Operationalize Risk Management
The last topic of discussion at the Accenture CISO Roundtable was “Operationalize Risk Management”. If you recall, we started the session with Bob West of Echelon One discussing the need for CISOs to speak about and measure risk. Then Scott Charbo of Accenture discussed what risks to measure and how to measure them. Mark Lockareff of Agiliance then discussed how to operationalize these measurements and how technology can help. Here are some of the key discussion points.
When the analyst community coined the term “GRC” a few years back, they positioned the three terms in order of theoretical maturity. In theory, an organization should first decide how it wants to run its business and operations (Governance), then work out how to manage the risks that could prevent it from running that business (Risk), and finally work out how to assess and report against its compliance requirements (Compliance). This maturity model is perfectly logical, but very difficult to achieve under real-world constraints. Because most organizations are ongoing operations that must “keep the lights on”, compliance became priority number one. Compliance is the best understood of the three requirements, and the consequences of non-compliance are clear-cut. By now most organizations have significant investments in various aspects of compliance, in terms of people, processes, and technologies. Most large organizations are becoming “compliant” and have matured to the point of wanting to fill in the rest of the GRC functions, namely Risk and Governance. Risk is the natural next step, since it is better understood and more measurable than governance. So the real-world maturity model is really “CRG”. Not the way things should be, but the way things are.
The next logical question is how an organization that has invested heavily in compliance makes the transition to proactive risk management. Can an organization leverage its compliance investments for its risk management initiative? Where are the gaps, and what are the next steps?
Organizations that have invested in compliance programs have usually defined a set of controls and the procedures for testing them. Most have also invested in control technologies, such as vulnerability scanners, data leakage prevention, identity management, segregation of duties, log monitoring, and so on. The good news is that these control points are largely the same ones required to gauge risk for security, operations, disaster recovery and more. The fact that controls have already been defined and are being tested and enforced is a great start. The problem is that the testing and reporting on these controls are generally done through manual audit processes, involving lots and lots of spreadsheets and error-prone procedures. Risk is inherently continuous: exposures do not cease to exist between audit cycles, so a control that is assessed only once per cycle tells you nothing about the state of the environment in the months in between. To leverage control investments for risk management, an organization therefore needs to make control assessment and reporting near real-time and continuous. Moving from a compliance-centric GRC program to a risk-centric one requires investment in automation for control assessment and reporting, as well as new processes for risk management.
Newer automated, integrated GRC solutions build on existing control technology investments, combining data collected automatically from the environment and the deployed controls with information from operational controls, audit processes and mapped risk models. Through that integration, a GRC solution can enable continuous risk and compliance management.
The key to success for most IT projects is to roll out incrementally and achieve realistic goals with clearly demonstrable business benefits at each phase. GRC automation projects are no exception. There is no need to boil the ocean or throw the baby out with the bath water. Building on existing investments and processes is the key to moving up the “CRG” maturity cycle.
This will probably be my last post for the year. So happy holidays and a very happy new year to my fellow GRC professionals.
