There are many good reasons for developing a solid risk management and compliance program, but one incentive stands...
out: It simply makes good business sense.
That was the common theme at last week’s MIS Training Institute's IT Governance, Risk and Compliance Summit in Boston. The event showcased the evolving risks and trends affecting GRC programs, with speakers from a cross section of industries describing how to address threats while meeting legal and regulatory compliance.
"Lowering your overall risk creates a more stable environment … customers don't like to deal with unstable organizations," said summit presenter Stephen Fried, vice president and CISO at People's United Bank. "If you have a failure in your risk management program, it will affect your organization's ability to operate effectively."
With GRC rules and regulations constantly evolving, organizations cannot afford to simply focus on economic stability, according to experts -- there must be a GRC culture in place. The growing complexity and breadth of the regulatory landscape requires processes to deal with risk management and compliance. These processes need to be flexible, while avoiding a one-size-fits-all approach.
"In defining the risk assessment approach, we want to make sure we understand the business," said Lance M. Turcato, vice president of information systems audit at Federal Home Loan Bank of San Francisco. "In some cases, certain things would not apply or are not significant."
By focusing on the biggest risks specific to your organization while closing risk management and compliance gaps, companies can save time, money and resources.
To reach this high level of success in managing GRC, a strategic combination of business process evaluation and software-supported analysis should be implemented, said Alan Barnes, director of risk and advisory at Services Assurant Inc., during one of the summit's keynote addresses. Such strategies enable competitive differentiation, cost reduction and growth, he added.
Pros and cons of IT's consumerization
One hot topic at the summit included how the consumerization of IT, coupled with the growing popularity of social media in business, creates innumerable risks to companies. Organizations are increasingly implementing "bring your own device" policies that can reduce technological costs, but they must manage employee behavior when using mobile devices.
In other words, while enabling employees' mobile technology use to their benefit, companies still need to look auditors and regulators in the eye and ensure them that they are compliant. Fried pointed to the increase in identity fraud that has coincided with "explosion of mobile devices" and their use by everyday consumers.
"There is a risk to it, but it's more of a mandate for organizations to manage this change," Fried said. "Until we can find more effective consumer protection, we are going to continue to have these problems we've seen."
Companies can be left vulnerable by not providing protection for sensitive data, or informing employees of acceptable-use policies for mobile devices. If sensitive information lands in the wrong hands, it can negatively affect a company's reputation, and in turn its bottom line and stock price.
Daniel Conroy, CISO and global head of information security at BNY Mellon Corp., moderated a session on social and collaborative media and how companies can protect themselves from a GRC perspective. Conroy said that while there are "tremendous opportunities" for social media from a business standpoint, there are also tremendous risks, including regulatory, reputational, legal and technical.
As a result, organizations must make employees understand that anything posted on the Internet is a "permanent marker," Conroy said. An effective social media risk management program should identify any potential vulnerabilities surrounding information leakage.
Organizations also need to keep a watchful eye for negative comments posted on social media sites, which can stem from not only employees but also customers, business partners and competitors that could harm the company's reputation.
Companies must be careful of any information leaks via social media or any other company-related site as well, Conroy added. Being proactive and establishing a policy to avoid data breaches can prevent huge costs in the long run; Conroy pointed to Sony's experience after a huge data breach earlier this year.
"This resulted in tremendous costs to Sony, which they had to spend reflexively in response to the breach -- much more than they would have had to spend if they had a proper GRC program in place," Conroy said. "Now they're playing what you call 'catch-up.'"
If you have a failure in your risk management program, it will affect your organization's ability to operate effectively.
Stephen Fried, vice president and CISO, People's United Bank
To offset these risks, Conroy suggests carefully determining the pros and cons of social media use by companies, bearing in mind the level of risk mitigated, cost and ease of implementation, as well as alignment with business processes and requirements.
Then, companies can develop a comprehensive and multifaceted strategy that incorporates multiple controls and tools to address each of the risks identified while still satisfying the business needs. Conroy also insisted that the strategy be easily adaptable to changes in the social media environment.
Conroy's suggestions surrounding social media's risks coincided with suggestions from summit presenters regarding companies' overall risk management programs. Communication with employees was deemed key, with training sessions on what is and isn’t acceptable regarding information sharing. Presenters also said it’s important to bring together stakeholders often and get them on the same page regarding risk management budgets and vulnerabilities.
Perhaps most importantly, risk management and compliance programs should be examined as another important business function. As a result, companies need to attack vulnerabilities in a thorough manner, but at the same time be conscious of the economics of GRC during these lean times.
"None of us have unlimited funds to do all this, so you have to be smart about your risk and compliance program," Fried said.
Let us know what you think about the story; email Ben Cole, Associate Editor.