Date post: 28-Jan-2022
GRC And Cyber Security Disconnects Are Driving the Need for Enterprise Risk Management

Why Practice Areas Must Operate Separately and Together

Sponsored by:


Executive Summary

Organizational risks are growing as companies become increasingly digital and interconnected. Over time, new risk-oriented functions such as cyber security have arisen out of necessity. The result of forming different groups, typically on a reactionary basis, is disparate, siloed groups that speak different languages and have different goals. Meanwhile, businesses and their IT ecosystems are becoming more complex, which results in additional forms of risk. The modern enterprise is digitally connected to partners, customers, and third-party data sources as well as to mobile devices, cloud environments, the Internet of Things (IoT), and social media.

To identify and close the risk gaps, the diverse risk-oriented groups must be able to collaborate effectively. In addition, organizations should have an enterprise risk management (ERM) group or committee that supplements whatever may exist at the board level, so that the entire spectrum of risks can be identified and managed on a day-to-day basis. To achieve all this, organizations are adopting intelligent ERM and integrated risk management (IRM) solutions that help facilitate more effective risk management between and across the disparate functional areas. Those solutions also help risk professionals identify new opportunities for innovation.

This white paper explains some of the challenges today’s organizations face and how leading companies are driving better outcomes.

Table of Contents

The Fragmented Approach to Risk Has Been Reactionary - Pg 3

The Importance of Narrow and Broad Views - Pg 4

Obstacles to Achieving ERM - Pg 5

How GRC Tools Are Evolving - Pg 6

Executive Interview with Scott Bridgen, GRC Consulting Director, OneTrust - Pg 7

Business Continuity Comes Back into Sharp Focus - Pg 8

Conclusion - Pg 8


The Fragmented Approach to Risk Has Been Reactionary

Traditional risk management, compliance and cyber security are three of many risk-focused areas that emerged out of necessity. Traditional risk management concerns itself with business risks, such as credit and operational risks. Compliance, which sometimes precedes traditional risk management, is driven by regulatory and legal mandates such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Cyber security emerged in reaction to misuse and abuse of new technologies, but ultimately exists to protect digital operations and data from the full range of internal and external threats.

Each separate risk function operates effectively within the scope of its silo, speaking a different language than the other groups. Meanwhile, their organizations are competing in a global business environment in which entire industries are being disrupted by digital newcomers. The constant and accelerating change has caused companies to partner with non-traditional entities and extend out to non-traditional customers. Similarly, their technological footprint has pushed out beyond the proverbial four walls to mobile, cloud, IoT and social media, enabling companies to engage their constituencies in new ways. The growing complexity has created opportunities for bad actors and inadvertent innocents to expose organizations to new forms of risk for which they may not be prepared.

Quite often, risk-oriented departments have been organized to align with the structure of the business. The problem with that is that the business is always changing. While it is possible to reorganize a company around risks and risk categories, more companies are better positioned to enable cross-functional collaboration to improve risk-related efficiency and effectiveness, including identifying and minimizing or avoiding risk gaps. In addition, organizations should have an ERM function for day-to-day risk oversight that exceeds what a subcommittee of the board can achieve on its own.


“The maturity of risk management, as a function and as a profession, has come to the point that there’s an awareness that everything is connected and the dependency isn’t just about upstream or downstream business functions, technology, or how we work with third parties. Every piece plays a role and that three-dimensional connectivity is complex.”

Rik Parker, principal, Cyber Security Services, KPMG


The Importance of Narrow and Broad Views

Risks are best managed by the people who understand them and are empowered to do something about them. For example, no one understands the causes and effects of cyber security incidents better than a trained cyber security professional. The same is true for other areas of risk, including traditional risk management and compliance. So, narrow expertise is essential.

However, today’s hyperconnected world produces a network effect as it relates to risk. For instance, when a data breach occurs, it tends to impact the cyber security team as well as legal, compliance, finance, and public relations. If the people responsible for managing risks are not communicating, and if there is no ERM function with visibility across the affected areas, the enterprise cannot manage the potential fallout effectively.

