In today's business world, silos are coming crashing down. Digitalization and the evolution of the internet, mobile computing, and data science have redefined the business landscape and led to greater interconnectedness of markets across geopolitical borders.
The unprecedented after-effects of COVID-19 have also shown how interdependent the world we live in has become. For instance, the gradual shift toward permanent remote working could have long-term effects on many industry sectors simply because everything is connected. A disruption anywhere on the transaction chain can create a domino effect and send ripples through the market. Businesses that fail to understand and analyze these interconnections risk making myopic decisions and failing to develop and execute effective recovery strategies.
Despite the ongoing effort to adopt new technologies and tools to implement a pervasive approach to risk management, business leaders and risk teams are still unable to fully understand the interconnectedness of risks. In our recent webinar, risk professionals and leaders discussed why that happens and how businesses can take a holistic and integrated approach to make risk management processes more efficient and effective.
Even today, businesses implement controls without understanding how they affect other business areas. Implementing controls within siloed systems leads to overabundant, overlapping, and duplicated controls that are unnecessarily expensive and time-consuming and that ultimately reduce efficiency. An integrated approach to risk management is therefore critical: one where you are not spending 80% of your time on data collection and only 20% on analysis.
Risk management needs to evolve and give businesses a deeper understanding of every aspect of the risks they face, as well as the intricate web of interconnections between them, because links among risks can amplify the overall impact, directly or indirectly.
And for integrated risk management (IRM) to be effective, people, processes, technology, and data need to come together as part of a common ecosystem with a shared purpose and goal.
However, risk identification and assessment programs do not serve their full purpose without quantifiable measures to support them. This requires carefully thought-out measurement components, such as risk indicators with defined thresholds, that provide useful insight into each risk.
While many of us would like to believe that enabling technology for IRM is primarily about implementing an enterprise GRC tool, it requires some broader thinking. IRM is an extension of your GRC program where risk management practice is seamlessly embedded into compliance, cybersecurity, vendor risk management, and business continuity planning.
Businesses need to understand and break down the complex interrelationships. And that means risk identification needs to happen, where risk happens.
Our MetricStream Platform can help you cut across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions. Organizations can use our product to align their assurance programs and gain comprehensive visibility into both risk exposure and relationships. Reach out to us to know how to achieve forward-looking risk visibility with predictive risk metrics and indicators in your Risk Management program today!
As organizations rely increasingly on an interconnected network of third parties, they become vulnerable to a plethora of risks. A 2020 Ponemon survey found that a typical enterprise has an average of 5,800 third parties, and the number is expected to grow by 15 percent this year. As the third-party network of an organization expands, so does the number of potential points of failure.
Companies often have to share sensitive information with third-party vendors of business-critical goods and services, and if a vendor suffers a data breach, the effect on the organization can be severe. Recent incidents, such as the security breaches at Microsoft and Accellion and the SolarWinds supply-chain compromise, are unfortunate reminders of how third-party risk can expose many organizations at once to illicit actors and impede their operations. Moreover, in this hyper-connected business environment, a security lapse at even a small enterprise can have far-reaching and disastrous consequences.
As such, implementing an effective third-party risk management (TPRM) program has become critical for today's extended enterprise. The objective is to identify and mitigate the business, operational, and cyber risks associated with third, fourth, and subsequent parties, including security breaches, supply chain disruptions, unethical actions, poor performance, financial impact, and more.
TPRM Key Considerations
There are certain must-haves when it comes to a robust TPRM framework:
Implementing a centralized, technology-based TPRM solution that streamlines and digitizes these processes has become vital for organizations to mitigate third-party risks efficiently. MetricStream Third-Party Risk Management provides organizations with an integrated, real-time view of the extended enterprise and helps automate the associated processes, including collating information, onboarding, continuous monitoring, risk, compliance and control assessments, and risk mitigation.
The MetricStream Arno release enhances BitSight integration, enabling proactive identification and mitigation of cybersecurity risks in the extended enterprise. When setting up the due diligence task, organizations can now define one of the stages as information security risk assessment using BitSight content. The task to review the content will be triggered as part of the due diligence workflow – the information security score and rating from BitSight can be reviewed and risk mitigation steps can be documented.
Furthermore, organizations can also leverage BitSight infosec ratings to continuously monitor third-party risks. They can also subscribe to regular or periodic alerts from BitSight for chosen third parties and define rules to automate review task assignment—when a change occurs in the BitSight score, it will automatically send notifications so that the user can review the changes and take further action.
To know more about BitSight content integration, register for the live webinar here.
As the uncertain business environment continues to linger in the wake of the COVID-19 pandemic, organizations must boost their preparedness for the unknown unknowns to ensure uninterrupted business operations.
Work has moved home due to the pandemic but has not slowed down. To understand the state of risk management and how risk professionals are approaching this critical business function in the new normal, MetricStream conducted a survey of chief risk officers (CROs) and risk managers spanning multiple geographies and industries. The survey results have been compiled in The State of Risk Management Survey Report 2021. Here are some of the key takeaways from the survey:
Risk management is no longer seen as an annual or half-yearly “tick-box” exercise. The crisis has particularly highlighted the importance of competent risk managers and an effective enterprise risk management (ERM) strategy for business continuity and resilience.
To keep up with the evolving operational environment and risk landscape, it’s imperative that the top management and leadership are aware of the organization’s risk profile, tolerance, and appetite to make informed business decisions. A data-driven, technology-based IRM program can better equip risk teams to provide risk intelligence to the senior management in real-time, thereby improving an organization’s agility and responsiveness.
The survey, in fact, affirmed that IRM is key for ensuring operational resilience as more than half of the organizations (52.63%) that had already deployed an IRM solution did not alter their risk programs, approaches, or activities due to the pandemic. That said, a significant number of organizations still depend on basic office productivity software for risk management activities, which hampers their risk identification, reporting, assessment, and mitigation capabilities.
In these unprecedented times, companies can position themselves as trailblazers and gain a competitive edge by their ability to thrive on risk. It is important to note here that implementing a technology solution alone to meet risk management needs is not enough. For an IRM program to be successful, organizations must transition to a matured framework—one that strikes the right balance between people, processes, and technology. This approach is not a silver bullet but can greatly enhance an organization’s resilience to risk events.
“Beyond financial risks and cyber risks, we now must pay very critical attention to HR and operational resilience of our organizations as well. Unfortunately, this is going to be part of the new normal for years to come as we have to be ready to deal with the pandemics—the current one and perhaps other incarnations of these kinds of pandemics into the future. We have to learn how to deal with crisis and emergency events and other wartime scenarios that are the ‘Unknown Unknowns’ that the GRC industry must learn to tackle,” said Gunjan Sinha, Executive Chairman, MetricStream.
MetricStream offers a suite of products and solutions that enable organizations to enhance and streamline risk management activities and processes. The MetricStream Integrated Risk Solution empowers organizations to manage both existing and emerging risks across geopolitical, digital, strategic, third-party, cybersecurity, and compliance areas. In addition, some key enhancements have also been made to the MetricStream Platform with the Arno release to enable better business configurability, improve mobile capabilities and enhance user experience.
To download the complete report, click here. To request a demo, click here.
Risk aggregation is the process organizations of all sizes use to obtain a complete view of total risk exposure across processes, business lines, and risk types, using one or more aggregation methods. It is vital for informed decision-making.
The credit and financial crises proved that looking at risk management through the rearview mirror is dangerous. Since then, organizations, and especially banks and financial services institutions, have been pushed toward a forward-looking approach to risk management; the Basel Committee's BCBS 239 principles for effective risk data aggregation and risk reporting are the best-known example. Organizations of all sizes now want to assess and aggregate risks across various processes, business lines, and risk types using multiple methods.
The process of identifying the impact of various risks on a business requires the ability to aggregate risks both vertically and horizontally. A robust aggregation mechanism enables risk officers not only to understand the total risk exposure, but to also make risk-aware decisions and define risk treatment plans that are in line with their organization’s risk appetite definitions.
Managing risks across a large enterprise can be a challenge. The process of identifying the impact of multiple risks on an organization requires the ability to aggregate risks at multiple levels. The basic goal of risk aggregation is to collect several risks in order to arrive at a total risk exposure for all or a part of an organization. Risk aggregation allows grouping of similar risks from different perspectives to provide a complete picture of risk across the enterprise.
The Basel Committee on Banking Supervision (BCBS) has described how widely the organization of risk management varies across firms, which is one reason why no single aggregation approach fits everyone:
“Naturally, the organization of risk management functions varies across firms. In some firms, risk management is a highly centralized function where the dedicated risk management function exercises substantial authority. In other firms, particularly in the insurance sector, local business units with a limited risk profile retain substantially greater autonomy over significant risk management decisions. Moreover, even in some firms with a bias toward centralized risk-management decision-making, the key decisions are made by a senior management committee, rather than by the risk management function itself. The organizational infrastructure of risk management decision-making varies considerably across firms, and it is difficult to conclude that any single approach is becoming dominant.”
Companies also follow different organizational structures to support their business. Some group risks by organizational structure, others by legal entity, geography, process, product, or risk category. Risks can exist at multiple levels within an organization, and risk owners at each level want to see their own exposure against the total exposure at enterprise level. Two functions or locations may share common risks. Stakeholders at each level also want the aggregated exposure for specific risks or risk types, for example External Fraud or Attrition, which is useful for monitoring changes in the risk profile over time. Risk owners at each level want to see the top risks at their level and act on them, and to know early whether a risk, or a group of risks, is approaching its risk appetite limit or has already breached it. To support all of this, an organization has to adopt an aggregation methodology that suits its risk management approach and business strategy.
Aggregating at multiple levels, up to the enterprise, lets risk leaders see where exposure concentrates, drill down to its sources, and take meaningful remedial action. Slicing and dicing risk data by aggregating at different levels enables risk owners to make risk-based decisions and take advantage of market movements and conditions.
Collection, quality, and applicability of data are major challenges when rating and scoring risks. Without a tool, data may reside in many scattered locations, and collating it is not only time-consuming but also distorts the outcome if done inconsistently.
Threshold limits differ by level and by criticality. A risk rated very high by one business unit may sit under a different threshold at another unit or at enterprise level, where the same score reads as medium or low. There may also be several kinds of threshold, for example financial and reputational, across an intersection of hierarchies, which complicates matters further. A simple average therefore may not give an accurate picture of exposure: one critical risk averaged with several low ones disappears into a medium score, and a breach of appetite at a business unit may be invisible in the enterprise figure.
Much of the information is qualitative, which makes an exact risk score hard to derive.
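To make the threshold and averaging problem concrete, here is an added example in Python. It is not MetricStream code and not part of the original post. It builds a small two-level hierarchy from constructed risk data, rolls each risk category up by mean and by maximum, applies level-specific rating bands, and reports appetite breaches. The unit names, band limits, appetite values, and the likelihood-times-impact scoring are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    category: str    # risk type, e.g. "External Fraud" or "Attrition"
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..25 (assumed scoring scheme)


@dataclass
class Unit:
    """A node in the organizational hierarchy (business unit, region, enterprise)."""
    name: str
    appetite: int                 # highest aggregated score this level tolerates per category
    bands: List[Tuple[int, str]]  # this level's own rating thresholds: (upper bound, label)
    risks: List[Risk] = field(default_factory=list)
    children: List["Unit"] = field(default_factory=list)


# Rating bands differ by level (assumed values): a score of 16 is "high"
# for a business unit but only "medium" at enterprise level.
BU_BANDS = [(6, "low"), (12, "medium"), (18, "high"), (25, "very high")]
ENT_BANDS = [(10, "low"), (18, "medium"), (25, "high")]


def rate(score: float, bands: List[Tuple[int, str]]) -> str:
    """Map a numeric score to the label defined by the given level's bands."""
    for upper, label in bands:
        if score <= upper:
            return label
    return bands[-1][1]


def subtree_risks(unit: Unit) -> List[Risk]:
    """All risks registered at this unit or anywhere below it."""
    risks = list(unit.risks)
    for child in unit.children:
        risks.extend(subtree_risks(child))
    return risks


def aggregate(unit: Unit, method: str = "max") -> Dict[str, float]:
    """Roll up the subtree's risks per category. "mean" dilutes hot spots;
    "max" carries the worst-rated instance of each category upward."""
    buckets: Dict[str, List[int]] = {}
    for r in subtree_risks(unit):
        buckets.setdefault(r.category, []).append(r.score)
    if method == "mean":
        return {cat: sum(s) / len(s) for cat, s in buckets.items()}
    if method == "max":
        return {cat: max(s) for cat, s in buckets.items()}
    raise ValueError(f"unknown aggregation method: {method}")


def appetite_breaches(unit: Unit, method: str = "max") -> List[Tuple[str, str, float]]:
    """Walk the hierarchy top-down and list every (unit, category, score)
    whose aggregated score exceeds that unit's own appetite."""
    found = []
    for cat, score in sorted(aggregate(unit, method).items()):
        if score > unit.appetite:
            found.append((unit.name, cat, score))
    for child in unit.children:
        found.extend(appetite_breaches(child, method))
    return found


def top_risks(unit: Unit, n: int = 3) -> List[Risk]:
    """The n highest-scoring individual risks visible from this level."""
    return sorted(subtree_risks(unit), key=lambda r: r.score, reverse=True)[:n]


def build_sample_enterprise() -> Unit:
    """Constructed sample data: one critical fraud risk hidden among low ones."""
    retail = Unit("Retail", appetite=12, bands=BU_BANDS, risks=[
        Risk("Card skimming at branches", "External Fraud", 4, 5),   # score 20
        Risk("Mail-order refund abuse", "External Fraud", 1, 2),     # score 2
        Risk("Teller turnover", "Attrition", 2, 2),                  # score 4
        Risk("Branch manager turnover", "Attrition", 2, 3),          # score 6
    ])
    corporate = Unit("Corporate", appetite=15, bands=BU_BANDS, risks=[
        Risk("Invoice fraud", "External Fraud", 2, 2),               # score 4
        Risk("Relationship manager turnover", "Attrition", 3, 3),    # score 9
    ])
    return Unit("Enterprise", appetite=18, bands=ENT_BANDS, children=[retail, corporate])


if __name__ == "__main__":
    ent = build_sample_enterprise()
    for method in ("mean", "max"):
        agg = aggregate(ent, method)
        print(method, {c: (round(s, 1), rate(s, ent.bands)) for c, s in agg.items()})
        print("  breaches:", appetite_breaches(ent, method))
```

With mean aggregation the enterprise view shows External Fraud at about 8.7 ("low" on the enterprise bands) and no appetite breach anywhere, although Retail holds a risk scored 20. With max aggregation the same risk surfaces as a breach both at Retail (appetite 12) and at enterprise level (appetite 18). A real program would usually weight by exposure or use a high percentile rather than a bare maximum, but the choice of aggregation rule decides what leadership sees.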
MetricStream provides capabilities to manage an organization’s entire risk management requirement from risk identification to risk assessment, control evaluation, risk treatment, and risk and control continuous evaluation and reporting.
Given below are some of the core capabilities for risk assessment and aggregation:
As risk continues to permeate through all levels of an organization, being able to gain a holistic view of risks will help build resilience and profitability. Risk aggregation could be a key pivot on which better risk-aware decisions can be made across the lines of the business, propelling organizations towards accelerated performance, thriving on risk.
The COVID-19 pandemic has highlighted how ill-prepared and ill-equipped businesses around the world really were to tackle a crisis of such magnitude. So, while digitization and automation have emerged as the major focus areas for organizations to be able to quickly adapt to the new normal, so has an agile, integrated, and technology-driven approach to risk management. In KPMG’s COVID-19 risk assessment survey of key managerial personnel, a majority of respondents (75%) said that they feel the need for the adoption of technology-based solutions to monitor key risks and their mitigation.
The pandemic has also brought conversations on frontline engagement to the forefront. Being closely engaged in daily business activities, the frontline is the most likely to identify emerging risks and vulnerabilities. As such, there is a growing call among risk and compliance leaders to make the frontline more agile and to entrust it with more risk management responsibilities, moving beyond its existing role of identifying and managing risk in day-to-day activities to control ownership and accountability.
Delegating more risk management responsibilities to the frontline, making them risk-aware, and empowering them with proper training and tools has become critical for organizations to efficiently navigate today’s complex business risk environment. Companies are also increasingly engaging with the frontline in the designing phase of the risk management framework itself. Factoring in the frontline’s valuable insights on end-user perspectives, latent and emerging market trends, and more will enable organizations to ensure the relevancy and effectiveness of their risk and compliance programs.
In addition to owning and managing risk management decisions on a daily basis, the frontline today is also tasked with ensuring the effectiveness of controls. Risk and Control Self-Assessment (RCSA) is an important tool that the frontline can use to assess the operational risks associated with their activities and the efficacy of controls that address those risks. This way, RCSAs empower the frontline to make confident, informed decisions.
Bolstering the capabilities and responsibilities of the frontline, in turn, enhances the risk monitoring capabilities and oversight of the second line. A collaborative and synchronized effort of the three lines, in a way that is aligned with business strategy and goals, will help improve risk visibility and forecasting capabilities and make an organization nimbler and more responsive.
Organizations can leverage MetricStream Observation Management which simplifies capturing risk intelligence from the frontlines. The product helps bring GRC to the frontline with engaging platforms, widgets, browser plugins, conversational interfaces, chatbots, and intuitive web forms.
With the MetricStream Arno Release, the product now enables frontline users to capture risk and compliance observations, which can then be triaged and categorized as case and incident, loss event, or issue. AI-powered recommendations can be leveraged for categorizing the observations thereby increasing the efficiency and effectiveness of the triage team. Once triaged, the management and monitoring of actions to address them can be automated.
Earlier this month, Microsoft reported active exploitation of previously unknown vulnerabilities in its on-premises Exchange Server by a state-sponsored actor, a campaign that is said to have impacted thousands of businesses around the globe.
In a blog post, the Microsoft Threat Intelligence Center (MSTIC) attributed the campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China. The group chained four zero-day vulnerabilities in on-premises Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to gain access to email accounts and to install web shells and other malware that gave it long-term access to victim environments. Exchange Online was not affected.
In this hyper-connected business environment where we depend on multiple organizations to run our business smoothly, the cyberattack surface is continuously expanding and not limited to your infrastructure only. It is imperative that organizations continuously monitor the relevancy and effectiveness of their cyber risk management programs as well as of their partners with whom they are sharing sensitive information to identify and address any vulnerable areas or loopholes. The situation is further exacerbated by the growing interconnectivity of organizations resulting from the accelerated pace of digitalization. As such, organizations are left with an extremely short window of time to react to any emerging or existing risk event.
An organization is only as strong as its weakest link. With the proliferation of an organization’s third-party network, the number of potential points of failure also grows. To successfully manage the vast network of suppliers, ensuring visibility into supply chain hierarchy and the mapping of the third parties to products, services, fourth and subsequent parties, and business units becomes critical.
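The mapping described above can be held as a dependency graph and queried. The following is an added Python example, not MetricStream code and not part of the original post, using constructed business units and fictitious supplier names. It records which business units rely on which third parties and which third parties rely on which fourth parties, then answers the questions a risk team asks after a supplier incident: what is exposed if a given supplier is compromised, at which tier a supplier sits, and which suppliers are concentration risks shared by several business units.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set


class DependencyMap:
    """Directed graph in which an edge consumer -> provider means the consumer
    relies on the provider. Business units rely on third parties, third parties
    rely on fourth parties, and so on down the chain."""

    def __init__(self) -> None:
        self.providers: Dict[str, Set[str]] = defaultdict(set)   # who each node relies on
        self.dependents: Dict[str, Set[str]] = defaultdict(set)  # who relies on each node

    def add(self, consumer: str, provider: str) -> None:
        self.providers[consumer].add(provider)
        self.dependents[provider].add(consumer)

    @staticmethod
    def _reach(start: str, neighbours: Dict[str, Set[str]]) -> Dict[str, int]:
        """Breadth-first search: every node reachable from `start` (excluding
        start itself) mapped to its hop distance."""
        dist = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in neighbours.get(node, ()):
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
        dist.pop(start)
        return dist

    def exposed_by(self, compromised: str) -> Dict[str, int]:
        """Everything that transitively relies on `compromised`, with hop count
        (1 = direct customer of the supplier, 2 = one step removed, ...)."""
        return self._reach(compromised, self.dependents)

    def tier(self, supplier: str, business_units: Iterable[str]) -> int:
        """Shortest chain from any business unit down to the supplier:
        1 = third party, 2 = fourth party, ...; -1 if not connected."""
        best = -1
        for bu in business_units:
            hops = self._reach(bu, self.providers).get(supplier)
            if hops is not None and (best == -1 or hops < best):
                best = hops
        return best

    def concentration(self, business_units: Iterable[str], min_units: int = 2) -> Dict[str, List[str]]:
        """Suppliers at any tier on which at least `min_units` business units
        ultimately depend: the enterprise's shared single points of failure."""
        users: Dict[str, Set[str]] = defaultdict(set)
        for bu in business_units:
            for supplier in self._reach(bu, self.providers):
                users[supplier].add(bu)
        return {s: sorted(bus) for s, bus in sorted(users.items()) if len(bus) >= min_units}


# Constructed sample: two business units, three third parties, two fourth parties.
BUSINESS_UNITS = ["Retail Banking", "Wealth Management"]


def build_sample_map() -> DependencyMap:
    m = DependencyMap()
    m.add("Retail Banking", "PaymentsCo")        # card processing
    m.add("Retail Banking", "HostCo")            # online banking hosting
    m.add("Wealth Management", "HostCo")
    m.add("Wealth Management", "MailGatewayCo")  # outbound statements
    m.add("HostCo", "CloudVendor")               # fourth party behind HostCo
    m.add("PaymentsCo", "CloudVendor")           # ... and behind PaymentsCo
    m.add("MailGatewayCo", "CertAuthorityCo")    # fourth party behind MailGatewayCo
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print("If CloudVendor is breached:", m.exposed_by("CloudVendor"))
    print("CloudVendor tier:", m.tier("CloudVendor", BUSINESS_UNITS))
    print("Concentration risks:", m.concentration(BUSINESS_UNITS))
```

In the sample, a compromise at CloudVendor, which neither business unit contracts with directly, reaches both of them through HostCo and PaymentsCo, and the concentration query flags CloudVendor alongside HostCo even though it never appears on a first-tier vendor list. That is the visibility a fourth-party mapping is meant to give.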
Third-party breaches have been on the rise for some time. More than 25 breaches attributed to third parties were reported in just the first three months of 2021, affecting big names including Facebook, Instagram, LinkedIn, the North American supply chain of Audi, BMW, Mercedes, Porsche, Saab, Volkswagen, and Volvo, Microsoft, Singapore Airlines, Qualys, Airbus, Air Caraïbes, ArcelorMittal, BT, PwC Russia, and others.
The Exchange Server attacks have underscored how third-party risk can make many organizations susceptible to illicit actors at once.
In this incident, thousands of organizations worldwide running Microsoft Exchange Server, a mail, calendar, and collaboration server, were affected. Although Microsoft released out-of-band security updates for the HAFNIUM exploits on March 2, 2021, the campaign is estimated to have affected at least 30,000 organizations across the U.S., including small businesses, towns, cities, and local governments, and 60,000 computer systems in Germany. The full scale of the impact is expected to become clearer in the coming weeks.
What makes the attack graver is that organizations running Exchange Server could not have patched ahead of it, because the vulnerabilities were zero-days. Patching after March 2 closed the entry point but did not remove web shells that had already been planted, so affected organizations also had to hunt for and evict the intruders. The European Banking Authority (EBA) took its email systems offline following the incident; in a subsequent update it said that the scope of the event was limited and that the confidentiality of EBA systems and data had not been compromised. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-02 ordering all federal civilian departments and agencies running vulnerable Exchange servers to examine them for indicators of compromise and either apply the updates or disconnect the servers from their networks.
Organizations must not let their guard down when dealing with third-party risk. To thrive in today's digital era, they need a well-defined third-party risk management program that provides an integrated, real-time view of the extended enterprise. A robust, technology-driven program helps automate the entire third-party risk management lifecycle, improving visibility into the risks posed by third and subsequent parties and accelerating responses to risk events. Organizations should also maintain a robust business continuity program to keep critical business functions running during such events.
MetricStream helps organizations effectively manage third-party risks with its Third-Party Risk Management product. With Continuous Third-Party Monitoring, Periodic Third-Party Due Diligence, Intuitive Dashboards and Reports, the product empowers organizations to protect their business from existing and potential threats from third parties, as well as strengthen resilience, contain costs, and optimize business performance.
To learn more about third-party risk management read MetricStream’s eBook, Boosting Third-Party Risk Management in a Time of Uncertainty, which delves into how third-party risks can expose organizations to a wider spectrum of risks if left unchecked. It also provides quick tips on how to review third-party risk management operating models and identify gaps or opportunities for improvement.
Today, business leaders and risk managers are required to navigate an increasingly complex risk landscape that is evolving at a rapid pace. Economic, environmental, geopolitical, technological, and other factors and their growing interdependencies are resulting in an ever-changing and expanding risk environment, making risk management extremely challenging.
The current volatile operating environment has called into question the very validity of the longstanding siloed approach to risk management. The situation has been exacerbated by the COVID-19 pandemic, which has amplified digital dependency and the interconnectivity of people, processes, and organizations, multiplying the points at which different risks intersect. Furthermore, a siloed approach leaves risk data scattered across the organization, which is a major impediment to decision-making.
To succeed in these uncertain times, organizations need to adopt an integrated approach to risk management, which will help create a single source of truth of all risk-related issues and data across different business units and functions. The integrated risk management (IRM) approach will considerably enhance an organization’s risk visibility and provide a better understanding of risk relationships and their cascading effects. In addition, by enabling prompt risk identification, organizations will be better equipped to reduce risk response time and take appropriate risk mitigation and remediation action.
It is encouraging to see that organizations are gradually embracing this forward-looking approach. The OCEG 2020 GRC Maturity Survey revealed that a number of businesses around the world are starting to integrate and standardize their governance, risk, and compliance (GRC) processes and technology.
Integrated Risk Program of the Future
A future-ready integrated risk program builds upon the existing risk management infrastructure and reconfigures it to make it more agile, unified, structured, and coordinated. This approach provides C-suite executives and board of directors with real-time actionable risk insights for improved decision-making and business performance. It puts in place a comprehensive integrative layer that provides deep visibility into an organization’s risk profile and risk relationships, along with an integrated issue and action management strategy that enables risk mitigation in real-time.
With the growing labyrinth of risks, companies are increasingly looking to tap technology-driven IRM tools that can significantly streamline and simplify risk management that is tied with business objectives and goals. These solutions, which leverage artificial intelligence (AI), robotic process automation (RPA), and such advanced and innovative technologies, seamlessly integrate with the larger IT infrastructure, dramatically improving an organization’s risk identification and mitigation capabilities, risk preparedness, and overall operational resilience and efficiency.
By 2021, Gartner expects more than 50% of large organizations to use an integrated risk management solution and projects the IRM solutions market to grow to $8 billion.
MetricStream offers a range of products and solutions that aim to enhance and streamline risk management activities and processes. The MetricStream Integrated Risk Solution enables organizations to manage both current and emerging risks across geopolitical, digital, strategic, third-party, cybersecurity, and compliance areas. It cuts across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions.
Adopting a mature, technology-driven IRM approach is increasingly viewed as a core competency for achieving business goals. Once implemented, organizations should proactively conduct routine assessments to ensure the program's effectiveness. In the long run, this will help an organization better understand its risk posture, refine its risk appetite, and make well-informed decisions.
An effective IRM program needs to be complemented with a “risk-aware” culture across an enterprise along with well-defined roles, responsibilities, and accountability for employees. Educating employees on emerging risks and upcoming trends in the market, industry, and economy will help broaden the outlook of the workforce and boost their risk identification capabilities.
For diving deeper into IRM you can read MetricStream’s eBook, The Future of Integrated Risk Management, which details the best practices for a future-ready IRM program, provides quick tips for preparing an organization to adopt IRM, and delves into the organizational challenges involved in managing unknown-unknown risks, as well as the strategic direction of the financial services industry as it prepares for these risks and their domino effect.
The recent FireEye breach is perhaps the most significant cybersecurity headline of 2020, with one of the leading advanced threat detection vendors falling victim to an apparent state-sponsored attack. As new details of the breach unfold, the nexus between cybersecurity and risk management become increasingly evident, forming the basis of several lessons learned.
Over the last 10 years, IT departments have gained undeniable advantages and realized significant business benefits from third-party IT solutions. Rather than building costly on-premises IT infrastructure and services, agile businesses have reliably turned to third-party vendors, such as Amazon AWS, Salesforce, Microsoft, and others, to host, manage, and provide mission-critical business and IT services effectively and efficiently.
Following this practice, FireEye reportedly used SolarWinds Orion network performance, management, and monitoring software, and a trojanized Orion update appears to have been the entry point for the breach. That the breach came through SolarWinds specifically is, however, beside the point. The fundamental issue is that supply chain and third-party IT solutions present real risk to enterprise security architectures: software that runs with broad privileges inside the network inherits the trustworthiness of the vendor's build and update pipeline.
The proverbial ship has sailed when it comes to outsourcing IT services, and despite recent attacks, businesses have much to gain (e.g. cost savings, agility, flexibility, productivity, etc.) by using outsourced and cloud-based services. Knowing this, the prudent course of action is to implement a solution that reduces risk associated with third-party vendors.
One such solution is the MetricStream Third-Party Risk Management offering, which protects businesses from existing and potential third-party threats. Built on the MetricStream M7 Integrated Risk Platform, MetricStream’s Third-Party Risk Management product provides an integrated, real-time view of the extended enterprise. It strengthens resilience, contains costs and optimizes business performance by automating the end-to-end processes for information gathering, onboarding, real-time monitoring, risk, compliance and control assessments and risk mitigation.
In the cybersecurity world, policy and policy management are often overlooked and undervalued. Yet without policy there is nothing to enforce, and an enterprise security program whose rules are neither written down nor enforced is futile and inefficient. We see this every day in society: we have laws to protect citizens, but without the police to enforce them we would live in a lawless society.
Every breach is an opportunity to learn, strengthen security, and become more resilient. Policy is part of this and should be included in any post-breach review. In fact, many breaches are nowhere near as sophisticated as the FireEye breach and instead result from employees not following security policies. A spear-phishing campaign, for example, often succeeds because an employee clicked a link embedded in a suspicious external email even though corporate policy says not to; the post-breach review should ask whether that policy was known, whether it was realistic, and whether technical controls backed it up.
MetricStream Policy and Document Management built on the M7 Integrated Risk Platform, streamlines and simplifies the creation and communication of organizational policies, while providing a centralized policy portal to store and access the latest policies. It delivers a contextual view to policies by mapping policies to regulations, risks and controls, thereby strengthening compliance while highlighting potential risks. Policy and Document Management raises awareness throughout an organization and brings policies to everyone, including first line employees, who are often the targets of cyberattacks.
One observation noted from the FireEye attack is the speed and transparency of their communications. Kudos to those involved, as often a breach is solely managed by Legal and/or IT. Whenever a substantive breach occurs, businesses face damage to their brand, sales efforts, customer success and partner base.
Not only do breaches potentially trigger lawsuits, but for many corporations, a material breach can also trigger SEC Regulation FD (Fair Disclosure) consequences. Cybersecurity incidents are often listed as part of corporate governance documentation relating to Regulation FD.
For those not in Legal or Corporate Communications, Regulation FD basically states that a corporation must prevent the selective disclosure of material, non-public information that could be used in the decision-making process of buying or selling a security. Depending on the severity of a cybersecurity incident, Regulation FD may apply.
As FireEye has shown, clear, quick and transparent communication is the best way to manage brand-challenging situations. Learning from their experience and response, every organization should have a PSIRT (Product Security Incident Response Team) policy in place BEFORE a breach or serious incident occurs; for breaches of the enterprise itself rather than of a product, the equivalent team is usually called a CSIRT, and the same principle applies. Response teams are usually composed of members from across the enterprise, including representatives from Corporate Communications, Legal, IT/Security and the C-Suite. With MetricStream Policy and Document Management, creation of a PSIRT policy and process is simple and intuitive – a must have for any organization.
In conclusion, the FireEye breach will continue to dominate headlines as more information is revealed about the attackers, their processes, tools and techniques. As well, we hope to gain insights from what has transpired to find new and better ways to strengthen security and improve resilience. Clearly, more lessons are to be learned.
Without question, 2020 has been an interesting year, and with so much attention paid to the recent U.S. Presidential election, it is easy to overlook an important ballot initiative, Proposition 24, which amends and substantially expands the relatively new California Consumer Privacy Act (CCPA). For businesses that buy, share or utilize California resident data, this is big.
Consumer demand for privacy rights and protection of personal information continues to drive regulatory reform worldwide. For example, the General Data Protection Regulation (GDPR) mandate in Europe has redefined privacy and data protection efforts, leaving many jurisdictions, including the United States to follow suit.
California is no different. Seeking to enhance and improve on the existing CCPA, Proposition 24, also known as the California Privacy Rights Act (CPRA), gives consumers greater powers over corporate use of their sensitive personal information. Furthermore, the Act establishes a new regulatory body, the California Privacy Protection Agency, which takes on rulemaking and holds oversight and enforcement duties in parallel with the California Department of Justice.
There are many notable provisions in the CPRA; too many to list. However, several novel features move the CPRA closer in line to Europe’s GDPR. Some of the standout provisions include:
For many technology, financial and other organizations dealing with big data, CPRA compliance comes down to a three-part test:
Under the CPRA, businesses whose processing of personal information presents significant risk to consumers' privacy or security will be required to perform an annual cybersecurity audit and to submit regular risk assessments to the new agency, under regulations the agency is directed to issue. This means that now, more than ever, businesses need to move from cumbersome email and spreadsheet compliance practices to streamlined and integrated compliance management and risk platforms.
One such solution to this challenge is the MetricStream Compliance Management product that simplifies and strengthens compliance with regulations across organizations, while improving visibility into control effectiveness and ensuring timely issue remediation.
MetricStream Compliance Management, built on the MetricStream M7 Integrated Risk Platform (intelligent by design), helps manage a wide range of compliance requirements, including CCPA, in an integrated manner. Policies, standards, regulations and controls are aligned, eliminating inefficiencies and redundancies. Compliance processes with workflows, self-assessments, surveys, and issue remediation are widely supported.
Key features of MetricStream Compliance Management include:
CPRA, like GDPR, is here to stay, and businesses around the world that touch California consumer data will have to make substantive changes to their compliance programs. Although the majority of the CPRA provisions do not go into effect until January 1, 2023, a one-year "look-back" provision means they will govern personal information collected on or after January 1, 2022. As many compliance professionals know, this does not give businesses much time to modify and update their workflows, policies and practices. Given this short runway to compliance, it is fair to say that indeed, we are living in interesting times.
Moving from simple risk management to real resilience is a critical new capability that organizations are striving to attain. Teams seek to quickly mature resilience as we re-open our businesses, countries and economies in the post-COVID-19 world. Organizations that do this well and become ‘anti-fragile’ will thrive – those that do not will find themselves being driven out and battered by new waves of change.
In our previous posts on Risk Quantification, the Digital Impact Chain and how COVID-19 Has Changed The Way We Do Risk – Forever – we focused on how risk management is changing and becoming more aligned with scoring techniques based on multiple factors from both technology and business stakeholders. This blog post takes Risk Quantification a step further and redefines resilience in terms of becoming anti-fragile.
Traditionally, we think of resilience in terms of how quickly something can 'bounce back' from an impact. Business continuity teams focus on metrics such as the recovery time objective (RTO, the maximum acceptable time, in hours or days, to return a process to operation) and the recovery point objective (RPO, the maximum acceptable data loss, expressed as how far back the last usable recovery point may be). RTO and RPO are typically used to set resilience goals through business impact assessments (BIAs). Disaster recovery teams execute playbooks that have been tested – often months back in a different environment – and struggle to bring processes back online after an incident.
But all that has changed with the COVID-19 pandemic and the ‘call for change’ that worldwide protests are demanding. In a world where human speed is outflanked by digital transaction speed and decisions are made on real-time analytics – old approaches to business continuity and disaster recovery simply don’t cut it.
Developing real resilience means becoming ‘anti-fragile’ – a concept spearheaded by Nassim Taleb author of Fooled by Randomness, The Black Swan and Antifragile. Organizations and processes become anti-fragile by continually testing with small shocks to the integrated fabric of people, process and technology. Why? Because risks are interconnected. Risks can cascade. A COVID-19 hot spot can close access to a critical single-source supplier. Creating greater diversity and fairness at work can mean reworking resource plans and partnerships – in a good and sustainable way. In a world where rare events dominate the landscape because risks have cascaded in ways we’ve not anticipated, anti-fragile is the route to real resilience.
If you have been able to incorporate Risk Quantification, with a combined bottom-up, top-down approach to scoring risks, by aligning operational, infotech, security and cyber teams, you can now start moving from risk to true resilience. But to develop anti-fragility, your teams must do more – and increase the scope of resilience across a digital environment – not only within your organization but also across your vendors and cloud service providers (CSPs). This means aligning processes such as incident response that now have a larger, wider-spread impact across many distributed, virtual stakeholder groups. Anti-fragile as a goal, especially with increasing digital transformation, assumes your teams can see where a chain reaction could run across the technology and business process workflow – with upstream and downstream processes across CSPs connected to other third and fourth parties.
The best way to start building anti-fragility into resilience programs is to start acting with agility, begin building a strong capability to quickly adapt, leverage early warning signals and have tested, executable plans to bounce back.
Let’s look at some general categories with examples of how our current reactive practice can be transformed by building anti-fragility into our GRC programs and technologies.
Anti-fragile practice – Fix control/test failures faster and completely: treat the failure as a fix to make right away, before it gets tied up in a prolonged process. Then look across your environment and fix similar problems proactively: ask where else the same control could be failing.
Anti-fragile practice – Fix issues by going deep and wide: conduct a real root cause analysis (RCA) by asking the Five Whys, involving the right people across the organization and your CSPs. Use this as a point of real learning.
Anti-fragile practice – Be proactive on suspected weaknesses. For example: the cyber attack surface is growing with X-From-Home (work, school, medical check-ups, news, recreation, social visits, advice…). XFH has pushed the envelope and attackers have upped the ante. Also look at the infrastructure: what happens if there is a power outage? That is critical if a doctor working from home is on a call with a patient. What risk can you transfer? Where does your accountability stop and where is it shared? Think through your way of responding.
Anti-fragile practice – Be proactive on cloud modernization: if you have 20 CSPs now, think about everything that could be improved by consolidating onto leading, safer, more secure and scalable CSPs. Proactively define your standardization strategy, such as your SSO strategy across the cloud. You will need this kind of standardization to scale as an enterprise.
Anti-fragile practice – Up your game on monitoring and sensing mechanisms: we are seeing more and more utilities, cable operators and other providers using IoT and remote sensing technologies where real-time data is pulled and continuously analyzed, so that risks are avoided proactively. This puts an entirely new view on resilience. Think about your business and technology processes. What needs to be digitalized, and what can you continuously sense and monitor?
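The first practice above asks "where else could this be happening with the same failed control?", and the third asks where your accountability stops and where it is shared with a provider. The following is an added example, not code from the original post or from MetricStream's products, of how a risk team can answer both questions from control assessment data. The control names, asset names, provider labels and test dates are constructed sample data; the 90-day staleness threshold is an assumed policy value.

```python
from datetime import datetime, timedelta

# Constructed sample of control test results across the extended enterprise:
# in-house assets plus two cloud service providers (csp-A, csp-B).
# These rows are illustrative only, not data from the original post.
RESULTS = [
    {"control": "MFA enforced", "asset": "vpn-gw-1", "owner": "internal", "result": "fail", "tested": "2020-06-01"},
    {"control": "MFA enforced", "asset": "ad-fs", "owner": "internal", "result": "pass", "tested": "2020-05-28"},
    {"control": "MFA enforced", "asset": "crm-saas", "owner": "csp-A", "result": "pass", "tested": "2019-11-02"},
    {"control": "MFA enforced", "asset": "hr-saas", "owner": "csp-B", "result": "fail", "tested": "2020-04-15"},
    {"control": "Baseline config", "asset": "vpn-gw-1", "owner": "internal", "result": "pass", "tested": "2020-05-30"},
    {"control": "Baseline config", "asset": "payroll-saas", "owner": "csp-B", "result": "pass", "tested": "2020-05-30"},
]


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d")


def blast_radius(results, failed_control, as_of, max_age_days=90):
    """Given one control that has just failed, answer 'where else could this be
    happening?'.

    Returns a list of (asset, owner, reason) for every other asset subject to
    the same control that either (a) is already failing, or (b) last passed so
    long ago that the evidence is stale and the pass cannot be trusted.
    Confirmed failures come first, then stale entries, oldest evidence first.
    Assets with a recent pass are deliberately left out of the list.
    """
    as_of_dt = _parse(as_of)
    failing, stale = [], []
    for r in results:
        if r["control"] != failed_control:
            continue
        age = as_of_dt - _parse(r["tested"])
        if r["result"] == "fail":
            failing.append((r["asset"], r["owner"], "failing"))
        elif age > timedelta(days=max_age_days):
            stale.append((age, (r["asset"], r["owner"],
                                f"stale evidence ({age.days} days old)")))
    stale.sort(key=lambda item: item[0], reverse=True)
    return failing + [entry for _, entry in stale]


def by_owner(findings):
    """Group findings by who is accountable for the fix (internal team or CSP),
    so the shared-accountability question can be answered per provider."""
    grouped = {}
    for asset, owner, reason in findings:
        grouped.setdefault(owner, []).append((asset, reason))
    return grouped


if __name__ == "__main__":
    findings = blast_radius(RESULTS, "MFA enforced", "2020-06-02")
    for asset, owner, reason in findings:
        print(f"{asset:14} {owner:9} {reason}")
    print(by_owner(findings))
```

Run against the sample data with the failure on vpn-gw-1 as the trigger, the function flags hr-saas as a second, already-known failure of the same control and crm-saas as an asset whose last pass is over 200 days old; ad-fs, which passed within the last week, is left alone. Grouping by owner then shows which fixes sit with the internal team and which have to be driven through a provider, which is where the accountability conversation in the third practice starts.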
Remember, business continuity planning is not enough. Real resilience requires a commitment to developing anti-fragility across the entire fabric of your extended enterprise. We are in an unprecedented age of change – more digitalization and greater diversity, in both people and technologies, transforming our third-party relationships and the way we work. Anticipate this change and be ready to embrace it. Build anti-fragile concepts into your resilience strategy and plans.
Over the coming weeks, we will continue to explore more best practices and how security and cyber teams are adapting to COVID-19: from how risk quantification methods tie to the digital asset/impact chain, to Moving from Risk to Resilience (this post), to Orchestrating Risk across IT, cyber, op risk, incident and crisis response and other disciplines. Stay tuned!
Yo McDonald, Vice President, Customer Success and Engagement, MetricStream, is a seasoned executive in Governance, Risk and Compliance (GRC) consulting and product solutions. She drives customer engagement and retention, while fostering a culture of customer success at MetricStream.
Dr. Vidya Phalke is Chief Innovation and Cloud Officer.