It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.
Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.
Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.
The potential risks your organization faces as the result of poorly responding to an incident are vast and may vary based on industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:
Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.
Reputational risks. Responding poorly to an incident can have severely negative impacts on your organization’s public image, as well as in the eyes of your current and potential customers/clients.
Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements and introduces the potential for fines and/or penalties from governing bodies.
Financial risks. All the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs should be considered.
The components of a successful incident response plan will vary from business to business, but at its core the plan should deliver the following:
- An executive commitment and endorsement of the incident response initiative
- An Incident Response Team (IRT) composed of members with varying areas of expertise ranging from IT to legal and communications
- A defined communication plan
- A plan to support, maintain and test the incident response plan on a regular basis
- An organized, structured approach that clearly defines the roles and responsibilities for all parties involved
- A clearly stated definition of what an incident means to your organization and how incident response aligns with existing organizational security efforts, such as business continuity and disaster recovery plans
- A well-defined plan on how to monitor and analyze potential threats to the environment
- An operation plan that defines how incidents are declared and initial steps for information gathering
- A post-incident process for lessons learned and process improvement
A successful incident response program should align with established standards such as NIST SP 800-61 (Computer Security Incident Handling Guide) from the National Institute of Standards and Technology (NIST), ISO/IEC 27035 (information security incident management) from the International Organization for Standardization (ISO), and the incident management process defined in the Information Technology Infrastructure Library (ITIL).
Adults don’t really like new ideas, and while cyber risk may have been born around the time of the first mainframes, it can still feel new today. CEB reported last month that 66 percent of business leaders don’t understand the cyber security information that goes to the board. This isn’t a failure of business leaders but of the messages they’re receiving.
While children consume and learn voraciously, adults are hampered by the need for context, by skepticism and by social conditioning. Overcoming these cognitive biases to drive your company toward more risk-savvy behavior means you are going to have to deliver a clear and effective message. Keep in mind these three rules of thumb to improve how well your risk reporting is understood.
One message at a time. Yes, IT risk is complicated, and often there are many steps between a threat and the preventive actions needed to keep it from materializing. Keep those connections in your appendix for later questions. Instead, focus your reports on the actions that need to be taken. Don’t contrast vulnerability scans with failures in change management controls on the same page. The risk is different, the response is different, and you’re inviting confusion.
A single message has another benefit: if you are only trying to change one behavior, you’ll have a much easier time tracking the effectiveness of your message and adjusting in the future.
Risks become consequences. A focus on threat vectors, incidents and trends is good for figuring out where controls are weak or strong, but sometimes bad for grounding the danger in something meaningful for a non-cyber savvy professional.
Focus on the consequences of the risks being reported. Phishing simulations may show an increase of management clicking on suspicious links, but other than potentially receiving a scolding, why should people care? Link phishing to a particularly painful data loss event, or laptops held ransom, and include recovery time as well. There may be no effective recovery from ransomware, and reparations for exposed personal information could cost millions and take years. The Anthem data breach from February 2015 is still in the courts.
Consider your audience. One kind of message will rarely work for everyone. Not only will managers, VPs and executives all have different perspectives on the world and the work that IT security is doing, but they all have different backgrounds and interests.
Take a look at your audience. Will executive management be making decisions about change control check gates? Generally not, so your one message to them shouldn’t be to get them to improve the sign-off process in application development. Maybe the better message is that investments in release management software haven’t been effective in reducing production failures.
Tailoring risk reporting to the people receiving it is the best way to increase the odds that your message is received. It’s cumbersome, but this is the heart of risk management: to reveal connections between sometimes esoteric events and business opportunities so that leaders can make the right calls at the right time.
Editor’s note: Adam Leigh will present on “Consequences That Matter – IT Risk” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
More than four in five global IT professionals (82 percent) see vulnerabilities in Internet of Things (IoT) devices as significant security concerns for organizations.
Those concerns, highlighted in ISACA’s annual IT Risk/Reward Barometer, are reflective of insufficient security measures by IoT device manufacturers.
One of the main culprits is IoT devices running old versions of Linux – sometimes as much as 10 years old. This happens for a variety of reasons, such as the version becoming outdated while the device is in development, or manufacturers building on top of existing devices and sticking with the old software to speed up development time. The result is devices hitting the market with known, long-since-patched vulnerabilities that attackers can anticipate and exploit.
IoT manufacturers also need to make sure their devices have the capability to automatically and reliably run security updates. This should be considered a must-have feature by consumers and businesses when making their purchases. If the devices are able to be updated, without it being a time-intensive process for users, security threats can be addressed much more quickly and effectively.
Making some of these adjustments will be critical, or trust in IoT devices’ security among professionals and consumers will be further damaged, given the threat landscape in 2017 and beyond. The proliferation of IoT devices will result in escalating instances of DDoS attacks this year, according to Deloitte – potentially along the lines of the massive Mirai DDoS attack that used infected IoT devices to cause widespread disruption in October 2016.
That attack, while certainly a wakeup call to some device manufacturers, might not have resonated with many consumers, who did not see a direct impact on their lives, even if their own device was infected and part of the attack. But there is little doubt more and more individuals will be affected by IoT security shortcomings as the devices – and the related threats – grow at a staggering rate.
That could include the emergence of IoT ransomware threats. Ransomware exploded on PCs in 2016, resulting in estimates of about US $1 billion in payments. Given how lucrative the attacks have proven to be, it’s not much of a stretch to anticipate that criminals will explore how they can target IoT devices in their ransomware schemes. For example, imagine a smart lock on your home or car that won’t open until you pay a small ransom. From a criminal perspective, ransomware attacks on IoT devices could make for an efficient strike, with the possibility of holding customers’ device or data hostage and extracting money from the same individual or organization in a single step.
As attacks on IoT devices continue to evolve, none of us will be able to say we didn’t see them coming: 80 percent of professional respondents in the IT Risk/Reward Barometer survey expressed a high or medium belief in the likelihood of an organization being breached through an IoT device. Consumers also recognize the threat; more than 75 percent of consumer respondents in each of five regions surveyed (Australia, India, Singapore, the US and the UK) expressed concern that augmented reality enhancements could make their IoT devices more vulnerable to a breach. Practical defenses exist at both ends. Enterprises can use network segmentation to isolate IoT devices from their production network, so that a compromised camera or thermostat cannot reach business systems. Home IoT security appliances such as Dojo by BullGuard, CUJO and Bitdefender BOX can help consumers protect their IoT devices from attack; some even offer enterprise-like segmentation capability.
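As an added illustration of the enterprise segmentation point above (this is example configuration written for this page, not material from the original article or from any of the vendors it names), the following nftables ruleset for a Linux gateway places IoT devices on their own interface and subnet, lets them reach the Internet for updates and telemetry, lets production hosts manage them, and logs and drops anything the IoT segment tries to initiate toward production. The interface names and address ranges are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: gateway between an IoT segment and the production LAN.
# Assumptions (not from the article): eth1 = IoT VLAN (10.20.0.0/24),
# eth0 = production LAN (10.10.0.0/24), eth2 = uplink to the Internet.
flush ruleset

table inet iot_segmentation {
    chain forward {
        # Default-deny for all forwarded traffic; only the rules below open paths.
        type filter hook forward priority 0; policy drop;

        # Allow reply traffic for connections that were permitted below.
        ct state established,related accept

        # Production hosts may initiate connections to IoT devices
        # (e.g. a management console or video recorder polling cameras).
        iifname "eth0" oifname "eth1" accept

        # IoT devices may reach the Internet only for typical update and
        # telemetry traffic: HTTP/HTTPS, DNS and NTP. Nothing from the uplink
        # may initiate a connection to a device, so they are never exposed directly.
        iifname "eth1" oifname "eth2" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth2" udp dport { 53, 123 } accept

        # Anything the IoT segment initiates toward production is the signal
        # you want to see: log it (the device's source address is in the log
        # line) and drop it. The policy would drop it anyway; the log is the point.
        iifname "eth1" oifname "eth0" log prefix "iot-to-prod-blocked: " drop
    }
}
```

Load it with `nft -f` and then watch the kernel log for the `iot-to-prod-blocked:` prefix: a device that starts probing the production LAN shows up there immediately, which is a cheap detection control on top of the segmentation. If DNS or NTP is served from the production LAN rather than the Internet, add a narrow rule for that one service and port instead of loosening the blanket block. The ruleset only defines a forward chain, so traffic to and from the gateway itself is governed by whatever input and output policy the host already has.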
Connected devices are becoming increasingly prominent in our daily lives. It is up to consumers and organizations to send the message to device manufacturers that insufficient security design will be a deal-breaker when it is time to consider a purchase.
The IoT, or “Internet of Things” (everyday objects and systems that have connections to a network to provide data-sharing and virtual control), is a fast-growing arena of technology growth. The potential uses of the IoT to build a “smart world” of connected devices is enormously convenient and brings a whole new level of mobile management to every aspect of consumer and business activities. We are now able to start our cars from our phone, lock our front doors from our PC, or turn on the crockpot in our kitchen from a tablet in the office. Who knows what we will be able to do in the very near future?
Unfortunately, the IoT brings with it not just convenient access for users of the “things” on the IoT, but also convenient access for those wanting to exploit those things. More access points mean more places for attackers to get in. More remote control means more ability to hijack that control. All that leaves big problems for the organizations that design, build, and sell, or buy, implement, and use these products. With HVAC systems, point of sale systems, communications systems, manufacturing lines – entire organizations, in fact – tied into the connected world, the IoT is opening increasing risk (security and operational) every day to businesses whose operations are more and more often tied into the network, whether they are making or using IoT devices.
Dealing with Risks on the IoT
The key to dealing with the changes in the security risk environment brought about by the ongoing evolution of the IoT is to focus, not on a detailed plan for any specific risks (which are ever-changing), but more on organizational resilience and risk-principle-based security management in general. The protection and continuation of business operations in the risk environment of the IoT goes beyond the scope of just information security. The risks associated with these networked devices transcend technology and reach deep into the realm of overall business resiliency and, as such, must involve stakeholders from across the business.
Organizational resilience enables enterprises to respond nimbly, pivot on a dime to change focus and alter activities, and keep fulfilling their mission no matter what is happening around them. It’s a philosophy that relies more on an attitude of preparedness – on understanding that a crisis is likely to occur no matter how many mitigation plans you put in place – than on hard-and-fast rules for responding to a crisis event. Organizational resilience is a team approach that allows the risk managers and business leaders to work together in a partnership to ensure that critical functions can continue no matter what. It’s an outlook that enables a quick response to events that can quickly escalate – exactly the type of events we can expect when dealing with a fast-changing environment like the IoT.
Enterprise Security Risk Management (ESRM) is a security paradigm that is gaining significant traction in the security world and is a perfect response to the kinds of changing risk environments associated with the IoT. It’s a risk-based security management philosophy that is based on building partnerships across the business to manage security risk and to ensure that business leaders are making educated risk decisions for their assets and critical functions. ESRM embraces risk identification and mitigation while at the same time recognizing that businesses need to sometimes take risks to succeed. It enables business owners and security practitioners to work together to find the best solution for protecting the company while not stifling its ability to get the job done.
Using the two complementary philosophies of enterprise security risk management and organizational resilience, the business organization is in a better place to both protect itself from harm and embrace positive change due to uncertainty in the business environment. Resilience works both ways in an enterprise, to flexibly adapt to good or bad risk outcomes – both are highly possible when dealing with the IoT universe.
These philosophies drive all parts of the business to recognize and proactively deal with security risk, not simply put the responsibility solely on the technology or security department. ESRM is a security management system that any organization can take and adapt to its needs to build out a flexible and business-based program that will help it along the path to true organizational resilience, no matter what risks it is exposed to in the present or the future. Now is the time for security leaders to embrace these philosophies and strengthen the resilience of their enterprises, because the future of the IoT is already here.
One of the hottest emerging technology topics surrounds the Internet of Things (IoT), or as some have characterized it, the Internet of Everything. A McKinsey Global Institute report estimates that by 2025, the global financial impact of the IoT could reach between $3.9 trillion and $11.1 trillion a year.
Every industry will potentially benefit from this technology, which relies on small sensors communicating among themselves and generating data at volumes that dwarf today’s big data sets.
Smart sensors integrated into buildings could monitor and collectively control environmental conditions. Miniature medical sensors could keep healthcare workers informed and alerted about patients in hospitals or as they go about their normal activities. Manufacturing processes could self-regulate production, providing instantaneous correction as sensors collaborate throughout the production of a product. Our self-driving cars will communicate with other vehicles and the roadway, navigating safe and quick transit to a desired location while providing city-wide information about traffic patterns to city planners.
IoT has the potential to dramatically change how things are done while significantly enhancing the quality of life for everyone. Our small experiments with home automation and building control are nothing compared to the automation we will see integrated into daily life and work.
The concept behind the IoT seems relatively simple. Multitudes of minuscule sensors will collect specific information, share it with neighboring devices, and communicate data to a repository where control can be coordinated or the information analyzed, giving never-before-seen insights. While this description is the basis for the IoT, it is not clear how devices will communicate and coordinate. Nor is it clear how innovative thinking could evolve new uses and business models around the IoT that will result in significant levels of market disruption.
One of the more promising candidates for recording and coordinating device-to-device interactions could well be blockchain. A blockchain is essentially an append-only, distributed, peer-to-peer ledger, replicated across participants so that no single party can silently alter the record; it is most often associated with bitcoin monetary transactions.
The truth is that a blockchain ledger can contain any information, including health records, identity data and non-financial transactions. A particularly interesting use is smart contracts that use the blockchain as their organizing infrastructure. A smart contract could bind individuals, or, for the IoT, sensors that share information: when a condition defined in the contract is met, as measured by a metric the contract includes, a pre-programmed response is initiated. In business-to-business relationships that response could be a payment.
Between devices, smart contracts could be associated with carbon credits, power creation and consumption, or any number of other device-to-device activities. At an even higher level of organization, IoT sensors could be implemented within a Decentralized Autonomous Organization (DAO) to achieve some end result while being governed completely by the smart contract that established the DAO.
The genius of the IoT is not that there are multitudes of small sensors creating terabytes of data, but that there is a system of devices sharing information in an intelligent and controlled manner that achieves a result within a self-governing structure. The thing that binds these sensors, providing both governance and the ability to act intelligently, could come from the blockchain.
For a moment think about these statements:
- Technology has evolved and is evolving faster than ever before.
- My enterprise is facing unknown competitive threats.
After considering these statements, how would you answer the question of whether your business will be competitive in 10 years?
With the countless factors that exist across every sector, the question is very difficult to answer. The pace of positive, negative and unclassified technological advancements is exponentially greater than ever before. How will your enterprise and IT governance structure survive these exciting times?
Consider Your Enterprise’s Risk Appetite
Information technology is now a core component in achieving business objectives. So if we look at it from a business growth point of view while anticipating current trends, your strategy may have to shift to focus on digital channels. What this means for your business is that you need a digital footprint that is both secure and user-friendly. With every new strategy you may have new risks, so your company’s risk appetite has to be considered.
What type of IT service and infrastructure would you need to deal with multiple types of digital connections that deliver standard functionality across these channels? How would this impact your resources and IT management options? Do you need to move to the cloud? Broadening the enterprise’s digital footprint creates the possibility of multiple connections to your services from numerous device types (tablets, watches, laptops, cell phones), along with anything else that can be digitized. Your traditional business structures are now expanded with newer delivery options, so supporting demand requires a rethinking of traditional network structure to handle the new scale. This can become an issue for many enterprises.
The security aspect of the future cannot be overlooked, because you now have a wider attack surface and crippling ransomware to deal with. If your security fails, this affects customer perception, and you will not be able to honor the confidentiality and integrity of the user experience. Ransomware is especially destructive because it does not just affect the availability of the infected data: without a mitigation plan, in particular tested offline backups, the only remaining option may be paying a hefty ransom, with no guarantee that access is actually restored. Can your enterprise continue to meet current industry regulations and maintain a secure infrastructure into the future?
GEIT Can Get You There
Within the next 10 years your enterprise will face the growing Internet of Things (IoT) landscape, with faster, more convenient delivery methods, harboring both increased risk and lucrative opportunities.
With a flexible governance of enterprise IT (GEIT) model, you could construct a relevant framework that looks at how the enterprise’s strategic plans and IT work together. You could look at continuous improvement actions and keep this alive within the enterprise. You could ensure IT risk management is aligned with the enterprise’s risk appetite and that security is considered at all points. You could consider various means to optimize your IT resources and capabilities required, as all these are key to helping your enterprise adapt and remain relevant in the future landscape.
There are some technologies that seem to have their own “gravitational pull.” By this, I don’t just mean technologies that are interesting, compelling to the business, or likely to be considered by businesses. Instead, I’m referring to those technologies that exert a steady, near-continuous and (one might argue) irresistible pressure across multiple areas of the organization to adopt.
Cloud, mobile, and social media are all examples of technologies like this. Say “no” to the sales team’s request to use a Software as a Service (SaaS) tool today, and chances are you’ll be talking to the marketing team about a similar tool next week. These technologies, when they arise, are usually highly advantageous to the business, have a diverse potential use base, low barriers to adoption and a high degree of awareness among end-user customers.
It’s important to pay attention when new technologies like this land on the scene for a few reasons.
First, the potential for shadow adoption is high. Compelling usage, coupled with low barriers gating that usage, means that individual business units (or individual employees) might take it upon themselves to employ the technology without thinking to inform or engage with technology (let alone security or assurance) teams. As a consequence, a given assurance, security or risk practitioner might not know the usage is there until after it is entrenched.
Second, adoption changes the risk dynamics of the organization. New risks are potentially introduced while old ones are potentially reduced and business value potentially increases. From a holistic risk perspective, therefore, it is imperative that practitioners evaluate these technologies and understand their risk impact even though they may have limited time to do so in light of shadow adoption.
While still relatively new, application containerization is demonstrating many of the above properties.
Application containerization is a mechanism for creating modular, packaged units of application functionality that contain the application together with any configuration and supporting software it needs to run. Because they are small and componentized, containers are portable between environments; they rely on isolation features of the host operating system kernel (on Linux, namespaces and cgroups) to separate the containers running on the same OS instance. That portability helps development, while the comparative efficiency relative to full virtual machines offers potentially higher density of applications per physical device. The trade-off a practitioner should keep in mind is that all containers on a host share one kernel, so a kernel vulnerability or a misconfigured privileged container can break the isolation between them in a way that a hypervisor boundary would not.
In light of these factors, ISACA has issued a pair of white papers on application containerization. The first volume outlines what application containerization is: the business drivers causing its popularity, the value proposition for developers and datacenter managers, and a description of what the technology offers, and how it works. The second volume outlines the practitioner impact: why the security, assurance, risk, or governance practitioner should care and what they can do to help prepare for risk and control decisions that involve application containers.
It is our hope that this guidance will assist practitioners as they approach risk decisions relative to containers within their environments and assist them in evaluating usage scenarios as containers and micro-services rise in prominence. By laying out the value proposition to the business and providing a working understanding of its technical operation, as well as outlining some of the risk considerations, we hope to arm practitioners with the information they need to approach these decisions with confidence.
It may not be on the mind of every CEO, CIO or CTO but the rise of disruption is of major concern. Disruption itself has always been a part of business theory under Michael Porter’s five forces and classified as “the threat of new entrants”; but this threat has continued to evolve.
Barriers to entry in various markets have been in place to control competition. However, modern disruption can occur outside these barriers, with the “disruptors” changing the very way the market sector operates, thereby outmanoeuvring and altogether eliminating existing big market players who could not anticipate this risk.
The difficulty in anticipating and mitigating disruptive risk is extreme since they may not actually exist at the moment but can exist in the future. Can your business survive after the disruption has happened? With the evidence of the impact of disruption all around, it should be evident that it is no longer a small issue, since the very survival of the enterprise may depend on it.
When Disruptions Occur
With this being the case, flexibility, speed and adaptability come to mind. However, many enterprises and their internal IT departments cannot offer those characteristics fast enough when disruption occurs, leaving the enterprise at a competitive disadvantage. This is because the “things always work this way” and “resistance to change” mentalities exist within all enterprises. By looking at the governance of enterprise IT (GEIT) and the importance of IT to support the enterprise, it may be wise to consider reinventing your IT.
By reinventing your IT you should consider the possibility of disruption as a major fact and readjust your current work models to offer some best case resistance/adaptability towards this. To take it a step further, you should streamline the enterprise to become the market disruptor itself, thereby giving your enterprise a head start against your current and potential competition.
One consistent view that remains is that security itself is of the utmost importance and must be considered, even though there is no single way to achieve the reinvention of your IT. We are in an age when digitization and connectivity play major roles for consumers. Customer demand and market conditions drive business strategy; however, reinvention can also be found in creating systems that change how business itself is done, to the benefit of customers, thereby driving the habits and behaviors that form around them.
Disruption should be discussed and considered as a new expectation rather than an impossibility. All strategy considers risk, but the question is: how does one prepare for the unforeseen disruptive risk that has not happened yet? Is your enterprise ready?
Over time, the term risk assessment has become so commonplace that it has almost lost its meaning and is now much maligned.
Organizations run helter-skelter carrying out risk assessments that eventually become exercises in futility. One wonders why well-meaning managers, highly paid consultants and C-suite members with years of experience, access to tons of research, and the best intentions eventually end up with unusable outcomes.
Here are 6 key lessons from more than a decade of working with organizations across the board on risk assessments from various perspectives, including information security, application security, health and safety, and a project standpoint. They include:
- Strategize: The first step is to put in place a well-defined and articulated strategy which not only becomes a guidepost which can be revisited time and again, but which also can be the buoy you cling to when the time comes. A clear, well-articulated strategy can go a long way in ensuring successful risk assessments and driving outcomes.
- Keep it simple: Simple is the friend of the wise and can go a long way in ensuring effective risk assessments and outcomes. A simple risk assessment is aligned with strategy, has wide and deep buy-in, and can help keep things practical. Simple risk assessment approaches deliver results easily and enable stakeholders to use them to manage risks effectively. Characterized by very close alignment to the organization and its context, its culture and ease of use, keeping it simple can help ensure sustainable success.
- Buy-in, buy-in, buy-in: Irrespective of the reason for the risk assessment, effectiveness is determined by how deeply various stakeholders are involved, how much information is shared, and how the outcomes are perceived. Stakeholder buy-in shapes how the risk assessment is approached and how various stakeholders get involved, and is a surefire way to achieve success. Buy-in is easier said than done and requires effective training and communication, transparency on all aspects relating to the risk assessment, a risk-aware organizational culture, and, most importantly, visible management commitment.
- Perfect is the enemy of practical: Aiming for perfection is desirable, but in most organizations considering day-to-day requirements, the outcomes expected and constraints ranging from limited time, the need to take action as you go along on identified risks, the dynamic nature of risks, and the need to balance risks and costs involved, it is imperative to ensure that the focus is on the practical. Being practical means the risk assessment used is repeatable, reliable and produces consistent results over time. Remember: you want to be able to identify potential risks and take reasonable actions to mitigate and recover in case risks occur.
- Benchmark wisely: A key piece of advice on risk assessments is to benchmark. Assessing the outcomes of your risk assessment against what your peers in industry are doing can give your efforts a sense of stability and provide much needed navigational support. But it is worth remembering that your industry peers are as fickle as you are and no one wants to share information that is less-than-stellar. Very often benchmarking data comes with small print which simply means that the data is usable under certain standard test conditions and may be impractical if not outright nonsensical.
- Modeling is best left to the ramp: Your eyebrows may have merged with your hairline, but the point is this: unless models are chosen appropriately and customized to suit your organization's needs and the purpose you have in mind, off-the-shelf models can make things more difficult rather than easier. If you must choose a model, keep it simple (see "Keep it simple" above).
Combine the above in the right proportions and your risk assessment will be well placed to deliver results and go a long way toward achieving organizational objectives and strategies, leading to effective risk management.
Author’s note: Whatever your political views on the United Kingdom’s recent “Brexit” from the European Union, I am writing this article to share some of my thinking on the need for a Governance, Risk and Compliance (GRC) solution in the aftermath of this decision. It’s just my opinion, but it has been formed after extensive discussions about the implications of the decision.
Thursday 23 June 2016 was a momentous day in Great Britain: the UK voted to leave the EU.
It was widely believed, before the vote, that leaving the EU was highly unlikely. Thus, when the referendum results were announced, the decision to leave the European Union was so unexpected that £120 billion was wiped off the FTSE 100 and the value of the pound fell to its lowest level since 1985. The Brexit decision has had global impact, creating a ripple effect across European Union referendums and the US presidential election.
Brexit will have a long-lasting and dramatic impact on international financial markets, investment, prices and jobs. Industries, both within the UK and globally, will feel the repercussions of this decision. As a result of these upheavals, a post-Brexit global landscape is likely to push organizations to fix their broken processes and siloed business approaches, to minimize unnecessary interfaces, and to address the lack of linkage between corporate objectives and informed decisions.
Good Governance Desperately Needed
Now, more than ever, board and senior management will be desperate for ‘line of sight’ across all business functions, and better aligned resources that contribute to the delivery of desired outcomes.
Failures of good governance, a rising tide of cyber threats on the global risk landscape in both frequency and scale, a deluge of regulations to be complied with (including the EU's General Data Protection Regulation), and the enormous headcount required by the 'eight eyes'1 control system are keeping boards and senior management awake at night.
In our post-Brexit world, now is the best time for organizations around the world to act in aligning their three lines of defense by using automated governance, risk and compliance (GRC) solutions.
The current situation provides a compelling business case for formulating and investing in an automated GRC solution. I am convinced that organizations will benefit by integrating technology into their GRC activities.
Six Benefits of an Automated GRC Solution
An automated GRC solution provides an integrated and holistic approach to organization-wide governance, risk and compliance efforts, ensuring that the organization acts ethically and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness. More precisely, an automated GRC solution will help organizations to:
- Manage third-party risk and compliance issues.
- Manage regulatory content and change management in dealing with regulatory proliferation.
- Develop risk analytics to support integration of risk management and performance management.
- Perform business performance audits as a key internal audit feature.
- Decide which business processes/assets are critical to their operations in terms of confidentiality, integrity and availability ratings, so they can prioritize and focus on critical applications.
- Create a risk culture by articulating the organization’s risk appetite.
In my view, the lessons generated by Brexit will give management the opportunity and ability to constructively challenge boards and help them develop robust GRC plans. The board needs a well-defined risk appetite against which to judge investment decisions, giving 'line of sight' to key objectives, from top to bottom, before any decision is made.
It is clear that, in the wake of Brexit, we will experience some choppy waters. As far as the political landscape is concerned, it is now a monumental challenge for those in power to figure out how this new world is going to actually work. As professionals working in governance, risk and compliance, we need to be ready for the economic surprises popping up around us.
1 Most organizations still rely on manual control testing, which requires non-essential headcount because of the frequency of the control reviews needed to manage operational and compliance risk; it is also difficult to determine how effective these reviews are, since failures can still occur.