ERM Report: Target’s Breach a Needless Mishap

[Editor’s Note: Organizations have become myopic with GRC solutions, and they can no longer see the forest through the trees. In my prior blogs, I pointed out that over confidence in technology point solutions has been happening since the Great Wall of China, where corporations have not been investing enough in broader ERM programs that can detect non-technical failures like employee collusion, or vendor performance or loop-hole issues. The Board needs to know their true risk monitoring position and the ineffectiveness of a company’s processes and systems to prevent these mishaps not only in IT, but across all areas. Our new series, brought to you by the LogicManager Analyst Team, will keep you up to date with real world examples of risk management failures, and how ERM could have prevented them.]

Missed-Target.jpg?width=320The headlines yesterday, “A breach of credit and debit card data at discount retailer Target," may have affected as many as 40 million shoppers. According to Ponemon Institute[1], a data breach incident costs U.S. companies $188 per compromised customer record. This gives the Target breach an estimated cost of over $8 million. Target may also face fines from federal agencies like the SEC for negligence if they do not have an adequate ERM monitoring system in place to manage risk.

Like so many corporations, why didn’t Target invest a fraction of this money in an ERM program that might have prevented this and future loss events?

The LogicManager Analyst Team contends, tomorrow’s surprises are known and foreseeable. The proliferation of technology has resulted in easily accessed data trails (i.e. email). Inevitably, 6 weeks down the road, the root cause of risk will be found not only known, but well documented at lower levels of the organization.

If Target had a more effective Enterprise Risk Management process and an ERM Software to support it, the risk would have been documented and assessed in a way that provided transparency to upper management, who would have had the time and opportunity to do something about it. Having an effective ERM software system would also have mitigated the inevitable penalties and law suits that are sure to follow this breach. To be fair, Target is not alone, according the most RIMS[2], 94% of corporate America have only ad-hoc or initial processes in place to monitor and prevent risks from materializing.

The steps to Enterprise Risk Management success are known and repeatable, but with so much going on with the day-to-day activities of organizations, a software system is required in order to prioritize and elevate risks. Consider, even for an organization like Target, a fully developed ERM software system would have cost less than 3% of the costs estimated by the Ponemon Institute calculation, not including the inevitable fines and lawsuit. In our interconnected world, where multiple departments are involved in the identification and mitigation of a risk, ERM software is a necessity for risk managers to do their jobs effectively.

If you already know your ERM program needs the transparency ERM Software can provide, download our ERM Software RFP Template for a business requirements document to help you chose the right solution.


[1] 2013 Cost of a Data Breach Study, Untied States – Ponemon Institute. 06/13/13. Available here.

Votes: 0
E-mail me when people leave their comments –

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!