Enterprise Risk Management is like a good coat of paint. It should provide protection as opposed to covering a multitude of sins.
As a former CIO and VP of IT, most risks look like an IT opportunity waiting to be implemented in my new role as Chief Risk Officer. I know this is a bias that I need to broaden but certainly cannot afford to ignore. So many risks reveal themselves in the data, and working back from that point to the sources and processes associated with that data allows the problem to be looked at from an enterprise perspective.
A “wake up in the middle of the night in a cold sweat” example would be credit card information.
No, it should never be stored unencrypted (if it is stored at all, and no, I have no credit card information at all in any of my databases, or files, anywhere!) but it opens the door to thinking about how this data is handled and the risks associated with it. If you accept credit card payments over the phone and you record phone calls, this part of the call needs to be deliberately not recorded. This becomes a training issue. If the information is entered onto a processing web screen, then you need to have the PCI certs for that vendor, and ensure that anti-virus software is sufficient on that terminal and that the employee entering the data has been properly screened and trained on how to handle the data. You have to ensure that this training is regularly repeated, and that audits of the phone conversations are performed to ensure compliance. The rules associated with this area change and need to be kept up with so that processes and training can be adjusted accordingly. And this is an easy one.
How do you inculcate an awareness and culture that encourages people to be proactive in enterprise risk management? Clearly, one person or even a small department will be hard-pressed to keep up with all the external and internal changes that need to be addressed. If, on the other hand, you had a large and clearly competent group dedicated to this, wouldn't the rest of the enterprise become complacent and assume that everything was being handled by that group? Harking back to my IT roots, even the best risk manager doesn't have that much insight into what a few lines of poor coding, poor patching practices, and emergency fixes could do to your organization.
Constant testing, questioning, and involvement of independent parties to look at the enterprise with a fresh set of eyes is needed. Often people new to the organization can see things that are obvious to them but just aren't seen by the people doing the everyday work.
Yes, asking your new employees to become de facto auditors is a daunting thought. How do you encourage questioning of what is without introducing witch hunts and lowering productivity?
An approach could be to draft people from the organization to participate in enterprise risk management committees. Yes, another hated committee distracting people from their work! As a young college student, I passed a billboard at a small church each day that had new sayings posted regularly. One that confused me at the time but which later became painfully clear was “And God so loved mankind, he didn't send a committee.” Still, recruiting good people for very short sprints of effort in this area could prove helpful. When something is found this way, recognition should be given to encourage everyone to help. Rotate new people through to get as wide a view as possible.
From the technology viewpoint, the ability to add outside services such as an Intrusion Prevention System (IPS) and Web Access Filters (WAFs) is a very real plus. Multiple layers of protection from multiple vendors to enhance internal resources, people, and machines adds to security and protects the company from data breaches. Not being dependent on too few people, but being able to rely on them to manage and backstop these services, works well. Getting the most from the devices and services is not a “set it up and forget it” type of thing. Understanding the updates and enhancements in relation to your company’s needs is critical. Communication between security techs, network techs, database administrators, developers, and business analysts is needed. Someone keeping track of and documenting the issues that are brought up is needed. SharePoint can be a great repository tool for keeping track of issues and effort, but it should not be relied upon as a single solution, as it can also be a black hole that things go into never to be seen again.
For electronic and paper data retention, there are specialists out there who devote their business lives to keeping up with regulations and technology to address this area. They are available for contractually designing and implementing sound practices, training people, and then coming back and auditing and training regularly. My company is using one of these firms to get a firm handle on where documents and data are stored and ensure that they are stored where they need to be and have the proper destruction dates and processes.
Microsoft’s O365 opens up new possibilities with the tools available. The ability for employees to keep data in the cloud is another area of concern. Planning for using this tool is critical in not letting it get out of control.
As you add new technology, applications, processes and people, you need to respond to the risk factors inherent in each.
Again, it is not just the job of the Risk Officer; it is the job of everyone in the company, because everyone’s job is riding on this being done well.