Information Insecurity—Motivator of Corporate Compliance Practice 


The word “compliance” is used more and more to refer to the corporate practice of seeking to ensure adherence to, and safekeeping of, procedures and regulations, much as the terms “good habits” and “corporate behavior” (ethical and honest) are used to refer to clear, effective and efficient management of the business. Along these lines, an enterprise’s compliance function is in charge of safeguarding its operations, since it must always be vigilant in identifying any attempts at altering the “right corporate order” and in interfering with and overcoming them as required.

This trend is a warning that world-class corporations are increasingly demanding of themselves high levels of corporate assurance that rely on people and processes to ensure that the execution of their activities does not follow a random path, but instead conforms to open, ethical and transparent corporate practices.

In light of this and the corruption scandals at international and domestic levels globally, it is necessary to insist on a culture that incorporates beliefs and values into its structure. The culture must also include strategies that foster behaviors akin to good corporate reporting and control practices, and can guarantee responsible corporate processes in respect to the enterprise’s global results.

Key Features of the Compliance Function

There are several approaches to defining the compliance or chief compliance officer (CCO) function, which, on first review, show an inquisitive or accusatory role in terms of compliance with regulations:

A CCO is a corporate official in charge of overseeing and managing compliance issues within an organization, ensuring, for example, that a company is complying with regulatory requirements and that the company and its employees are complying with internal policies and procedures.1

The definition of a CCO presents a corporate executive who considers corporate benchmarks, validates their application and reports on the level of compliance to determine any gaps and risk derived from a limited execution of the benchmarks. That is, the CCO develops a proactive and preventive monitoring function that detects inadequate execution of practices, reports them, and performs a follow-up on the assessed areas in order to overcome the identified condition. This helps strengthen the self-assessment that should be an inherent part of processes and their participants.

Others define compliance as “adherence to and the capacity to show observance of directives, requirements defined by laws and regulations, as well as voluntary requirements, as a result of contractual obligations and internal policies.”2

This definition is restricted to a function of law enforcement and of ensuring third-party obligations. It does not address the fundamental resources required to consolidate the practices associated with mandates whose fulfillment is compulsory, such as culture and risk anticipation, which affect corporate dynamics. In this sense, as noted previously, the definition relies on control execution reports defined by the corporation, which indicate a certain level of process assurance and account for the evidence revealed by the mitigation status of the identified risk.

The following are five key features for the development of an effective compliance function:3

  • Authority—Authority must be adequately allocated in the organizational structure with a reporting level that ensures independence and the incorporation of practices to help an organization move from one maturity level to the next.
  • Responsibility—Its duty is fostering the execution of the compliance program and the implementation of the function while working with specialized professionals from other areas of expertise in charge of addressing key identified risk factors and their impact.
  • Competency—The officer in charge of compliance must have the necessary qualifications, expertise and training to ensure adequate performance in that position.
  • Objectivity—The compliance officer must be able to withstand organizational pressure regarding specific situations, to keep the focus on the assurance of practices and escalate any findings to the relevant level.
  • Resources—The resources required for the function, considering the size of the enterprise and the nature of the risk it faces, must be available.

These attributes indicate that the compliance function, notwithstanding the permanent monitoring and control exercise, should implement a concrete and measurable executive reporting style and follow-up. This can serve as a benchmark of maturity so that improvements can be identified through interaction with the business areas.

Compliance Function and Information Security

The activities associated with the compliance function stem from searching for limitations or restrictions that do not allow for reinforcing behaviors and practices aimed at increasing the level of assurance of an organizational reality. This means understanding the priorities of the business and its value-generation model in order to free the organization from a minimum requirement culture and drive it toward a maximum requirement practice. In this context, compliance functions are vigilant about the risk of noncompliance, enhanced by corporate scenarios related to penalties, errors or omissions, fines, and other measures, and warn the enterprise of the systematic application of bad practices, which may result in incidents destroying enterprise value and deviating the business from its medium- and long-term strategic path. Considering this argument within the framework of information security, it is clear that the information security officer performs a compliance function that requires the five key features described previously to achieve the transformation of the business and increase the level of failure resistance, with a known response to exceptional circumstances.

Figure 1

Thus, when, in the development of the information security program, risk is anticipated, a protection-driven culture is promoted and operation is ensured, the basis of the compliance function is established at the enterprise level. These features of a compliance function seek to strengthen behaviors, practices and actions aimed at safeguarding results, protecting the corporate image and, above all, forecasting the future (figure 1).

The compliance function as a source of good practices and active monitoring systems for businesses finds a natural instance of execution in information security. This is because the compliance function defines recommendations and action plans that fulfill corporate directives and moves the corporation toward a culture of due diligence and responsibility in the processing of information.

The Noncompliance Risk

The noncompliance risk can be understood as the organization’s inability to prevent, detect, correct and maintain an understanding of the current and/or emerging risk affecting corporate operation and/or its medium- and long-term strategic objectives. Along these lines, it becomes necessary to develop a risk management strategy that not only allows for reversing the imminence of the occurrence of risk, but also promotes repair and transformation of the enterprise to anticipate or visualize the situation.

