2012-09 Managing Information Security Risk in Distributed...


Page 1: 2012-09 Managing Information Security Risk in Distributed ...leeds-faculty.colorado.edu/marlattj/acct45405540... · 2012-09 Managing Information Security Risk in Distributed and Dynamic

Presented by:

Collaborative Accountability in GRC: Creating Harmony Across Business Roles

Slide 1 © 2012 Corporate Integrity, LLC www.Corp-Integrity.com

Michael Rasmussen, J.D., CCEP, OCEG Fellow Risk & Compliance Lecturer, Author, & Advisor

Managing Information Security Risk in Distributed and Dynamic Business

Slide 2

Does your organization have integrity?

Slide 3

Are you focused only on what you see?

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

E.J. Smith, Captain of the Titanic

Risk Awareness

Risk Ignorance

Slide 4

Risky Nature of Business

•  You cannot outsource liability
–  You “stand in the shoes” of your business relationships
–  Their problems are your problems
–  Their problems directly impact your brand and reputation

•  Increasing regulatory focus
–  Can you attest to an “in-compliance” status?

•  Many companies focus on the on-boarding process…
–  Most risk is incurred over the life of the relationship
–  Who owns on-going third party risk?
–  How is third party risk assessed and reported to the board?

The issues organizations face in managing risk and compliance across extended business relationships include:
•  Information Security
•  Privacy
•  Anti-corruption
•  Code of conduct and ethics
•  Corporate social responsibility
•  Environmental
•  Geo-political
•  Health and safety
•  Import and export
•  Labor standards
•  Operational risk
•  Quality
•  Regulatory compliance
•  Physical Security
•  Supply-chain risks

Slide 5

The current state of 3rd party risk management is like “Dante’s Inferno”

Risk is only considered during the on-boarding process

•  Risks in extended business relationships are usually only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This common approach fails to recognize that risk is incurred over the life of the business relationship. Once a relationship is established, organizations often neglect risks that build over time.

Partner performance evaluations neglect risk

•  Metrics and measurements for ongoing business relationships often fail to fully analyze and monitor risk in extended business relationships. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

Slide 6

We need our oversight & accountability for 3rd party risk to be collaborative

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series

IS YOUR PROGRAM CONSISTENT? Establish standardized processes that apply to all areas of the business everywhere in the world. Incorporate standardized forms and templates to drive consistency.

IS YOUR PROGRAM RESPONSIVE? Support transparent and sound decision-making with strong management oversight and robust reporting.

IS YOUR PROGRAM INDEPENDENT? Minimize potential conflicts of interest and ensure decisions are objective.

IS YOUR PROGRAM REASONABLE? Don’t interfere with operations or be a burden on the business.

REINFORCE BRAND AND CORPORATE REPUTATION
•  Enhance Brand Credibility
•  Solidify Shareholder Trust
•  Respect in the Marketplace

FULFILL LEGAL OBLIGATIONS AND GUIDANCE
•  U.S. Foreign Corrupt Practices Act
•  Bribery Act
•  U.S. Dodd-Frank and Patriot Acts
•  Public Procurement Laws and Regulations
•  Guidance from OECD, World Bank, and Non-Governmental Organizations
•  Standards
•  Contractual Obligations

ASSURE THE BOTTOM LINE
•  Protect Corporate Assets and Operations
•  Enable Public Procurement Lines of Business
•  Enable Operation in Corruption-Prone Countries
•  Prevent Revenue Loss From Non-Compliance
•  Avoid or Reduce Fines and Penalties

Slide 7

High performing business requires agile 3rd party risk processes

BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives

OPPORTUNITIES

MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.

OBJECTIVES: strategic, operational, customer, process, compliance objectives

Reliable achievement of objectives while addressing uncertainty and acting with integrity

Slide 8

Who is a 3rd party and how is your program built?

Slide 9

1 - Establish 3rd party governance and oversight

PROGRAM OWNERS: Compliance and Legal, Finance, Business Operations, Audit, Risk, and others

ESTABLISH PROGRAM OWNERSHIP AND OVERSIGHT

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series

Slide 10

2 - Scope your 3rd party risk program

Slide 11

3 – Understand your 3rd party risks

Factors:
•  Nature and location of business activities
•  3rd party relationships
•  Methods for generating business
•  Applicable laws

Evaluate and rank:
•  Risk appetite
•  Internal changes
•  External changes

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series

(Diagram labels: RISK IDENTIFICATION, OBJECTIVES, CORRUPTION)

Slide 12

4 - Build & operate 3rd party controls to mitigate risk

Establish:
•  Preventive
•  Detective
•  Corrective

Across the business:
•  Process
•  Technology
•  Human capital
•  Physical

Slide 13

5 - Perform Due Diligence

Due diligence includes analyzing whether established policies and controls are followed.

(Diagram labels: PROFESSIONAL SERVICES, REGULATORY FACILITATORS, SUPPLY AND SALES CHAIN)

Slide 14

6 - Collect and analyze 3rd party data

Slide 15

7 - Implement screening procedures

Slide 16

8 - Train and educate

Provide training:
•  Across the business and its relationships
•  Role-specific programs for high-risk roles
•  Develop/acquire content
•  Understand cultural needs
•  Track attendance and certification

Slide 17

9 - Monitor and review 3rd party relationships

Slide 18

10 – Monitor and Evaluate

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series

Track and assess policies and controls for effectiveness and performance in various ways:

•  SCREEN: monitor internal and external information and compare vendor, partner and customer records against trusted data sources for red flags that indicate issues

•  AUDIT: provide regular internal audit oversight and inspection of the anti-corruption program; test and assess controls to determine if additional or modified action is necessary

•  INVESTIGATE: obtain and assess information about observed or suspected misconduct, using appropriate qualified teams, and considering privilege issues

•  IDENTIFY: establish hotline and other open channels for reporting and resolution of questions and issues

•  ANALYZE: evaluate data to locate concerns and potential problems by applying analytic techniques, tools and reporting capabilities

(Diagram labels: AUDITING/TESTING, ANALYTICS, SCREENING, INVESTIGATIONS, HOTLINE DATA)

Slide 19

11 – Review, Realign, and Report

Take action:
•  Disciplinary on incidents
•  Continual evaluation
•  Alignment to changing business
•  Keep board and management informed
•  External review and certification
•  Strengthen program

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series

Slide 20

3rd party risk management needs to be efficient, effective, and agile

ROI

UNIVERSAL PROGRAM OUTCOMES
•  Enhance Organizational Culture
•  Increase Stakeholder Confidence
•  Prepare & Protect the Organization
•  Achieve Business Objectives
•  Prevent, Detect & Reduce Adversity
•  Motivate & Inspire Desired Conduct
•  Improve Responsiveness & Efficiency
•  Optimize Economic & Social Value

RESPONSIVE (agile), EFFICIENT (lean), EFFECTIVE (sound): effective, responsive and efficient processes will deliver measurable program outcomes for the organization

Slide 21

Questions? Michael Rasmussen, J.D, CCEP, OCEG Fellow

[email protected] +1.888.365.4560

Some of the content we have evaluated is OCEG content that I have an established agreement to use. Please do not copy these slides without permission, and I highly recommend you consider OCEG membership at www.OCEG.org.

Corporate Integrity Newsletter

LinkedIn: Corporate Integrity Group

Blog: GRC Pundit

Twitter: GRCPundit

Events: Corporate Integrity

LinkedIn: Michael Rasmussen

THANK YOU!