There needs to be a level of consistency across the groups, which an ERM function can help provide, including a risk taxonomy, a control taxonomy, how to identify issues, and how to conduct risk assessments. Similarly, there can be technological systems in place, including ERM and IRM systems, that provide cross-functional visibility and collaboration capabilities. In addition, all the groups should align with common business objectives, not just the narrow goals of their own groups.

“Board members come to us and they say, ‘When compliance, cyber, internal audit, and risk management talk to me, they all give me a different top risk. Why can’t they coordinate and make sure I understand what are the top three to five risks facing the organization, not just within the silos?’”

Kreg Weigand, partner, Internal Audit & Enterprise Risk, KPMG


Obstacles to Achieving ERM

Culture is one of the biggest obstacles to achieving ERM because culture depends on the alignment of people. To establish an effective ERM function, an organization must define the role of that group in relation to all the other risk-oriented groups beneath it. Then, the ERM group needs to help ensure that the various risk groups align with common goals and that the groups’ rules of engagement are consistent.

Although higher levels of collaboration have been enabled by IRM systems, for example, the risk groups should understand the benefits of communicating and coordinating with each other so they can work together more effectively. Though individuals and groups tend to work with the company’s best interests in mind, some organizations have had trouble achieving the level of collaboration they aspire to because the company has grown very quickly, either organically or by acquisition, or because they lack the necessary structure and processes.

ERM and IRM systems can help facilitate cross-functional collaborative processes. However, effective processes are not the result of implementing a tool. When the risk functions are collaborating effectively with the proper processes and tools in place, the organization is in a better position to:

Understand the entire scope of risks

Avoid doing things that cause risks

Reduce risks by adding mitigating measures

Take on more risk

An organization that understands its risk appetite and tolerance can also innovate in new ways by taking calculated risks. Otherwise, the company may take too few risks, which limits its potential scope, or it may take on more risks than are wise.

“Can you get buy-in from local areas to be able to do this? Because it’s going to have to be done across business functions. No change management process is painless, but the time you invest in doing [ERM] right will pay dividends for years to come.”

Alla Valente, analyst, Forrester Research

“We like the three lines of defense: The first, second and third. We believe the primary responsibility for managing each and every one of these risks is the first line which is the operational part of the business that runs the organization. The second line of defense is the risk management organization which oversees and challenges us to think through the right topics. The third is internal audit which provides an independent level of assurance.”

Joe Nocera, principal, Cyber Security and Privacy, PwC


How GRC Tools Are Evolving

The governance, risk management, and compliance (GRC) solution space has been dominated by large legacy players which primarily serve financial services and other highly regulated industries. However, more enterprise software players have entered the market and new players with modern ideas have emerged. In fact, in 2017, Gartner shifted away from GRC tools in favor of IRM platforms that enable “simplification, automation and integration of strategic, operational and IT risk management processes and data.” More specifically, instead of being so heavily focused on compliance, IRM encompasses six different areas:

Digital risk management

Vendor risk management

Business continuity management

Audit management

Corporate compliance & oversight

Enterprise legal management

IRM provides actionable insights as opposed to just informational insights. The challenge with the latter is knowing what to do with the information on a dashboard. The new tools, because they represent more than just compliance, understand the first and second lines of defense. They are also incorporating newer technologies such as robotic process automation (RPA), artificial intelligence (AI) and machine learning (an AI technique) so that the system can provide recommendations within the unique context of an organization’s risk landscape and the company’s approach to managing risks. Unlike traditional GRC systems, which provided point-in-time information based on scans or self-assessments, the newer platforms provide a near real-time view of the environment.

Another benefit of IRM solutions is the ability to correlate events, the impacts of actions taken, and the outcomes based on a company’s own data, anonymized data from similar organizations in the same industry, and public information. The system then provides recommendations based on an analysis of all the data.

Intelligent systems are not magic, nor are they “set and forget” technologies, however. Their accuracy depends on several factors, including whether the system has adequate information available to do its job properly, the quality of the data on which it is trained, and the extent to which new data has affected the accuracy of the model.


Executive Interview with Scott Bridgen, GRC Consulting Director, OneTrust

What obstacles keep risk functions such as governance, risk, compliance, and security from working together effectively?

Inadequate communications within and between teams, departments and organizations, which leads to:

Lack of accountability: Assumptions that monitoring, performance management and corrective action were someone else’s responsibility

Risk oversight: A culture focused on the organisation’s priorities to the detriment of key risks

Information bias: An institutional culture which puts more weight on positive information than on information suggesting there is cause for concern

What should they do to better align their efforts?

