As 2014 showed, how a company manages its own data or that given to it by customers and suppliers has become an important source of worry for senior executives. If the information falls into the wrong hands – either through crime or negligence – it can lead to significant financial cost and a big hit to a company’s reputation.
In fact, over 100 finance, risk management, audit, and compliance executives polled by CEB rank a large-scale cyber attack as the most important risk facing their firm.
A Crowded Situation
Given all this sudden senior executive interest in the security of their companies' information, it's no surprise that a responsibility once reserved for the information security team, managed by a chief information security officer (CISO) and reporting up into the CIO, now has many different teams piling in to help.
Over 80% of IT information security (IS) functions now work alongside internal audit, and all of them work with separate IT audit and data privacy teams as well as with colleagues from the legal and compliance functions. Two-thirds of IS teams also work with the enterprise risk management function.
While these professionals bring a wealth of important skills and experience to managing the problem, their involvement can lead to a political gunfight over who's in charge and who does what. Far worse, it can be a nightmare for people in the line who are actually trying to create, sell, or distribute the firm's products. Different teams swoop in at different times, each focused on a slightly different aspect of the same problem, and then deliver conclusions and recommendations that often contradict one another.
Unsurprisingly, this just produces fed-up employees who are far less likely to understand, let alone comply with, company risk management policy.
Building a Consolidated Risk Assessment Process
What's required is a "consolidated risk assessment process" that ensures collaboration between the many different teams and, crucially, gives employees in the line one point of contact and one set of coordinated policies to comply with.
The important thing for colleagues working on this kind of consolidation is not to let perfection get in the way of progress; instead, take a "crawl, walk, run" approach and work towards a fully integrated risk assessment process through iterative improvements.
One forward-thinking CISO in the restaurant industry (and a member of the CEB Information Risk network) is making impressive progress based on three pieces of guidance from which many firms could learn.
Coordinate parallel and synchronized risk assessments: A fully consolidated risk assessment process should be launched by a single set of triggers, the events (a new project, system, or vendor, for example) that tell every risk function an assessment is due. This sounds simple in theory but can be complex in practice: most risk management functions, such as Legal, Compliance, and Privacy, currently rely on their own triggers and their own assessment methods.
In return for agreeing to one shared set of triggers, each risk management function gains better insight into which business projects require its attention.
Minimize the burden of a consolidated risk assessment: A lighter process reduces resistance to participation and increases compliance with risk management policies and controls. To reduce the burden, consider the following:
Create pre-assessment standards that, if true, exempt low-risk projects from the full risk assessment process: To develop these standards, each risk management function should go through the following thought exercise: what twenty questions does the function always ask during assessment conversations? Of those, which are the ten most important, and what are the ideal answers to them?
Those ideal answers become each function's baseline standards: a project that meets all of them is low-risk and does not require the full risk assessment process. Keep a record of the pre-assessment answers so that exemptions can be spot-checked later, and re-run the pre-assessment if a project's scope changes.
Develop an interactive risk assessment questionnaire: A consolidated risk assessment questionnaire does not mean simply stapling together the questionnaires each risk function already uses.
Rather, merge overlapping questions and add skip logic so that each project is asked only the questions relevant to it. This keeps the full-length questionnaire manageable for business partners to complete.
Minimize which functions need to get involved: For projects whose risks must be evaluated further, involve only the relevant risk management functions. A function whose risk area was rated "low" in the pre-assessment can trust that it need not take part.
This minimizes the burden on both the business and the risk functions and lets all parties focus on the highest risks without unnecessary distraction.
Streamline "customer touchpoints": For projects that do require more extensive reviews, assign single points of contact to guide the project sponsor through the necessary conversations. Typically this means one legal-related and one technology-related point of contact: the first covers legal, compliance, and privacy concerns, the second IT and information security concerns.
This matters because it streamlines communication and gives the project sponsor a single, consistent message from the risk management functions.
Download CEB's Information Security Risk Assessment Guidebook for examples of the key components of a mature IT risk assessment program, as well as detailed implementation guidance for each risk assessment type.
CEB Information Risk members can use the “Risk Assessment Toolkit” on the dedicated website for step-by-step guidance to building a full risk assessment process, along with many other tools, templates and data on conducting risk assessments.