Risk management essential for corporate growth

While IT environments have been enhanced and business efficiency has improved, the risk of losing information assets or suspending business because of cyber attacks has increased. Risks lie not only in external attacks but also in daily operations, and their causes are diversifying. Recognizing risks and taking measures against them supports stable corporate growth and enables highly competitive business development. In this article, let's clarify what kinds of risks are lurking, and consider the importance of risk management and countermeasures for the major risks.

What is risk management?

When a company manages risk, "risk" refers to "uncertain events that may occur in the future." In addition, "uncertain events that hinder the achievement of business goals" and "uncertain events that hinder business continuity" are called risks. Risks vary from company to company, so it is important to define your own risk management.

Management procedure

Risk can be managed in the following steps.

1: Identifying risks

Identify the risks within your organization. In addition to major categories such as natural disasters, cyber attacks, changes in social and international conditions, and human risks, it is also effective to write down details such as financial risks, supply chain risks, and market risks. Since the status and content of risks differ from department to department, consider interviewing each department about its risks so that risks are identified company-wide.

2: Risk analysis / evaluation

Analyze each risk to determine its probability of occurrence (Probability) and the magnitude of the impact if it occurs (Impact). It is a good idea to place the risks in a PI matrix (probability of occurrence / impact matrix) to visualize them. Determine whether each risk is acceptable or needs urgent action, and work on countermeasures starting with the most urgent risks.

3: Response to risk

Review and formulate work manuals to reduce how often risks materialize. It is also important to consider compensation for the economic losses you may suffer, such as taking out non-life insurance.

Why risk management is important

Japan is prone to natural disasters because of its topography, geology, and weather. It can be said that social activities are carried out alongside natural threats such as earthquakes, volcanic activity, heavy rain, and heavy snowfall. As a company, it is essential to prepare for various situations in order to ensure the safety of employees and keep providing services to society even in the event of a natural disaster or pandemic.

In addition to natural disasters, do not forget that there are all kinds of other risks, such as the leakage of confidential information through human error or through cyber attacks that grow more sophisticated every day, and, for companies with overseas bases, the effects of coups d'état and large-scale demonstrations. For example, as business outsourcing increases, an outsourcing partner may suffer damage and the outsourced business may be suspended. Under these circumstances, measures to avoid or minimize risks are indispensable for the company to continue its business.

Key types and impacts of risk management 

There are many types of risks that you should consider. Let's list typical ones that can have a significant impact on corporate activities and see what kind of impact each has.

Natural disasters

As mentioned above, Japan is a country that is prone to natural disasters due to topographical and geological reasons.

Recently, abnormal weather has become a hot topic, and large typhoons have actually approached or made landfall in Japan, with heavy rain causing rivers to flood.

The living and business environments have been greatly affected by such sudden natural disasters. For example, in recent years we have experienced not only damage to basic infrastructure such as telephone disconnection, power outages and water outages, but also collapse of houses and offices.

When such a major natural disaster occurs, it affects the daily lives of employees, and in some cases it is not possible to continue working or the means of commuting is cut off. Furthermore, in the event of damage such as a power outage, there is a high possibility that the factory will not be able to operate or business will not be able to continue. Due to these various risks, it is possible that the business cannot be continued.

Cyber attack

A cyber attack is an attack that targets the computers or information systems of an individual or organization. The attacker breaks into the target computer or server via the Internet and sends malicious programs to destroy core systems, or to steal or falsify the data stored on the computer or server.

According to "Recent Trends in Cyber Attacks, etc." published by the Ministry of Internal Affairs and Communications, 33.8% of respondents to a survey on cyber attacks received after April 2020 answered that attacks had "increased" compared with the same month of the previous year, while 60.3% answered "no change"; the report states that cyber attacks are on the rise as a whole. It also points out that attacks by the malware called ransomware, which encrypts the victim's important data and demands money in exchange for its decryption, and inconspicuous attacks are increasing, and that the damage tends to spread and be prolonged by the time the attack is noticed. Furthermore, as the use of IoT increases, attacks targeting IoT devices account for nearly half of cyber attacks.

These cyber attacks are becoming so complex that countermeasures cannot keep up, and if you are complacent about your current security measures, important data may be extracted or tampered with. In addition to damage in the form of demands for money, the leakage of customer information may hinder business operations and reduce the credibility of the company. In many cases the effects linger.

Changes in international affairs

When considering corporate risks, it is important to understand the changing international situation and the culture of the country or region in which the business partner is located.

In addition to simply understanding the changes in the international situation, it is also necessary to quickly detect the movements of the company's industry and the policy changes of each country.

For example, for companies with overseas bases or companies purchasing raw materials from overseas, local security, prices, and culture such as people's way of thinking and customs are among the factors that influence whether corporate activities can continue. It is also necessary to pay attention to the relationship between Japan and the local country. If relations worsen, the local government may force the company to leave or restrict imports and exports. It is not uncommon for differences in business customs from the local market to lead to trouble over labor contracts and laws and regulations, which makes it difficult to carry out business smoothly.

When this happens, it is not just local activities that stop. If you are procuring raw materials locally, your business in Japan will also stagnate. In addition, the spread of the new coronavirus infection, which has spread all over the world since the end of 2019, has brought about changes in the policies, corporate activities, and markets of each country. As a result, companies are being forced to review their supply chains.

Human risk

First of all, employees may be injured in accidents at work or harmed by working styles such as long working hours. Of course, ensuring safe working hours and a safe working environment is stipulated by law, but beyond that, accumulated invisible stress can cause lapses in attention, which can lead to major problems such as data input mistakes and misdirected emails.

In addition, low awareness of risk can lead to major damage. For example, now that the use of SNS is increasing, casual posts by employees may be regarded as a problem by many people on the Internet and draw public criticism (flaming), which may damage the corporate image.

Measures by risk management type

Natural disasters
For natural disasters that are difficult to predict or avoid, it is important to take measures (BCP) that enable quick business recovery and continuity after they occur. Many SMEs do business as part of the supply chain of large companies, so business continuity efforts at SMEs also help stabilize the Japanese economy.

For example, it is also necessary to create guidelines that anticipate possible situations in the event of a disaster, such as the inability to communicate between bases. Include a means of confirming the safety of employees and contacting business partners.

It is also important to establish a system for sharing information by digitizing the materials used in business during normal times. Building an environment in which the entire company can resume operations at an early stage is directly linked to reducing the risk from natural disasters.

In addition, by moving to a work style that is not tied to any place or time using telework or mobile terminals, we will be able to respond to the situation without hassle.

Cyber attack
It is important to think about countermeasures against cyber attacks from two points: the gateway and the endpoint. A gateway, in networking terms, is a router that connects different networks or a device that performs protocol conversion.

Since the contact point between the internal network and the Internet is also a gateway, it is thought that if the security level here is increased, the internal network environment can be kept safe. The most common gateway security is a firewall. It monitors network traffic from the Internet to the corporate network and vice versa, and blocks any unauthorized communication detected. Another option is to take advantage of technologies that exchange data using secure networks such as VPNs.

Endpoints are terminals such as PCs, tablets, and smartphones. The endpoint is where work is done directly, inside and outside the company, such as exchanging emails, creating proposals, and connecting to the Internet to collect information. Because it is used so frequently, it is a point where threats such as malware can easily get in.

In addition, with the spread of cloud services, Wi-Fi, and telework, cyber attacks cannot be prevented by the gateway security measures that companies have put in place alone. If an endpoint such as a PC is infected with a virus, there is a high possibility that the infection will spread within the company or to business partners. Therefore, endpoint security measures are quite important.

At present, it is said that even if the security level of each gateway and endpoint is increased, cyber attacks cannot be completely prevented. It is important to have a high level of security in both.

In addition, let's understand the concept of "zero trust" as a next-generation security model. Zero trust is an alternative to traditional perimeter security, where security is considered on the assumption that all traffic is untrustworthy.

Zero trust scores the trustworthiness of all traffic and takes appropriate measures based on that evaluation. For example, in the traditional perimeter security model, traffic that gateway security such as a firewall has evaluated as trustworthy can communicate freely within the perimeter (the internal network). As a result, if an internal endpoint is infected with a virus or malware, the infection will spread.

On the other hand, the zero trust security model evaluates each time even if the access is from within the boundary that was once evaluated as safe, so it is possible to prevent the spread of infection within the boundary.
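The contrast described above can be shown as two access decisions side by side. This is an added example, not code from the article; the internal address range, the signals, the weights, and the threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values for this illustration, not taken from the article.
INTERNAL_NET = ip_network("10.0.0.0/8")
BASE_THRESHOLD = 70

@dataclass(frozen=True)
class Request:
    name: str
    src_ip: str
    user_mfa: bool        # user passed multi-factor authentication
    device_managed: bool  # device is enrolled in company management
    malware_alert: bool   # endpoint protection reports an infection
    sensitivity: int      # resource sensitivity, 1 (low) to 3 (high)

def perimeter_allows(req: Request) -> bool:
    """Traditional model: traffic from inside the boundary is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET

def trust_score(req: Request) -> int:
    """Score the request from its own signals; network location earns nothing."""
    score = 40 if req.user_mfa else 0
    score += 40 if req.device_managed else 0
    score += -50 if req.malware_alert else 20
    return score

def zero_trust_allows(req: Request) -> bool:
    """Evaluate every access; more sensitive resources need a higher score."""
    return trust_score(req) >= BASE_THRESHOLD + 10 * (req.sensitivity - 1)

# Constructed sample requests (private and documentation address ranges).
SAMPLES = [
    Request("office PC, healthy", "10.1.2.3", True, True, False, 3),
    Request("office PC, infected", "10.1.2.4", True, True, True, 1),
    Request("teleworker, managed laptop", "203.0.113.5", True, True, False, 2),
    Request("teleworker, personal device", "203.0.113.6", True, False, False, 1),
]

def compare(samples=SAMPLES):
    """Return (name, perimeter decision, zero-trust decision) per request."""
    return [(r.name, perimeter_allows(r), zero_trust_allows(r)) for r in samples]

if __name__ == "__main__":
    for name, perimeter, zero_trust in compare():
        print(f"{name:30} perimeter={perimeter!s:5} zero_trust={zero_trust}")
```

The infected office PC is the case the article warns about: the perimeter check lets it through because of where it sits, while the per-request score refuses it.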

In this way, it is necessary to understand and utilize the latest security concepts such as the zero trust security model as well as gateway security and endpoint security.

Changes in international affairs

In order to mitigate geopolitical risks (risks arising from geographical, political, military, and social relationships), you have to keep up with the latest information on changes in the political and economic conditions, security, laws, and so on of the countries and regions in which you operate.

To do so, it is necessary not only to look at the current international situation, but also to identify geopolitical risks that may affect the company's corporate activities, and to continue to grasp the international situation. Analyze each risk, estimate what kind of impact it will have in the worst case, and reflect it in your medium- to long-term strategy. By doing this, you can consider how you can recover from a temporary significant impact and how you can minimize the impact.

It is necessary to consider risks company-wide by first understanding the risks of each department and then looking across departments. To that end, provide opportunities to consider risk countermeasures through communication that transcends departmental boundaries.

By strengthening collaboration with policy makers, employees, customers, NGOs, etc. and exploring directions for risk control, risk can be turned into an opportunity.

Human risk

As a measure against human risk, it is important to thoroughly review the working environment first. Consideration for the health of employees also needs to be expanded as a system.

In addition, to prevent careless mistakes during work, such as input mistakes and device misoperation when using a PC, introduce RPA to automate routine and simple work.

RPA is an abbreviation for Robotic Process Automation, which is a tool for automating work processes using software robots. By introducing RPA, it is possible to reduce the work load of employees and mistakes caused by human work. If the work load of employees can be reduced, they will be able to focus on work that makes the best use of their abilities, and will be able to create time and mental leeway.

It is also effective to create a business manual and provide regular training opportunities. Use webinars and web conferencing tools to distribute training videos and build a system that enables education according to the work level of employees.

Furthermore, raising awareness of compliance throughout the company should not be forgotten as a measure against human risk.

There is a high possibility that casual SNS posts by employees and information released by corporate public relations will cause problems.

In addition, it is important to set up training sessions to deepen understanding of political statements, discriminatory statements, various types of harassment within the company, intentional information leaks, etc. as contents included in compliance.

Achieving growth and business continuity through both risk management and crisis management

With the globalization of corporate activities and a world connected via the Internet, it has become easier to do business with various parts of the world. On the other hand, companies often seem not to be fully aware of the various risks that exist. If a company is complacent about its current security measures or neglects to collect information on new cyber attacks, events that cause great damage may occur. In addition, considering in advance the measures and systems needed to recover from natural disasters makes it easier to continue the business. For human risks, corporate efforts to raise employees' ethics as business people, such as reviewing business operations and the corporate culture and constitution, are also required. In particular, awareness of compliance will become more and more necessary in order to expand corporate activities.

In order to take such risk countermeasures, we must review our corporate activities from an objective perspective, such as what is considered a problem globally or socially. You need to start by thoroughly identifying what risks exist and where.