As Chief Risk Officer, you know that critical events happen anytime and anywhere, and that risk management is a holistic effort. But how well is your organization prepared to react when a critical event happens?
Risk Aversion vs Cost of Recovery
In 2017, Erie County Medical Center was hit with a ransomware attack that brought down 6,000 computers, plunging the hospital back into the pre-digital age of paper charts and face-to-face communication. Heeding the advice of cybersecurity experts and law enforcement officials, the hospital declined to pay the $30,000 ransom. But the ransom itself was pennies compared to the estimated $10 million cost of recovering from the incident. Included in the expenses was the cost of new computer hardware, software, and assistance to respond, as well as increased expenses from staff overtime pay and lower revenue from loss of business. On top of that, the hospital is also investing $250,000-$400,000 a month in security upgrades and employee education to reduce the risk of future attacks.
Why Critical Event Management (CEM) is a Must-Have Risk Mitigation Strategy
What happened to ECMC was not an isolated incident: the FBI reported 1,500 ransomware attacks in 2018 alone. But cyberattacks represent only a fraction of an increasingly complex risk landscape, and the challenges for Chief Risk Officers are evolving. The growing scope of risk today goes beyond credit risk, market risk, liquidity risk, capital, or stress testing to include new operational, financial, and compliance risk from critical events that were not on the CRO agenda, or anyone’s agenda, even a few years ago.
Critical events are disruptions to the operations, safety, or security of a business. And they happen every day: think active shooters, natural disasters, IT outages, and supply chain disruptions, to name a few. Anybody with a passing interest in current events knows these events are on the rise. Weather-related disasters have more than quadrupled since 1970, and with climate change exacerbating the intensity of such events, experts agree the problem will only get worse. Meanwhile, active shooters have become frighteningly commonplace, and businesses are increasingly the targets. IT systems are another common locus of disruption for businesses, which lose $400 billion a year to hackers and $8,900 per minute to IT outages. With each critical event, businesses are losing an average of $350,000.
Businesses today will likely suffer multiple critical events every year, resulting in millions of dollars in unexpected costs, disruptions to their operations, and real threats to their workforce, customers or suppliers. As a result, scrutiny of risk management practices has intensified. Boards are under huge pressure from regulators to continuously demonstrate effective risk management. Given the growth and prevalence of critical event risk, it is no longer an option for CROs to address this risk reactively or to let their C-suite peers, such as the Chief Security Officer, be the only ones responsible for managing it.
Building Organizational Resilience through a Unified CEM Strategy
Critical event management (CEM), therefore, has become one of the new risk management imperatives, calling for a new unified and technology-enabled approach that lets risk leaders prepare, train their company and employees, and be ready to respond swiftly to critical events. Now is the time for leading CROs to embrace a unified approach to CEM, enabled by tested, purpose-built technology, to anticipate, manage and curb the future impact on their business.
A single, unified approach to CEM involves the right software solutions to ensure that siloed information can be analyzed quickly and efficiently and coordinated along with a business’s other resources to create a better plan, improve response time and streamline auditing. An automated solution significantly reduces the number of errors and provides a foundation for delivering a cost-efficient response to crises.
There may be no greater benefit to the unified approach than the improved ability to protect the lives of employees and customers in crisis. However, the benefits don’t stop there. More than half of companies adopting a unified approach to CEM see improved critical event reporting, improved communication workflows, and better-defined roles and responsibilities of the personnel involved in CEM – all of which contribute to a more efficient and resilient organization overall.
The Path to Unified CEM: Building an Organization-wide CEM Strategy and Approach
CROs cannot do it alone. To effectively manage risk, they must build alliances across the organization, with the chief security officer (CSO), chief information security officer (CISO), chief information officer (CIO), chief operations officer (COO), and even their chief people officer (CPO). Combining the experience, insights and intelligence from across the organization ensures that CEM is not just a CRO imperative, but an organizational imperative.
For more information, download our CRO Executive Brief to help you make more informed decisions regarding CEM.
If you’re ready to accept the challenge of moving your company to a unified approach to CEM, talk to us. We can show what a difference it can make in the lives of your employees and the health of your business.