ERM has historically lacked the perspective and perception needed to be applied holistically and consistently within an organization. Over the last 10-15 years, information technology and cybersecurity industry associations have staked their own claim to risk management practices, activities, and approaches. As a result, we find ourselves with numerous ERM, risk management, and risk governance definitions, standards, and frameworks. Given this, we'll explore what an ERM initiative means for your organization.
Forbes reports that 70% of firms experienced at least one cybersecurity incident in 2017. In the past year alone, Yahoo’s $4.8B takeover by Verizon was nearly derailed by two major data breaches at Yahoo; even the US presidential election may have been impacted by hackers. And the risks are only growing: cars are computers on wheels and planes are computers on wings. Cybersecurity risk has expanded beyond personnel information and financial data to the control of physical systems. Where does an organization start to minimize cyber risk?
In 2012, the NAIC adopted the Risk Management and Own Risk and Solvency Assessment Model Act (#505). Although some state legislative processes have been slow to adopt it, most companies are expected to be ready for ORSA and to be using it as part of their ERM framework by the end of 2017. This post explores the Enterprise Risk Management requirements of ORSA.
In today's global and economic environment, two of the biggest areas of risk are regulatory compliance and cyber threats. With regulations on the rise, companies are facing new and more varied challenges. If a company’s systems are breached, it can mean severe damage to its reputation in the market and loss of customers, to name just two consequences.
In order to reduce your organization’s exposure to damaging fines, executives must make compliance and security programs as simple as possible for their employees. Corporations are expected to meet thousands of obligations, both internally imposed and set by multiple regulatory agencies. Unfortunately, traditional software solutions for managing compliance and risk are often built like relics of the past: they are big, bulky, inflexible, and difficult to use.
Corporate leadership often has little visibility into the multitude of risks lurking around the corners of their business. Critical risks embedded within business units often aren’t shared with senior leadership because the systems and processes to enable this are not in place. The methodologies implemented for managing risks across the enterprise vary widely, but most are chaotic, relying on email and spreadsheets for tracking and reporting.
Payment Card Industry Data Security Standard (PCI DSS) is the global industry standard set of policies and procedures intended to enhance data security for all organizations that process, store, or transmit cardholder data. It has been adopted by all the major payment card brands as the standard model of data security. It contains practical steps that mirror security best practices.
OCEG recently released its 2016 GRC Technology Strategy survey findings, and the results contain some interesting observations about current and future-state GRC solutions. For those who may not be familiar, OCEG is a nonprofit think tank and community that helps educate and inform members on governance, risk management, and compliance. It provides content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model and Principled Performance.