Introduction

Digital risk management is about re-defining corporate governance to meet the new demands facing electronic business. New regulations and recently updated Federal Sentencing Guidelines create mandatory corporate governance environments where business leaders are potentially held personally responsible for privacy and information security violations that occur on their watch.

The heightened level of vulnerability and exposure created by e-business necessitates a brand-new level of digital risk sensitivity directed by a hyper-aware board and senior management and permeating throughout the extended organization.

Network-dependent enterprises must create a proactive and systematic enterprise-wide framework for addressing change management and disaster preparedness. Lowering corporate negligence and liability in the digital age is a complex responsibility that requires significant coordination and maintenance.

E-Business Risk - Unprecedented Reach and Scope

The networked economy has changed everything about business risk management and corporate governance. Factors such as globalization, growth in electronic commerce, increased economic and political turbulence have drastically increased the need for intelligent electronic security and risk management.

Companies have grown to depend on Internet communication and web applications in ways unimaginable just a few years ago. Although we intend for e-business initiatives to cut expenses and create competitive advantages, the complexity of e-business processes expose companies to many unforeseen risks that must be appropriately managed. Unprotected and uninsured electronic exposures can destroy even the strongest e-business models. Damage may include direct losses to damaged digital assets, lawsuits arising out of unmet expectations, out-of-pocket expenses due to lost data, and lost income from compromised business activities.

While traditional risks like fire and flood are relatively containable in the physical world, network security breaches can inflict damage and losses on others linked to a corporate network through the Internet at an uncontrollable rate and with an unprecedented reach.

The following statistics illustrate the strategic importance of managing electronic exposure and preparing the enterprise for impending electronic disasters:

• A recent Gartner report shows that 2 out of 5 enterprises that suffer a disaster go out of business within 12 months.
• According to Computer Economics, computer viruses and worm attacks cost business $17.1 billion in 2000 compared to $12.1 billion in 1999.
• In the 2001 Computer Crime and Security Survey, conducted annually by the omputer Security Institute (CSI) and FBI, eighty five percent of the respondents reported unauthorized use of their computer systems. The study also found that of sixty four percent of respondents reporting their organizations suffered direct financial loss because of security breaches, only thirty five percent could accurately determine how much was lost.
• The CERT Coordination Center (CERT/CC) at Carnegie Mellon, a federally funded research and development center that studies Internet security vulnerabilities, recently issued their vulnerability statistics for the first two Quarters of 2001. The current data suggests a dramatic increase in digital risk activity - almost 70% increase in the number of security incidents in 2001 over 2000.

Digital Risk Exposes Everyone

Any organization connected to the Internet, regardless of how they use that connection, must be concerned with several potential points of compromise, such as:

• Data theft - involves unauthorized insiders or outsiders stealing sensitive information and intellectual property
• "Island hopping" - attackers can gain access to an insecure computer network and use it to launch attacks on the other networks. By compromising security weaknesses at multiple points, attackers can use victim hosts as "zombies" to target denial-of-service assaults that are traceable back to the victim's IP address.
• E-mail compromise - places companies at risk of unknowingly spreading a virus or Trojan horse and harboring legally sensitive unprotected e-mail content.
• Web site exposures - occur when a site becomes unavailable or is maliciously altered to include erroneous information.

Perhaps the greatest risk of all in the e-business world is the harm to reputation and the catastrophic, unlimited financial consequences that could stem from liability claims by damaged stakeholders (customers, suppliers, shareholders, etc). As the Internet continues to evolve as a business tool, stakeholder accountability will be the prime motivator. This new commitment to stakeholder accountability requires top-level management and support and attention to detail a mandatory decision-making driver for all strategic, operational, and technical initiatives.

• Will your shareholders forgive you when your corporate secrets are stolen by a competitor and used against you?
• What is the plan when your system crash causes productivity loss throughout the nterconnected supply chain?
• How will you explain when a hacker publicizes intimate details of your customer relationships?
• What will be the impact of lost employee morale when internal hackers gain access to private human resource records?
• How will the capital markets respond when it is revealed that your company failed to initiate an enterprise-wide digital risk management program?
• How damaged will your customer relationships become when you fail to fulfill the terms of your service level agreements?
• How will you defend against liability claims that result from digital risk exposures inherited from corporate acquisitions and outsourcing?

