Information security risks at organisations are perennial in nature. If not managed well, they can result in putting the brand reputation at stake. If the ramifications can be as serious as this, then risk management must have a top down approach. Indian organisations are moving from a reactive to proactive mode for managing risks. Not surprisingly, this is being driven by the business rather than the CISO’s office.
L S Subramanian, President, NISE says, “There is a fundamental difference now - earlier risk management used to be something after the horse had bolted, something to check after the event happens - more of forensics, but today risk management is taking action ahead of the situation. Hence, it’s becoming a strategic partner to the business, which means that enterprises would run a risk check before drawing up a business plan, in terms of what risks are involved for the company and how they can be remediated.”
CISO Moving to the Boardroom?
“It’s surprising to know the amount of risk involved before the launch of a new model of a car, and such situations apply to most verticals. The paradigm is changing and the CISO is moving to the boardroom,” says Subramanian. Surely the day is not far off when organisations will appoint a separate Director on the Board to take care of business risk.
“The business is more aware of the facts of customer data getting leaked because the sales force get calls from irate customers once that happens,” says Sunder Krishnan, CRO - Reliance Life Insurance. These incidents get escalated. Such incidents worry the business about the security of the customer database, which results in the IT staff being driven to mask customer information at various points in the Information Lifecycle. Access management and ‘need to know’ become important, where the premise is that not everybody needs to know everything about the customer. The information is thus selectively masked for select individuals.
So, information access is restricted to only those who need to use it for operational reasons. This is a typical scenario where the business drove security features, processes and so on. “Businesses becoming serious about managing risks is also because the newly amended IT Act brings the onus on the enterprise itself for any instances of data breach,” explains Krishnan.
Risk Management Contributing to the Company’s Top and Bottom Line
Risk Management is important not only from an Information Security perspective but also as a contributor to the company’s top and bottom line. From an Insurance perspective, companies have dashboards that list information about various aspects of the business - targets, performance delivered etc. “The dashboards could be about whether Insurance policies are delivered on time. All this information is depicted by the Green, Red and Brown channels. These channels represent deliverables such as whether the policies are delivered within 48 hrs, 72 hrs etc; are claims being met within 72 hrs of submission of documents and so on,” informs Krishnan.
“We have analysed each function and the processes are set on the dashboards with the deadlines for deliverables and an explanation is summoned in case of deviations,” says Krishnan. There are targets for percentage adherence to these processes. “Reliance Life Insurance is slowly moving up the ladder. We had started with 70 - 80% adherence, which now stands at 95%. Now we are going for Six Sigma that demands 99.9% performance. We have also been doing Lean Six Sigma where cost reduction is also targeted, which signifies whether they are managed well in each of those sub process functions,” informs Krishnan.
From an approximate employee count of 22,000, the company has shrunk its workforce to 10,000 employees. Despite reducing the staff by more than half, Reliance Life Insurance has still managed to increase its output. This is evidence that risk management, cost cutting initiatives and quality drives have delivered on their promise.