Risk management: From future scenarios to safety-related issues
Following the motto "close your eyes and push on through", risks are documented from a rear-view-mirror perspective and filed away as risk accounting. Little is learned from this, because potential future scenarios are left out of the picture.
In other words, for risk accountants these threats lie outside their imagination, far from their Excel spreadsheets and dashboards. The result? Bankruptcies, misfortune and catastrophes. The media are full of such examples, especially from renowned corporations that should know better from their own experience.
- The hacker attack on the servers of the US bank J.P. Morgan Chase & Co was more serious than previously thought. According to the bank, the contact data of 76 million households and 7 million small businesses were stolen in the cyberattack. The hackers gained access to the servers only for a short time and stopped their activities after an hour.
- An American IT security firm has uncovered what may be the biggest data theft of all time: Russian hackers are said to have stolen 1.2 billion login credentials, user names and passwords for all kinds of Internet services, from e-mail to social media and shopping sites. Experts advise changing passwords.
- The damage caused by the attack on Sony's PlayStation Network was enormous. Hackers obtained names, e-mail addresses, login data and postal addresses of 77 million users and may also have been able to access credit card data. Estimates of the financial damage to Sony ran as high as $24 billion.
- At software manufacturer Adobe Systems, around 100 million user names were stolen together with encrypted passwords and password hints. Because the passwords had been stored with reversible encryption rather than a salted hash, identical passwords produced identical ciphertext, and the hints, stored in plain text next to them, made many of them easy to recover.
The list will grow much faster in the future, especially for SMEs ...
Naivety and careless handling
Cyberattacks have been on the rise for years. Empirical studies show that failures of information technology (IT) in particular have a direct impact on a company's costs. What is remarkable is that it is possible to protect oneself, yet for many companies the topic is still not on the agenda. The often astonishing naivety of companies and their careless handling of their data and backup systems make cybercrime a "crime with a future." When it comes to crisis management and their own security, companies are unfortunately often naive and lull themselves into a false sense of security; economic crime and cybercrime are too often seen as "someone else's problem." This is despite the fact that, according to the study "Net Losses - Estimating the Global Cost of Cybercrime" by the Center for Strategic and International Studies (CSIS), cybercrime causes global annual damage of more than 400 billion US dollars.
This is especially true of data recovery, the restoration of important company data, where a great deal of valuable time is lost unnecessarily that an optimized data protection setup would save. A backup that has never been test-restored is not a recovery capability but an assumption. Trivially, the longer the downtime, the higher the associated costs.
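The point about backups and recovery time can be made testable. The following is an added example, not code from the original article or from any tool it mentions: it reads a constructed backup catalog, flags backup sets whose newest copy is older than the recovery point objective (RPO), and verifies that a restored copy actually matches the digest the catalog recorded, which is the check that separates "we have backups" from "we can recover". The set names, timestamps, payloads, the 24-hour RPO and the catalog layout are all assumptions made for the example.

```python
"""Backup catalog audit: RPO freshness plus restore verification.

Added example. Catalog layout, set names, timestamps and payloads are
constructed for illustration and do not come from any real backup tool.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed payloads standing in for the data each backup set protects.
PAYLOADS = {
    "crm-db": b"customer records (constructed sample)",
    "fileserver": b"shared documents (constructed sample)",
    "mailstore": b"mailboxes (constructed sample)",
}

# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

# Assumed policy: no backup set may be older than 24 hours.
RPO = timedelta(hours=24)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalog: one record per backup set, as a backup tool's
# catalog might record it. The third record carries a digest that does not
# match the data, standing in for a corrupted or silently failed backup.
MANIFEST = [
    {"set": "crm-db", "taken": NOW - timedelta(hours=6),
     "sha256": sha256_hex(PAYLOADS["crm-db"])},
    {"set": "fileserver", "taken": NOW - timedelta(days=9),
     "sha256": sha256_hex(PAYLOADS["fileserver"])},
    {"set": "mailstore", "taken": NOW - timedelta(hours=20),
     "sha256": "0" * 64},
]


def stale_sets(manifest, now, rpo):
    """Names of backup sets whose newest copy is older than the RPO."""
    newest = {}
    for entry in manifest:
        name = entry["set"]
        if name not in newest or entry["taken"] > newest[name]:
            newest[name] = entry["taken"]
    return sorted(name for name, taken in newest.items() if now - taken > rpo)


def verify_restore(restored: bytes, expected_sha256: str) -> bool:
    """A restore only counts if the restored bytes match the catalog digest."""
    return hmac.compare_digest(sha256_hex(restored), expected_sha256)


def audit_backups(manifest, payloads, now, rpo):
    """Run both checks and report what a crisis team would need to know:
    which sets violate the RPO, and which sets cannot be trusted at all
    because a test restore does not reproduce the recorded digest."""
    unverifiable = sorted(
        entry["set"] for entry in manifest
        if not verify_restore(payloads[entry["set"]], entry["sha256"])
    )
    return {"stale": stale_sets(manifest, now, rpo), "unverifiable": unverifiable}


if __name__ == "__main__":
    report = audit_backups(MANIFEST, PAYLOADS, NOW, RPO)
    print("Backup sets older than RPO:", report["stale"])
    print("Backup sets failing restore verification:", report["unverifiable"])
```

Run on the constructed catalog, the audit reports `fileserver` as stale and `mailstore` as unverifiable; the digest comparison uses a constant-time compare so the same helper can safely be reused where the expected digest is secret. In a real environment the payload would be a scratch restore of the set rather than an in-memory byte string, and the time the restore takes is the measurement to hold against the recovery time objective.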
Scenario-oriented approaches
Only when companies have stopped looking in the rearview mirror and look ahead with scenario-oriented approaches does risk management become a solid navigational tool. The main challenges for risk management in a company are the definition of scenarios and a "battle plan" for the event of a crisis. Such a crisis plan is the most important tool a company has for responding quickly and appropriately to a sudden attack. For example, a company should analyze which problems a data theft would cause it and how large the resulting loss of reputation could be. A strategy must be in place that defines how customers, the press and the public prosecutor's office are dealt with in a crisis, how the company conducts itself in public and, last but not least, how it treats its own employees. Shifting risk to the insurance industry works only up to a point. Policyholders must understand that so-called cyber insurance policies cover only the financial damage; the actual damage, for example the loss of reputation, remains and is the company's own responsibility.
Taboo subject
Crisis communication is still a taboo subject in many companies. Many companies forget to adapt their existing crisis communication plans to the new communication channels. Even more important: what is often missing is the accompanying rethink of corporate culture that makes an open, fair and de-escalating dialog with angry shareholders possible in a crisis in the first place.
Fear of waves of protest spreading through social media leads companies to apply the "ostrich principle." They waste the communication potential of Twitter, Facebook or YouTube because they are afraid of becoming the victim of an uncontrollable shitstorm at half past two in the morning, when their own communications department is asleep. Playing dead online is becoming a conscious management decision, in the mistaken but unshakeable belief that one can protect oneself from a social media conflagration simply by not being present. Yet the shitstorm launched by Greenpeace against the food company Nestlé should have made every manager aware that this strategy fails miserably in a crisis. In 2010, the environmental organization Greenpeace launched a campaign against Nestlé's Kitkat product because it used palm oil from Indonesia grown on cleared rainforest land; Indonesia has one of the world's highest rates of virgin forest destruction. After the campaign launched, Nestlé first tried to take the protest off the net by legal means, a strategy of strength and threat that might still have worked in print media. Online, however, this approach was doomed to failure. In the end, Nestlé had to give in and change its palm oil sourcing.
The risk map of the world has changed massively in recent years, and times for risk managers have become anything but boring. Companies should increasingly address crisis management in the future. The crisis management plan must remain a "living document," and crisis team exercises should be conducted at least once a year with a seriously prepared scenario script and thoroughly analyzed afterwards.