Organizational Stakeholders @ Risk

• Employees
• Senior Management and Board of Directors
• Industry Peers and Affiliations
• Customers
• Suppliers, Service Providers and Contractors
• Financial Institutions
• Insurance Organizations
• Regulators and Government Organizations
• Politicians
• Local Communities and Society as a Whole

The Strategic DigitalRisk Management Plan - An Interdisciplinary Approach to Corporate Governance

In the past, most e-business risk decisions and budgeting focused primarily on the technical exposures while traditional risk managers separately focused on operational risk and insurance. What's needed now is a strategic risk management perspective that primarily focuses on the business exposures and brings alignment among all corporate governance efforts. Utilizing an enterprise-wide, top-down methodology that can properly address and manage all of the complex digital risk issues simultaneously, a Strategic DigitalRisk Management Plan incorporates business strategy, technical, operational and cultural considerations under a single, unified framework.

Critical Success Factors - Adding Value, Creating Advantages

There are several factors which lead to the successful implementation of a Strategic DigitalRisk Management Plan:

Focus on overall business strategy and senior management commitment

Board Members, CEOs, CFOs, CIOs, Information Security Officers and Risk Managers are accountable for both operational performance and achieving strategic objectives need to understand the direct alignment of digital risk with the strategic business goals of the enterprise. With guidance from senior executives and due regard to the overall strategic goals, true digital risk management professionals will integrate all aspects of information security (risk identification, protection, control, and reaction) with traditional risk management (risk analysis, avoidance and transfer) to ensure that the complex demands of the e-business strategy are adequately met.

Partnerships between technical and business managers

In the wake of increasing technical and organizational complexity facing today's e-business initiatives, it is clear that decision makers relying on traditional risk management strategies are failing to keep pace with the digital risk demands. Why? Risk managers, who are usually found in the financial silo, are disconnected from technical and operational managers, and decisions regarding preemptive security measures remain at a distance from traditional risk management and insurance decisions. The partnership of information security with traditional risk management is a strategy that blends strong corporate policy and proven risk management practices with the realities of information security in the emerging e-marketplace. The emerging new breed of digital risk management professionals must work closely with e-business leaders to maximize their information security ROI while transferring residual risk to an insurer.

Effective "extended enterprise" management practices

By its nature, a multi-enterprise e-business initiative requires heightened levels of trust and accountability among all the parties involved; at any given time each e-business partner has care, custody, and control of another's tangible and intangible assets. For example, the risks of outsourcing can be enormous because the decision places outsourced vendors in ultimate control of critical business relationships. And with every strategic and technical decision, stakeholder relationships become weakened or strengthened according to the level of assurance, safety and accountability the organization provides. All digital risk management communication comes to life in the organization's service level agreement (SLA). The SLA sets the tone for what will happen in the business relationship, matching strategy, expectations and execution.

Communication paradigm shift

The digital risk paradigm requires senior executive teams to begin defining proactive risk management strategies and solutions in a common way using a common language that stresses enterprise-wide awareness, knowledge sharing, and training.

The DigitalRisk Paradigm

• Risk Management must evolve moving from brick & mortar to brick & click
• "Prudent Man" rule still applies
• Enterprise-wide controls must be consistent with business model
• Managing perceptions & stakeholder expectations is critical
• Consistently support "trust and accountability" behavior
• Intangible assets / knowledge process become the focus

Digital Risk Insurance

A comprehensive insurance program that covers the major e-business exposures needs to be part of every organization's digital risk management plan. The goal is to protect corporate stakeholders, clients, customers and the general public against loss due to failures in e-business initiatives. First-party insurance absorbs direct losses that policyholders sustain to their information assets while third-party insurance helps to pay for losses policyholders cause others. An important element addressed by liability insurance is the rising cost of defending against stakeholder claims and litigation, which places an increasing burden on even the most robust e-business initiatives. An all-inclusive, top-down digital risk management strategy must also include insurance solutions that protect against direct losses including hardware failures, software bugs, downed telephone lines and overloaded networks.

Changes in Corporate Culture

Managing digital risk include managing stakeholder trust, managing expectations, managing communication, and sharing knowledge. If the organization fails to communicate consistent expectations, and set the tone for managing relationships, all digital risk initiatives are at risk of failure. Achieving an environment where true digital risk management exists requires that all senior managers and decision makers raise the level of conversation from that of tactical, information security techno-speak to one of corporate governance and enterprise-wide accountability.

Quite unlike a single event like the Y2K problem, effective Digital Risk Management is an ever-evolving "best practices" process that never ends. In order for today's e-businesses to survive, it is therefore mandatory that all organizations adhere to best practices and proper planning both internally and between interdependent trusted partners. It is an undeniable fact that if current and future business models are to survive and achieve their financial objectives, it is essential for corporate boards and senior leadership teams be constantly vigilant in the quest for trust, stakeholder accountability, and proper corporate governance.