuable insight into the effectiveness of your risk management program. Sources ranging from social media to dedicated industry rating sites can serve as a check and balance, helping you determine whether there is any disconnect between your risk management program’s intended ‘tone at the top’ and the modern water cooler gossip that makes up the ‘buzz from the bottom.’
