[Editor’s Note: Organizations have become myopic with GRC solutions, and they can no longer see the forest for the trees. In my prior blogs, I pointed out that overconfidence in technology point solutions has been happening since the Great Wall of China, and that corporations have not been investing enough in broader ERM programs that can detect non-technical failures like employee collusion, vendor performance problems, or loophole issues. The Board needs to know its true risk monitoring position and how ineffective the company’s processes and systems are at preventing these mishaps, not only in IT but across all areas. Our new series, brought to you by the LogicManager Analyst Team, will keep you up to date with real-world examples of risk management failures and how ERM could have prevented them.]
Yesterday’s headlines read: “A breach of credit and debit card data at discount retailer Target may have affected as many as 40 million shoppers.” According to the Ponemon Institute, a data breach incident costs U.S. companies $188 per compromised customer record. This gives the Target breach an estimated cost of over $8 million. Target may also face fines from federal agencies like the SEC for negligence if it does not have an adequate ERM monitoring system in place to manage risk.
Why didn’t Target, like so many other corporations, invest a fraction of this money in an ERM program that might have prevented this and future loss events?
The LogicManager Analyst Team contends that tomorrow’s surprises are known and foreseeable. The proliferation of technology has resulted in easily accessed data trails (e.g., email). Inevitably, six weeks down the road, the root cause of the risk will be found to have been not only known, but well documented at lower levels of the organization.
If Target had a more effective Enterprise Risk Management process and ERM software to support it, the risk would have been documented and assessed in a way that provided transparency to upper management, who would then have had the time and opportunity to do something about it. Having an effective ERM software system would also have mitigated the inevitable penalties and lawsuits that are sure to follow this breach. To be fair, Target is not alone: according to RIMS, 94% of corporate America has only ad-hoc or initial processes in place to monitor and prevent risks from materializing.
The steps to Enterprise Risk Management success are known and repeatable, but with so much going on in the day-to-day activities of organizations, a software system is required to prioritize and elevate risks. Consider that even for an organization like Target, a fully developed ERM software system would have cost less than 3% of the costs estimated by the Ponemon Institute calculation, not including the inevitable fines and lawsuits. In our interconnected world, where multiple departments are involved in the identification and mitigation of a risk, ERM software is a necessity for risk managers to do their jobs effectively.
If you already know your ERM program needs the transparency ERM software can provide, download our ERM Software RFP Template for a business requirements document to help you choose the right solution.