When implemented smartly, new technology provides huge business benefits. The cloud and social media, for example, greatly increase the speed of communication, help with customer interaction and can even save companies money by consolidating resources. These new technologies also present huge risks, however, when these benefits are offset by data management hurdles and customers expressing dissatisfaction online for all to see.
In part one of this three-part video shot at the Marcus Evans Enterprise Risk Management Conference in Chicago earlier this year, SearchCompliance Editor Ben Cole sits down with five risk-management professionals to discuss how the cloud and social media are influencing businesses' approaches to enterprise risk management strategies.
How does technology such as the cloud or social media complicate risk management for the modern organization?
Adi Agrawal (executive director, enterprise risk management, Chicago Mercantile Exchange): I think that any new technology is a new set of uncertainties that gets introduced into how we do business on a day-to-day basis. So, I think cloud and social media are just the two most recent phenomena, and we've always had phenomena come in. What these two technologies do, in particular, is take the rate of communication and how fast things can move to a whole new level. Companies have traditionally relied upon a new communication technology to take time to embed, to take time to play out, and that gives you time to measure the uncertainty and catch up with how you're going to deal with it.
We just have to get used to technologies coming in, and the use getting explosive very quickly. I think it's a whole new paradigm to deal with.
Adi Agrawal, executive director, enterprise risk management, Chicago Mercantile Exchange
With social media and with cloud technologies' option at home, these are low-cost, almost-free technologies available to people. The spread has been almost, potentially, that almost every citizen on the planet's going to have access to these. So, I don't think the company's got a chance to really think about and get caught up during the uptake phase.
So the real challenge is, companies need to very quickly study how this uncertainty impacts them. They have to study the regulatory, privacy and other implications, and then come up with a way to deal with it. A lot of companies in the financial industry, for instance, have just said no. And I don't think that's a feasible response to these technologies.
So, that's the complication, but it's no different from any other. We just have to get used to technologies coming in, and the use getting explosive very quickly. I think it's a whole new paradigm to deal with. It's high-velocity risk, and companies need to start thinking about how they're going to deal with this risk.
Frank Fiorille (senior director, risk management, Paychex Inc.): That's a great question. I think the issue with those technologies is new risks, risks around the corner, risks that you don't deal with every day. They say it's the bus you don't see that is the one that runs you over, and risk managers need to be concerned about those technologies and the what kind of risks that they present.
I know in our company, we do spend some time thinking about that, and I think why companies are concerned about that is because, again, these are risks that presently create an exposure or a risk to them. They have not experienced them until now, they haven't written anything off, they can't quantify it. They categorize those as that unknown or unknowable risk. And because they're new, because they're emerging, because they're developing, quite honestly, the sales guys and the marketing guys on the other side of the ledger haven't even figured out how they're going to leverage and utilize those. It's hard for the risk guys to make sure that we've got mechanisms in place, that we can make sure that we're controlling those risks. So, I think it's really that new and emerging "what is it going to bring down the road?" that concerns companies.
Sean Browning (director, enterprise risk management, Vectren Corp.): I think it depends on the type of organization that you have. For us, as an electric utility with a large customer base, I think social media can have a dramatic effect in terms of what our risks are, in terms of the type of threat that we might see. We see social commentary around not liking us, or not liking the bills. In other situations, in the event that we have a severe outage, then we see a rapid flare-up of people commenting about their services and not being online as quickly as they'd like.
So, I think, what this ultimately does is act as a catalyst to really make us need to respond in a much different way than we would have in the past. We see with Hurricane Sandy, the utilities that were affected there, there was much more of an outcry than there has been historically. So, I think that it really amplifies the voices of people, with respect to whatever your service offering might be, and the need to be strategic about how you're going to respond to those voices.
Victor J. Haddock (senior vice president, internal audit, Magellan Health Services): Those are very new, recent trends that complicate things in three ways. One, it created a new avenue that didn't exist before for people to communicate and share information, and share things that they feel. Before all this, maybe it was email, or other methods of communication, that are more controlled.
Now you have social media, the Facebooks and the Twitters, and people when they come out of a meeting are able to immediately share some information that could put a position at risk. Or people would state personal opinions through the media that reflect on the organization. There's a lot more accessibility; it's a lot easier to share all this information. As we've seen recently in the news, all the misinterpretations of what people post in Twitter or Facebook or any of those social media creates a lot of risks for the organizations and affects reputation.
More on risk management strategies
Q&A: The keys to corporate risk management
In the big data era, BYOD and cloud complicates risk management
Cloud computing certainly brings the risk of cybersecurity, and organizations being able to gather intellectual property from us if you don't have the right firewalls and the proper processes in play.
I think, certainly, our tools are very effective for reaching members or potential customers and identifying trends, but also they pose a lot of risks any way you do so. I think organizations need to be smart and develop some internal policies in how they're going to use those technologies and what is the purpose of those technologies going forward.
Tate Mitchell (director, internal audit, Aegion Corp.): When you look at cloud and social networking, probably about 10 years ago, as you can imagine, there wasn't a big concern with it -- just because of the growth -- as [there is] right now. Ten years ago, you were easily able to manage the exposure of having data going out the door.
Now, you've got all these avenues for data going out the door, and so most companies have shifted from having that probably be a top 20 risk to now being, a top two or three risk. A lot of them are developing policies, they're developing mechanisms to monitor that type of activity within the organization, monitoring social networking activity and strengthening their cloud technology versus just having a third-party provider giving them a tool like that. They actually try to end up tightening up the reins a little bit more, to make sure that if there is data that goes out, that it's controlled and they can monitor it as it goes out.