How to Get IT, Security, and the Business on the Same Risk Page

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7
Next How to Get IT, Security, and the Business on the Same Risk Page-4 Next

It’s important to develop a common language when speaking about risk; one person’s risk assessment is another person’s control review, and they aren’t the same thing. Develop a "risk ontology" that defines elements of risk, their relationships to one another, as well the rules and calculations that determine what’s a real risk and what isn’t. Extend the traditional risk and control framework to a policy, risk, control and asset framework. Focusing on key performance indicators (KPIs), key risk indicators (KRIs) and key control indicators (KCIs) as a set of financial and non-financial metrics will help to provide insight into areas of potential risk, as well as show warning signals of possible loss events and other exposures.

It’s essential to make the transition from risk and compliance "identification" to risk and compliance "analysis," and, finally, risk and compliance "intelligence." Technology can provide a powerful foundation for analytics and automate much of the governance, risk and compliance process – especially as more automated continuous monitoring and measurement is available through the technology ecosystem.

IT, security and the business have important shared objectives: 1) raise stakeholder value, 2) drive performance improvements, 3) ensure compliance across activities and operations, and 4) protect the organization, its assets and its people.       

We’ve seen breath-taking and awe-inducing changes over the last few years – the rise of a digital universe that is global, social, mobile and interconnected; the double-edged sword of innovation and rising risk profiles; the flight of business to the cloud; and IT/OT transforming to the orchestrator model. New technologies bring new risks, and it is becoming clear that there are growing disconnects between IT, security and the business on what this really means.

In the midst of all of this change, leadership, senior management and employees alike feel extreme pressure from customers, regulators and suppliers, all of whom demand explanations as to how their risks are being identified, managed and controlled. This can be a real challenge in the midst of increased threats, regulatory complexity and pressures to demonstrate control over material risks. In order to both support the strategic objectives of our organization, and just plain do our job in keeping critical processes running and sensitive assets protected, we need to build a common language and discussion framework to understand risk appetites and scenarios, and also identify and discuss risks in a context that the board and business can understand and use in decision making.

Here are five fundamental questions, identified by Yo Delmar, vice president of GRC solutions at MetricStream, a provider of governance, (IT) risk and compliance (GRC) solutions, that we need to answer in order to get IT, security and the business on the same page with a 360-degree view of risk. Working with siloed views of risk is not an option anymore – the stakes are just too high for us to continue forward with the status quo.

 

Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

 
More Slideshows

PAM PAM Solutions: Critical to Securing Privileged Access

To protect the company from those insiders who abuse their privileged access and from hackers with stolen credentials, many companies are turning to a privileged access management (PAM) solution. ...  More >>

Fake news How Can We Fix the Fake News Problem?

Is fake news a security issue? Some say yes, as it can be used as a social engineering tool to spread disinformation and conceivably to get unsuspecting users to click on malicious links. ...  More >>

blockchain The World According to Blockchain

Blockchain comes with many costs and is surrounded by confusion. Here, we examine realistic use cases, drawbacks and the potential of blockchain. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.