Integrated Risk Management (IRM) and Governance, Risk Management and Compliance (GRC) are critical areas for business security and success. But all too often these programs aren’t thoroughly tested – or worse, aren’t actionable or effective.
Organizations that want to position themselves for success are putting strategies into place now that will ensure their IRM programs are robust and actionable.
Recently, NAVEX hosted a Fireside Chat on trends and predictions for IRM in 2022. The discussion focused on the implementation of privacy frameworks, the impact of IT risk on business continuity, and how to develop effective third-party risk management programs.
First Steps to Implement an Effective Privacy Framework
The first thing businesses need to do is analyze the state of their data privacy program. Questions to ask include the following:
- Is our privacy program mature or siloed?
- Is it reactive or proactive?
- Are we making requirements simple enough to understand so they will impact day-to-day activities?
- Are we making privacy requirements auditable?
One of the initial steps a business must take is to choose the right data privacy framework and make it actionable. To implement a privacy framework, it’s important to assess risk appetite. Dollars and cents are a good place to start. Businesses should ask themselves how much they are willing to spend, and what thresholds they are willing to cross.
Privacy frameworks become more meaningful if there is buy-in across the business. Is there an executive management commitment? Is there a culture of compliance? If the answer is ‘yes,’ then the business will be well-positioned when reactive regulatory audits come along.
And if there’s no culture from the top down, it certainly makes this endeavor much more difficult.
Building a culture that is focused on compliance is the most important thing. Too often, businesses rely on training videos, but while these can be educational, they won’t build a culture that prioritizes compliance. Privacy laws are only increasing, so building that culture needs to be a significant focus for businesses.
Assessments to Help Build Business Resiliency
Another trend is making IT risk part of business resiliency, not just from a technology or disaster recovery standpoint, but also to span all aspects of the business. In terms of risk management, the biggest failures and data breaches are the result of core competency failures.
Blocking and tackling feels like the phrase of 2022… The biggest challenges, the things that are most overlooked, are the core competencies of IT, of business continuity, of third-party risk management – of everything in risk.
Businesses need to ask themselves essential questions such as:
- Are we patching?
- Are we continuously monitoring?
- Are we maintaining backups and recovery, physical security, and maintenance?
A truly resilient business is one that continuously assesses and establishes controls to address IT risk. The word “continuously” is critical here because this is an ongoing and iterative process. The threat landscape and IT risks facing the business are not static and, for the sake of business resilience, should not be treated as such.
Working From Home Causes Increased IT Risk
During the pandemic, organizations took on different levels of risk to do business. For example, working from home made it abundantly clear that backups and recovery needed to extend beyond the four walls of a company and reach into employees’ homes.
Companies that had a strong posture around working from home, or IT risk in general, were in a better spot than those who were forced to figure it out on the fly. This type of preparation illustrates the importance of trying to be proactive whenever possible instead of just reactive.
Third-Party Risk Management: The Importance of Partnerships
Obviously, if you are working with outside vendors, you need to hold third parties accountable when it comes to risk management. But if it's frustrating to do business with you, that's going to make it more challenging. Key pieces of advice when working with third-party vendors include the following:
- Make sure the monitoring and assessment process works for your third parties, not against them. If you’re having to ask (and answer) a lot of questions, you’re wasting their time (and your own).
- Think more about partnerships, and less about transactional vendor relationships. You don't have to be best friends with your vendors, but understanding where they come from and what their goals are can be critical to success.
- Be continuous and reactive. For example, regarding the recent sanctions on Russia: did you have an assessment ready to send out? If not, how long did it take you to create one?
- Provide third parties with a roadmap of your expectations if they will be housing your data or managing your assets. Tie this to a business requirement whenever possible.
What should be at the forefront for all businesses regarding IRM and GRC is making it easier for people to meet organizational compliance commitments. One critical question every business should ask is whether it is making people's lives harder for the sake of compliance, or easier to hit compliance goals.
A continuity plan that isn’t tested isn’t a plan – it’s a dream state.
This mindset applies to employees as well: Does your business have programs or systems that are difficult for your employees to use or update?
If you have a system that’s challenging to assess, then you need to prioritize how to get data that drives understanding. Similarly, if processes aren’t working, they should be adapted and modified. If your technology strategy impedes what you're trying to accomplish, that needs to be reviewed and corrected.
Commit to testing your risk strategies and programs regularly. A continuity plan has to be proven effective before it can be implemented.