Regardless of the way in which risk management methods set certain execution conditions, Deloitte4 proposes a method that seeks to ensure an approach focused on noncompliance risk management, based on international standards and considering aspects such as context of occurrence, risk requirements or conditions, risk analysis, action prioritization, control effectiveness assessment, monitoring, reporting, and communication. While this approach fosters specific actions, it does not warn of the asymmetry inherent in the unavoidability of failure, and it drifts toward the cause-effect model that characterizes traditional risk management.

In this context, noncompliance risk, understood as a key factor to information security, requires developing the skill to see, from the perspective of failure opportunities, the structural links among technology, processes and people in order to condense potential threat scenarios. This shows anticipation of exceptional situations and does not merely warn about regulatory noncompliance inherent to certain situations, but also builds on the supporting forecasting capability faced within its business context and considers the responsibility toward all stakeholders (figure 2).

Figure 2

Thus, information insecurity is the foundation from which noncompliance risk is understood; it is a double benchmark that invites the enterprise to find bad-practice emerging patterns in its everyday practice, which, in time, could erode the privileged position of the enterprise in the industry. That is, an event of greater magnitude than a predictable threat may go unnoticed by the risk matrix, since it is not manifested concretely to allow notice of an obvious hazard.

When noncompliance risk is understood as an item beyond compliance with an enterprise’s internal and external regulatory requirements, one makes way for a structural and systemic perspective that allows the enterprise to understand and reveal the hidden laws of economics and psychology and the link to the business sector, enhancing its capabilities to identify disruptors or unidentified agents that change the way of doing business in its own industry.5

Conclusion

Insight over the function of compliance and its link to information security practices means dwelling on the capabilities required by an enterprise to differentiate itself from the competition and ensure a privileged position in its business sector. The compliance function requires that its head officer (CCO) breaks the pattern of the surrounding circumstances to find an interconnection of processes, expertise, information technologies and tools, and emerging trends—anticipating its strategies to move forward in valuable areas for its clients and stakeholders.

Although the compliance function is linked to a reduced perspective of reliance on the regulatory context and the promotion of an integral and ethical culture, the function must understand the way in which the enterprise generates, attracts and protects value. By enhancing its capabilities and context sensors, it may continue to fulfill its clients’ needs, even when they vary over time.

Consequently, once the function of information security is understood as a natural enforcement of corporate compliance, it becomes necessary to walk along the information insecurity path to establish the potentiality of noncompliance risk. This helps the enterprise detect future patterns of environmental threats to prepare and respond to these threats and to develop new practices that create opportunities and unbalancing factors, which change the strategic reality of the company and its context. Developing the enterprise’s anticipation capability in terms of information insecurity allows it to identify risk synergies, increase monitoring capability, and optimize resources and operational management, so that the enterprise is prepared to act in response to unexpected situations and move confidently, while having the necessary skills to recover from total or partial failures.

Consequently, information security as a compliance function should be synchronized with the enterprise’s normal dynamics and its information flows to ensure security and control practices inherent to current business risk. Also, it is important to keep a constant understanding of inner relationships among operations, clients, processes, and big and ambitious corporate goals.

Finally, the compliance function—as management’s guarantor in assuring the operation, the development of an assurance culture and the forecasting of new risk scenarios—finds a natural ally in information security, which seeks a natural sphere to promote structural change and reach new maturity levels in the relationship among people, processes and technologies that goes beyond adherence to a regulatory benchmark or noncompliance deviation report.

Endnotes

1 TechTarget, “Chief Compliance Officer,” http://searchcio.techtarget.com/definition/CCO
2 Vicente, P.; M. Mira da Silva; “A Conceptual Model for Integrated Governance, Risk and Compliance,” in Mouratidis, H.; C. Rolland (eds.), Advanced Information Systems Engineering, Lecture Notes in Computer Science, Springer-Verlag, 2011, p. 199-213
3 Girgenti, R.; T. Hedley; Managing the Risk of Fraud and Misconduct: Meeting the Challenges of a Global, Regulated, and Digital Environment, McGraw-Hill, 2011
4 Deloitte, The Risk Intelligent Chief Compliance Officer: Champion of Risk Intelligent Compliance, 2012, http://webserver2.deloitte.com.co/Doc%20ERS/No.24%20The%20Risk%20Intelligence%20Compliance%20Officer.pdf
5 Birshan, M.; J. Kar; “Becoming More Strategic: Three Tips for Any Executive,” McKinsey Quarterly, July 2012, www.mckinseyquarterly.com

Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS, is a distinguished professor at the School of Law of the Universidad de los Andes (Bogota, Colombia). He has been a practitioner and researcher on information security, information technologies and digital forensic science for more than 17 years, working in different industries. He is a member of ISACA’s Publications Subcommittee. Cano can be reached at jjcano@yahoo.com.



© 2013 ISACA. All rights reserved.
