Fusion Risk Management Has Been Named a Leader in the Forrester Wave™: Business Continuity Management Software Report
Blog
TSPs: Making the Case to Invest in Risk and Resiliency
Posted on: September 12, 2022 Author:
Lauren Kornutick
Technology has evolved rapidly in the past 20 years.It connects us across digital platforms, automates low-value repetitive tasks, and allows us to have better insights into the world around us. Metaphorically speaking, technology is the backbone of our digital world.
Technology and data service providers (TSPs) have become critical contributors in the successful operations of every organization. Think about it: if your technology or data warehouse were to fail, could you continue running your most critical business services? If you experienced a data breach, could your organization survive the reputational damage and loss of consumer confidence? Are you able to respond to and manage all of the SLAs (service-level agreements) that you’re required to adhere to contractually?
But as much as technology has evolved, the regulatory climate that provides guardrails has not quite caught up. Yes, there are some aspects of technology and data protection that fall within the parameters of privacy and cybersecurity laws. There are also some digital platforms that provide information and serve as a digital meeting place or marketplace that are subject to regulations on content. There are even emerging regulatory requirements on the horizon such as the Digital Operational Resilience Act (DORA) that will extend regulatory reach to some technology and data service providers. But even if these rules do not apply to all technology firms, it makes solid business sense to plan for this eventuality. Even if it is difficult to use that regulatory hammer to secure funding for budget to purchase technology, this should not stop a progressive organization from using effective risk management disciplines to run their programs and serve their customers. Or, as so well articulated by the great British writer C. S. Lewis, “Integrity is doing the right thing, even when no one is watching.”
Investing in Risk and Resiliency is the Right Thing to Do
Many corporations have defined their corporate values centering around doing business with compliance, trust, or ethics and integrity as a core value. Closely tied to those values are programs that enhance an organization’s operational risk management, compliance, and governance procedures; ESG (environmental, social, and governance); and reputation and perception in the market. A recent study by OCEG indicates that operational risk programs are viewed as unnecessary overhead by business units. So, how do you tie back the value of your program to the company’s bottom line? According to research performed by Ethisphere’s Ethics Index, “the listed 2022 World’s Most Ethical Companies honorees outperformed a comparable index of large-cap companies by 24.6 percentage points from January 2017 to January 2022.” This is the return on resilience: by investing in risk and compliance programs that are tied to your core value of trust, you’re better able to sense, prevent, detect, and respond to the risks that are developing in the world around you.
Lead with a Top-Down and Bottom-Up Approach
Operational resilience – like cybersecurity and corporate compliance – is everyone’s responsibility. Many of our own customers have said that having a “tone at the top” from leadership is critical to get their business team’s buy-in, as no one really wants to take a time out to work on their continuity plans or risk mitigation strategy.
To help you build the business case for investing in best practices for operational resilience, top-down and bottom-up approaches should be used within the organization. Top-down approaches ensure that the organization is taking the necessary steps to advance maturity, ensure that everyone receives the same message about resilience policy and procedures, and instill a culture of integrity within the organization. A bottom-up approach occurs when teams are issue spotting via speaking up about issues that they are encountering, control testing, or remediating audit findings. To have a holistic view and ensure that everyone is engaged and enabled for operational resilience, teams should be encouraging two-way communication between the leadership team who is accountable for governance and the team members who are responsible for execution.
Supply Chain Ecosystem
Technology firms that do business in the supply chain ecosystem of highly regulated entities must respond to RFP (request for proposal) requests understanding their back-end IT security, disaster recovery, compliance, and privacy programs. Organizations that have already made the investment in developing robust policies and procedures or worked toward their ISO IT security, business continuity, and risk management certifications are able to prove to their customers that they care about mitigating risk. Having these programs makes it more likely to get through the RFP process without customer requests for program improvement and pass customer audit requirements after initial onboarding.
Contractual Obligations
Closely related to being viewed as a better partner are the many contractual obligations that can be imposed upon your organization. A contractual obligation is a legal obligation that must be fulfilled in exchange for goods or services and covers payment, delivery, and quality. Here are some examples of instances that may arise in the contracting process:
Your customer may ask you to meet a specific SLA in the event of a data breach so that they can activate their incident management processes
Your customer may ask you to sign contractual language stating that you will provide ESG–related data because they have chosen to monitor their supply chain’s emissions, diversity, or governance
Your customer may impose audit requirements on you to determine whether your security and continuity controls are operating as expected and in accordance with their risk management policies
In all cases, having already made the investment in your risk and resiliency program will make it easier to say that you can agree to the terms that your customer is trying to impose upon you, get the customer the data they are asking for, or at least give you a good basis for which to negotiate more favorable terms.
Ability to Procure Cyber Insurance
According to an article in Insurance Business America, the cyber insurance market started to harden in 2020 after a surge in ransomware events. This means that insurance underwriters are re-evaluating how they rate cyber insurance to maintain profitability because the amount of claims they are paying has increased. The underwriting process is also becoming more onerous for insureds as questionnaires related to basic cyber hygiene and risk management programs have become more detailed. Having a robust resiliency program can help you prove to your insurance carriers that you are going beyond basic program management, making it more palatable for the carrier to offer you higher limits or lower rates.
The Regulatory Landscape is Always Changing
Remember, the only constant in resiliency is change. It is critical to keep your eye on what regulators are pushing down the pipe. While your organization may not be subject to direct regulatory scrutiny today, regulatory changes could carve you into some or all of the requirements that financial servicesproviders are subject to.
How Can Fusion Help?
It is critical to leverage technology to gain insight into your organization’s risk frameworks and compensating controls that your customers care about.
Using Fusion with our new partner UCF, you can import risk frameworks and other authority documents and their corresponding control objectives and controls with a push of a button.
Fusion’s solutions serve as a data hub for risk and resiliency, enabling you to:
Leverage key indicators to continuously track the most important risk and performance metrics
Surface key metrics for the vendors which are most critical to your operational landscape
Deploy incident management to direct teams’ responses to incidents
Meet your customers’ requirements on scenario testing and other obligations
For more information on Fusion’s solutions, contact your Account Manager or request a demo today!
Subscribe to our Newsletter
Stay up-to-date and receive our monthly insights!
Categories
Industries
Financial Services, Insurance, Technology
Solutions
Business Continuity Management and Disaster Recovery, Crisis and Incident Management, ESG, Information Technology and Security Risk, Operational Resilience, Risk Management, Third-Party Management
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Cookie Authorization Preferences
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Third-Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!