Ongoing communication: Talk openly about their goals and barriers to execution – work together to help each other overcome barriers.

Understand interdependencies: your team impacts others – yes, you might think that patching a server is a low priority, but for the compliance teams, who must evidence that data is secure, it’s the highest priority.

Be adaptable: Learn to embrace change; things don’t always have to be set in stone, and if teams can flex to accommodate others, then working together will become easier.

Unified front: ‘Act as one, move as one’ when dealing with the ‘C Suite’ – you must have each other’s back and ensure everyone is on board. The same goes for training: do not silo yourselves when training on ‘risk language’.

Where does enterprise risk management fit in?

Enterprise risk management (ERM) doesn’t fit into a specific domain or task; it’s everywhere. Organizations start an endeavor to take a business opportunity; these are strategic enterprise-level initiatives that should shape and inform how subsequent goals and tasks are executed to align the business. There is uncertainty about whether the organization will take the opportunity or not. So, each endeavor has an associated risk. Enterprise Risk Management (ERM) is important because its success determines the health and life of the business enterprise. If an organization fails to identify risks to its existence (on a broader scale), it will be ill prepared to face any risk events.

ERM institutionalizes risk management procedures in the organization by standardizing the “master” objectives, and designates the tools, methodology, people and processes for monitoring associated risk.

“An ounce of prevention is worth a pound of cure.”

How can an enterprise risk management group or committee work most effectively with the more specific risk functions such as cyber security and compliance?

By clearly setting the bar – giving specialized teams a common initiative to work from and contribute to should be among the primary objectives for ERM committees.

How can IRM and ERM solutions help?

ERM solutions can help align risk initiatives from specialized risk domains such as vendor, IT & cybersecurity, ethics or privacy to core strategic business goals. ERM solutions can also help to enhance visibility by providing aggregated and normalized calculations of quantitative or qualitative values collected across risk management activities, giving a holistic view of an organization’s overall risk posture.

Integrated Risk Management solutions can also help enhance visibility by further extending connectivity, data collection and classification outside of traditional second- and third-line risk and audit professionals to first-line business activities. Given the digital nature of operations there is a huge opportunity for expanded oversight – and IRM solutions can help “wrap” the data with the appropriate context to retain meaningful information from risk analysis through to board reporting.


Business Continuity Comes Back into Sharp Focus

Business continuity has always had a place in risk management, but until recently it had not been given the same level of priority as it had during the Y2K frenzy. Although organizations have contemplated natural disasters, political unrest, and even pandemics, businesses around the globe were not prepared for the sudden and severe impact of the COVID-19 pandemic. Unlike the dot-com bust and the 2008 financial crisis, the pandemic’s impacts have been both global and systemic, wreaking havoc in every industry. Companies such as Amazon suddenly found themselves scrambling to keep pace with a sudden spike in demand while others were forced to shut down temporarily as the result of executive orders. Now, business continuity is again a top priority because, as recent history has shown, circumstances can change dramatically and almost instantaneously.

When the pandemic hit, organizations had to pivot, change policies and alter the way they operate faster than ever imagined. They realize now that they need to be prepared to do the same thing again in the wake of the “new normal.” Given the complexity of the problem and all the functional areas the pandemic impacted, the business continuity function can no longer sit in a siloed department. It must be integrated into first- and second-line business practices to ensure that decision makers and risk professionals have the ability to interpret signals that could prevent the company from meeting its objectives.

Conclusion

Businesses must have broad and narrow views of risks, and those views must work in concert to anticipate threats and enable swift action. As organizations become increasingly digital, they have become more complex entities that involve more types of risks that must be dealt with swiftly and intelligently. Organizational cultures and structures, as well as the tools necessary to manage the expanding landscape of risks, are all evolving simultaneously. Modern risk professionals, from GRC and security to beyond, must endeavor to collaborate as necessary to anticipate and manage the full scope of risks more effectively. There also needs to be an ERM function with visibility across the functions, so that risk gaps can be avoided and more innovation can be enabled.


