This is Part Two of a Six-Part blog series on Cyber Risk Management from guest blogger Simon Goldstein
Is your risk program awash in expanding piles of data, from many organizational, operational, and functional sources, that offer no clear sense of useful information? Do you find that comparing where you were a year ago to today’s state is a challenge? Does relating remediation efforts to compliance seem complex? Are controls redundancies across frameworks and standards evident but pinpointing specifics remains frustratingly elusive? Are executive leadership and board members asking questions your data seems to offer no insight to in response?
These conditions may lend themselves to concerns about program effectiveness, delivered value to the achievement of corporate goals, and expense creep, with no demonstrable promise of return on the investment for the hard work already completed. While no software system is a substitute for sound program management, good governance, and informed judgement, a comprehensive enterprise risk management system (ERM), or governance, risk, and compliance (GRC) platform (as they were once called) can be a powerful organizing and supportive tool essential to effective and efficient enterprise risk management. For engaging today’s cyber risk environment, the GRC fulfills a role critical to the support of risk and security across your enterprise. Let’s explore how.
First, and to some thinking, foremost, the ERM platform provides a unitary authoritative repository for risk information, including cyber risk. Often referred to as the “system of record” with respect to risk activity, such a singularity for data provides some clear, valuable opportunities (see Exhibit 1). The risk information can be expressed through a standard set of language, definitions, and terms often referred to as the taxonomy for discussing risk.
Exhibit 1
A taxonomy is generally defined as a classification system. This means you can use the ERM to inform and promote a single definition of terms such as inherent and residual risk. While this seems innocuous or even trivial, too often an uncommon understanding of terms and measures within a particular discipline lead to miscommunication and misunderstanding. In risk, this can be costly. A common language aides operating efficiency as well as fostering a reporting environment focused upon the facts and findings, not the terms and situations. It’s actionable.
A quality enterprise ERM will provide the means to organize activity and data around frameworks relevant to your business. This feature may also allow the identification of specific controls present in multiple frameworks. Thus, you can use such a “cross-map” or “cross-walk” to identify where control compliance in one standard also achieves compliance for that control in others, removing the need for repetitive testing and enabling more efficient leverage of risk and compliance data to represent a current state against multiple frameworks or regulations. effective compliance monitoring becomes more achievable, while the intrusion and disruption into normal operations risk assessment sometimes creates is brought to an efficient minimum. Reduced effort leads to increased results of greater utility.
Another opportunity offered by a great ERM is the ability to map corporate policies to framework standards, and risk status findings to remediation. This enables areas responsible for policy to understand the impact upon them when a regulation or governing framework changes. It reduces the hunt and analysis time to an effort to create a one-time map thereafter maintained rather than recreated. Being able to assign and track remediation in the context of findings aides audit functions and answers executive and Board questions about actions being taken to address vulnerabilities and non-compliance. Does your current reporting enable that?
ERMs are great at providing standardized processes, procedures, tools, and methods for the activities and reporting inherent to operating a comprehensive risk management program. So, risk assessment, scoring, terminology, education, and even training in the use of the ERM offer standardized approaches for every part of your organization to follow. Even where exceptions are by design enabled, they are executed through choice or configuration, rather than customization, wherever possible. This means managing the ERM as a tool does not become a resource sink on its own. That’s important. If risk resources are consumed by ERM management their participation in the risk program is diluted. The program is there to manage risk, not the risk management tool.
Providing context and meaning to raw IT metrics and data often associated with cyber risk monitoring and detective tools and processes is another example of ERM value to a cyber risk program. Because data is offered and organized in the context of frameworks, that raw IT metric data can be analyzed and arrayed in context of its business implications. Does your executive team care about 2,357 servers with current patches, or with a consistent month over month server compliance rate of 98.4% against a target goal of 96%? That your IT department applied 23,641 changes this month, or that necessary patch demand rose 18% but was achieved without deterioration in compliance against target?
Let’s not ignore reporting. A great ERM should offer a wide array of reporting options, and a package of standard reports, such as risk registers, heat maps, Gap analyses, and more. Reporting should be easy to create; whether new from scratch or by modifying standard reports, and it should be straightforward for non-technical people (without requiring an advanced degree in database management and programming) to achieve. This is where standard practices, standardized data forms, terminology and processes really begins to pay off. But the report maker needs to know what questions need regular answers, what data needs those answers imply, and what the state of their data stores are before evaluating reporting options. An important, but often overlooked option is report publication. Your ERM should be able to provide output to hard copy, as well as images that can be incorporated into narrative reports, PowerPoint presentations, internal web sites, or posting to other internal data sharing services. Publication services should allow saving output in a variety of formats to support these distribution strategies, including editable and fixed options. Remember, great reporting answers important questions that support and enable informed decision-making action!
Organizational efficiency is a more subtle but important contribution your ERM can make to your risk program. The standardized process and procedures rely upon clearly delineated roles and responsibilities for activities. This is particularly evident when configuring process workflows or determining participant activity for distribution across multiple operating units. The latter is important to reducing dependence upon a central administrative risk authority and can foster increased program ownership throughout the enterprise. And, being tied to a framework where common controls to regulations may be noted allows risk data to be leveraged and repurposed for audit discovery, validation of findings, and evidential reporting; all economies of operating effort that yield consistency as well as efficiency.
Finally, the ERM’s cumulative features help you ground risk management efforts firmly in the roots of the business. The context of information gathered, reports, risk assessment and remediation choices all will be able to be rationalized, explained, and understood within the context of your organization’s mission, goals, and operating obligations. This empowers your Board and executive leadership to extract the most meaning from the risk management program and help make it an important and valuable contributor to corporate success.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.