It sounds simple enough on paper: As new risks emerge, the compliance function adapts to address them. In an age of rapidly evolving technology, however, that approach can leave organizations a step behind.

At the Compliance Week 2013 annual conference last month in Washington D.C., a panel of experts weighed in on approaches for retooling compliance efforts to adequately address modern technology risks. No easy task, that effort requires policy development, risk analysis, and improved communication with employees and business units, all of whom probably have their own, hard-to-budge views about technology and social media.

The risks companies face are internal and external, domestic and international.

Social media sites, for example, pose reputation risk by giving a platform to customers, critics, and even employees. Rapid-fire posts, pictures, and tweets need to be constantly monitored, and information that flows from employees, whether sanctioned or rogue, needs to be tracked, reviewed, and filtered. Cloud-based services offer productivity tools for document sharing and storage, but using them also means relying heavily on third parties for security and abiding by the provider's self-serving terms-of-use agreement. There are also e-discovery concerns and the Zen-like riddle of jurisdiction when data is virtualized and distributed. Stirred in are the threats presented by laptops, tablets, smartphones, and the applications they run, as employees and executives alike embrace the “Bring Your Own Device” phenomenon.

Simply adapting to address these risks after they have emerged may put companies in danger, since the risks themselves can change so quickly. Instead, organizations need to create a system that is more proactive and can itself evolve quickly, addressing risks as they emerge rather than after the fact.

Organizations shouldn't “get sidetracked or distracted too much with the technology itself,” said Mahtab Haider, manager of risk assurance and internal audit management for Aflac. Instead, they should focus on building and developing a proper governance structure and GRC framework that assigns ownership at the process level, categorizes risks, and implements effective controls. Once that framework is established, these efforts can evolve as necessitated by new technology and practices.

Building such a system is all the more vital because many data and technology challenges are reaching critical mass for many organizations, forcing them to answer questions such as: Who should own the oversight of controls and policy compliance? How is this information tracked and reported? What should the roles of internal audit and compliance be?

Companies sometimes fail to grasp that what they view as new problems are actually previously overlooked ones, said Michael Rasmussen, chief GRC pundit for the research and consulting firm GRC 20/20 Research. Executives and department heads may fret more these days about putting sensitive data out in the cloud, but for more than a decade teams have been using the cloud-like functions of programs such as Salesforce.com. His message is that organizations need to “grapple with how they embrace these technologies, and not run away from them.”


Rasmussen observed that information is growing exponentially with technology. Data is no longer adequately measured in megabytes and gigabytes; petabytes and zettabytes are now the necessary standards. It is estimated that by 2015, “big data” collection will grow by 45 percent, evolving into a $25 billion marketplace.

“How do you scale that data? How do you scale access when it's not within the boundaries of the data center run by the company's own IT department?” asked Haider. His approach to cloud storage is to have “effective policy management solutions in place,” as his company already does for software-as-a-service platforms. That process is built around third-party verification.

External threats are often overshadowed by the internal challenges of employees who view the use of their personal electronic devices and social media sites as a right, not a work-sanctioned privilege.

And it's not just rank-and-file employees who dig in their heels; the C-suite and directors are guilty as well. “Nearly anybody who has a board seat these days is using iPads,” said Sean Cronin, global director of pre-sales for governance, risk, and compliance services at Thomson Reuters. “Calendars, board voting, and important papers are all in the cloud. The most sensitive company information is already out there.”

Who Owns the Control?

It is important to ensure that an established person, or department, has designated control, Haider said. For example, in the event that a mobile device is lost or compromised, the IT department can be tasked with deciding when to remotely wipe all data from a device. Those controls can later be tested by the audit team to make sure that set protocols are properly executed and are effective.

“There is always going to be new, emerging technology,” Cronin added. “It doesn't really matter if it is Google glass, Facebook, Instagram, or whatever, if you set policies and guidelines for handling issues.” Knee-jerk reactions, he said, will not be sustainable.

Hand-in-hand with policy and delegation is training. Rasmussen suggested fighting fire with fire, leveraging social media to combat the very risks fueled by the proliferation of personal mobile devices in the workplace. Video and audio clips, for example, can be used to supplement policies and advance training. In-house education efforts can even be improved upon by using “gamification” approaches, such as awarding points, badges, or unique messaging avatars to employees who successfully complete training steps.

From left: Thomson Reuters' Global Director of Pre-Sales for the GRC Group Sean Cronin; Mahtab Haider, manager, risk assurance & internal audit management at Aflac; GRC 20/20 Research Chief GRC Pundit Michael Rasmussen; and Mike Toll, head of marketing communications at Thomson Reuters.

“The people using these technologies are the people who like Facebook and YouTube,” he said. “Let's use those technologies to communicate with employees on how to comply with mobile policy and get them more engaged. Throw it back at them. Show them that your department is just as hip and trendy as they are and they might have more respect.”

The panelists agreed that, in many ways, businesses are gradually getting a better handle on how to address these modern risks. “We're not in infancy stage anymore,” Cronin said.

REPERCUSSIONS

Chart from the modern technology session at Compliance Week 2013: What repercussions would make Gen-Y employees more vigilant when using their personal devices for work? Source: Compliance Week 2013.

He recalled a client that once banned the use of laptops by visitors, a policy that made the software demonstration he was there to give nearly impossible. The reason was a security breach made through its wireless network. “Most companies today wouldn't resort to such a knee-jerk reaction,” he said. “There is a maturity coming along. Before, they just put their heads in the sand, but I'm not seeing that anymore.”

Nevertheless, there is still much work to be done.

“Those in the compliance and legal profession tend to be Luddites,” Cronin said. “Historically they have been quite comfortable sticking with their legal pads and pens. I think we are starting to overcome that, but we need compliance and legal to take a leadership role.”