Report Sponsor:

OneTrust GRC enables risk, compliance and audit professionals to identify, measure, and remediate risk across their business to comply with internal rules and external regulations. With OneTrust GRC, companies can seamlessly integrate risk management into their day-to-day activities. OneTrust GRC is a part of OneTrust, the #1 most widely used privacy, security and third-party risk platform, used by more than 5,000 customers and powered by 75 awarded patents. OneTrust GRC is powered by the OneTrust Athena™ AI and robotic automation engine, and integrates seamlessly with the full OneTrust platform, including OneTrust Privacy Management Software, OneTrust Vendorpedia™, OneTrust PreferenceChoice™, OneTrust Ethics, OneTrust DataGuidance™, and OneTrust DataDiscovery™.

OneTrust’s team of 1,500 privacy, security and trust experts is co-headquartered in Atlanta and London, with additional offices in Bangalore, San Francisco, Melbourne, New York, São Paulo, Munich, Hong Kong and Bangkok. Backed and co-chaired by the founders of Manhattan Associates (NASDAQ: MANH) and AirWatch ($1.54B acq. by VMware), and supported by over $400 million funding from Insight Partners and Coatue, the OneTrust leadership team has significant experience building scalable, enterprise software platforms. OneTrust is also guided by an external advisory board of renowned privacy and security experts as well as an in-house global regulatory and legal research team.

The OneTrust offering delivers catered solutions for traditional GRC professionals along the three lines of defense and emerging disciplines such as privacy and expanding practices around third-party risk management.

Development for OneTrust GRC takes the initiative to embrace the latest technology advancements, prioritize relevant market and client needs within the product roadmap, and maintain a cohesive multi-relational data structure to power a seamless experience. With minimal tooling required, organizations can easily tailor functionality and leverage use-case driven workflows to execute their business needs within the platform. The configurable user experience allows companies to enhance their time to value. This methodology has allowed OneTrust GRC to deliver enterprise-grade GRC software solutions to businesses ranging from mid-market to global organizations.

Delivering business-centric solutions across a unified code base, OneTrust GRC offers a truly integrated risk management platform collecting context at the source for meaningful leadership risk reporting. Analyze risk and evaluate your risk posture across IT & Security Risk Management, Vendor Risk Management, Enterprise, and Operational Risk Management. Enhance risk program visibility with data collection and additional context through the Cyber Risk Exchange, Incident Management, and Digital Asset Discovery. Scale compliance to automate tasks and track changes across regulations and standards with Regulatory Change Management, Privacy Management, and our Regulatory Research Database, DataGuidance™. Reinforce governance to educate and monitor business practices through Policy Management, Awareness Training, and Audit Management. Perform business impact analysis assessments across operations to develop, test, and enact comprehensive resilience programs with Business Continuity Program. Integrate sustainable and ethical practices by providing whistle-blower communication channels and open lines of feedback on the company and public sentiment regarding business practices through Ethics and Compliance Management. OneTrust GRC offers an extensive selection of GRC solutions so that organizations can select the mix that fits their needs, resources, and business structure.

To learn more, visit OneTrustGRC.com or connect on LinkedIn.


ABOUT CYBER SECURITY HUB

The Cyber Security Hub is an online news source for global cyber security professionals and business leaders who leverage technology and services to secure the entire perimeter in their enterprise.

We’re dedicated to providing the latest industry news, thought leadership and analysis in the cyber security space. Cyber Security Hub’s expert commentary, tools and resources are developed through obtaining data and interviewing end users and analysts throughout the industry to deliver practical and strategic advice.

Our editorial team surveys and monitors the latest trends in cyber security and creates news articles, market reports, case studies and in-depth analysis for a captive audience consisting of C-Level executives, VPs and directors of cyber security and information technology.

CYBER SECURITY HUB TEAM

Susy Angryany, Marketing Manager, [email protected]

Imran Shafi, Sales [email protected]

Dorene Rettas, Managing [email protected]

Tilak Antony, Director of IQPC Digital Partnerships, [email protected]

Seth Adler, Editor In [email protected]

Barry McIntyre, Marketing [email protected]

SOCIAL MEDIA INFORMATION

Facebook: CSHubIQPC

Twitter: CSHubUSA

LinkedIn: CSHub – Enterprise Security Professionals