
Manage Tomorrow's Surprises Today

Steven Minsky

Why Did Home Depot Need More Risk Assessments?


How can the 33rd largest company in America compromise the personal data of 56 million customers? And how can a company that spent $1 billion to "digitize" itself take nine months to identify a breach? Most importantly, how can a company once cited for leadership and success in risk management fail to...well, manage risk?

Cyber-crime expert Brian Krebs asks "Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?" Krebs feels that Home Depot was too focused on identifying potential threats and wasn't prepared to deal with the actual manifestation of one.

For companies concerned with cyber security, Krebs' question is a good one. When technology moves at a pace that is nearly impossible to keep up with, how can organizations structure their control environment to mitigate risk? The answer isn't found in your company's IT infrastructure, but rather in its ERM process.

Embracing Risk

Home Depot's risks may have been inevitable, but they were also known. As early as 2008, employees warned management of a range of cyber-security threats. The company was working with an "outdated Symantec antivirus software," and "did not continuously monitor the network for unusual behavior."

Blaming the IT team for not prioritizing a system upgrade isn't digging deep enough into the problem. Hidden behind the out-of-date software and the sporadic monitoring procedures is a failure of Enterprise Risk Management. Home Depot's front-line employees, often the most knowledgeable of a company's risks, were unable to communicate their concerns to a level in the organization that could assess the cost/benefit decision. The solution to this - a solution that benefits every company, whether large or small - is the use of comprehensive risk assessments.

With hundreds, maybe thousands of processes relying on IT applications, where could the business case have come from to make the upgrade an easy and high-priority decision for management? Risk Assessments would have equipped management with the input of the most knowledgeable individuals as part of a formalized process (rather than a one-off, red flag situation that can leave employees feeling vulnerable). Assessments at this level can provide the business case for change even when the current system "met industry standards for protecting customer data."

The Power of Risk Assessments

Especially in the field of IT Security, change is too rapid for organizations to be comfortable relying on standards, policies, and compliance to manage risk. ERM bridges the gap. By not reaching down to the front lines, Home Depot's management wasn't in a position to take action on risk. A fully-implemented ERM program - supported with Risk Management Software - would have provided the company with a more connected risk picture, and more data to ensure the proper mitigation activities were in place.

Not sure where to start? Download our Risk Assessment Template or eBook on 5 Steps for Better Risk Assessments.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
