To what extent are UK organisations succeeding in bringing together enterprise risk management, security, business continuity and regulatory compliance to set better priorities?
Convergence is challenging and best practice shows cultural impediment
Ollie Ross, head of research, Corporate IT Forum
Corporate IT Forum members recognise the need to address corporate governance and operational risk as a combined entity, particularly in the current climate of business and technology flux.
This is being driven by regulatory standards such as Sarbanes-Oxley in the USA and Basel II in Europe, and brought into sharp focus by the strengthening demands of the PCI Data Security Standard.
The chaos ensuing from seemingly simple tricks of nature, such as snow and ash clouds, is also playing a part. Organisations are actively moving to align the functions and processes supporting these critical requirements in order to drive top-down buy-in and advocacy and the management of business-wide application.
Of course, this convergence is proving quite a challenge. The forum's members are finding it extremely valuable to share frameworks and 'what-works' strategies, as the challenges are as much cultural as process-based. There is always an element of scepticism about how specific concerns might be addressed in the 'bigger picture' prioritisation of business needs.
Additionally, the value of some competencies is much harder to clarify than others. Risk management, for example, was held at a recent forum workshop to have "a quantified cost, but a subjective financial return". It is difficult to approach and measure in the same way as, say, regulatory compliance. The key to success is strong leadership from the top.
Security is growing out of its teenage phase
Raj Samani, vice-president for communications, ISSA UK
Security has often behaved like an unruly teenager, spending its parents' money without any justifiable return. Such behaviour was often tolerated during the good times, but with business priorities now focused on economic preservation, it is no longer acceptable.
Current organisational priorities have recently focused on the short-term need for financial survival. Beyond this, according to the Technology Strategy Board, "information security will be driven by various macro-level factors, such as globalisation, climate change, regulation and evolving demographics". These drivers increase the importance of security, with reliable and accurate (electronic) information now the lifeblood of every organisation. Security is now expected to implement proactive measures with full support and risk management from the true risk owner - the business.
New regulatory requirements have begun the transition of integrating security into the business; for example, government departments must now nominate a senior information risk owner, a member of the board who has overall ownership of and accountability for information assurance. Such requirements are having an effect on information security priorities: activities must now be justified both in terms of their business context and their return on investment (ROI). Equally, the ownership of risk is being given back to the business, with security departments acting as facilitators in the risk management process.
There are examples of assurance activities within various industry sectors now beginning to set better priorities, and deliver security projects with a clear ROI and reduction in risk. Examples include the implementation of strong authentication by Barclays Bank for internet banking customers, where, "since the implementation of PINsentry, Barclays has dramatically driven down online fraud and is the only UK bank to see a dramatic decrease in phishing attacks". The decrease in such attacks is important, with UK payments association APACS reporting that the amount stolen by online banking fraudsters had reached £33.5m in 2006 (up by 44% from 2005).
Much like the unruly teenager, the security industry now has to mature in order to satisfy the assurance requirements of the business. Anything less and corporate systems won't be the only part of the organisation outsourced.
Break out of the silos and attack the pain points
Paul Williams, strategy chair for ISACA and IT governance adviser to Protiviti
An integrated, cohesive, and comprehensive approach to all aspects of governance, risk and compliance (GRC) embracing business continuity, security, and regulatory compliance remains the desired position for most enterprises, in both public and private sectors. For the majority this objective remains elusive as individual point solutions too often remain the norm within siloed organisational and governance structures.
Roles and responsibilities, reporting lines, competing and overlapping requirements, varying levels of regulator interest or pressure and the availability of the data to enable such convergence are all 'pain points' in achieving convergence success.
Although the situation is improving, particularly as enterprises seek to better manage their costs and improve their efficiency, very few UK enterprises take a fully holistic view of enterprise risk management - which usually will include all aspects of GRC including those involving or related to information technology. Usually, it is a failure of governance that is at the heart of failing to achieve effective convergence, reflecting an absence of leadership, commitment and, all too often, a proper understanding of the issue.
Most organisations will do what they have to do to manage their regulatory or compliance responsibilities. This is for the simple reason that they have to do it to stay out of jail and remain in business. The business imperative is obvious and compelling. Such compliance activities, whilst effective on a 'ticks in the right boxes' basis, will rarely be efficient or deliver any value to the enterprise. Those enterprises that have invested in a properly thought-through, top-down approach to enterprise governance and risk management will be reaping the benefits and achieving competitive advantage over their peers. Proper convergence of GRC activities requires strong and focused leadership and unambiguous allocation of responsibility for dealing with all GRC-related issues.
Success will best be achieved through unambiguous and demonstrable buy-in from the CEO and the board, with the direct leadership coming from the CFO and the CIO working in partnership, supported by business management. Involvement from the audit committee and the risk committee, supported by the internal audit, operational risk, and security functions, will also be essential.
Few understand the extent of regulation
Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information security consultancy Trusted Management
Are UK companies grasping, or at least attempting to grasp, the nettle of 'whole business' risk management? Of course, there is no simple or single answer to this question. Large enterprises have, in the main, had business continuity, regulatory compliance and security areas well covered, but a stovepipe type of organisational mentality often leads to these areas not coordinating properly, or at all.
However, one of the bigger issues, I believe, arises from a lack of understanding of the extent of regulation. A typical example comes from an encounter I had with the regulatory officer at a mid-sized accounting firm. He told me that his company had all regulatory compliance well and truly sewn up and everything documented. My simple question, "Where are your policy and associated procedures for Data Protection Act and Regulation of Investigatory Powers Act compliance?", was met with a blank stare. Yes, all the financial regulatory stuff that accountants need to comply with was well covered, but step outside of that, and nothing was covered. It was not even recognised that there might be other regulatory areas outside of finance that might just have an impact. Small companies where there is an enlightened (and IT-savvy) owner or senior manager often do better, but that is an exception.
Within government the concept of a department having a senior risk owner is now well advanced, and though you will find similar positions in some of the larger commercial enterprises, that role can often be narrowly defined. It is my belief that until business as a whole gets to grips with the concept of 'assuring' information (i.e. information assurance), rather than IT security, which is often left solely in the hands of the IT department, progress towards an enterprise view of risk and risk management cannot effectively take place.
Integration of business continuity and enterprise risk management is in its early stages
Roberta Witty, research vice-president, Gartner
From the business continuity management (BCM) perspective, we see more organisations addressing information security risk as part of an availability risk assessment. Both are components of operational risk, which is one of five components (reputation, strategic, market and credit are the others), all included under enterprise risk management (ERM).
This inclusion of information security risk acknowledges that an exploited information security threat can be a business interruption, which requires crisis management intervention at a minimum, up to and including execution of a recovery plan if the security breach results in a production system shutdown.
From an organisational reporting perspective, there is limited integration of BCM into the ERM organisation, although it is certainly a direction for some industries, financial services in particular. If not a formal reporting relationship, a matrix reporting relationship is a good solution.
In addition, Gartner's BCM surveys conducted from 2005 to 2010 show a growing trend of BCM offices reporting into business management, and IT disaster recovery management continuing to report into the IT organisation - both logical reporting relationships for the long term.
We are in the early stages of integrating BCM into ERM owing to the lack of official departments within most organisations and both disciplines being informal.