James Lam, one of the world’s foremost experts on enterprise risk management and corporate governance, is joining the board of directors of RiskLens as an Independent Director. Lam was recognized in the 2017 National Association of Corporate Directors (NACD) Directorship 100 as one of “the most influential directors in the boardroom community.” He sits on the Board of Directors at E*TRADE Financial Corporation where he serves as the Chairman of the Risk Oversight Committee and as a member of the Audit Committee.
In nearly 35 years in the risk management field, Lam has held the Chief Risk Officer job at both Fidelity Investments and GE Capital Markets Services. He is currently President of James Lam & Associates, a risk management consulting firm he founded in 2002, working with corporate directors and senior management across all major industry sectors.
Lam is the author of Enterprise Risk Management (Wiley, 2003; second edition, 2014), a standard text and Amazon best seller in the ERM field, and more recently Implementing Enterprise Risk Management (Wiley, 2017).
RiskLens CEO Nick Sanna commented “We are on a mission to provide a level of risk understanding never seen in cyber but core to the broader practices in enterprise risk management. Against that backdrop, we are absolutely thrilled to welcome James to our Board of Directors as there are few in the world who understand ERM the way that he does. James has been in the trenches for decades, he understands what organizations need in terms of better cyber risk visibility, and we are confident he will help us continue our evolution as the leading provider in this space.”
Here’s some of James Lam’s latest thinking on RiskLens and the state of cyber and enterprise risk management:
Q: What appealed to you about joining the RiskLens board?
A: My strong belief is that good risk management has to be preceded by good risk quantification. Look at interest rate risk, market risk, credit risk, operational risk, strategic risk – in each and every risk discipline, more mature and effective risk management was preceded by good risk quantification, whether that was value at risk, economic capital, or stress testing. I still believe in the adage ‘what gets measured, gets managed’.
I see RiskLens as the right product at the right time. The demand is there, and in terms of value, I think it’s best in class. The association with the FAIR Institute gives the company a distinct advantage in terms of having a widely accepted risk quantification methodology.
Q: Why do you think the demand is growing for a risk quantification solution?
A: In the past, the information that boards, risk committees, audit committees, even executive management got from the CISO or CIO was mainly qualitative reporting, such as risk assessments and heat maps that are not actionable. Or they might be provided with a gap analysis against a maturity model like NIST or ISO. Those kinds of gap analyses always lead you to think more is better. The average CISO at a large company has over four dozen security solutions – more is not always better.
And it doesn’t answer some basic questions: What is our cyber risk exposure in economic terms? How is it trending? What is our exposure relative to our capital? Without answering those questions, it’s hard to make informed decisions on cybersecurity investments or insurance strategies.
On the strategy side, companies are dealing with digital innovations and disruptive technologies. No company can be timid about implementing new technologies such as blockchain, big data analytics, artificial intelligence, and IoT. But the downside is cyber risk. Without a good value at risk measurement you can’t make those risk return tradeoff decisions.
One of the most important components in enterprise risk management is establishing a clearly defined risk appetite. And you need to have quantitative risk exposure metrics to measure against risk appetite tolerances, otherwise you are looking at qualitative judgements.
Finally, one of most important questions that the board should ask is ‘How do we know if our cybersecurity program is working effectively’? Negative proofs, development milestones, and qualitative assessments are not sufficient. To adequately address this central question, we need data-based analytics, value-based metrics, and objective feedback loops.
Q: Are boards pushing management in this direction?
A: If you look at recent board surveys, directors are generally not happy with the quality of cyber risk reporting. They don’t get a sense of their cyber risk profile in business and economic terms. They don’t get benchmark performance data relative to peers. They don’t get risk exposure trends tracked against risk appetite tolerances.
The quality of cyber risk reporting needs to go up dramatically and that’s where RiskLens fits in, being able to give directors and senior management quantitative risk metrics on their cyber risk profile and measuring that against a defined risk appetite.
Q: Is the regulatory environment also driving this change?
Yes and I am very encouraged by recent developments. If you look at regulatory guidance from the SEC and from other regulators, those have also evolved from a risk assessment and maturity model basis to a much more quantitative approach. That’s going to be a real driver for industry practices and risk disclosures.
Q: You are an expert on enterprise risk management – should cyber risk management be brought under an ERM umbrella?
A: I would strongly encourage it. The two major gaps in cybersecurity programs today are one, the lack of risk quantification and two, the lack of integration into an overall ERM program.
The history of ERM indicates that managing risk by silos doesn’t work because risks are dynamic, they have critical interdependencies, and they need to be aggregated at the enterprise level. Unfortunately, cyber being the new kid on the block in many situations is managed as a silo with different methods and that’s a real pitfall. RiskLens plays a very important role in that the value at risk metric is a common currency for all types of risk.