Corporate Compliance Insights

Incorporating the OODA Loop

by Charlie Miller
November 29, 2018
in Featured, Risk

Stopping Problems Before They Start

As third-party IT security/cyber risks become more prevalent, IT security professionals continue to look for more efficient and agile approaches to third-party risk management (TPRM) that can help organizations stay compliant with ever-evolving requirements. One of those requirements is the integration of continuous monitoring into TPRM programs. This article from Charlie Miller shares an optimal process for doing just that – it’s called the OODA Loop.

Boards and C-level executives are re-examining their organizations’ risk appetite and TPRM program effectiveness to better support their strategic business goals and to stay compliant with the ever-evolving requirements that have emerged across the globe. One of those requirements is the integration of continuous monitoring into TPRM programs.

Continuous monitoring has rapidly become a critical component of organizational third-party enterprise risk and governance strategies. Although the recent growth in continuous monitoring activities has been driven largely by online risks and threats, its benefits are broad and extend to almost all areas of TPRM.

Strategy vs. Tactics

In any TPRM program strategy, continuous monitoring is a critical tactical tool. However, a common misunderstanding of the difference between strategy and tactics often leads to the selection of techniques and reporting metrics that do not meet an organization’s strategic TPRM goals. Incident response and management within TPRM programs are typically focused tactically on a specific event, so third-party professionals fail to capture the lessons learned from those events or to determine how continuous improvement opportunities apply to TPRM processes program-wide.

Observe, Orient, Decide, Act

The OODA Loop (Observe, Orient, Decide, Act), the decision cycle developed by military strategist John Boyd, is an optimal process for implementing continuous monitoring efficiently across the enterprise. As a four-stage basis for any decision-making process, it gives a nonlinear, proactive approach to problem solving in real-life situations, including continuous monitoring. Its four stages map, in order, onto the parts of third-party continuous monitoring: (1) definition of risk appetite, third-party ranking and incident response planning; (2) assessment and monitoring; (3) incident analysis; and (4) incident response.

Figure 1: The Parts of the OODA Loop

The OODA Loop mirrors the natural flow of human thinking; to be effective and successful, however, it demands forethought, documentation, feedback and feed-forward practices. Decisions should rest on data that is pertinent, available, readily analyzed and actionable by third-party risk professionals, and on implicit guidance, that is, guidance that has already been practiced and can be followed reliably at a moment’s notice. Implicit guidance removes the need to go back to a higher authority during a threat situation, which makes the response timelier and gives the risk professionals making the decision more confidence that their response is the right one.

In the context of third-party continuous monitoring, the use of implicit guidance is two-fold:

  1. The first is for the responsible parties within an organization to ensure that highly experienced analysts are available who can recognize a threat and act accordingly.
  2. The second is for the organization’s leadership to ensure that predefined actions linked to specific types of threats (playbooks) are available, both to guide less experienced analysts and to let more experienced analysts document their actions against policy and playbook processes.

The OODA Loop, Program Governance and Continuous Monitoring

The most robust continuous monitoring programs employ strategies designed to work across the entire enterprise, a difficult task in an organization of any size. A strategy that integrates the OODA Loop into continuous monitoring processes provides the collaboration across enterprise risk management needed to remedy the lack of coordination that typically constrains the effectiveness and efficiency of TPRM programs.

Because of the volume of information required for an agile response to near-real-time events, embedding the OODA Loop in TPRM programs can improve an organization’s security by making risk identification and management more proactive. A governance model that includes the OODA Loop empowers people: in continuous monitoring, it gives the third-party risk professionals who receive monitoring control data and reports implicit guidance, so they can run through a predetermined loop without slowing down or stopping at key decision points. This lets them work through a problem while avoiding the bottlenecks that can have dire consequences for operations, reputation and organizational resiliency.

A playbook customized to an organization’s unique needs provides a predetermined set of rules defining roles, responsibilities, options and guidance for responding to risk indicators, events or incidents. It gives clear guidance, assigns responsibility for in-the-moment action and sets the stage for important decisions to be made on time. Since time is the dominant factor in successfully executing a strategy in the TPRM space, where the threat environment evolves rapidly, having playbook options ready keeps the process from stalling at any point.
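The following is an added example, not code from the article or from the Shared Assessments Program, of how the four-stage mapping above and the playbook-driven "implicit guidance" can be expressed as a small decision engine. The playbook entries, vendor tiers, weights, escalation threshold and the monitoring feed are all constructed for illustration; the point it shows is the two escape paths a playbook needs (no entry for the signal, or a score that breaches risk appetite) and how a missing entry is fed back as a playbook gap rather than silently improvised.

```python
"""Minimal OODA-loop engine over constructed third-party monitoring signals.

Stage (1) of the article (risk appetite, vendor ranking, response planning) is
encoded in the constants; observe() covers stage (2); orient() and decide()
cover stage (3); run_loop() returns the stage (4) decisions as an audit trail.
"""
from dataclasses import dataclass
import json

# Constructed playbook: predefined actions linked to signal types. All names
# (signal types, actions, owners) are hypothetical.
PLAYBOOK = {
    "credential_leak":   {"action": "force_credential_rotation", "owner": "vendor_security_lead", "max_hours": 24},
    "cert_expiring":     {"action": "notify_vendor_contact",     "owner": "tprm_analyst",          "max_hours": 72},
    "breach_disclosure": {"action": "invoke_incident_bridge",    "owner": "ciso_office",           "max_hours": 4},
}

# Constructed vendor ranking and risk-appetite parameters (stage 1).
VENDOR_TIER = {"acme-payroll": 1, "widget-logistics": 3}
TIER_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ESCALATION_THRESHOLD = 10.0  # at or above this, implicit guidance ends and a higher authority decides


@dataclass
class Observation:
    vendor: str
    signal: str
    severity: str
    detail: str


@dataclass
class Decision:
    vendor: str
    signal: str
    score: float
    action: str
    owner: str
    rationale: str


def observe(feed_lines):
    """Observe: parse monitoring feed records (one JSON object per line)."""
    observations = []
    for line in feed_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        observations.append(Observation(rec["vendor"], rec["signal"], rec["severity"], rec.get("detail", "")))
    return observations


def orient(obs):
    """Orient: weight the raw severity by vendor tier, so the same finding ranks higher for a tier-1 vendor."""
    tier = VENDOR_TIER.get(obs.vendor, 3)  # an unranked vendor is treated as lowest tier
    return SEVERITY_WEIGHT[obs.severity] * TIER_WEIGHT[tier]


def decide(obs, score, gaps):
    """Decide: follow the playbook when it applies; escalate when guidance is missing or appetite is breached."""
    entry = PLAYBOOK.get(obs.signal)
    if entry is None:
        gaps.append(obs.signal)  # feedback: a signal type with no predefined action is a playbook gap
        return Decision(obs.vendor, obs.signal, score, "escalate_to_tprm_lead", "tprm_lead",
                        "no playbook entry for signal type")
    if score >= ESCALATION_THRESHOLD:
        return Decision(obs.vendor, obs.signal, score, "escalate_to_risk_committee", "risk_committee",
                        f"score {score} breaches appetite threshold {ESCALATION_THRESHOLD}")
    return Decision(obs.vendor, obs.signal, score, entry["action"], entry["owner"],
                    f"playbook '{obs.signal}', respond within {entry['max_hours']}h")


def run_loop(feed_lines):
    """Act: run the whole loop, returning the decisions (audit trail) and the playbook gaps found."""
    gaps = []
    decisions = [decide(obs, orient(obs), gaps) for obs in observe(feed_lines)]
    return decisions, gaps


# Constructed sample feed; not real monitoring output.
FEED = """
{"vendor": "acme-payroll", "signal": "credential_leak", "severity": "high", "detail": "vendor admin creds in paste-site dump"}
{"vendor": "widget-logistics", "signal": "cert_expiring", "severity": "low", "detail": "TLS cert expires in 10 days"}
{"vendor": "widget-logistics", "signal": "dns_hijack_report", "severity": "medium", "detail": "unrecognised NS change"}
{"vendor": "acme-payroll", "signal": "breach_disclosure", "severity": "critical", "detail": "vendor regulatory filing"}
"""

if __name__ == "__main__":
    decisions, gaps = run_loop(FEED.splitlines())
    for d in decisions:
        print(f"{d.vendor:18} {d.signal:18} score={d.score:<5} -> {d.action} ({d.owner}); {d.rationale}")
    print("playbook gaps to feed back:", gaps)
```

In this run the tier-1 credential leak scores 9.0 and is handled under the playbook, the same vendor's critical breach disclosure scores 12.0 and leaves implicit guidance for the risk committee, and the unknown `dns_hijack_report` signal is escalated and recorded as a gap for the next playbook revision. The returned `Decision` records are what a program would retain to show that analysts acted against policy.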

To empower each team member, training should require team members to demonstrate that they understand the goals, strategies and rules of engagement (the playbook rules). Individual commitment and enforcement then depend on those responsible for program management having the authority to execute the changes that surface over time through the feedback and feed-forward process. Monitoring strategies should be re-evaluated whenever internal or external business elements change, such as core mission, risk tolerance or business processes, to confirm that controls still function appropriately and to identify any new gaps.

Effective application of the OODA Loop in a continuous monitoring TPRM setting can:

  1. Improve situational awareness through more effective training and planning enterprise-wide.
  2. Improve ROI, weighing the improved insights (rewards) gained against the costs of continuous monitoring and agile decision-making, compared with traditional point-in-time periodic assessment practices.
  3. Potentially reduce legal and regulatory compliance costs through demonstrated implementation of defensible risk management practices.

Conclusion

Integrating OODA Loop principles into continuous monitoring and related governance tactics yields more effective risk mitigation and decision-making tools. The benefits of consistently applied criteria and processes extend to both the outsourcer and the third-party provider, since governance is most effective when the two work as a team. Planning responses rather than reacting lets an enterprise take steps that achieve benefits and reduce both threat impacts and costs.

Want to Learn More?

A white paper from The Shared Assessments Program titled “Innovations in Third Party Continuous Monitoring” covers the incorporation of the OODA Loop into third-party continuous monitoring and can be downloaded at www.sharedassessments.org/tp-continuous-monitoring/.


Tags: Monitoring, Third Party Risk Management
About the author

Charlie Miller is Senior Advisor at The Santa Fe Group, Shared Assessments Program. Charlie’s key responsibilities include expanding the Shared Assessments Third Party Risk Management membership-driven program and facilitating thought leadership, industry vertical strategy groups, research studies, and regulatory and association relationships. He joined the Santa Fe Group, Shared Assessments in 2015 and has been in the third-party risk space for over 13 years. Charlie is a frequent speaker and a recognized expert in third-party risk. He has vast industry experience, having led vendor risk management and financial services initiatives for several global companies. Charlie was the Director of Vendor and Business Partner Risk Management at AIG and implemented third-party risk management programs at Bank of Tokyo Mitsubishi (BTMU). He held multiple leadership roles at Merrill Lynch & Co., Inc., overseeing the company’s global vendor management program, and was a Director of Technology Audit. He led a financial services practice unit as a consulting partner at Deloitte focusing on technology outsourcing, risk management and cost control. He began his career at IBM as a system engineer. Charlie is a distinguished Fellow of the Ponemon Institute, a Certified International Privacy Professional and a Certified Third Party Risk Professional.
