Tight budgets and limited resources are forcing companies to take a converged approach to many business processes, and information risk management is no different, according to Duke Alden, vice president of global information governance at Aon plc, which provides risk management services. Businesses can ultimately save valuable time and money by taking a strategic, targeted approach to information risk management and consolidating resources from various departments.
Alden was in Boston earlier this month at the 2014 Governance, Risk Management and Compliance Summit to deliver a presentation titled "Building a converged information risk program: Information governance + security + privacy." Following his presentation, Alden joined SearchCompliance Editor Ben Cole to further discuss how companies can make moves to create a converged, company-wide approach to data governance and its associated information risk management processes.
What are some of the must-haves that companies should include when developing a converged program for managing information risks?
Duke Alden: I think it's different for every company, but at the end of the day, you are talking about information security, privacy, information governance and some kind of IT compliance lever to make sure you are keeping up with your SOX [Sarbanes-Oxley Act] obligations and the other IT-centric regulations that companies need to abide by.
Do you think it's important to define information risk models and goals before going any further in an information risk program?
Alden: We found we were not starting our conversation with business objectives in mind. Knowing your destination before you start a journey is always the most efficient way of going about any kind of project you are undertaking. In the current environment, for any company, whether we are talking about my company or any other company represented here at the conference, shared service dollars are becoming fewer and fewer.
Business leaders are expecting us to be more and more efficient and forward-thinking about how we spend their money. I think that's the right approach. We are all shareholders within our own companies and we need to act as though we're acting with the end in mind. That's what we are trying to do with our information risk model.
Who needs to be involved in that information risk identification process, and who are some of the stakeholders?
Alden: I lead information governance, so my team really focuses on records and information management. Layered on top of that is kind of part and parcel to our converged model, and includes the chief information security officer and the team associated with his or her work. IT compliance is often delivered in various parts of the enterprise, and it's important that the people responsible for [ensuring] compliance within those environments are represented on the team.
And, of course, the privacy team. The privacy team can mean a lot of different things to a lot of different companies, but within our environment, we thought it was really important to involve our chief compliance officer as well as the various chief privacy officers that we have stationed in various areas around the globe.