Ask "What is strategic risk management for compliance?" and the answer will depend on who's talking. But the gist is this: Rather than allowing the ever-multiplying regulatory mandates to determine a compliance program, an organization focuses on the threats that really matter to its business -- operational, financial, environmental and so on -- and implements the controls and processes required to protect against them.
"You need to do information security not to meet compliance but to protect the business. There is a huge difference between those two methodologies," said Candy Alexander, chief information security officer (CISO) at Long Term Care Partners LLC, an insurance company formed in 2002 to provide long-term care insurance and administer medical benefits for federal employees.
Alexander practices what's known in compliance circles as a risk-based approach to regulatory mandates, as opposed to compliance by checklist. Her risk management strategy focuses on three regulations: the Federal Information Security Management Act of 2002 (FISMA), the data privacy laws enacted by 44 states and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
But dare to suggest these big three mandates drive her organization's security strategy, and Alexander sets the record straight.
"I have been in organizations where my main focus was to meet compliance, nothing more, nothing less. People who are doing security for compliance purposes are putting their organizations at risk," Alexander said. Regulations, she added, should be the baseline.
Focusing on protecting the business will result in a strategic risk management program that, in theory, will answer compliance regulations but in some cases go well beyond the mandate. A risk management approach, say advocates, also saves money by reducing the redundant controls and disparate processes that result when companies take an ad hoc approach.
The scope of protection against threats and degree of compliance depends on an organization's risk appetite. The appetite for risk can wax and wane, depending on externalities such as a data breach, a global economic crisis or an angry mob of customers outraged by executive pay packages. When companies are making big profits, they can spend their way out of a compliance disaster. In financially rocky times, however, there is much less margin for error.
IT pros like Alexander and a variety of experts suggest that while a risk-based approach to compliance might be the right thing to do, it is also difficult, requiring that the organization:
- Define its risk appetite.
- Inventory the compliance obligations it faces.
- Understand the threats that put the various aspects of the business at risk.
- Identify vulnerabilities.
- Implement the controls and processes that mitigate those threats.
- Measure the residual risk against the organization's risk appetite.
- Recalibrate its risk appetite to reflect internal and external changes in the threat landscape.
A risk-based approach to compliance requires a certain level of organizational maturity and, some experts hasten to add, is ill-advised for young companies.
Strategic risk management for compliance can be managed manually or by Excel spreadsheets, but vendors promise that sophisticated governance, risk and compliance (GRC) technology platforms will ease the pain. Meantime, those baseline compliance regulations still need to be met to an auditor's satisfaction.
Do you know what level of risk your organization can tolerate?
The assumption in a risk management approach to compliance is that the business knows best about the risk level it can tolerate. But there's the rub, said Eric Holmquist, a risk management expert.
"When it comes to risk management, getting your head around a tolerance level is extremely difficult," said Holmquist, former director of operational risk management at Advanta Bank Corp.
Then there's the dirty little secret of every organization: "For hundreds of years, businesses have been managing risk intuitively: I perceive there to be a risk; therefore I build control. But most controls are built to a perception of the risk and a perception of the scope of the risks, without really stopping to consider what is the real risk and is this the right control," he said.
By not doing the risk-benefit analysis, companies get the controls wrong. "I can't tell you how many times I've seen a $1 million control mitigating a $100,000 risk," Holmquist said.
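The seven steps listed above, together with Holmquist's "$1 million control mitigating a $100,000 risk", can be expressed as a small risk-register review. The following is an added example, not code from the article or from any vendor or organization it mentions: it applies each control in order, tracks the annualized loss it removes, compares the residual loss against a stated appetite, flags any control whose annual cost exceeds the loss it mitigates, and lists inventoried obligations that no risk entry references. The register, the appetite figure and every dollar amount are constructed for illustration.

```python
"""Risk register evaluator (added illustration; all figures are constructed).

Walks the steps of a risk-based compliance programme: a stated appetite,
an inventory of obligations, threats with their expected loss, the
controls applied to them, and the residual loss measured against the
appetite. Two findings are reported: residual risk still above appetite,
and a control that costs more than the loss it removes.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float   # cost of operating the control per year (USD)
    reduction: float     # fraction of the expected loss it removes, 0..1


@dataclass
class Risk:
    name: str
    obligations: list[str]          # regulations that bear on this risk
    single_loss: float              # expected loss per incident (USD)
    annual_rate: float              # expected incidents per year
    controls: list[Control] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.single_loss * self.annual_rate


def evaluate_risk(risk: Risk, appetite: float) -> dict:
    """Apply controls in order, tracking the marginal loss each one removes."""
    ale = risk.inherent_ale()
    overspent = []
    for c in risk.controls:
        mitigated = ale * c.reduction        # loss this control removes per year
        if c.annual_cost > mitigated:        # paying more than the risk is worth
            overspent.append(c.name)
        ale -= mitigated
    return {
        "risk": risk.name,
        "inherent_ale": round(risk.inherent_ale(), 2),
        "residual_ale": round(ale, 2),
        "above_appetite": ale > appetite,
        "overspent_controls": overspent,
    }


def evaluate_register(risks: list[Risk], obligations: list[str], appetite: float) -> dict:
    """Per-risk findings plus obligations that no risk entry covers."""
    covered = {o for r in risks for o in r.obligations}
    return {
        "findings": [evaluate_risk(r, appetite) for r in risks],
        "uncovered_obligations": sorted(set(obligations) - covered),
    }


# Constructed register: names, rates and costs are made up for this example.
OBLIGATIONS = ["FISMA", "HIPAA", "State breach-notification laws", "GLBA"]
APPETITE = 25_000.0   # tolerated annualized loss per risk, as set by the business

REGISTER = [
    Risk("Customer PII breach", ["HIPAA", "State breach-notification laws"],
         single_loss=500_000, annual_rate=0.2,
         controls=[Control("Full-disk encryption on laptops", 40_000, 0.6)]),
    Risk("Vendor invoice fraud", [], single_loss=20_000, annual_rate=5,
         controls=[Control("Outsourced transaction monitoring", 1_000_000, 0.9)]),
    Risk("Federal system outage", ["FISMA"], single_loss=250_000, annual_rate=0.4,
         controls=[Control("Continuous monitoring", 30_000, 0.5)]),
]


def report() -> dict:
    """Run the review over the constructed register."""
    return evaluate_register(REGISTER, OBLIGATIONS, APPETITE)


if __name__ == "__main__":
    result = report()
    for finding in result["findings"]:
        print(finding)
    print("obligations with no mapped risk:", result["uncovered_obligations"])
```

On the constructed data the invoice-fraud entry reproduces Holmquist's complaint: a $1,000,000 control removing $90,000 of annual expected loss. The other two risks end up within budget on controls but still above the $25,000 appetite, which is the signal to either add controls or recalibrate the appetite, the last of the seven steps.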
The short end of the cost-benefit analysis
Back in the 1970s, Ford Motor Co. was sued for allegedly making the callous calculation that it was cheaper to settle with the families of Pinto owners burnt in rear-end collisions than to redesign the gas tank. The case against Ford, as it turns out, was not so cut and dried, but the Pinto lives on in infamy as an example of a company applying a cost-benefit analysis and opting against the public's welfare.
"Regulations introduce externalities that risk management itself would not have brought to bear," said Trent Henry, a security analyst at Midvale, Utah-based Burton Group Inc. "Regulations make it a cost of doing business."
A recent example concerns new laws governing data privacy. For many years in the U.S., companies that collected personally identifiable information owned that data. In the past, losing that information didn't hurt the collector much but could cause great harm to the consumer, Henry said, "hence the regulations." But the degree to which a business decides to meet the regulation varies, depending -- once again -- on its tolerance for risk. Organizations must decide whether they want to follow the letter of the law to get a checkmark from the auditor, Henry said, or more fully embrace the spirit of the law.
"Is your philosophy as an organization minimal or maximal? And if it is minimal, you may decide that it is worth it to get a small regulatory fine rather than comply," he said.
Indeed, "businesses now are cutting costs so narrowly that some know their controls are inadequate and are choosing not to spend that $1 million to put the processes, the people and infrastructure in place for that $100,000 fee," Henry said, echoing Holmquist. "They calculate they're still $900,000 ahead." But don't expect a business to own up to that. "They never let that cat out of the bag."
Sarbanes-Oxley drives risk management strategy
Compliance is expensive. It is hardly surprising that companies are looking for ways to reduce the cost of regulatory compliance or, better yet, use compliance to competitive advantage. According to Boston-based AMR Research Inc.'s 2008 survey of more than 400 business and IT executives, GRC spending totaled more than $32 billion in 2008, a 7.4% increase from the prior year.
The year-over-year growth was actually less than the 8.5% growth from 2006 to 2007, but the data shows that spending among companies is shifting from specific GRC projects to a broad-based support of risk. In addition to risk and regulatory compliance, respondents told AMR they are using GRC budgets to streamline business processes, get better visibility to operations, improve quality and secure the environment.
"In prior years, compliance as well as risk of noncompliance was the primary driving force behind investments in GRC technology and services. GRC has emerged as the new compliance," AMR analyst John Hagerty said.
Folding regulatory mandates into the organization's holistic risk management strategy gained momentum in the wake of the Sarbanes-Oxley Act of 2002 (SOX), one of the most expensive regulations imposed on companies. SOX was passed as protection for investors after the financial fraud perpetrated by Enron Corp. and other publicly held companies, but it was quickly condemned by critics as a yoke on American business, costing billions of dollars more than projected and handicapping U.S. companies in the global marketplace.
Indeed, the law's initial lack of guidance on the infamous Section 404 prompted many companies to err on the (expensive) side of caution, treating the law as a laundry list of controls. By 2007, under fire from business groups, the Securities and Exchange Commission and the Public Company Accounting Oversight Board issued a new set of rules encouraging a more top-down approach to SOX.
"There are certain areas mandated you wouldn't want to meddle with -- it is legal and no exceptions -- but instead of checking every little box, companies were advised to take a more risk-based approach," said Ravi Shankar, head of assurance services at Capgemini's business process outsourcing division in Bangalore, India.
Risk management frameworks and automated controls
Risk management frameworks are not new, and neither, really, is a risk-based approach to compliance, Shankar points out. But the strategy has been gaining ground, driven in large part by IT as well as by IT best practices frameworks such as COBIT and the IT Infrastructure Library.
Ten years ago at any well-managed organization, 75% of controls were manual. "Today, the industry benchmark is the other way around. IT drives about 70% of the controls and 30% are manual." The endpoint is to move the 30% manual controls to automated controls, Shankar said.
Two fundamental building blocks are essential to adopting a risk-based approach to compliance, in Shankar's view: stable systems and processes, and a strong business ethos. "If a company has absolutely diverse processes, it is not a good choice," he said. Burton Group's Henry concurred. "It's more like crisis management than risk management for those guys -- compliance Whack-a-Mole."
Formulating a strategic risk management program also requires a clear definition of the values and principles that drive the organization's business -- in other words, a certain level of maturity, Shankar said. "If the ethos is loosely defined, then it is not safe to take a holistic approach to compliance."
Companies that make the grade, that give consistent guidance to investors, indeed any that operate successfully in the SOX arena, are probably ready for a risk-based approach, Shankar said.
GRC management software
Shankar gets no argument on that point from Alexander Paras, who joined LeapFrog Enterprises Inc. in 2006 to manage the educational toy maker's SOX compliance. LeapFrog recently bought GRC management software from BWise to support SOX compliance and manage enterprise risk.
"What did we have before? We had a nightmare! We had a bunch of Excel schedules and Word documents and Microsoft Project to manage things," said Paras, senior manager for compliance at Emeryville, Calif.-based LeapFrog until March 2009, when he was named divisional controller for the company's Mexico division. "As you can imagine from a version control standpoint, this created quite a bit of frustration for the auditors, business process owners and senior management."
LeapFrog needed greater transparency into its compliance efforts and controls. Unlike some of the other 20 solutions vetted, BWise GRC works at a process level, Paras said, capturing changes as they are made to documents and automatically ensuring those changes are reflected in all the other relevant systems in the compliance process.
"You have one point of contact in the system and all the information cascades down," Paras said. "SOX is just part of the routine, rather than an onerous project, which is what it should be."
Luc Brandts, BWise founder and chief technology officer, said the starting point for most customers is money. "GRC to improve business is a great story, but we come in to solve a pain point. The cost of compliance is too high. Customers see they are doing the same thing eight times and want to get a grip on this, and as a second result they get a grip on their business. In the process they find out they have 16 different ways of doing accounts payable and there is no reason on earth to do so."
In an era of increasing regulation and more guidelines likely on the way, companies might be excused for seeing the auditor as the next threat. But don't tell that to Long Term Care Partners' Alexander, who got her start at Digital Equipment Corp. (DEC) "in the days before there were regulations." Security folks had to jump up and down to try to get the business to protect information. "And they would say, 'We really don't need that, or there is no ROI.'"
DEC quickly learned the value of data protection after its source code was stolen by notorious hacker Kevin Mitnick, she said. But the response from the business side was often that it would take the risk -- to an absurd degree, Alexander recalled.
"That risk acceptance level was getting higher and higher and higher until it got to a ridiculous point, and that is when they came out with these regulations, with HIPAA, with Gramm-Leach-Bliley, with FISMA. A lot of folks in the security business went, 'Phew! At least now we can get it done.'"
Let us know what you think about the story; email Linda Tucci, Senior News Writer.