Measurement as a Foundation for Communicating Risk
Megan Phee: Hi, I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends, and more to learn about your methods, solutions, and outlook in the space. Hello everyone and welcome to another episode of GRC & Me. Today I sit down with Anthony Riley, he's the Director of Security Risk Management at Okta. And we talk about the different factors that go into measuring risk, how to effectively report on risk and all of the benefits that can come from it. And now here's my insightful conversation with Anthony. Anthony, welcome. Thank you for joining us on another episode of GRC & Me.
Anthony Riley: Thanks for having me.
Megan Phee: Yes. Okay. So I think a great place to start. A lot of folks always want to know more about you and your journey to this role of a Director of Security Risk Management at Okta. I'm always keen to understand how do people get into this space, what set winding path that folks take to their current role. So if you'd be so kind walk us through that. Where did you start your career journey and how has it led you here?
Anthony Riley: Yeah, so I graduated college at James Madison University with a degree in computer information systems. And my first job out of college was at KPMG and I did risk consulting, which is basically external audit. And my last job, or my last client at KPMG was creating an internal audit program for a hospital in Cleveland. And that was very interesting to me. I really liked being able to help the team build out this function. They were very appreciative of that. And so I was like, "I actually, the internal audit space, I think I'm going to like that a little bit more than external audit." And so then I went into internal audit at a few financial institutions and then I quickly realized that it wasn't the audit piece, the internal audit piece that I liked. It was more the advisory piece and working with the customer, working with the teams to actually implement what your recommendations were. So then I moved into first line risk management, and so then I was able to help teams identify what their risks are and then being able to implement and help fix the risks I guess. So yeah, then from financial institutions, it's kind of a small network within the security world. So I saw an opportunity arise and I knew some people that worked at DocuSign and I reached out to them to learn more about the company and to learn more about the role. And they were like, "Actually, I think you'd be a really good fit for this. You should apply." And I was like, "Okay." So I did. And then I was at DocuSign for about a year and there were some leadership changes and that was really why I joined DocuSign. So then I joined Okta.
Megan Phee: Great. So you went, yeah. And so you've worked in the space in a financial services sector and now you're in a technology sector. So you've seen probably different risk cultures too and different methodologies used and all of that. So how has that deepened your understanding or maybe shaped the way of the work that you do now? And tell us a little bit about that. And then also think about sharing with us when you think about risk, what are the factors that you should consider when you're measuring risk? So tell me a little bit about that. How have cultures changed risk awareness based on these different industries you've worked in?
Anthony Riley: So financial institutions are very highly regulated as you would probably expect and want so that people don't sell your money. And then SaaS companies are not usually that focused on risk. They're usually focused on, let's get this product out very quickly, let's make sure the uptime is near a hundred percent if possible. And they're not that regulated. You obtain certifications through different like ISO certification, FedRAMP certification, PCI, things like that. But it's not really regulated. It's not like the OCC or the SEC coming in and being like, "Hey, you have to follow these rules." But having that mindset knowing that, that really kind of shaped my foundation for risk management. So I kind of knew based on those regulations what was kind of right and what was kind of wrong. And kind of-
Megan Phee: It's almost like you knew how to be very critically aware because you came from a very rigid structure to probably environments where they weren't as obviously they weren't as regulated.
Anthony Riley: Correct.
Megan Phee: So it's probably great experience because you could bring a little bit of that structure.
Anthony Riley: Correct.
Megan Phee: Maybe a lot of that structure into teams that weren't familiar with it. And that's really great. That's interesting. Okay, so my next question for you is just what are the different factors that you would consider in measuring risk?
Anthony Riley: So it kind of depends on the organization you're in. I mean, different teams are going to measure risk differently, but things that should be considered are the likelihood of the risk. How frequently could that happen? What the impact of that risk is going to... what would the impact of that risk be if it were to become realized? What type of risk is it? Is it like human capital? Is it cybersecurity? Is it change management? Because all of those are going to have different impacts and that's what's going to help with reporting as well because those are going to be what you're going to want to think about when you're measuring risk as well as doing maybe a scenario analysis. So if this type of risk were to come to fruition, what's going to be the impact to the company? What's going to be the impact to your team potentially? So these are different things you're going to want to consider when you're measuring risks.
