
What Is Important? Cyber and Continuity Risk


Introduction

New risks are emerging every day in the realm of Cybersecurity, and many organizations are moving quickly to address these risks: developing documentation, procedures, and processes. However, this is often without regard for Cybersecurity best practices. To ensure sustainability, organizations must develop cyber policies, plans, and procedures and put effective controls in place. If these controls are already in place, they should be evaluated frequently to ensure that they address these emerging risks.

It is essential for every organization to review and update its security procedures and policies in order to prepare for emerging business and IT risks. Having a standard and consistent monitoring and incident response program is becoming more and more critical, as attacks occur more often and more viciously, targeting organizations of all sizes and industries. In addition, organizations need to continually upgrade their security awareness and training programs to educate employees and other stakeholders about new technology advances and about the techniques and tools available to prevent cyber attacks. Digital enterprises today need to tailor standard cyber risk methodologies based on best practices, such as ISO 27005, to fit their organization.

In the event of an attack, to ensure that critical business processes aren’t brought to a standstill, disaster recovery (DR) and business continuity planning (BCP) must be incorporated into the overall cyber-security program. A cyber incident affects both business and technology, thereby requiring disaster recovery and business continuity plans to be invoked and operationalized.

Cyber Security Policies, Plans, Procedures and Controls

Cybersecurity policies, plans, and procedures, though connected, play different and distinct roles. A policy is the highest-level document that expresses what an organization, group, or division will and will not do in terms of managing information and the associated risks. A plan is a document that outlines a clear path to accomplishing the policy’s goals. A procedure gives specific, step-by-step directions to the operator on how to effectively execute a particular task.

Controls are put in place to guard a system against loss or damage. For example, implementing a system of identification and authentication controls ensures that only authorized users and system components can access vital data. Though controls may vary, the end objective is to always mitigate or reduce a risk in some form.

Security Personnel, Physical and Environmental Security

According to the FBI’s Cyber Crimes Division, the majority of all data theft and computer-related crime happens via internal sources. Therefore, implementing personnel security measures appropriate to the type of business and the data to be protected is crucial. Safeguards like performing extensive background checks on new employees, separating duties, and administering the right controls, such as instant revocation of credentials after dismissal of an employee, all combine to help mitigate the risk posed by internal personnel. Physical and environmental security are equally important to protecting an organization from attacks.

Awareness and Training

The most vulnerable aspect of a system is undoubtedly the human element. Users need to be trained on how to protect the system from unauthorized access to valuable and confidential data. Users who hold other important information and knowledge are also one of the most attractive avenues for a cyber intruder. The training should include both technology and behavioral aspects to ensure that users do not divulge critical information over phone calls or emails without sufficient verification. Security training and constant reinforcement via ongoing awareness sessions reduce the risks associated with the human element of a security strategy.

Monitoring and Incident Response

During an emergency event that leads to system failure, a detected or active intrusion, or a virus attack, following a standard protocol with a designated response team is important for timely and effective incident response. It limits the extent of damage an attack can have on the organization.

Business continuity planning and plan exercising are important parts of ensuring a coordinated and standard incident response. They significantly limit the damage and improve recovery time.

Disaster Recovery and Business Continuity Planning

IT systems are vulnerable to a range of adverse events with the potential to seriously impact standard business operations, possibly compromising confidential data or the integrity and availability of information. Even though proper preparation and effective planning are vital mitigation strategies, it is impossible to completely eliminate the risks and the potential damage. For this reason, organizations should have no illusions about the potential threats.

Companies should take the utmost care when planning the precise steps to take in the event of a system disruption, whatever its magnitude. By ensuring a climate of constant testing and adjustment, implementing effective plans prior to any disruption can mitigate the potential damage and significantly lower the potential loss of productivity, revenue, and information.

Configuration Management

Without a clearly defined process that carefully accounts for policy mandates, security concerns, business impact, authorization, and oversight, configuration changes may seriously affect the stability and security of a system. As a result, organizations need to follow standard configuration management processes.

A configuration management process makes sure that network and system updates decrease the chances of penetration via malicious code. It also works to reduce the likelihood of human error.

Furthermore, in addition to the security benefits, following a specific and formal change management process delivers more business benefits. These added benefits include having a repeatable process for recreating a product, the capability to efficiently reuse components of a project or product, and important safeguards against the loss of intellectual capital should any loss of key personnel occur.

Cyber Risk Methodologies

Cyber risk methodologies normally entail a variety of processes to promptly detect and assess risk to a system or group of systems, providing a repeatable technique to conduct and administer risk management. Common to all methodologies are implementing the necessary resources to execute risk assessments; performing system testing, including observation, data analysis, and electronic testing (e.g., vulnerability scanning, penetration testing); and, lastly, establishing a way to track and monitor system vulnerabilities and mitigation activities (e.g., a plan of action).

Senior management needs to standardize and endorse the risk identification methodology to ensure effective results and consistency across the entire organization’s critical IT functions.

Summary

Comparing current cyber security activities with the desired level of preparedness enables the designated staff to properly identify weak links and to deploy the necessary enhancements, which can be accounted for to justify the investment budget. Establishing and enhancing cyber security capabilities that are fully integrated into the ongoing state of preparedness helps build a solid bedrock for collaboration and coordination across functions and through all levels of the organization. As more technology is integrated into our nation’s prevention, protection, response, and recovery activities, cybersecurity will continue to play a crucial role.

The blog content is contributed by Michael Redmond & Vibhav Agarwal. The original blog was published by Disaster Recovery Journal.

Admin_avatar_1498731489

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

5 Recommendations For Effective Governance, Risk And Compliance Management


Introduction

Cloud adoption continues to grow, which is evident from the fact that 2016 annual revenues for cloud vendors were “within touching distance” of $150 billion. Gartner also predicts that a corporate ‘no-cloud’ policy will be as rare by 2020 as a ‘no-Internet’ policy is today. However, a ‘cloud-ready’ security and compliance program is the need of the hour to manage the risks and complexities that come with cloud adoption. This will enable organizations to face cloud challenges which, according to RightScale’s 2016 State of the Cloud Report, include compliance with regulations, a lack of resources and expertise, governance and control, and security. Although security remains a mainstay challenge, confidence in cloud security is nonetheless rising; SkyHigh Networks points out that 65 percent of IT leaders think the cloud is as secure as, or more secure than, on-premises software.

To maximize the benefits of cloud deployments while mitigating the risks, companies need to prioritize a cohesive approach to governance, risk management and compliance (GRC). A cloud governance framework can automate cloud security, risk, and compliance workflows, enable stakeholder reporting and visibility, and ensure best practices and standards for cloud compliance.

With that in mind, here are five recommendations for ensuring a proper governance, risk and compliance framework for cloud assets and operations:

1. Improve cloud asset / service visibility

An essential first step is to understand the scope of cloud services in use within the organization and gain visibility into the whole cloud environment. IT and infrastructure managers need a complete picture of the processes running on cloud deployments, the underlying assets, and their ownership within the organization from both an IT and a business standpoint. While this may seem intuitive, the 1H 2016 Shadow Data Report states, alarmingly, that organizations use 841 cloud apps on average – an astonishing 20 times more than they thought they did. Organizations also need a well-defined policy to deploy, manage and run cloud applications and to categorize the sensitivity of the data held, so that the requisite controls are in place to manage that data.

2. Assess the cloud service provider (CSP) continuously

Businesses are always concerned about losing control of applications and infrastructure when deploying an application to the cloud. Assessing the cloud provider and building a working relationship with it, based on a mutually agreed framework, is very important. Organizations must select a cloud provider who can demonstrate validation of controls, including network security and physical datacenter security, as well as a standard audit framework conforming to the applicable regulatory standards.

Gartner recommends that organizations address several key issues when selecting a cloud hosting provider, including access privileges, regulatory compliance, data provenance, data segregation, data recovery and business continuity.

To gain a complete understanding of the CSP environment, organizations should also ensure that there is no ‘insufficient due diligence’, which the Cloud Security Alliance (CSA) rates as one of the ‘notorious nine’ cloud computing top threats, and establish a due-diligence framework to monitor the cloud service provider’s performance on a continuous basis.

3. Assign business ownership and accountability for critical cloud assets and services

Organizations should understand the importance of an effective governance function within the cloud environment. Cloud assets, cloud services, business objectives, business processes and policies must be documented, along with their operational relationships. Accountability for these processes and policies must be clearly assigned and consistently understood throughout the business.

Also, it is of utmost importance to establish accountability when customer information is intertwined with that of the cloud service provider. This includes logical separation of your data sets from those of the other customers / users, defining SLAs on both sides and categorizing the services consumed.

4. Know the cloud threat landscape and evaluate risks

Inevitably, there are risks with cloud environments as there are with all storage and retrieval systems, both electronic and manual. Businesses must understand the cloud threat landscape, effectively evaluate and mitigate risks and protect themselves and their interested parties from exposure.

The likelihood of threats rarely lessens, but threats do change in nature, and for this reason companies should be continually alert and abreast of the latest developments. SkyHigh Networks revealed, in its Q4 2016 Cloud Adoption and Risk Report, that the average company experiences over 23 cloud-related security incidents each month. Yet, despite this, a different study – the 2016 Global Cloud Data Security Study from Gemalto and the Ponemon Institute – discovered that 54 percent of respondents didn’t agree that their companies have a proactive approach to managing security and complying with privacy / data protection regulations for the cloud. Therefore, it is imperative that organizations prepare for security threats to the cloud before becoming a victim.

5. Leverage standard risk / control frameworks to assess compliance

Businesses should assess cloud compliance with regard to security, privacy practices and policies. Among the best-known risk and control frameworks is the Cloud Security Alliance (CSA)’s GRC stack, which provides a toolkit to assess private and public clouds against industry-standard best practices and compliance requirements.

Others include the CSA’s ‘Treacherous Twelve’ Cloud Computing Top Threats, ISACA’s Cybersecurity Threats and Controls, the National Institute for Standards and Technology (NIST)’s Framework for Improving Critical Infrastructure Cybersecurity, ISO/IEC 27017, ISO/IEC 27018 and the Center for Internet Security (CIS)’s Critical Security Controls.

Leveraging industry standards provides a level of assurance that best practices are followed both by the organization and by cloud service providers.

Businesses can achieve enhanced information security, compliance and risk management as well as reliability, operational control and transparency with effective implementation and extension of the GRC framework to their cloud assets and operations. Adhering to best practices and standards will deliver informed decision-making and ongoing management, placing the business in a better position to reduce risk and realize the benefits of the cloud in enhancing business performance.

The original article was published via Cloud Tweaks.


3D Printing – Boon or Bane


Introduction

The 3D printing market is growing at an average of 35% CAGR and is set to quadruple to $12.5 billion by 2018 from $3 billion in 2013 (Wohlers Associates 2014 report). At the same time, however, organizations face heavy penalties and loss of brand and reputation due to the risks associated with 3D printing. For instance, mishandling of patient information through 3D printing software, and the associated violations of HIPAA compliance, has already resulted in $9 million in fines for US-based companies in the last year alone.

Consumers around the world are converging on newer technologies that allow customization and immediate product delivery. Just as e-commerce companies have done this for consumers, will 3D printing do the same for organizations?

The 3D printing industry emerged in the 1980s, when it was known as Additive Manufacturing and used for product development and rapid prototyping. With new design technologies and faster printers available, the trend has quickly shifted to mass production. General Electric, as part of the LEAP project, has started to mass-produce close to 25,000 aircraft fuel nozzles using 3D printing technologies. Similarly, USPS has partnered with 3D printing service providers and is planning to purchase printers for on-site use in order to deliver 3D-printed packages to consumers when they need them. This service is expected to add $485 million in incremental revenue for USPS.

To meet this increased demand, organizations small and large are either providing 3D printing as a service or manufacturing 3D printers. For example, HP has been relying heavily on sales of the two 3D printer models (HP3200 and HP4200) it launched in May 2016 to make up for its declining PC and 2D printing business. Additionally, several startups have received funding to leverage the potential of this growing market.

3D Printing is set to disrupt the Manufacturing industry, however, organizations are cautious about adopting this technology as there are initial upfront costs, design complexities, increased raw material costs, and slow print speeds.

While the market demand, potential and revenue upsides are high, the risks associated with 3D Printing must not be ignored.

  1. Cyber Security

3D printers work by accepting a CAD/STL design file, typically while the printer is connected to the Internet through Wi-Fi. This makes it possible for hackers to inject a virus into the design file, which can change the orientation of the print head. As a result, the printer could produce products of low quality; in such cases, organizations may have to recall the product and suffer damage to their brands and reputations.
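One defensive control against a tampered design file, added here as an example that is not part of the original post: before a binary STL file is released to a printer, check that it is structurally well-formed and that its integrity tag still matches the tag recorded when the design was approved. The sample STL, the shared key and the HMAC-based tag are all constructed for this example; a production pipeline would more likely verify a digital signature from the design authority, but the gate works the same way. A single modified vertex is enough to fail the check.

```python
import hashlib
import hmac
import math
import struct

# Constructed key for the demo; real deployments would sign approved designs
# with an asymmetric key held by the design authority, not a shared secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"

HEADER_SIZE = 84    # 80-byte header + 4-byte little-endian triangle count
TRIANGLE_SIZE = 50  # 12 little-endian floats (48 bytes) + 2-byte attribute count


def build_binary_stl(triangles, header=b"constructed sample"):
    """Build a binary STL from (normal, v1, v2, v3) tuples of 3-float vectors."""
    data = header.ljust(80, b"\0")[:80] + struct.pack("<I", len(triangles))
    for normal, v1, v2, v3 in triangles:
        data += struct.pack("<12fH", *normal, *v1, *v2, *v3, 0)
    return data


def validate_binary_stl(data):
    """Structural checks: file length consistent with the declared triangle
    count, and every coordinate finite. Returns (ok, reason)."""
    if len(data) < HEADER_SIZE:
        return False, "shorter than the 84-byte binary STL header"
    (count,) = struct.unpack("<I", data[80:84])
    expected = HEADER_SIZE + TRIANGLE_SIZE * count
    if len(data) != expected:
        return False, f"{count} triangles implies {expected} bytes, got {len(data)}"
    for i in range(count):
        off = HEADER_SIZE + TRIANGLE_SIZE * i
        values = struct.unpack("<12f", data[off:off + 48])
        if not all(math.isfinite(v) for v in values):
            return False, f"non-finite coordinate in triangle {i}"
    return True, "ok"


def integrity_tag(data, key):
    """HMAC-SHA256 tag recorded when the design is approved for production."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_design_file(data, expected_tag, key):
    """Gate a file before it is sent to the printer: structure first, then tag."""
    ok, reason = validate_binary_stl(data)
    if not ok:
        return False, reason
    if not hmac.compare_digest(integrity_tag(data, key), expected_tag):
        return False, "integrity tag mismatch: file differs from the approved design"
    return True, "ok"


def tamper_vertex(data, triangle_index, vertex_index, new_x):
    """Return a copy with one vertex X coordinate replaced (simulated tampering).
    Layout per triangle: 12-byte normal, then three 12-byte vertices."""
    off = HEADER_SIZE + TRIANGLE_SIZE * triangle_index + 12 + 12 * vertex_index
    return data[:off] + struct.pack("<f", new_x) + data[off + 4:]


if __name__ == "__main__":
    # One constructed triangle is enough to show the three outcomes.
    approved = build_binary_stl([((0, 0, 1), (0, 0, 0), (1, 0, 0), (0, 1, 0))])
    tag = integrity_tag(approved, DEMO_KEY)  # stored with the approved design
    print(verify_design_file(approved, tag, DEMO_KEY))
    print(verify_design_file(tamper_vertex(approved, 0, 0, 5.0), tag, DEMO_KEY))
    print(verify_design_file(approved[:-10], tag, DEMO_KEY))
```

The structural check runs first so that a malformed file is rejected with a specific reason, and the tag check then catches any file that is well-formed but differs from what was approved. The tag must be stored separately from the file (for example in the release record of the design), otherwise an attacker who can modify the file could recompute it.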

  2. Counterfeit

Using 3D Printing technologies, products can be duplicated easily and exported as the originals. This can pose security risks, and can infiltrate the supply chain. Blueprints of the products can get into the hands of attackers through the CAD/STL file, which could have a disastrous impact on the company and its relationship with consumers.

  3. Supply Chain

3D printing technologies are set to disrupt the supply chain for many organizations, as their products will now be available at the point of use as raw materials. This will be difficult to regulate, especially in the healthcare industry, where the FDA recommends design controls from the point of origin in manufacturing to the moment the product leaves the facility. In the case of 3D printing, it is unclear what will be regulated – is it the CAD file leaving the facility, or the part that was printed at the point of use?

  4. Intellectual Property

Just as the music industry suffers from piracy, the 3D printing industry is vulnerable to similar threats. File sharing will become common online and can cost organizations billions in lost IP file designs, which can also lead to counterfeiting. This is not common right now, but it is a serious potential risk that we must be mindful of as the market matures.

  5. Drugs

The healthcare industry needs to be cautious when using 3D technology, as patented drugs can be printed by illegal drug manufacturers. Researchers have used a sub-$2,500 MakerBot 3D printer to manufacture illegal drugs and to fabricate tiny implants containing certain chemicals, which release specific drugs when placed in the human body. If this isn’t tightly managed, the potential for disaster could be huge.

  6. Weapons

Anyone with a CAD/STL design can create input files for 3D printers. Criminals can get access to such files online for producing guns at home. In 2013, a law student from Arkansas printed a gun on a 3D printer. The design file used for the gun was made available online and was downloaded over 100,000 times around the world before the State Department ordered it to be taken down.

There are great opportunities with 3D printing technology, but understanding its implications and risks, and regulating the process and execution is critical. Public and Private partnerships are needed here, to help us realize the great potential of this growing market, while protecting consumers and organizations alike from risks at hand.


Basel IV: The Next Step for Capital Requirements


Introduction

Basel IV will certainly have operational impacts on the day-to-day governance and risk management of financial institutions – but it also stands to have a wider impact on the competitive banking market. These effects could include industry consolidation and a change in banking portfolios, which could eventually lead to a reduction in choice for their customers.

On the one hand, Basel IV will instigate a higher level of financial disclosure, meaning that customers will have more information to help them make choices. However, on the other hand, customers may discover that providers have shrunk their portfolios to mitigate the capital impact of the changes, leaving fewer options open to them.

Basel IV forms part of the arsenal deployed to protect economies from the risk of another financial crisis. A large part of its impact will be on capital requirements, with a projected average increase of an eye-popping 40 percent. While the mandate on capital requirements is intended to create a stronger banking system overall, such a leap clearly represents a sea change for individual banks.

At the same time, the revised method of calculating capital requirements is designed to bring standardization and consistency to the industry.

Measuring Up

The capital requirements of the cumulative Basel requirements – coupled with other measures that impact how market, credit and operational risk is managed – create a public standard against which banks will be judged. How they measure up against this standard is increasingly subject to public scrutiny, and there is a higher level of interest in the aftermath of the financial crisis. Consumers are now increasingly aware of (1) the significance of banks’ operational activities; (2) banks’ policies, processes and practices; and (3) how these policies, processes and practices can impact the economy and society at large.

Most recently, results of the Bank of England’s stress testing – which looked at banks’ capital adequacy and resilience to stand up to a range of challenging hypothetical scenarios – highlighted where more needs to be done by banks to shore up their financial strength. Encouragingly, the banking system as a whole stood up to the test, but some individual shortcomings were exposed – most notably at the Royal Bank of Scotland. Revelations like these can give rise to speculation over how a bank will alter its activities to better capitalize.

Through increased transparency, standardization and stress testing, customers, analysts and investors become more aware of how regulated institutions perform and stack up. Indeed, a lot less is now open to interpretation.

Each institution’s level of compliance and performance becomes a measure of its own good governance and stands to impact the level of trust and faith that customers, investors and analysts have in the business. This in turn impacts the company’s reputation and the choices that investors and individuals make.

The Shift from Tactical to Strategic

Mandates around capital requirements and other market, credit and operational risk activities are shaping the way banks approach risk management. They are also paving the way for more consistent approaches to be taken across the industry.

For the risk manager, this means more standardization with a lot less left up to the judgement of the individual bank. Institutions with a healthy outlook on change will recognize that this presents opportunities as well as challenges.

Undoubtedly, it creates a burden of knowledge acquisition and maintenance – e.g., governance, risk and compliance (GRC) professionals must get (and stay) up-to-speed on all new and changing regulatory requirements.

In the case of the new standardized measurement approach (SMA) capital model, once compliance is in place, the resources that had previously been devoted to the company’s bespoke advanced measurement approach (AMA) capital model can be reassigned to focus on other activities. The adaptable business will ensure these activities add strategic rather than tactical value by, for example, generating business insight through data analytics.

There is also an opportunity to realize efficiencies by replacing or complementing in-house solutions with third-party, enterprise-level software that can routinize the approach to operational risk data management and ensure regulatory compliance.

All of this results in higher levels of interest in an integrated GRC approach and, in particular, the advantages this can bring in terms of information integration across the business and the rapid and efficient transformation of data into management information.

For providers of GRC solutions in the financial services industry, this regulatory reshaping of the way banks manage risk is a significant change. Solutions providers are well positioned to take advantage of the consistency that regulation brings through compliant solutions that calculate, measure and manage risk in line with standards. For banks, the upside is freed-up internal expertise that can refocus on meaningful business analytics to generate opportunities and create market advantage.

Transparency for Informed Choice

For consumers, standardization supports consistency of measurement and reporting. Moreover, much of this goes to the public record, accessible by any investor including consumers. Through this information, consumers are better able to understand how well their bank is capitalized relative to other banks, and are therefore able to make their own judgements over whether that bank is creditworthy enough for them.

This increase in transparency is evident across a range of factors, including operational aspects such as customer service levels. With higher quality information available on the performance of all banks, customers are better able to make informed choices based on the criteria that are important to them.

For banks’ corporate customers, there is likely to be concern over the impact tighter regulation will have on market choice and the cost of providing their services. A competitive marketplace and a strict regulatory regime can lead to a reduction in competition, because of bank consolidation and reduced portfolio offerings. The upshot is that, although more information may be available to help consumers and businesses make informed choices about the bank they want to do business with, there may be less choice and higher pricing.

Public scrutiny can lead banks to raise the level of self-assessment they routinely undertake. Generally speaking, this is a positive thing for companies of any type. Regular internal audits and assessments can lead to greater levels of efficiency, a culture of continuous improvement and a focus on the most compliant and effective ways of working.

For banks that are seen to be performing well through their Basel IV reporting, stress test outcomes and other assessments, it is reassuring to customers – and those with a vested interest in those organizations – to know that they meet requirements and are resilient enterprises. Pleasing outcomes from regulatory monitoring and assessments paint a solid picture of an institution’s governance, compliance and risk management.

Shifting Risk

The reasons behind recent regulatory measures, including the latest Basel implementations, are clear. However, the wider impact that these measures will have in a competitive market – including the effects on industry consolidation and consumer choice – should also be considered.

While increased capital requirements are designed to create a stronger banking system, there are implications for the industry as a whole. In the broadest sense, risk within the system will simply be moved around, rather than removed.

If one institution won’t lend to a corporate customer because it can’t cover the risk and meet its capital requirement, that business is still going to get funding from somewhere. The source that provides funds will most likely be one that, while still part of the collective risk of the economy, is less visible than those in the regulated banking market.

The original article was published by GARP.


Governance at the C-Level: The Evolution of the CRO and Other Factors Driving Risk Management


Introduction

Organizations continually adapt as markets, operating environments and demands change. Business roles, responsibilities and management structures have shifted in the face of today’s mobile, social, global and networked world.

To keep pace with this change, responsibility for governance, risk management and compliance (GRC) has moved up the hierarchy and, appreciating its significance in driving business performance, C-level executives (aka CXOs) are working to embed a GRC ethos into the business fabric.

A robust GRC program seeks to mitigate and manage many significant risk and compliance issues. These include product recalls; compliance failures and fines; corporate scandals; uncertainty around social, economic and political turmoil; and cybersecurity breaches. The latter, in particular, has been a mainstay in our newspaper headlines — and that’s not surprising when you consider that 66 percent of organizations have faced at least one cybersecurity attack in the past 12 months.

Organization-Wide Reorganization

C-level roles are evolving and responsibilities in the organization are also being realigned. For example, compliance used to report to the chief legal officer (CLO), whereas it is now under the auspices of the chief risk officer (CRO) at some banks.

This is a step forward. Not so long ago, GRC activities were often managed in small power centers or by a tiny group of individuals. Now, the responsibility is more central to the business. Indeed, an encouragingly high proportion (69 percent) of respondents to a 2016 GRC survey cited senior leadership as a role/function most likely to add value to GRC activities.

Senior sponsorship and embodiment of a GRC ethos is critical, but so too is an awareness and understanding throughout the organization. GRC activities must have a wide reach (both within and outside the company), and there is evidence that this is increasingly understood.

Take, for example, the position of partners and suppliers. In the past, they have often been excluded from GRC planning, activities and monitoring. But now roughly 70 percent of organizations include third parties in the scope of their cybersecurity programs.

This is a sign of progress — but there is more to do, nonetheless.

All Eyes on Corporate Governance

Good corporate governance not only sets out and communicates key policies (including those around ethics and policy compliance) but also covers enterprise risk and regulatory management. Moreover, it lays down the company’s risk philosophy, explaining how risk will be monitored and mitigated.

Of course, a comprehensive risk approach can’t be stationary — it needs to be agile and responsive. At some times, and across different parts of the business, the company may need to be more or less risk averse, depending on conditions, objectives and performance goals.

The goal is corporate growth and performance, but it has to be sustainable, ethical and verifiable through a business’s reliability and transparency — as well as through positive audit outcomes. This is why corporate social responsibility (CSR) is a strong emerging element under the corporate governance umbrella and occupies an increasingly prominent role in C-level priorities.

Business reporting must cover not only operations and performance but also compliance and risk management. To ensure effective corporate governance, reporting insights must account for the entire value chain — including vendors, strategic partners, government and regulatory agencies, analysts, investors, employees and customers. Here, we see GRC technology playing an enabling role.

Tone at the Top

A recent research report found that 92 percent of respondents believe organizational culture is a key contributor to enterprise resilience, suggesting that “… business longevity is not just a matter of being able to survive the latest disruption. It is about evolving in the face of change in a dynamic and complex world.”

Culturally and structurally, we do see that organizations are starting to take proactive steps to establish a strong ‘tone at the top’ that is reflected throughout the organization. Ensuring that all employees embody the firm’s risk and compliance vision — and, moreover, deliver its objectives through their day-to-day actions — is critical.

Of course, culture develops slowly and is often the last thing to change. Embedding GRC activities into systems and processes helps establish work habits that will, in turn, influence culture and establish good practices through documented (periodically reviewed) policies and procedures.

However, employees still need to be motivated to get on board with change. Only through their engagement will corporate culture start to shift to where leadership wants it to be. This is where a proper incentive program can help.

As Lori A. Richards, the former director of the SEC’s Office of Compliance Inspections and Examinations (OCIE), once suggested, corporate compensation systems should incentivize production, but in a manner that is consistent with the law, a firm’s code of ethics and the internal compliance and risk culture of a firm. “If the firm’s compensation incentives include only hard production numbers — how many accounts did you open, how much profit did you generate, how many deals did you ink — the firm may encourage employees to do so at any cost, and at cost to the firm, to its reputation and to its customers and clients,” Richards advised.

Welcoming a Changing Workforce

Mature millennials are now moving into, or already occupy, senior positions — and their outlook, attitude and ways of working now influence and even lead organizational change. This younger segment of the working population doesn’t relate to rigid hierarchies or inflexible linear processes.

They are used to social collaboration, mobile working and the use of cloud from their own personal lives. Their progressive outlook is impacting organizational and business models, with management structures springing up that support quick decision-making, faster cycle times and agility. Not surprisingly, more and more technology companies in Silicon Valley are adopting so-called ‘flat’ structures.

This agility, flexibility and ‘can-do’ attitude is a breath of fresh air in many organizations — but matters of governance must always be covered. At inception, company founders must not only ask themselves how the company will be sustainable over the long-term but also put in place the foundations for a sustainable, risk-aware corporate culture.

This is critical, as it is the responsibility of founders and leaders to give the ideal culture every chance of thriving through a blend of creative minds, diversity and different experiences and backgrounds.

From the top down and bottom up, everyone must play a role in the integration of GRC into the fabric of an organization. This firmwide approach preserves corporate integrity and protects the brand and its reputation, creating prime conditions for high performance.

The original blog is featured on GARP.

Gaurav Kapoor Co-founder & Vice Chairman

Gaurav Kapoor is the Co-Founder, Vice Chairman and Board Member at MetricStream focused on AI-First growth strategy and execution, customer expansion and market competitiveness.

Prior to this, as CEO, Gaurav led MetricStream to become a global market leader in Governance, Risk, and Compliance (GRC), delivering value to customers, shareholders, employees, and partners. Over the past decade, he has played key leadership roles—Co-CEO, Chief Operating Officer, and Chief Marketing Officer—driving Strategy, Go-to-Market, Sales, Marketing, Partnerships, Customer Success, Service Delivery, and Support through various phases of the company’s growth.

Gaurav also served as the founding CFO of the company helping lay the early foundation for the company’s long-term success. Under his leadership, MetricStream has expanded its global footprint, serving customers in over 30 countries with a workforce of more than 1,000 employees. Its investors have included BlueTorch Capital, Goldman Sachs, Clearlake Capital, Sageview Capital, CM Growth, Kaiser Ventures, and Singapore’s Economic Development Board (EDBI). MetricStream counts many Global 500 companies among its customers.

Prior to MetricStream, he was at OpenGrowth, an incubation and venture firm where he helped build and grow several companies including ArcadiaOne and Regalix. Prior to that, he spent several years in high growth business roles at Citi in Asia and the U.S including consumer digital payments and derivative financial products.

Mr. Kapoor has a Bachelor's degree in Technology (with Honors) from the Indian Institute of Technology, a degree in Business from FMS, Delhi, and an MBA from the Wharton Business School, University of Pennsylvania, where he graduated as a Palmer Scholar. He served for a decade on the board of Regalix, a digital innovation and marketing company, and has been an investor and advisor to other technology companies.

Apart from a high degree of customer intimacy from working closely with dozens of the largest global organizations, he has been a regular contributor and speaker at the GRC Summit, IIA, Ops Risk, GARP, RMA, and SIFMA, among many other industry platforms. He is also a member of the Forbes Technology Council and an NACD-certified member.

Blogs

Balancing Risks and Opportunities: The Board’s Perspective

6 min read

Introduction

People start a business for many reasons. Some do it out of sheer passion, while others do it to create wealth and economic growth. Yet, underlying it all is a willingness to take risks. Entrepreneurs and established companies make risky decisions every day in the hope that those risks will translate into better opportunities, better performance, and greater profitability. However, as we all know, too much or too little risk can be a bad thing. So, how do you find the middle ground? How do you effectively balance risks and rewards for optimal success? In this regard, I believe a lot of great advice can come from your board of directors.

Many startups choose not to establish a board of directors until a few years down the line. However, I’ve found that the startups that grow the fastest are often those that built a good board of directors as soon as they started their business. Having a board helps you keep your eye consistently on the strategic aspects of your business which, in turn, helps you attract investors and customers. What’s more, a board, being responsible for corporate governance, plays a major role in ensuring that your risk management program is as robust as it needs to be.

A few weeks ago, I had the pleasure of joining a boardroom panel discussion at the MetricStream GRC Summit 2016 in Washington, DC, on the subject of “Leading with Governance, Risk, and Compliance.” With me on the panel were eminent business and government leaders, and board directors: Kenneth Bacon, Co-Founder and Managing Partner, RailField Partners, Board Director at Comcast; Rodney Slater, Partner, Squire Patton Boggs, Former United States Secretary of Transportation, Board Director at Verizon Communications; and Candace Duncan, Former Managing Partner at KPMG, Board Director at Discover Financial Services, FTD Companies, and Teleflex.

The panel, which was moderated by Bill Coffin, Editor in Chief of Compliance Week, shed some light on what companies – both large and small – should be doing to effectively balance risks and opportunities. Here are some insights and key takeaways from the discussion:

The Top Risks Keeping Boards Up at Night

While companies are getting better at managing operational risks, the primary concern for many boards is controlling external risks – whether they be geopolitical uncertainties, changes in buyer behavior, financial volatility, regulatory changes, or cybersecurity risks.

Kenneth Bacon added, “An opportunity that presents a lot of risks is what I call the democratization of technology. There was a time when all the data in a company was centralized and controlled by a few people, and the velocity of information was relatively slow. So it was easy to control things.”

Today, however, the situation is different. Now, many more employees have access to confidential information about the business. “What’s to stop them from leaving their iPad on the plane or talking about things with their neighbor?” asks Bacon. Something as simple as an open calendar can be manipulated for information if it falls into the wrong hands.

“So on one hand, you have this need to be faster and spread out technology, but the more you do it, the harder it is to control the risks associated with all that information floating around the company,” he remarked.

These risks become increasingly challenging to manage as the company grows. However, even in a small startup, there are many risks that matter – such as hiring the wrong leaders, not getting sufficient investor support, or lacking a competitive advantage. Then there are product risks (can we translate our vision into a successful product?), market risks (do we have customers who are willing to buy our product?), and cash risks (can we generate enough money to self-sustain the business?).

Mitigating Risks and Seizing Opportunities

Given the range of risks that affect both large and small companies, here are four best practices to effectively balance downside risks with the upside risks, from the board’s perspective:

1. Give Risk and Compliance Professionals a Seat at the Table

Unlike traditional risk and compliance management – which was largely a retrospective look at the risk incidents that occurred – today, boards and C-suite executives want to spend more time looking ahead at what risks could occur; what can be done to keep them in check, or more importantly, what can be done to transform them into opportunities.

The best people to answer these questions are risk and compliance executives, which is why it is so imperative that they be included in board discussions. Noted Candace Duncan, “Compared to ten years ago, there’s now a seat at the table for the risk and compliance individual. That individual is there to not only help protect and prevent, but also encourage the strategy.”

2. Ensure that Risk Information is Communicated to the Board in a Simple Manner

Once risk professionals have a seat at the table, the onus is on them to report risk data to the board as effectively as possible. Remarked Duncan, “It can be very difficult boiling down what you and your team have spent thousands of hours on, into a 15 minute presentation. But keep it simple. Make sure that what you’re presenting is efficient and effective for that board member…What do you want us to learn from this information and how do you best share it? It isn’t easy to do, but putting effort and energy into that can be very helpful.”

It’s also important to set a context for the issues that are reported. Are they big or small? Which part of the business do they affect? What will be done about them? The truth is that board members may not be aware of the ins and outs of risks. They need clear, comprehensive information to make decisions.

3. Pay Attention to How Other Companies Tackle Risk

Sometimes, the best way to decide whether or not to take a risk is to look at how other companies are doing it. Bacon observed, “One thing that companies often neglect is the competitive element. If there’s a risk, and you’re pointing it out to me, I want to know what my competitors are doing. Are they taking the risk or mitigating it? If you tell me not to take this risk, but my competitors are taking it, I need to know that… Risk doesn’t exist in a vacuum. Sometimes, it’s relative.”

Bill Coffin reminded us that the biggest risk can be not taking a risk at all. That information also needs to be communicated to the board, so that it can choose how to take risk intelligently and manage it well.

4. Implement an Effective Risk Management Framework

Incidents like the Panama Papers leak and even the upcoming presidential elections are poised to trigger significant regulatory changes that may bring some serious risk and compliance challenges. So, it’s important for boards and the C-suite to get back to the basics and make sure that they have the right risk management framework in place. Scenario planning also helps you prepare to respond effectively to a potential risk.

“I would add that one thing to do is to get the issue of risk and risk mitigation on the strategy agenda,” said Rodney Slater. “Generally, a strategy session stretches across 2-3 days, and gives you the time to sit, digest, contemplate, and respond to risk data. That’s better than a board meeting where you’ve got a number of things to get through.”

In an increasingly volatile and regulated business landscape, the board of directors is no longer just an oversight function, but an active participant in building a risk-intelligent organization. However, risk management is ultimately a concerted effort. Therefore, risk and compliance professionals must engage in board discussions, communicate risk intelligence effectively to support decision-making, learn from how other companies manage risks, and ensure that robust processes and controls are in place to balance risks and opportunities.

Disclaimer: The original draft of this blog was published by Xconomy.

BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

Blogs

How to Manage the Complexities of Evolving Business Risk

6 min read

Introduction

All businesses today must acknowledge the state of the market in which they are operating and the ways it has evolved to breed risk. Truly, today’s business climate is volatile, uncertain, complex and ambiguous.

Technology has unquestionably empowered companies to innovate quickly. However, new challenges have arisen as a result. Years ago, the cable industry had no legitimate competition, yet services like Netflix have gained rapid momentum and are now used in 40% of households with TV and broadband internet.

With the potential for external and internal risks to arise at an accelerated pace – alongside the risk of “left-field disruptions” – organizations are experimenting with new approaches to foster innovation, secure a sustainable leadership position and mitigate new risks. However, they still must be careful, because so much is at stake with each business decision made. (An experimental offering can, for example, cause irreparable harm to your business.) As such, it’s time to re-evaluate how your organization operates with respect to balancing risk and opportunity.

It is important to note that no company is immune to the volatile and fluctuating market today. Even on the most successful end of an industry’s spectrum, we are seeing a pattern in which the lifespans and successes of companies on the New York Stock Exchange are shrinking. On the other side, smaller, more nimble companies have mastered momentum – emerging as clear winners, demanding market share and industry attention.

The reason is clear and there is a lesson to be learned. Start-up companies are outliers in the market and institute a fresh way of working. They value customer feedback and create offerings in lock step with emerging expectations, making more effective use of data than older, established organizations. This allows them to take deliberate, calculated risks.

In order to compete, it’s important to create a culture and follow procedures that combine multiple risk management processes to create a new, more nimble and holistic approach to risk management.

Let’s now review some steps your organization can take to achieve the optimum balance of risk and opportunity:

  1. Embrace the role hierarchies and culture play in operational successes and risk mitigation. New, rapid-pace players – “left field disruptors” in the market – are a risk to your business. However, just as they are able to execute quickly, your organization has the same potential.

    Therefore, it’s beneficial to have a balanced view of risk and opportunity, stemming directly from a strong corporate culture, based in a factual and strategic basis rather than anecdotes from yesteryear. This corporate culture allows millennial workers the transparency to understand how their work is related to business objectives, while ensuring that these staff feel empowered with data and technology to make the right decisions about their work without waiting for top-down direction.

    Today’s workforce is connected, energetic and eager to make their mark. They are highly networked and relationship oriented. In fact, 55% are connected to 100 people or more through social media, with a tendency to form active communities and a desire to be in control.

    Understanding these behaviors reveals ways to best empower, reward and motivate your workforce. This is why many companies are incorporating a flat structure within their organization. This also strengthens transparency and fosters accountability, mitigating risk.

  2. Rethink the methods implemented to manage third parties with data. Management of third parties, including vendors, introduces uncontrollable external risk factors. If you are reading this, you are likely familiar with many approaches to risk mitigation as it pertains to your extended ecosystem of partners, third parties and vendors. Gaining a holistic, real-time and 360-degree view across this ecosystem requires an organization to make smart use of all internal and external data available.

    Undoubtedly, risks stemming from third parties – who are also influenced by market conditions and events – can have a financial and reputational impact on the parent organization. To combat these risks, various functions across the organization must collaborate and make smart decisions based on data.

    When all of the functional groups – i.e. audit, risk, compliance and vendor management – are collaborating, sharing information, interpreting incidents and working in tandem, a true, live and beneficial understanding of potential third-party risk can be obtained.

  3. Scrutinize what’s on the horizon and learn from prior executional stumbles. There are multiple ways to analyze risk as it pertains to learning or planning. Loss-event analysis looks back at history, while a scenario approach provides a long-lead view into projections.

    In between, an organization can actively measure metrics to provide an accurate view of the current risk landscape. Together, these many types of risk management functions provide a complete picture – although this may not be the most common approach, as it is costly and both time and resource intensive.

    There was once a time when you could have a legitimate debate around whether one should invest in the best risk management procedures as a precaution or roll the dice and absorb the costs should an unlikely risk occur. In today’s market, this is no longer up for debate.

    Each and every company needs a complete, proactive process. This way of operating is not bound to just one industry or company. Rather, all companies today must aim for a complete view of risk when planning and executing operations.

    Whether you’re in automobiles or in healthcare – wondering, for example, if a merger for the purpose of tax benefits is the right route for your business – you need to be able to work through the business risk assessment and scrutinize what’s on the horizon. This new holistic risk management process will ensure that while you look at the future and present, you can still exercise hindsight and ask the right questions – e.g., what sort of missteps has your organization (or other companies) had? And how does that affect the health of the company?

    Rather than get into a market and scramble to ensure compliance, earn the right to dominate the market by planning for the regulatory compliance, industry standards and internal policy compliance.

  4. Identify opportunities to foster change through technological experimentation. As part of an effort to find new operational efficiencies, your company should be constantly evaluating new technological resources. You must not only conduct reviews of the latest offerings you see your competitors using but also experiment with tools that are untested. This approach will allow your organization to obtain a competitive advantage, optimizing procedures and mitigating risk across the enterprise.

    Create a task force and execute a survey to learn where there are pain points in your organization – and to match them to the latest technological offerings. This will allow you to implement the latest, most powerful and convenient solutions, rather than chaining your organization to the email and program suites of yesteryear.

    Applications like Prezi and Slack have completely reimagined the way anyone can present or communicate information, changing the pace and methods in which the workforce can share feedback, ideas and requests – and enabling corporations to execute at the speed of today’s competitive market.

Parting Thoughts

The steps we’ve discussed present a new way of addressing business risk, enabling your organization to obtain a leadership position in a climate that may seem risky and ever-changing but also tremendously exciting. These measures and processes address internal and external risks that may arise, through the lens of the modern, lean, youthful and optimized market challenger – and, in many cases, the leader.

Embracing a new hierarchy and motivational process for today’s workforce enables an organization to unlock the potential of employees by structuring opportunities in a way that speaks to their motivation, habits and goals. Just as business risks evolve and cause you to reassess strategy, the same holds true for your partners. Therefore, reimagining how you collaborate with third parties is an essential step in mitigating associated risks.

All businesses today must have a complete risk assessment strategy, rather than letting the upfront cost or resources needed to implement a process serve as a deterrent. As technology evolves, the businesses that evolve with it will be the ones rewarded with market leadership.

Disclaimer: The original draft of this blog was published by GARP.

BLOG ADMIN

Related Resources

Blogs

Pharmaceutical Recalls: A Risk and Compliance Roadmap for Manufacturers

4 min read

The three aspects a manufacturer must swiftly address in the instance of a pharmaceutical recall.

All manufacturers and distributors wish to avoid having to recall a product. Through governance, risk and compliance tools, and processes they aim to safeguard product quality and standards. This takes not only attention to detail and precision within the company’s own business operations, but also with those of its suppliers and third parties, as well as effective monitoring and assessments across the whole supply chain.

However, plans do have to be made around handling a product recall should one need to happen. With increasing regulatory demands and complex international supply chains, effectively managing a pharmaceutical recall takes a coordination effort of many responsibilities.

Among the many aspects a manufacturer has to get right is the identification of key decision makers, a clear understanding of roles and responsibilities, and a robust communications strategy. The damage to company brand and reputation can be severe for those that get it wrong.

1. Decision Makers

The Food and Drug Administration (FDA) is responsible for protecting human health by ensuring the safety of pharmaceutical products. It can request a product recall when it becomes aware of a problem (and, for some product categories, order one), but most recalls are initiated by the manufacturers themselves.

The FDA takes an advisory as well as an enforcement role, providing guidance on recall processes and the action needed at each stage. Senior management, quality assurance, regulatory liaison, and communicators will be central to a manufacturer’s recall process.

An effective product recall hinges on the company’s level of preparation. Identifying, training, and updating the core team that will be involved in the event of a recall is essential, as is clearly establishing decision-making authority at each stage of the process. Plans should be regularly tested to identify any knowledge or process gaps that must be filled.

Throughout the decision-making and recall process itself, manufacturers need to keep the FDA informed, as well as work closely with suppliers, distributors, and other third parties along the supply chain to take effective action. The FDA assigns a classification to the recall (Class I, II, or III), determined essentially by the level of danger the quality or safety issue presents, with Class I reserved for situations where there is a reasonable probability of serious adverse health consequences or death. The classification drives a number of factors in the recall process, including urgency and the method of distributor/customer notification.

2. Roles and Responsibilities

Any confusion over roles and responsibilities can result in delays, process stages being missed or not executed well, and possible non-compliance. Decision-makers, plan executors, and communicators need a common understanding of their role and responsibilities as well as those of others involved. This extends outside company walls to suppliers, distributors, regulators, and third parties.

The pharmaceutical industry is a global one with many manufacturers supplying multiple markets. Where licenses to sell in particular markets are held by multiple third parties, a lack of clarity over who has what responsibility—and/or any breaks in the chain of communication—can cause significant problems.

To maximize success, manufacturers must cultivate a transparent environment of information access and exchange. This is essential not only to track impacted parties and the root cause of the issue but also to keep all players up to date throughout the recall process. All responsible individuals need to work from the same information, and it needs to be up to date.

This is hard to achieve for many companies still working with systems and applications in silos where shared data has to be interpreted and fed into various tools that support the process.

Plan executors and senior management need visibility into product recall progress as well as the output of root cause analysis and other quality assurance tasks. This is best achieved through real-time executive dashboards and reports with drill-down capability to access relevant statistics, analytics, and trends.

3. Communications Strategy

Poor communication can be found at the root of many poorly-handled business problems. Product recall planning must consider the complete spectrum of communications—intra-company, externally with parties along the supply chain, with customers, and with regulators and officiating bodies.

Time zones, physical distance, language barriers, and cultural differences can all hinder effective communication. These must be managed for timely and effective communication.

Not only does communication need to be effective during the process of a product recall itself, it also needs to ensure the business learns from the situation, feeds information back into the system, and is equipped to take any corrective or mitigating action needed. An integrated solution that tracks and manages information and events across departments can initiate action based on change—for example the requirement for training or actions resulting from an audit.

When selecting the business tools that support company communication, it is also important to think about how people consume information and about the clearest and most effective ways of presenting it to achieve the maximum result. The visual presentation of data, for example, can be an effective way of maximizing understanding.

Through planning and the use of technology, manufacturers can streamline and improve the processes and procedures that expedite product recall activities. In this way they aim to limit brand impact, better serve customers, and ultimately drive improved business performance.

Effective governance, risk management, and compliance are essential for good business practice and to try to mitigate issues that may result in the need for a product recall. Despite ensuring effective processes and procedures and compliance with regulatory mandates, issues do still arise and preparation is essential to manage them when they do.

Automated risk management solutions can help support the execution of roles and responsibilities, informed decision making, and effective communication, not only once a product recall has been decided upon but also in minimizing and managing enterprise risk in day-to-day operations.

The original article was published by Pharmaceutical Processing.

BLOG ADMIN
