Is there really a correlation between effective risk management and profit margin growth?

Everyone knows that IT is a cost center. What many people don't know is that recognizing and leveraging the connection between security risk mitigation and profits can create profit margin growth.

According to the PwC survey "Risk in review: Decoding uncertainty, delivering value" (April 2015), 73 percent of the executives surveyed believe risks are on the rise, yet only 12 percent of respondents qualify as successful risk management leaders. Over the most recent three-year stretch, 41 percent of that 12 percent produced annual profit margin growth of more than 10 percent, according to the survey. Risk management doesn't simply mitigate risk; it magnifies net income.

CSO explores the relationship between risks and profits and how enterprises can use information security risk management to increase profit margin growth.

The risk management & profit margin growth relationship

"Information security risks affect profit margins by impacting enterprise reputations, share prices, and the ability to operate effectively," says Bill Sweeney, Financial Services Evangelist for BAE Systems Applied Intelligence. Good risk managers and management methods can counter that impact, producing profit margin growth.

"Effective risk management is more like brakes on a car. You don't have brakes to drive slowly, you have brakes to allow you to drive faster and stay in control," says Sweeney. Banks for example use capital to stay in control. Some financial institutions retain capital to guard against losses that are due to security breaches.

These capital set-asides in the banking space are a clear example of the direct cause-and-effect relationship between effective risk management and profit margin growth. "Effective risk management frees up capital for money making businesses. Ineffective risk management reduces capital available to the business," says Sweeney.

Using risk management to increase profit margin growth

"Because criminals continue to penetrate companies resulting in increased costs for protection and incident response, cyber risk is now an operational risk. Increased cost equals reduced profits. Enterprise information security risk management, which means operationalizing security, reduces loss and increases profit," says Sweeney.

To use risk management for profit margin growth, isolate the risks that are particular to your enterprise and industry vertical using best practices such as those published by NIST or in the Federal Financial Institutions Examination Council's IT Examination Handbook InfoBase. If there is a recognized security risk assessment for your industry, consider using it, or a blended assessment that also includes steps from other tests. Then follow these mantras as you use risk management to spur profit margin growth. First, know that the price of security is typically less than the cost of catastrophic network invasions.

This has never been truer than now, when, as everyone knows, every company will eventually be infiltrated by cyber criminals. Attackers using automated programs to continually run port scans on hosts across the Internet looking for vulnerabilities will eventually find holes in your systems and exploit them. Enterprises must likewise automate security as part of risk management, or simplify it enough that security staff can hand some tasks to operations staff. This is operationalizing security, and it can include using log management and SIEM tools that put security tasks within reach of operations professionals.

From the 3,000-foot view, you need to adopt a combination of enough risk mitigation techniques and technologies to answer those risks that will cost your enterprise more than the mitigation does. DLP is a great example of a technical solution that is less expensive than a massive breach that leaks millions of examples of private, personally identifiable, financial account information.

Boards of directors must decide when the cost of the risk is greater than the cost of risk management and deploy cyber security down through the C-suite accordingly. They must include lost revenues and the potential for profit margin growth in their calculations.

Second, risk lives and changes like a growing organism undergoing constant metamorphosis. "In particular, risk changes in response to your actions," says Sweeney. Every time you take action, risk responds in a manner comparable to the equal and opposite reaction of Newton's Third Law of Motion. So the dynamic nature of risk makes sense intuitively.

Risk mitigation must be equally fluid, nimble, and dynamic in order to respond to information risk events quickly and efficiently. For example, risk mitigation must be flexible enough to close the vulnerability first, whatever kind of hole it may be, so that no more damage is done.


Third, like time, risk does not wait. Losses due to realized cyber risk events increase as the event continues, and many cyber criminals intend their attacks to go on indefinitely or until someone stops them. Enterprises that want to increase profit margins need to move fast to adopt a reliable, targeted risk management plan as soon as possible.

Finally, know that someone in the business is causing the risk by design. They are accountable for the risk as the risk owner. Find out who they are. Then find out what they are doing to mitigate the risk. "You have to look at the controls and constantly test them," says Brian Schwartz, Governance, Risk, and Compliance Leader, PwC. If the controls are not sufficient, look into stronger controls.

Profitable risk management leaders

"The leaders who formally address risk management and actually embed it into the rhythm of the business are the ones who show better profit margin growth," says Schwartz. These leaders share certain specific risk manager activities and traits in common.

In particular, they extend themselves well beyond the initial risk assessment that enterprises use to simply compile and rank information security risks. After conducting a risk assessment, these leaders connect the risk management program to the strategic business unit planning process. In fact, the boardroom initiates this leadership and presses it upon everyone in the company starting with the C-suite.

"They include it in active discussions and tie it to forecasting for every business process they run," says Schwartz; "it's all by design and very transparent and obvious."

Supporting the business

Risk never dies. That doesn't mean you have to merely transfer it when you can translate it into profits. "Suffering negative impacts from risk is not inevitable. By integrating risk management into the business lifecycle and developing an effective strategy, the enterprise can achieve an enormous competitive advantage," says Schwartz.

Stories by David Geer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts