Blogs

Through the GRC Lens – June 2020

Has COVID-19 made us more empathetic?

Since the global workforce shifted to working remotely, how have employees accepted and adapted to the new processes and work environment? Is the ability to return to the office a truly reassuring step toward normalcy? Companies leave no stone unturned in trying to bring their employees back to the office, but has the focus shifted? Let’s see what made it to the headlines in June, through the GRC lens.

A new paradigm

COVID-19 has brought huge changes to the way we work, collaborate, and engage with our peers. Evidently, remote work is here to stay, and that makes it more crucial for both businesses and employees to identify, understand, and embrace the advantages of agile working. But the worldwide rise of remote working has made communication more challenging. While on the positive side we see more adoption and faster uptake of newer technologies by a broader audience, electronic means of communication are still alexithymic, conveying little of the emotion behind the words.

While this can make people feel that they are part of a larger, although virtual, human experience, the current circumstances have changed the pace and cadence of peer interactions. New methods of connectivity allow face-to-face interactions; however, in the long run a sense of intimacy and understanding is lost. Ultimately, emotions are minimized, as we are exposed to fewer opportunities to tune into them than in physical conversations.

Today, organizations are beginning to think about getting their employees back to the office. And while this takes logistical and operational planning related to schedules, seating configurations, elevator usage, cafeteria usage, food delivery, and much more, it’s not just physical health that they need to consider. The bigger question is, “Are your employees ready to come back?”

This unforeseen crisis, the rapid change in work environments, layoffs and furloughs, and the ever-changing cycles of disruption and adaptation have taken a toll on workers’ productivity and mental health. The new post-pandemic environment has made it more imperative than ever for organizations to address employee mental health and well-being.

What does this mean for organizations?

A recent survey by Weber Shandwick and KRC found that ‘nearly half of employees are concerned that their employers will bring them back to work before it’s safe.’ In America, IBM polled 25,000 people and found that 75% wanted their employers to allow them to continue to work remotely at least some of the time, while 54% wanted it to be their main form of working after COVID-19, reports Management Today.

Marco Icardi, President for Europe, MetricStream, in his article, ‘After lockdown: Putting people first’, suggested, “While it is important that companies adopt these measures to help reduce the spread of the disease, they should also strongly consider how individuals may be feeling during this challenging time.” “To establish new policies, companies should involve their workforce in the decision-making… Although there are practical measures that companies can take to regain ‘normality’, the priority should be on their employees’ wellbeing,” he added.

With the acceleration of technologies like Zoom, Slack, and Teams, communication has gotten more structured and explicit. “Leaders must ask direct questions about what’s working and what isn’t,” notes Amy Edmondson, professor at Harvard Business School, in a conversation with McKinsey. “We can’t be positively infectious with others unless we’re feeling inspired and sustained ourselves first. That’s what leaders managing high-stress positions need to do to take care of themselves and to then involve and take care of others,” adds Richard Boyatzis, professor at Case Western Reserve University.

Enhanced awareness around mental health in the workplace

Although mental health was a vital topic of discussion prior to the pandemic, COVID-19 amplified the issues around mental health and well-being, especially in workplaces. Uber introduced a global ‘Employee Assistance Program’ that provides confidential counseling services to its employees and their family members to deal with stress and anxiety; Capgemini started a guided meditation series; and Ceat Tyres came up with an initiative called Cofit-20 to offer fitness and mental wellbeing sessions to employees. We at MetricStream also started a mindfulness session focused on helping people with their overall wellbeing.

Perhaps the COVID-19 pandemic has brought physical and mental well-being to center stage. Investing in the mental health of employees will eventually lead to a more productive and engaged workforce. Experts suggest that acknowledging and addressing employee grief helps people build resilience. This is probably the biggest opportunity for companies to rebuild organizational health and overcome the stigma around discussions of mental and emotional health.

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

Through the GRC Lens – May 2020

Blog Image
4 min read

Is Diversity Driving Innovation During COVID-19 Crisis?

As companies begin to think about and draft new strategies and policies for business continuity, resilience, and workplace management in the “new normal”, they are presented with an opportunity to create and foster a new workplace environment that is free of gender prejudice, bias, or discrimination. Leaders are rethinking the new reality from new perspectives, while understanding and addressing challenges in diversity and inclusion. Let’s see what made it to the headlines in May 2020, through the GRC Lens.

With the uncertainty of an economic slowdown, the demand for innovation and resilience is increasing at an unprecedented rate. The COVID-19 crisis has taught businesses more about themselves as they chase business goals in the new reality. Business leaders are starting to understand that equality is not only the right thing to do but also the smart thing to do. Businesses on the verge of an “economic reset” are now beginning to rethink their steps to increase diversity, equality, and inclusion.

Business executives around the world are facing perhaps some of the greatest leadership tests of their careers today. They must navigate the disruptions, plan for disaster recovery and business continuity, rebuild a business model for the new normal, and ensure they protect the health of their employees and customers.

However, the lessons of the COVID-19 pandemic have shown organizations that the value of science, crisis preparedness, and effective leadership are not the only major areas for reflection; diversity is also imperative to our survival.

McKinsey’s recent report, “Diversity Wins: How Inclusion Matters”, states that companies with greater gender diversity were 25% more likely to experience above-average profitability than their counterparts.

Unfortunately, only a third of the companies surveyed by McKinsey have achieved real gains in top-team diversity; most have made little or no progress, and some have even gone backward. This means that the gap between I&D leaders and companies that have yet to embrace diversity is widening.

How COVID-19 is forcing organizations to rethink diversity

The COVID-19 pandemic proved that an employee’s contribution is not measured by the quantity of time spent at the office desk, but by the quality of their contribution. In an interview with Forbes, SV Nathan, Chief Talent Officer at Deloitte India, said, “Because organisations are more flexible about how roles are executed, women, who earlier felt disenfranchised when they got married or had a child, will feel more empowered.”

It now appears that a lot of conventional gender workplace biases are being put to rest during Covid-19.

“What Covid-19 has done is present an opportunity for business leaders to learn that the only people who are going to excel are the ones that share empathy, compassion and are able to lead teams even when there is a huge amount of uncertainty,” said Johanna Beresford, CEO of In Diverse Company, in conversation with Forbes.

Recently, in an open letter to employees and customers, Microsoft CEO Satya Nadella said that Microsoft would be made more diverse and inclusive. “As a company, we need to look inside, examine our organization, and do better. For us to have the permission to ask the world to change, we must change first. We have to embrace the same speed and mindset that we do in anticipating and building for future technological shifts”, he wrote in the letter.

We need to understand that diversity and inclusion are about more than just gender. “To produce an environment that champions individuality and difference, organizations must inspire and support those previously underrepresented as well as those who have always been represented. This is the only way perceptions change, and a culture of togetherness and inclusivity thrives,” said the World Economic Forum, which also suggested inclusion and women’s participation as two of the four important ways to promote diversity within an organization.

Business leaders are now beginning to realize that integrity, along with compassion, ethics and inclusion, is going to drive consumer behaviour and empower brands and performance now and in the years to come. Ajay Banga, CEO of Mastercard, sharing his expert opinion in a conversation with Gaurav Kapoor, COO, MetricStream, at the GRC Summit 2020, said, “You have to lead by setting an example, by making your company a place that your employees want to be a part of.”

Speaking about the Decency Quotient (DQ) he adds, “Make your employees feel that you have a hand on their back, not on their face…Employees don’t want to miss out opportunities that they deserve because they look different or they come from a different background. Decency Quotient has everything to do with how you lead, the practices you follow in your company, the rules you’ve set, and the manner in which you treat people. DQ is what makes people follow you to the end of the world.”

It is important to understand that collaboration through diversity can bring unprecedented energy and resources to the table. In the current scenario, while the world is fighting its battle with unknowns, organizations can leverage diversity to build resilience. Corporate leadership needs to understand the larger consequences and impacts of deprioritizing I&D efforts. This crisis has brought businesses to many crossroads, from which they can either take measurable steps ahead or go backward.

It is now imperative for leaders to embrace and reinforce diversity and inclusion as a key driver of organizational culture change and future planning.

Risk Quantification Heightens Value in Cyber Vigilance

Introduction

In this “New Normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, telemedicine visits and triage, our security and cyber teams are on high alert to protect both regulated and sensitive data.

Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access to tightening configurations based on recommended security settings, to partitioning networks to sequester sensitive information.

Getting a beeline on which ‘crown jewel’ IT assets need high-priority attention is the mantra of these teams. It’s an ongoing challenge, with the attack surface becoming more complex as third parties, cloud service providers and layers of software and technology blur the lines of demarcation between what is ‘inside’ and ‘outside’ the organization. It is widely understood now that the concept of a ‘fixed perimeter’ is dead. With the advent of work from home and distance learning, and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially, and with it the risk to processes, people and technologies.

Risk Quantification is Now Critical to Prioritize Successful Asset Protection

So how can teams understand what remediations to prioritize and where to apply scarce resources to lower risk by closing gaps? 

A best practice that is quickly emerging in IT, security and cyber programs is risk quantification.

Risk quantification strives to create an operating risk score based on multiple factors: the context of business processes, current and likely future events, network use, user behaviors, and the characteristics of the data involved. Properly executed, it lets teams continuously calibrate and tune the algorithms that produce the scores. Ideally, scores give a forward-looking view based on changes in the external environment, business processes and technologies.

For example, cyber risk postures are shifting as threat actors target video conferencing and VPN traffic due to the uptick in the number of people working and learning from home. At the same time, the internet is stressed by an increase in streaming and gaming traffic. Spear-phishing and scams are on the rise. If an email comes through that looks legitimate and pertains to personal finance or health issues, employees working from home are apt to click and be trapped, increasing the risk of a bad actor penetrating their organization and threatening information and assets.

How to Quantify Risk With a Top-Down, Bottom-Up View

Teams strive for a top-down and bottom-up 360-degree view of risk to recommend mitigation investments. The diagram below shows how operational risk, resilience and cyber teams can get on the same page to do just that. Driving to a common risk score is a way to make sure teams use aligned techniques and methods.

Top-down views take information from the business in terms of dollars rather than just the days or hours to return to operations (the recovery time objective, RTO) or the recovery point objective (RPO). RPO and RTO are typically used in resilience measurement through business impact assessments (BIAs) and aren’t sufficient for risk quantification.

Cyber teams can work hand-in-glove with operational and resilience teams that look at inherent and residual risk within a high-priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a value on the criticality of a process, say keeping the order processing system up 24×7, in terms of real dollars.

From a bottom-up perspective, security and cyber teams map threats and vulnerabilities to the assets that support critical business processes. They strive to estimate the real cost of mitigating vulnerabilities, for example strengthening access controls, patching software, replacing an unsupported application, implementing automated controls through firewalls, re-architecting and segmenting networks, outsourcing some apps to a third party operating in the cloud, or taking on cyber insurance. The options are limited. With a risk score supported by a top-down view, cyber teams will be able to weigh one or a combination of mitigation strategies for optimal defense in depth.

For example, a team will have insight into the dollar amount to invest in and deliver the mitigation, such as deploying stronger anomaly detection software on a critical business process.

Risk Quantification Creates Agility and Speed in Remediation

With risk quantification, teams can increase their insight, agility and speed in remediation efforts. They can use scores to compare a forward-looking risk, and the dollar investment needed to mitigate it, against the dollar impact. Teams can prioritize efforts based on the risk quantification score and the dollar magnitude of impact.
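Putting the top-down and bottom-up views together in code, as an added example that is not part of this post or of any MetricStream product: the ALE = SLE × ARO model and the return-on-security-investment (ROSI) comparison are standard techniques used here to rank options, and the order processing dollar figures, control costs and effect estimates are all assumed for illustration.

```python
"""Risk quantification worked example: a top-down dollar view of one critical
business process combined with bottom-up mitigation costs.

All figures are constructed for illustration; the ALE = SLE x ARO model and the
return-on-security-investment (ROSI) comparison are standard techniques, not
MetricStream's own scoring method.
"""
import itertools
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario against a critical business process.

    sle: single loss expectancy in dollars, the top-down figure the operational
         risk team derives from the business impact of one incident.
    aro: annualized rate of occurrence, the bottom-up estimate from the cyber
         team's threat and vulnerability mapping (0.2 = once in five years).
    """
    process: str
    threat: str
    sle: float
    aro: float

    @property
    def ale(self) -> float:
        """Annual loss expectancy in dollars: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Mitigation:
    """A candidate control with its annual cost and its estimated effect.

    aro_factor and sle_factor are the multipliers left on ARO and SLE once the
    control is in place (0.5 means the control halves that term). Controls that
    only transfer risk, like insurance, reduce SLE but not ARO.
    """
    name: str
    annual_cost: float
    aro_factor: float = 1.0
    sle_factor: float = 1.0


def residual_ale(s: Scenario, controls) -> float:
    """ALE after applying a set of controls; their effects compound."""
    aro_f = math.prod(m.aro_factor for m in controls)
    sle_f = math.prod(m.sle_factor for m in controls)
    return s.sle * sle_f * s.aro * aro_f


def rosi(s: Scenario, m: Mitigation) -> float:
    """Return on security investment for one control:
    (ALE reduction - annual cost) / annual cost."""
    reduction = s.ale - residual_ale(s, [m])
    return (reduction - m.annual_cost) / m.annual_cost


def rank_mitigations(s: Scenario, options):
    """Rank single controls by ROSI, highest first. Negative-ROSI controls stay
    in the list so the team can see why they are deprioritized."""
    rows = [(m.name, round(s.ale - residual_ale(s, [m]), 2), m.annual_cost, round(rosi(s, m), 2))
            for m in options]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def best_under_budget(s: Scenario, options, budget: float):
    """Pick the combination of controls with the highest net benefit
    (ALE reduction minus total cost) that fits the budget.

    Exhaustive enumeration is fine for a handful of options per process; it is
    not meant for large control portfolios.
    """
    best = ((), 0.0)
    for k in range(1, len(options) + 1):
        for combo in itertools.combinations(options, k):
            cost = sum(m.annual_cost for m in combo)
            if cost > budget:
                continue
            net = s.ale - residual_ale(s, combo) - cost
            if net > best[1]:
                best = (tuple(m.name for m in combo), round(net, 2))
    return best


# Constructed scenario: a 24x7 order processing system taken down by ransomware
# for about a day. The business values an hour of outage at $50,000 (top-down);
# the cyber team estimates such an incident once in five years (bottom-up).
ORDER_OUTAGE = Scenario("Order processing", "Ransomware outage", sle=24 * 50_000, aro=0.2)

# Constructed control options with assumed costs and effect estimates.
OPTIONS = (
    Mitigation("Patching program", 80_000, aro_factor=0.5),
    Mitigation("Anomaly detection", 150_000, aro_factor=0.4, sle_factor=0.5),
    Mitigation("Cyber insurance", 120_000, sle_factor=0.4),
    Mitigation("Network segmentation", 300_000, aro_factor=0.8, sle_factor=0.4),
)

if __name__ == "__main__":
    print(f"ALE for {ORDER_OUTAGE.threat}: ${ORDER_OUTAGE.ale:,.0f}")
    for name, reduction, cost, r in rank_mitigations(ORDER_OUTAGE, OPTIONS):
        print(f"{name:22} reduces ALE by ${reduction:>10,.0f} at ${cost:>8,.0f}/yr  ROSI {r:+.2f}")
    print("Best set under a $250k budget:", best_under_budget(ORDER_OUTAGE, OPTIONS, 250_000))
```

Note that the two controls with the best individual ROSI do not add up: compounded, patching plus anomaly detection costs more than the extra ALE it removes, which is why the budget search is done over combinations rather than by stacking the top-ranked items.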

To leverage this best practice, security and cyber teams must continue to diligently deploy and refine risk quantification methods as a scalable discipline, and use them effectively to invest in just the right areas as our cyber programs evolve with increasing digitalization.

Stay tuned!

Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, outlining how risk quantification methods tie to the digital asset/impact chain, how to move from risk to resilience, and how to orchestrate risk across IT, cyber, operational risk, incident and crisis response and other disciplines.

Yo McDonald, Vice President, Customer Success and Engagement, MetricStream, is a seasoned executive in Governance, Risk and Compliance (GRC) consulting and product solutions. She drives customer engagement and retention, while fostering a culture of customer success at MetricStream.

Through the GRC Lens – April 2020

Has “work-from-home” opened the door to more cyber-attacks?

In the last few months, the COVID-19 pandemic has redefined risk management and forced businesses to review their cyber-attack mitigation strategies to understand the gaps in their approach to cybersecurity. Today, the world seems to be gradually re-emerging from the crisis and getting a grip on understanding the aftermath. Globally, businesses are beginning to prepare themselves for their return to work, anticipating the mid- to long-term implications of the crisis and working towards strategically responding to the challenges. While the world gets ready to adapt to the New Normal, let’s find out what made it to the headlines in April, through the GRC lens.

Redefining the remote work environment

In early March, JP Morgan experimented by allowing 10% of its employees to work from home. A month later, JPMorgan’s co-president Daniel Pinto said that staff could work from home on a rotational basis more permanently, in line with the bank’s future vision of work. Recently, tech giant Facebook also announced that most of its employees will be allowed to work from home through the end of 2020, and Twitter made WFH permanent for all its employees.

After witnessing no significant drop in productivity under the WFH regime, organizations around the world seem to be getting comfortable with the idea. The new social distancing policies have also got organizations reconsidering their plans to get back to the office.

Arguably, COVID-19 has proved to be the greatest catalyst for rapid change in workplaces. According to the Bureau of Labor Statistics, only 29 percent of Americans were able to work from home before the COVID-19 era. It now appears that this shift could outlast the lockdown. However, the growing shift to virtual ways of working has dramatically altered the cyber threat landscape, with the potential for greater risks this year.

Strengthening the cyber defense

At the beginning of April, Marriott International revealed that a security breach may have exposed the personal information of 5.2 million guests. Soon after, Cognizant was hit by a ‘Maze’ ransomware attack, causing disruptions to some of its clients. Zoom, a heavily used video-conferencing app, was again compromised by credential stuffing, and over 500,000 credentials were sold on the dark web. Recently, Unacademy, an India-based online learning platform, also suffered a data breach that exposed the details of 22 million users.

Phishing increased by 350% since the coronavirus outbreak started (between January and March 2020), according to data gathered and analyzed by Atlas VPN. It goes without saying that remote work inevitably brings a new set of risks and challenges.

While we can’t solely blame the shift from office spaces to work from home for the increase in cyberattacks, organizations need to step up their cyber game to align better with this new way of working.

In a recent virtual conference, hosted by Global Cyber Center of NY, William Altman, the company’s Senior Analyst, said, “Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce…It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that’s what this is all about.”

Looking on the brighter side, we can believe that every crisis comes with opportunities for reinvention and differentiation. Although no one could have predicted the upheaval caused by the COVID-19 pandemic, which disrupted businesses and economies around the globe, it has now become imperative for organizations to pay extra attention to the blind spots in risk management and strengthen their cyber defense.

In the rush toward tech tools to manage COVID-19, societal and ethical risks must be center stage

Introduction

We are in a defining moment. The global coronavirus pandemic has now affected three million people globally, and the world is desperately seeking ways to manage its toll on society. The speed and depth of the pandemic is forcing us to adopt drastic crisis management strategies. Using data-driven technologies, artificial intelligence (AI) and health tech applications is incredibly promising, especially when they are cross-fertilized. But low maturity and insufficient understanding of the ethical and societal impacts of these technologies pose risks to democracy and the right to privacy. We need to better understand the dangers of rushing toward these tech solutions without fully considering the societal and ethical implications.

Many are scrambling to find solutions and adequate responses that can save lives and ease suffering, track the spread of the virus, and find a way forward. While it is tempting to rush toward quick tech solutions, we need to think about the long-term threats and implications of the choices we make. We lack the tools to detect, measure, and govern how these tech solutions for COVID-19 are scaling in broader societal and ethical contexts. And we can’t lose sight of potential threats to democracy and the right to privacy in deploying AI surveillance tools to fight the pandemic. Citizens need transparency in how their personal data is collected and used, and assurance that tech solutions which use a more privacy-intrusive surveillance approach to track the disease are not normalized in post-crisis times.

Even before the emergence of the novel coronavirus that causes COVID-19, the field of digital health was a highly fragmented ecosystem. Multiple technologies demonstrate incredible promise and potential in the field of health. Smartphones can provide information via apps that help you learn about or track your own health data. Mobile location data can provide valuable information as to how a disease spreads, and location information and social media can be used for contact tracing. AI can help identify drugs that can cure a disease, predict disease, indicate the effectiveness of a diagnosis, or track genetic data, much as big data does. Telemedicine enables doctor-patient consultations anywhere in the world. Blockchain (a growing list of records, called blocks, that are linked using cryptography) will help us keep track of medical records, supply chains, and payments. Along with these technologies’ promise, however, comes the allure of data as the new gold that everyone wants to monetize. For example, in digital health, insurance companies are using data-driven technologies and AI without sufficiently considering and understanding the ethical consequences. Furthermore, the tech giants are set up to maximize their profits, and governments are set to act boldly and fast.

The incentives to pursue these solutions clash with public skepticism and concerns about privacy protections. Four out of five Americans are worried that the pandemic will encourage government surveillance, according to a just-released survey from CyberNews. The survey also revealed 79 percent of Americans were either “worried” or “very worried” that any intrusive tracking measures enacted by the government would extend long after the coronavirus is defeated. Only 27 percent of those surveyed would give an app permission to track their location, and 65 percent said they would disapprove of the government collecting their data or using facial recognition to track their whereabouts.

Lack of governance and transparency will surely lead to an erosion of trust. Companies’ rush to develop technologies to track coronavirus infections is outpacing citizens’ willingness to use them. About half of Americans with smartphones say they’re probably or definitely unwilling to download apps being developed by Google and Apple to alert those nearby they came into contact with someone who is infected, according to a Washington Post-University of Maryland poll. That’s primarily because they don’t trust the tech companies to treat their data securely and privately.

We need to find ways to balance smart solutions with a surveillance economy. We must consider through an ethical and societal lens who is benefitting – it may not always be the patient, the nurse or the doctor. Being thoughtful about the potential ramifications is especially urgent with little to no supporting policy or regulatory frameworks. We need to be careful not to act impulsively and regret it later.

There are ways to approach this ethical dilemma responsibly. For example, researchers at Lund University in Sweden have launched an app (originally developed by doctors in the UK) to help map the spread of infection and increase knowledge of the coronavirus. It is called the COVID Symptom Tracker, and it makes it possible for the public to report symptoms and thereby provide insights into the national health status. The free app is voluntary and does not collect personal data, and the user’s location is based only on the first two digits of the postal code to protect the user’s identity. No GPS data is collected, and the app does not in any way attempt to trace the user’s movements. Further, it is used for research, not commercial purposes.

Another example is the Swedish telco Telia Company, which provides mobility and data insights to cities with anonymization features designed to protect citizen privacy. The solution can track where the disease is moving, but it is not privacy intrusive, as the data is anonymized and aggregated and does not identify individuals.

So, what is the best way to use tech to fight COVID-19? There is no panacea, but these recommendations can be helpful in addressing this dilemma going forward.

  • Despite the obvious risks, like privacy intrusion, bias, and discrimination, companies and other developers should take active measures to protect and preserve privacy and should use and manage tools wisely.
  • Companies should be transparent and publicly state how they are, and aren’t, using the data they collect as part of their pandemic response. A higher level of transparency is a growing expectation from employees and consumers alike. A recent digital advertising trends survey by Choozle.com found that 89 percent of consumers wish companies would take additional steps to protect their data.
  • Governments should act swiftly to make these technologies available but ensure appropriate frameworks and compliance tools are in place to prevent misuse or overuse of data.
  • Companies should explore methods and tools which can help to identify and characterize data-driven risks. AISC and MetricStream have launched an AI Sustainability risk scanning self-assessment tool which does just this.

For more information about AISC and MetricStream’s partnership, and how we jointly offer tools to detect data-driven risks, visit our website.

About the author:

Elaine Grunewald is an expert in the technology sector and the effects of digitalization, as well as the global sustainability and development arena, where she has held leading positions and roles, including Chief Sustainability & Public Affairs Officer at Ericsson. Today she is also a board member of SWECO AB and the Whitaker Peace and Development Initiative. Elaine has worked with digital health initiatives for over ten years, from implementation projects in Africa exploring the most basic use of mobile phones for community health workers and collecting health data in impoverished rural villages, to using cell phone data to track the spread of Ebola in West Africa, to more recent industry and policy initiatives such as the Broadband Commission for Sustainable Development and the Digital Health Initiative.

Anna Felländer is one of Sweden’s leading experts on the effect of digitalization on organizations, society, and the economy. She recently held the role of Chief and Digital Economist at Swedbank and has spent 10 years working for the Swedish government. She has been affiliated with the Royal Institute of Technology and has held advisory roles in government, the digital start-up scene, and large organizations focusing on artificial intelligence and ethics, including advising the Minister of Digitalization. Anna has served in the Swedish Ministry of Finance and the Prime Minister’s Office in the Crisis Management Coordination Secretariat during several global and national crises and has been an advisor to the Minister of Digitalization in Sweden.

Both Anna and Elaine have deep knowledge and experience from industry, academia, and policy on the impact of digitalization on society. They are the founders of the AI Sustainability Center. Their full bios are available online at www.aisustainability.org.

How to Create a Robust Business Continuity Plan

Introduction

The sudden outbreak of the ‘black swan’ event COVID-19 is prompting most business leaders to brace for the toughest phase of their careers. The biggest challenge facing them right now is business continuity. They are revisiting, testing, and reworking their business continuity plans to proactively figure out the best-suited approach for their unique situations. The key here is the speed of response to a situation in these uncertain times. Hence it is imperative to have a 360-degree agility assessment of resources, systems, policies, procedures and capacities in hand to mitigate risks.

Your business continuity plan should be able to mitigate the adverse impact on critical assets, provide guidance to bounce back quickly after the initial disruption, and have the ability to launch new processes specific to the particular crisis, i.e. predefined elements that can be quickly assembled and customized to take care of that specific situation.

Below is a rundown of the various factors to watch out for in order to skillfully navigate the impact of the crisis, which remains for a considerable time even after the crisis itself is over.

Here are the key steps to build the plan:

  1. Define purpose and objectives clearly
  2. Build accountability for implementing the plan
  3. Gather input – risk matrix and risk scores
  4. Assess the risk of potential consequences on functions and operations
  5. Ensure they are included in the risk register
  6. Put measures in place to ensure the safety and security of employees, assets, and operations
  7. Activate the plan
  8. Monitor and update as needed

If you have a comprehensive corporate risk management policy and tool, its principles still hold good. If your tool helps you identify and assess risks, develop preparedness and response actions for the identified risks, escalate them to the C-suite, and monitor all levels, you can do the planning under the corporate risk management policy. However, understanding the process greatly helps build a robust plan.

1. Define your purpose and objectives for the business continuity plan clearly

Your goal can be very focused on increasing the company’s resilience in case of potential disruptions. After defining the purpose, list the key objectives of the plan in clear terms. Elements may include:

  • To ensure continuity of the critical business operations and IT operations essential for conducting business during the crisis
  • To minimize the disruption of critical operations to a near-zero level with a resilient business continuity strategy and framework while meeting regulatory requirements

While executing each of the following steps of the business continuity planning process, make sure to document them. They can be verified and revised before releasing the final plan.

2. Build accountability for implementing the plan

While the ultimate responsibility may rest with the board, accountabilities for management and execution must be defined. The accountable senior executive must:

  • help employees understand and become familiar with the plan so that they can effectively carry out their roles when the plan is activated
  • ensure that the plan is maintained, reviewed, tested, and revised regularly
  • approve and sign off every time revisions or updates are made

BCP Roles

3. Gather inputs, identify and score risks

  • To start planning, invite the head of each function, including representatives from operations, supply chain, human resources, administration, IT, communication, security, and the other departments of your business.
  • Use a risk matrix as shown below to identify and record key risks. In the same matrix, record the potential consequences for staff, operations, assets, and facilities. Obtain the risk level of each risk by rating its impact and its likelihood of occurrence.

Using the risk scoring table, determine the risk criticality levels. These scores let you prioritize which risks to address first.

4. Assess their potential consequences on functions and operations

Once you have scored the risks, classify which risk actions you need to start and which risk actions are already in effect. For those already in effect, check whether you need to bolster or improve them. Consider the following examples:

  • During this time of COVID-19, banks may have to adjust their operating models and innovate swiftly because of misaligned revenues and costs. There is also a huge change in customer service preferences: customers are increasingly looking to run their financial lives through apps and online banking. So banks are expected to act swiftly to increase awareness and take other response actions.
  • A retail store that focused on offline sales might choose to increase the focus on online sales.

5. Ensure that the critical risks and risk responses are included in the risk register

This step mainly helps with budgeting and finance allocation.

6. Put measures in place for the safety and security of employees, facilities, and operations

Examples include:

  • Policies and SOPs for remote working
  • Policies and SOPs for the safety and protection of employees in essential roles that must be performed from an office or on location
  • Cancellation of business trips, meetings and events and the arrangements for virtual meetings
  • A taskforce to continuously assess the COVID-19 situation, and a clear command and control matrix covering all functions with the needed backups
  • Engagement with the third parties and partners whose support further strengthens the continuity of your operations and minimizes the impact
  • SOPs for communicating emergencies
  • Facility specific security plans
  • Asset protection policies, e.g. for inventories, information technology resources, etc.

7. Activate the plan

Use risk assessment and possible scenarios as triggers for activation or deactivation of the plan.

8. Monitor, update as needed

Monitor and regularly update the plan according to the evolving risks and needs.

Beyond the plan itself, once the situation returns to normal, people will expect businesses to be more aware of their social responsibilities, and particularly of how the company aligned itself with environment, health and safety-related activities during the pandemic. That will play a big role in brand building, so it needs to be well thought out and documented.

Here’s to your business continuity planning success!


Priyabrata Sahoo Associate Vice President

Priyabrata Manages MetricStream University & ComplianceOnline functions for MetricStream which enable partners and customers through training, content and expert services.


COVID-19: Working From Home Confidently and Competently for Business Continuity

4 min read

Introduction

For many of us our world careened off the road suddenly as city after city and state after state implemented some version of “Stay at home” directives affecting over 90% of the U.S. Some industries were already heavily into the work-from-home mode while others were moving in that direction. Whatever your situation, most of us are now ensconced in the guest bedroom, corner of the kitchen, basement, or garage, laboring at our computers, trying to balance home, family, and work life. We decide whether to risk a trip to the supermarket or call up a food delivery service, whether to mask-up for a walk around the neighborhood or climb on that stationary bike for one more ride.

What credentials do I have to give you advice? In 1989, the company I worked for sent me to another country once a month to work. They outfitted me with a “portable” computer, encased in a suitcase, that went aboard with checked luggage. When I set it up in the corporate apartment, I plugged the handset from the rotary phone into the apparatus to communicate with the mainframe. Since starting my consulting business in 1995, I’ve spent about half the time in a home office working with clients holding online meetings and training sessions.

Whether you’ve worked from home for years or just started, here are basic guidelines to help you through this stint or prepare you for a permanent workplace change.

Optimize your home office

Carve out your workspace and have everything you need: technology, connectivity, security, and capacity. If your company did not supply you with a printer/copier/scanner, purchase one. Have a shredder to minimize paper clutter and ensure security. Without these, you will not be as efficient as you need to be. If you have a permanent place to work, organize it for your preferred way of working, neat or messy. If you’re working at the kitchen table, organize your equipment and supplies for efficient set up and break down. Use a rolling cart, temporary shelves or plastic storage bins. Consider comfort over style, convenience over aesthetics.

Social distance does not mean social isolation

Stay in regular contact with your colleagues and friends. Begin every online meeting with a few basic questions: How are you doing? How is your family? What’s your biggest challenge? How are you coping with it? How can I help? What’s your biggest discovery to help your teammates? This is more important than the business on your meeting agenda. Spend time so everyone can share what is happening. In the “agile” approach implemented in many organizations, the morning meeting is a staple where people tell what they were working on and where they need help. Modify this to address the human side of your “human resources.” Everyone’s stressed, frustrated, a little stir crazy, and dealing with a new set of issues on top of what’s required for work. People are reporting those few minutes of socializing are a ray of sunshine. This is no time to ignore our human need for human interaction.

PLAN

Plan is not a four-letter word. Even if team and individual planning were not highly structured before, creating and executing plans is the most successful strategy for working remotely. Base your plan on your team and company mission. What are the results you need over the coming period to fulfill your mission? This coincides with our psychological need for purpose. Put together Action Plans (not To-Do lists) for what each person is responsible for accomplishing to meet each goal. Involve team members as individuals and as a group in figuring out HOW to get the job done. This is a time to innovate and create, one of the benefits of disruption. Use Deepak Chopra’s insight to your advantage that “all great changes are preceded by chaos.” You will be surprised at the hidden talent in your group. Focus on RESULTS not activity. Look for root causes when things don’t work out and modify your plan.

Be Flexible

Be ready to modify your procedures and rules based on the new reality. Do not expect everyone to be toiling away from 9 to 5. Studies show an 8-hour day has only about 5 hours of productive work because we have meetings, training, sick days, vacation, lunch, breaks, interruptions, and a myriad of legitimate activities. Allow people to do their most important tasks during their peak physiological times and use their low points for administrivia. Flexibility is a necessity. Work with your team to decide when they must be available and when it’s not expected.

There are more ideas based on experience and research. Decide how to adopt and adapt them to your specific situation. Do not neglect the social needs as you learn to become productive, efficient and effective in this new world, which may be with us for a while. Be aware of what you are learning about yourself, your team, and your organization. Be ready to implement improvements when you return to “normal,” the “new normal,” or a permanently changed work environment.

— Rebecca Staton-Reinstein, PhD, President, Advantage Leadership, Inc.


Rebecca Staton-Reinstein PhD, President

Rebecca Staton-Reinstein, PhD, President, Advantage Leadership, Inc. & Consultant with MetricStream


Risk Management Strategies for Small and Medium Enterprises (SMEs) to Survive in the COVID-19 Economy

6 min read

Introduction

The coronavirus, or COVID-19, presents a significant threat to all kinds of businesses, and even more so to SMEs. Among many other problems, the measures governments have taken to contain the public health risk may have caused a sudden fall in demand for your products or services, staff shortages and supply chain disruption.

Your business may be more fragile or cash-strapped due to lowered demand. Nobody knows how long the COVID-19 crisis will last. If the crisis is going to be a prolonged one, consumers will either consume less or change the way they purchase. Now’s the time to activate a robust action plan to position your business to navigate the COVID-19 crisis and be ready for a rapid recovery when things show positive signs. Your risk management strategies will come in handy to help you sail through the disruption and see you through the coming hardship.

Here are the key steps to success:

1. IDENTIFY, ASSESS AND MANAGE THE RISKS

The first step is to identify and understand the risks that are unique to your business. The best way to do this is to use your existing risk management principles and improve them as per your current needs, so that you will not only weather the present COVID-19 crisis but also get back to high performance quickly.

What are the Risks to Identify?

The biggest risk is COVID-19 itself. Those at risk of infection include your staff, visitors to your business facility, cleaners, contractors, etc.

Other risks may include disruption due to social distancing, plummeting employee productivity, strained supply chains, recession, unemployment, investment pull-back and civil unrest.

Apply the principles of Risk Management to identify the risks

If you already have a risk management practice in place, you can use its principles, summarized below, as ready reckoners; otherwise, you can start by adopting these tried and tested practices.

Enterprise Risk Management (ERM): Systematically helps identify, assess and monitor a wide range of risks (e.g. strategic, financial and legal risks) and the mitigation strategies they require.

Operational risk management (ORM): Provides insights on how to catalog operational risks and their associated details in a common risk repository called a risk register, and how to link risk appetites to business objectives. This enables risk assessments that calculate inherent and residual risks and helps in creating risk mitigation strategies.

Digital risks: These arise from enterprise technologies and third parties. During the COVID-19 crisis, risks can come even from social engineering scams.

Business continuity management: Covers how to plan and execute a centralized approach to business continuity and disaster recovery (DR) management across organizational functions, to improve response time during critical events, and more.

Internal audit management: Provides insights on risks, including risk assessments, and defines action plans to remediate issues and monitor them to closure.

How to Assess Risks

Steps to follow are:

  • Risk identification, which follows event identification and precedes risk response
  • Develop assessment criteria
  • Assess risk interactions
  • Prioritize risks as per their probability, vulnerability and speed of onset. You can rate each of these on 4 levels, such as high/some/small/very little probability.

The next steps in risk assessment include risk analysis, risk evaluation, risk communication, and risk response.

Risk assessment helps in reducing operational risks, improving safety and performance, and achieving objectives.

2. DEVELOP MITIGATION STRATEGIES

Depending on your industry, company size, location, and other factors, you can make a wide range of preparations. Your risk response should be driven by the decision of risk acceptance, reduction, sharing, avoidance or complete elimination of each risk.

Below are some common areas that will help you plan your risk mitigation:

  • You can consider moving your budget from fixed cost to variable spending. Reconsider the rent on office space as more employees will be working remotely.
  • Cash is king for businesses – it is wise to cut down unnecessary spending or expansion plans to conserve the cash.
  • While focusing on the operational elements of risk management, such as taking care of people and having them work from home, it is also critical to think from the viewpoint of compliance by publishing clear HR policies, data security policies, confidentiality policies and other policies.
  • You may choose to shift toward the localization of your supply chain so that you can be insulated from the increasing protectionism and risk aversion of a recessionary climate.
  • Digitization: More than ever before, digitization is getting a real push, and everybody is fast-forwarding experiments with digital channels in every aspect of their business. But this calls for more investment in the cloud, data, cybersecurity, and digital risk management.
  • Increase supply chain resilience: While it is good to localize supply chains, you also need to build capabilities in your supply chain to respond to unexpected events quickly, return to the earlier supply chain as soon as possible, or innovate to get to a better state.
  • Be sure to connect and maintain repositories of all risk mitigation activities, procedures, and controls in one place to make them easily accessible when needed.
  • Put internal controls in place to mitigate risks. For example, in the context of COVID-19, simple controls may include hand washing, cleaning, social distancing, etc.

3. DO REMOTE AUDITING

After you have put all risk mitigation strategies and controls in place, you need to audit whether everything is working well. During this restrictive time you will have to adapt to remote auditing, which is a quick and efficient way to assess and minimize errors and enables significant savings in time and effort. Audit functionality on smart devices is transforming the audit landscape.

  • Replicate face-to-face working environments with virtual environments including phones, computers, and services.
  • Capture organizational communication processes when defining remote auditing
  • Virtual storage of records (shared or isolated)
  • Broadcast messages – video conferencing, teleconferencing, email or group meetings
  • Prepare well before virtual meetings to ensure every dialogue for decision making is covered and before concluding the meeting, clarify action items, owners, and deadlines.
  • Have a central location that contains an up-to-date contact list with email, phone numbers with work time or work shifts.
  • Set up online audit scheduling, format, and checklist.
  • Use desktop sharing features extensively as necessary for reviewing records, procedures, documents, audit trails, procedure reviews, recording meetings, video conferencing, and audio conferencing.
  • Use asynchronous communication channels such as SharePoint.

4. PUT A BUSINESS CONTINUITY AND RECOVERY STRATEGY IN PLACE 

Whether you already have a business continuity plan or are putting a plan in place now, consider addressing COVID-19 in the plan. A continuity plan calls out the critical and time-sensitive applications, vital records, processes, and functions to be maintained, as well as the personnel and procedures necessary to do so, while the entity is being recovered. It needs to have six major components: data critical analysis and data back-up plan (DCA & DBP), Business Continuity Plan (BCP), Emergency Response Plan (ERP), Contingency Testing Plan (CTP) and Disaster Response Plan (DRP).

Here are a few important steps to follow while creating a plan:

  • Find and analyze Business Continuity Strategy requirements and document them.
  • Review issues related to business recovery, technology and non-tech recovery issues for each support service.
  • Identify, analyze, and document alternative recovery strategies.
  • Compare internal and external solutions, and assess the risk associated with each alternative recovery strategy.
  • Assess the suitability of alternative strategies against the results of a business impact analysis.
  • Analyze the business needs criteria, the objective of planning, and the evaluation method.
  • Senior management must be aware of the Cost/Benefit Analysis of Recovery Strategies and recommendations from experts.

Despite the uncertain times we’re living in right now, with a risk management and business continuity plan in place, you won’t miss a beat. One thing that’s special about businesses that have a robust risk management plan is that they will get through the difficult COVID-19 crisis, will have a V-shaped recovery curve and bounce back faster than others.

Stay Safe & Stay Alert


Priyabrata Sahoo Associate Vice President

