Manage Tomorrow's Surprises Today

Steven Minsky

ERM Report: Target's Breach a Needless Mishap


[Editor's Note: Organizations have become myopic with GRC solutions, and they can no longer see the forest through the trees. In my prior blogs, I pointed out that overconfidence in technology point solutions has been happening since the Great Wall of China, where corporations have not been investing enough in broader ERM programs that can detect non-technical failures like employee collusion, vendor performance, or loophole issues. The Board needs to know its true risk monitoring position and the ineffectiveness of a company's processes and systems to prevent these mishaps, not only in IT but across all areas. Our new series, brought to you by the LogicManager Analyst Team, will keep you up to date with real-world examples of risk management failures and how ERM could have prevented them.]

Yesterday's headlines reported "a breach of credit and debit card data at discount retailer Target" that may have affected as many as 40 million shoppers. According to the Ponemon Institute[1], a data breach incident costs U.S. companies $188 per compromised customer record. This gives the Target breach an estimated cost of over $8 million. Target may also face fines from federal agencies like the SEC for negligence if it does not have an adequate ERM monitoring system in place to manage risk.

Why, like so many corporations, didn't Target invest a fraction of this money in an ERM program that might have prevented this and future loss events?

The LogicManager Analyst Team contends that tomorrow's surprises are known and foreseeable. The proliferation of technology has resulted in easily accessed data trails (e.g., email). Inevitably, six weeks down the road, the root cause of the risk will be found to have been not only known but well documented at lower levels of the organization.

If Target had a more effective Enterprise Risk Management process and ERM software to support it, the risk would have been documented and assessed in a way that provided transparency to upper management, who would have had the time and opportunity to do something about it. Having an effective ERM software system would also have mitigated the inevitable penalties and lawsuits that are sure to follow this breach. To be fair, Target is not alone: according to RIMS[2], 94% of corporate America has only ad hoc or initial processes in place to monitor and prevent risks from materializing.

The steps to Enterprise Risk Management success are known and repeatable, but with so much going on in the day-to-day activities of organizations, a software system is required in order to prioritize and elevate risks. Consider that even for an organization like Target, a fully developed ERM software system would have cost less than 3% of the cost estimated by the Ponemon Institute calculation, not including the inevitable fines and lawsuits. In our interconnected world, where multiple departments are involved in the identification and mitigation of a risk, ERM software is a necessity for risk managers to do their jobs effectively.

If you already know your ERM program needs the transparency ERM software can provide, download our ERM Software RFP Template for a business requirements document to help you choose the right solution.


[1] 2013 Cost of a Data Breach Study, United States - Ponemon Institute. 06/13/13. Available here.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
