Managing Risk in 2018: From Cybersecurity to Compliance
Risk Management is one of the primary duties of boards, executives, and security and compliance teams. But implementing the practices, processes, and policies that enable and ensure integrated risk management is another matter altogether.
Everyone likes to talk about risk management. After all, it’s one of the primary duties of boards, executives and security and compliance teams. But implementing the practices, processes and policies that enable and ensure integrated risk management is another matter altogether. It involves addressing the multifaceted interconnections between cybersecurity, data governance, regulatory compliance and various types of risk management— financial, operational, reputational, third-party and more.
Where once these efforts were consigned to various silos and managed painstakingly via spreadsheets and point solutions, this approach is woefully insufficient given the global scale and complexity of the modern enterprise. As PwC points out in a 2017 report, companies that manage risk from the front line — making it a mandate for the board, executives and business unit leaders — are more likely to succeed at growing revenue and profits. Moreover, in the face of operational disruption, they are better able to recover effectively.
CXOs and Boards of Directors Will Put the Focus on Cybersecurity
In 2018, we will see more data breaches at organizations that do not have an integrated, top-down approach to cybersecurity. After seeing the heads of Yahoo and Equifax in front of Congress, I suspect that CXOs and boards of directors will put extra focus on cybersecurity impacts, leading indicators and best practices. An emphasis will be placed on cybersecurity education, and the dangers of common, less effective approaches to cybersecurity will become apparent. These same roles will also need to focus on institutionalizing and monitoring these best practices, as the cybersecurity talent shortage rages on.
The Integrated Effort to Develop Business Resiliency
Business resiliency, business continuity management planning, disaster recovery, incident response and crisis management are all similar and related disciplines. Within the business continuity and disaster recovery space, 2018 will see an increased focus on reorganizing and consolidating these disciplines. Traditionally, these disciplines fell under the BC/DR umbrella and were functions of corporate IT business units. Now, however, many are arguing that these programs should be seen as part of a larger, more integrated effort to develop business resiliency. This conceptualization more firmly establishes risk management as an organizational responsibility (not solely under IT’s purview) to establish, maintain, recover and improve business operations in the wake of reputational, operational and other adversities.
Third Parties as “Partners” Create Vendor Risk
Authoritative bodies continue to introduce laws and regulations that obscure the distinction between companies and their third parties with regard to regulatory compliance and corporate stewardship (e.g., OCC, GDPR, HIPAA, NY DFS, and more). In an era of rapid digital transformation and business model disruption, the relationship between companies and third parties has continued to shift. Because third parties are more frequently considered extensions of the companies that rely on their products and services, the relationship is becoming less transactional, and more of a partnership seeking mutual success. On the flip side, closer ties also introduce mutual risk, with the primary enterprise left holding more of the liability and responsibility for ensuring the compliance of all engaged entities. As a result of an increase in state-level and industry guidance and enforcement aimed at controlling persistent cybersecurity risk, more industries will experience this paradigm in 2018.
For example, the OCC requires financial institutions to thoroughly assess their third parties since the OCC’s regulatory application considers them to be an extension of the bank or financial institution. That means if a bank’s third party is breached and consequently exposes personal information about the bank’s customers, then the third party and the bank are both at fault and likely to suffer the regulatory (among other) consequences. Because of the symbiotic relationship between organizations and their third parties, financial institutions often work with their third parties to ensure mutual success, compliance and, consequently, risk reduction. Enterprises with less expertise and fewer resources will have to figure out how to adapt these best practices and solutions from the financial services industry to their unique constellation of services, vendors and partners, or face being replaced.
In the year ahead, prioritize a clear-eyed review of how you manage third-party risk, with a cost-efficient, effective, agile and risk-based approach to assessments, performance monitoring and security processes. Most companies need to assess, audit and intervene much more frequently than they currently do. Streamlined controls, repeatable processes and centralized documentation will be essential to achieving closer oversight and tighter integration between data governance, compliance and security efforts in the context of third-party management.
Agile Integrated Compliance and Risk Management Solutions
With business landscapes continuing to change rapidly in 2018, organizations will look for flexible solutions that enable efficient adjustments for regulatory change, market dynamics and unexpected challenges. In the area of compliance and risk management, businesses will no longer simply relate information to a standard. To appropriately manage risk with actionable information, compliance and risk data must relate to the business itself. This also helps auditors as they try to understand and improve business processes. Furthermore, any point-based solutions must be connected to an integrated risk management system, in order to break down silos in the organization, increase visibility and close gaps that could create liability or vulnerability.
When done strategically and thoroughly, the development of digital competencies boosts profits and creates a competitive advantage. Those who approach digitization too slowly or timidly are likely to lose out on opportunities, become overexposed to risk, or struggle to withstand disruptions and disasters. A GRC technology platform that’s designed for integrated risk management can help you create operational excellence, support more collaborative efforts, and maintain greater control over critical assets, data and relationships — all key factors in strengthening business resilience.
These platforms equip you to better understand how your organization is managing risk, through aggregation and correlation of first-hand data (assessments), second-hand data (enterprise key performance indicators) and third-hand information (external data such as news feeds, threat intelligence and regulatory change). You can leverage these platforms to build and test your plans for incident response, and to better understand the business impact of various scenarios. These solutions also streamline vendor management, which is critical to holding all stakeholders accountable, and ensuring that third parties meet their obligations and develop contingencies for service interruptions. The centralization of this data then helps auditors to conduct more thorough, efficient and meaningful audits.
The end of the year is a good time to step back and do a reality check. What’s the big picture when it comes to risk? What incidents or issues from the past year might have been avoided or mitigated by a more robust and integrated risk management program? What are your goals and concerns for the year ahead? Could you achieve and address them more effectively with more in-depth performance information and risk analyses, more efficient processes, or more confidence in your security stance?
It’s one thing to toss around buzzwords and platitudes about risk management. But it’s a daunting challenge to dig in and do the hard work of developing a mature approach to cybersecurity, business continuity, disaster recovery, and third-party risk management. There are real roadblocks on the path to business resiliency. Leadership and corporate culture, readiness to change, digital competence, management buy-in — these are all crucial foundational elements. Choosing the right technology tools and investing the time to implement and integrate them is also imperative.
Waiting another year to launch these efforts is a mistake. Natural disasters, political upheaval, regulatory change and cyber-attacks won’t wait for you to be ready. With a thriving, valued, prioritized campaign to develop technology systems, team leaders, and effective processes your enterprise will be set to weather storms, leverage opportunities and grow sustainably.