Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Steve Durbin
Steve Durbin
Connect Directly
E-Mail vvv

6 Tips for Managing Operational Risk in a Downturn

Many organizations adjust their risk appetite in an economic downturn, as risk is expanded to include supplier and customer insolvency, not to mention cash-flow changes.

Many organizations have gone through unprecedented changes in the past year. While some have struggled to cope, others have proven resilient in the face of uncertainty. To handle adversity gracefully and emerge from a period of hardship in good shape requires a deep understanding of your business. To manage operational risk effectively, you must identify threats, craft incident response plans, and establish visibility.

Underpinning a successful strategy is the agility to act swiftly in the face of rapidly changing circumstances. There are various steps any organization can take to gain deeper insight into operations and establish a holistic picture of the threats that matter most. The urgency that a downturn creates can be an opportunity for positive change to build greater resilience.

Related Content:

The Yellow Brick Road to Risk Management

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

Many organizations also find the need to adjust their risk appetite in a downturn as operational risk is expanded to include potential risks directly related to downturn such as insolvency of suppliers and customers, and changes to cash-flow patterns, all of which may have been based upon more predictable trading periods.

Understand Your Risk Appetite
It's crucial to have a clear picture of the risk that your business is prepared to endure. Different businesses will have different tolerances, in terms of the downtime they can handle and what their customers will put up with. The process of identifying where the major risks lie isn't just about informing mitigation strategies, it can also be a catalyst for necessary change. A dynamic landscape and shifting external pressures can shine a light on areas that require investment, or even parts of the business that must evolve.

Be pragmatic and realistic; risk appetite may have to shift significantly during a downturn. 

As consumer behavior changes, organizations must look beyond maintaining current customer experiences and cater to emerging demand. Traditional retail might close their brick-and-mortar stores, for example, and transition to exclusively online business.

Take a Risk-Based Approach
While compliance is essential, and easily digestible for company boards, a box-ticking approach to cybersecurity cannot cater to the unique risks that each business faces. Transitioning from a compliance-based approach to a risk-based approach is challenging, but the two are not mutually exclusive. What's vital here is that you align your approach with the overall business strategy and demonstrate the benefits to secure board buy-in. 

Monitor the Threat Landscape
Before you can craft an effective risk-based approach, you must build a clear picture of the threats your organization faces. There are many commonalities, but the precise make-up of the threat landscape is unique to each business. Geopolitical instability has precipitated an enormous change in recent months with a rapidly shifting cast of bad actors with an ever-growing capability to harm. 

Any snapshot of the threat landscape will be rapidly out of date. Organizations must continuously monitor the situation and keep tabs on trends in organized criminal gangs and nation-states. This is complicated when your business operates across multiple jurisdictions because you must learn not only what different threat actors are doing in those geographies, but also what the regulatory landscape is like.

Plan Crisis Management
With a clear plan in place and responsibilities delineated, you can work through any crisis. Make sure that you craft policies and incident response plans to cater to a diverse range of scenarios. When a problem emerges, employees should know what's expected of them. Empower individuals to take charge and to report back regularly to upper management and the board. Knock down roadblocks to swift action and demolish walls between silos to ensure that different people across your business can work together effectively to resolve issues and guard against any repeat. The whole business must be accountable to spread the load and build understanding across departments and geographies.

Establish Transparency in the Supply Chain
While internal visibility is crucial, you can't afford to leave third-party partners to their own devices, but sending suppliers many streams of audit forms is not effective. Security becomes a tick-box exercise where partners have an incentive to tell you what you want to hear. It's better to share specifics and make your expectations of partners crystal clear. Ensure your supply chain is transparent and fully informed by your risk appetite and threat monitoring to effectively manage risk and enable the agility to drive future success.

Share Intelligence and Foster Collaboration
We've highlighted the importance of transparency across your business and throughout the supply chain so that everyone takes responsibility and works together, but this spirit of sharing and collaboration can spread further. Work closely with partner organizations, establish intelligence-sharing in your sector, and talk to government departments and even other industries about the threats they have encountered. 

Cybercriminals and other attackers share tactics and success stories. When we fail to share intelligence, the only real winners are the bad actors. They can deploy the same attacks successfully with a range of organizations unless we discuss our experiences and collaborate on defensive strategies to shut them out.

Coping with heightened operational risk during a downturn is a challenge for every business, but it's far from insurmountable. Strive for transparency, plan for the worst, and pull together across departments, third-party partners, and the wider business community to create a united front.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-08-07
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NULL pointer dereference when this.Span is used for oState of Collab.addStateModel, because this.Span.text can be NULL.
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an exportXFAData NULL pointer dereference.
PUBLISHED: 2022-08-06
A vulnerability was found in SourceCodester Expense Management System. It has been rated as critical. This issue affects the function fetch_report_credit of the file report.php of the component POST Parameter Handler. The manipulation of the argument from/to leads to sql injection. The attack may be...
PUBLISHED: 2022-08-06
A vulnerability classified as problematic has been found in SourceCodester Wedding Hall Booking System. Affected is an unknown function of the file /whbs/?page=contact_us of the component Contact Page. The manipulation of the argument Message leads to cross site scripting. It is possible to launch t...