Horizon Media: Building a Risk Program from the Ground Up
Headquartered in New York City, Horizon Media is the largest and fastest-growing privately held media services agency in the world. Horizon had become an industry leader, in part, by using technology to gather business intelligence, measure channel connections, and employ data analytics.
With data and technology increasingly integral to Horizon’s business, its risk infrastructure needed to evolve too. Horizon was operating in a highly virtual environment with a global client base, cloud-based operations, and multiple physical offices. With breaches and cyberattacks constantly in the headlines, Horizon needed a system to capture and monitor cyber risks (including those from third parties) and a cyber awareness training program to give clients the confidence that their data would be safeguarded.
Enter Praj Prayag, a technology risk executive with 18 years of IT Audit, risk, and compliance experience at Big Four and top-tier financial services companies. Praj was hired by Horizon’s CISO to build their technology risk program from the ground up. Recognizing the enormity of the task ahead of her, Praj knew that getting the resources and people she needed would require business support.
Before she came on board, risks were compiled in spreadsheets and not always considered when making strategic decisions. With risk operating independently from the rest of the firm, Praj knew she needed to educate stakeholders on the value of a risk program before she could build a shared culture of risk.
Setting Relevant Objectives
To design an effective technology risk program that met the firm’s needs, Praj and her team needed to understand Horizon’s broader objectives. Exploring why Horizon needed a technology risk program would help Praj socialize the idea and get the structure right.
Besides the standard objectives of protecting data and information assets and reducing organizational and cyber risk, conversations with business, technology, and executive leadership helped Praj understand that customer confidence hinged on strict levels of compliance. Clients needed assurance their data would be protected from unauthorized access, breaches, and cyberattacks. This would become a critical differentiator for Horizon’s clients.
With that, Praj positioned the technology risk program as a key input to growth. Setting the program objectives in line with Horizon’s business strategy smoothed the way for getting buy-in from business and resources for planning and implementation.
“Building a program that provides business value moves away from technology risk and audit being a cost center,” says Praj. “We enable businesses to grow by helping them achieve their objectives while keeping their data safe.”
Aligning People with Process
With support in hand, Praj used the people, process, and tools methodology to define what the technology risk program should look like and build efficiency and alignment across the organization.
The team agreed on four key pillars for their program: information risk management, third-party risk management, cybersecurity, and compliance and controls.
Praj and her team analyzed sources of risk in each area to understand the firm’s critical risks and better prioritize their time and resources. Eventually, they defined discrete priorities and processes for each pillar.
- Information Risk Management - Define an iterative, clear process that captures all the risk information and workflow.
- Third-Party Risk Management - Define a process to get vendor information and provide each vendor a risk questionnaire.
- Compliance and Controls - Create an annual plan for controls self-assessment based on the annual risk assessment and compliance requirements.
- Cybersecurity - Centrally capture cyber risks and provide consistent cybersecurity training.
Now that the vision and goals of their risk program were clear, they could move ahead with designing the appropriate structure.
Praj and her team recognized that effective risk management was a firmwide responsibility. Identifying the right people to help with implementation was a key part of the people, process, and tools methodology. After designing the process for managing each pillar, they brainstormed about who they’d need to collaborate with and the resources required to manage those risks.
Adopting the Right Tools for the Job
Once Praj and her team were clear on the risk management process and who they’d work with, they needed the right tool to serve their vision. It was important that the tool could align with how Horizon internally managed risk — they didn’t want a tool that dictated to them how their process should work.
“Don’t use the tool to drive your process. Define the risk life cycle process and identify roles and responsibilities, whether that’s internal within the risk team or technology or the business, before looking for a tool,” Praj says.
Since they were building the foundation of their technology risk program, they started with the basics — a tool that would identify, capture, analyze, and solve risk. But they wanted more than the essentials. The right solution needed to be:
- User-friendly to better collaborate across divisions and get users to adapt to the new process
- Able to quickly generate reports for timely communication
- Efficient enough to be used by a small team without taking more time than a spreadsheet
- Centralized for an integrated view of the firm’s cyber, compliance, and other risks
- Transparent for better tracking and accountability
- Scalable to grow with the firm
LogicGate’s Risk Cloud checked all the boxes. It was customizable to fit their needs, scalable with their risk program, and capable of evolving with their business. Praj and her team started small, beginning with the Risk Management application, eventually expanding to the SOX application for their Compliance assessment, and later adding Third Party Risk Management. LogicGate now helps manage three out of the four pillars of Horizon’s GRC Program.
Risk Cloud’s flexibility and integrated reporting mean Horizon can now:
- Collaborate and partner with business units to protect the firm’s assets and reputation
- Align their compliance and risk management capabilities to business goals, whether that’s PCI compliance or PII protection for their clients
- Improve cyber awareness across the organization through personalized phishing campaigns and preventative controls
- Proactively identify and address gaps in controls and compliance before they become a roadblock
- Systematically analyze and review vendors to minimize their third-party risk
“We have now lowered our threat landscape by more than 50% and are actively assessing every new technology vendor that we get into a relationship with, with the goal of monitoring the vendors, expanding to existing vendors and also expanding the risks that we manage,” said Praj.
As Horizon’s technology risk program matures, their goals continue to evolve with the business. Today, Horizon is looking for ways to infuse AI into their cybersecurity training and enhance overall process efficiency.
By aligning risk management processes with Horizon’s strategic goals, Praj and her team have successfully built a culture of risk and proven their value to the business.
“If we focus on what is important to the business, and get the business onboard with reducing organizational risk as a whole, it can add tremendous value to the company,” shared Praj.
LogicGate gives you an interconnected view of risk across the organization that you just can’t get from point solutions. After all, great companies are built not by avoiding risks — but by choosing the right ones.
About Horizon Media
Horizon Media is the largest and fastest-growing privately held media services agency in the world. Through its mission “to create the most meaningful brand connections within the lives of people everywhere,” the company has helped clients such as GEICO, Capital One, Corona, and LG develop their brand strategy and manage communications across traditional and emerging channels, including digital, social, and mobile.