Megan Phee: Well, I appreciate that because I know you had talked not too long ago about what should people do in measuring a risk effectively, how should they prepare to do that? And then how do you then communicate that measurement of risk? So what advice, what best practices, what do you do to measure risk and communicate that risk?
Anthony Riley: Yeah. So for the inherent risk rating, you'd look at the likelihood and severity and that's going to help you with measuring that risk as well as what controls are in place to help mitigate that risk. And then based on those two scores, that's going to help drive the residual risk rating or that's going to drive the residual risk rating. And then based on that, that's what you're going to prioritize with the mitigation. So each risk, well that's depending on your risk appetite, you might actually choose to accept that risk, to transfer that risk, avoid the risk, or to mitigate it. If it's critical, you're probably going to want to mitigate it. That's probably going to be the priority for your team. They're going to want to focus on that. And so when you're reporting that out, you want to make sure your audience, because reporting to the board of directors versus reporting to the risk owners versus reporting to your team, they all have different knowledge of risk management, they all have different knowledge of the process probably whereas my team helped me perform that risk assessment, whereas the board has no idea that we even probably performed that risk assessment. So providing them those results. So yeah, definitely know your audience, you want to make sure that you provide enough information but not too detailed of information. I think details are very important. However, if you want to provide the raw data or the analysis, I would suggest putting that in the appendix so that way you're not overloading them with data because then it can again be overwhelming and they might just get lost. And other things that you would probably want to consider. Not everything is critical, so don't say the world is not always on fire. If it is, then is it really?
Megan Phee: I like that you just call attention to the conversation that needs critical response. Bring attention. Don't assume everyone understands what impact and likelihood even mean or inherent and normalize it for the board. Normalize it into the context of business terms that they might understand. What would you say if you can effectively do this, if you can effectively measure and report on risk, what are some of outcomes that a business can benefit from or what are the impacts of that in your opinion?
Anthony Riley: So some of the benefits of effectively reporting risks to the board and to management is helping prioritize work. Because if it's a critical risk, you're going to want to prioritize those mitigations so that you can help reduce that risk. It helps give insight into how the controls are operating, so then you know which controls are insufficient or which ones are effective. And you're probably going to again, prioritize the ones that are ineffective so that you can help with switching the controls from insufficient to effective that will help reduce residual risk. So again, that's prioritizing work. I also think that reporting on risk consistently helps provide a risk culture because that's actually one thing that was very different from the banking world versus tech companies is that in the banking world, risk management was required. We had to do this, everyone was aware of it. Whereas in a technology company, people don't really know what risk management is. They might not know what those terms are. And so that's actually one thing that I would've put in my decks as well and probably the appendix is depending on who you're reporting to, you might want to put terms and definitions because they might not know that. So reporting on risk consistently will help provide a risk aware culture so that when the employees are doing something, they're like, "Hey, that actually might be a risk. Maybe I should let the risk management team know this." And so they're proactively identifying those risks and providing them to us. And then we're not just identifying risks through risk assessments. That's when you know that your program is becoming mature. And that's key. That's golden.
Megan Phee: I was going to say that's like the gold standard. It's like when you got your business leaders participating in the conversation, collaborating in it and owning it with you, say LogiGate risk is a team sport. And I love that you'd mentioned that. Yeah, that's incredible. And to learn more about how you can measure and report on your risk management efforts, visit logigate.com today. And until next time, this is Megan Phee with GRC & Me.
Properly measuring risk is the most important ingredient in effectively communicating risk, and communicating risk leads to a richer risk culture at your organization. On this episode of GRC & Me, we sat down with Okta's Anthony Riley to hear his best practices for measuring and communicating risk.