Navigating Corporate Risk and Cybersecurity: A Discussion with Annie Searle

By Sean Costigan, PhD

In a recent exploration of the intricate world of corporate risk management and cybersecurity, I enjoyed the privilege of engaging in a compelling conversation with Annie Searle, a distinguished expert in the field of operational risk management. Searle’s extensive experience in the financial, IT, and emergency services sectors illuminates the multifaceted nature of risk in the corporate world. With her academic prowess at the University of Washington, Searle is a formidable voice in the realms of corporate governance and cybersecurity. Her career trajectory is not just impressive; it’s a testament to her deep commitment to risk management excellence. Searle’s work in developing premier risk programs and advocating for technology access, notably through her involvement with the Seattle Public Library Foundation, underscores the breadth of her expertise and dedication. 

During our discussion, we delved into the intricacies of notorious corporate scandals, including cases like Theranos and Wells Fargo. Annie emphasized the utmost importance of recognizing early risk indicators, a lesson that many companies, unfortunately, have yet to put into practice. Her critique of the failures in corporate governance systems reveals a troubling disconnect between leadership’s decision-making processes and the operational ground realities of organizations. One of the most enlightening aspects of our conversation revolved around the concept of tone at the top.

Annie elucidated how leadership ethics and operational standards cascade through an organization’s hierarchy, profoundly influencing its overall conduct. She brought to light how skewed incentives and bonuses can lead managers down the wrong path, and how important it is to recognize the early warning signs of risk. Furthermore, Annie’s observations on the dilution of risk reports as they ascend the corporate ladder resonated with me, highlighting a dangerous underestimation of risks at higher management levels. In conversations with board members, Annie notes that she recommends the creation of risk committees: “Because I see risk as overarching and including cyber and I think there ought to be a relationship between the board members on that committee at the board level and the cyber organization itself.”

Our analysis of the Wells Fargo debacle shed light on the critical role of board members in overseeing company operations and managing risks. Annie’s insights into the board’s challenges, especially in comprehending and managing cybersecurity risks due to a lack of technical know-how, were eye-opening. It’s notable that, according to a recent study, just 12% of S&P 500 corporate boards have some measure of cybersecurity talent. As she notes: “we still have this gap operationally with the security apparatus where we’re not good at explaining what the threats are or why the investment will pay off or assembling a kind of research history of the threat in terms that even a C-suite executive can understand.”

We also tackled the complex new SEC rules on cybersecurity, particularly the intricacies involved in determining the materiality of a breach. Annie’s recommendation for boards to establish dedicated risk committees, distinct from audit committees, struck me as a vital step towards enhancing board-level advocacy for cybersecurity and risk management. This approach is especially crucial when cybersecurity doesn’t top the CEO’s agenda.

Reflecting on our conversation with Annie Searle, I am reminded of the pressing need for vigilant and well-informed leadership at the highest corporate levels. Her expertise sheds light on the criticality of a strategic and informed approach to risk management across organizational tiers, particularly in our increasingly digitalized world. As we advance, the lessons drawn from this insightful dialogue with Annie are more relevant than ever, emphasizing the importance of robust governance and risk management strategies in today’s complex corporate landscape.

This conversation is Episode 1 of the Resilience Rising podcast.

PUBLISHED BY

Sean Costigan

8 Feb. 2024
