Keeping a Lid on Risk

By Samuel Greengard  |  Posted 2009-08-04

In a world filled with risks, threats and potential compliance problems, there’s no way to build bulletproof business processes and ironclad IT systems. But, as a growing number of executives recognize, risky business isn’t a viable alternative.

“Industry is catching up to the thinking that it’s essential to manage assets, resources and risks in a focused and structured manner,” says Doug Landoll, chief strategist for the IT security consulting firm Lantego and author of The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. “The need for systems to manage governance, compliance and regulatory issues is enormous.”

Clearly, managing a long list of internal issues and external requirements is no simple task. More than a few companies have found themselves reeling as a result of internal policies gone astray, or an inability to adhere to industry and government regulations. In today’s data-centric world, risk management is no longer an abstract concept; it’s an essential foundation for conducting business.

Organizations are searching for ways to take a more strategic tack, consolidate initiatives, and do a better job of recognizing and categorizing risk. Unfortunately, the situation isn’t getting any simpler.

Although high-profile regulatory and compliance requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) grab the headlines, a spate of global initiatives conspires to create an almost mind-numbing situation. According to the Washington, D.C.-based Competitive Enterprise Institute, U.S. federal agencies alone issued 3,830 rules in 2008 at a total cost of $1.17 trillion. To be sure, there are complex security issues to cope with, internal business processes to examine and potentially high costs associated with IT systems, including storage devices and software to manage them.

As a result, the concept of enterprise risk management is changing, says Joseph Bugajski, senior analyst at Burton Group. Organizations are looking to consolidate efforts and improve the visibility of risk throughout the enterprise. An effective governance, risk and compliance (GRC) strategy can help centralize and integrate policies, processes, procedures and controls.

“Although the term GRC is gaining traction throughout the business world, these initiatives actually represent different but similar challenges that relate to risk assessment and control of data,” Bugajski explains.

How can an enterprise navigate the GRC world? What can it do to minimize risk and maximize internal security? And how can it put business processes and IT systems to work in order to stay out of trouble?

What’s clear is that GRC can lead an organization through a confusing labyrinth of concepts, tools, business processes and IT systems. “What makes enterprise risk management so challenging,” says Karl Kispert, director of the Corporate Governance Advisory Practice at Huron Consulting Group, “is that many organizations have traditionally operated silos and have used fragmented solutions.”

Framing a Strategy

Utter the words “enterprise risk management” to any corporate executive, and you’re likely to wind up with an earful about protecting assets and steering clear of trouble. High-profile examples of breakdowns abound, and there is a growing focus on accounting and security practices. A major reason for the change: Government entities have increasingly introduced regulations and laws stipulating privacy standards, accounting rules, environmental and other requirements in response to the excesses of the past.

According to Deloitte Financial Advisory Services, 24.3 percent of survey respondents in 2009 indicated that they view the risk of a government investigation as being higher today than a year ago, yet only 20.8 percent of these executives say their organizations are “very ready” to handle a government or regulatory investigation. Worse: A 2008 study conducted by Aon Risk Services found that among 320 corporations in 29 countries, a shocking 42 percent of respondents identified risk only through intuition.

That’s not good enough in an era of accountability and transparency. The upshot? Management must play an active role in framing a strategy, says Burton Group’s Bugajski: “There must be an overall framework in place to manage risk and oversee compliance for both internal and external factors.” This task is made even more difficult by shared data, unstructured data, and massive amounts of stored and archived data. “In many cases, companies don’t even know what data they have and where it resides,” he adds.

A starting point for addressing the challenge is to recognize the roles of both the business and IT sides of the enterprise. Business leaders must build the conceptual framework for identifying data that’s sensitive or private, knowing where it should reside and how it will be used. The IT department, on the other hand, serves as the custodian of the data and must develop systems to monitor, manage and protect the information. Both groups must work closely together within a formalized structure.

Unfortunately, creating rules and privileges—and determining where data will be stored—frequently emerges as a point of conflict within an enterprise. “Oftentimes,” Bugajski says, “the business side will say, ‘Well, we don’t know where the data is, and we can’t really do anything about it.’ There’s an element of truth in that because the data may be stored in the cloud somewhere. But that doesn’t eliminate the responsibility for managing the data.”

At that point, it’s up to IT to identify ways to locate all the data on the network and beyond—while also identifying software and tools to protect it. Lantego’s Landoll contends that identifying a single data owner is a key factor in achieving success in the GRC arena. “Too often, it’s not clear who has ownership of data,” he says. “Users throughout an organization wind up making decisions that may or may not fit the company’s best interests.”

Automation is also essential. GRC products target access control and rights, firewalls, encryption, digital rights management, endpoint security and reporting capabilities. Some systems monitor compliance and compare IT configuration changes with security policies—including changes made by individual employees—so that it’s possible to flag violations. A variety of vendors offer GRC solutions, including BlackLine Systems, CA, IBM, Informatica, Lumigent, Microsoft, Novell, Oracle and SAP.

Of course, effective risk management also involves vast storage arrays, mobile devices and productivity tools such as the USB drives that employees carry with them. “Gaining visibility is a huge task, and indexing and e-discovery are crucial,” says Terri McClure, an analyst for Enterprise Strategy Group.

By the Numbers

One of the pain points with information technology is that every solution eventually becomes a problem. Dozens, if not hundreds, of different spreadsheets, software packages, storage devices and reporting products eventually conspire to create an unmanageable tangle of systems. When that occurs, tracking data and understanding risk can lead to a black hole of processes and technologies.

Tammie Coley, director of accounting at Cox Communications, understands that concept well. With more than 6 million customers, the third-largest cable provider in the United States has 18 field locations that stream data into the company’s headquarters in Atlanta. In the past, each location had its own accounting team. Maintaining accuracy in a decentralized environment was cumbersome and time-intensive. “Each office had its own system for reconciliations,” Coley says. “While we had good policies in place, there was no efficient way to monitor those policies.”

In some cases, weeks or months would pass before headquarters spotted discrepancies and potential problems. Then auditors or compliance team members had to track down spreadsheets residing on hard drives scattered across the company and find supporting paperwork tucked away in binders. “It was a huge effort,” Coley says. “Our month-end closing schedules had become unpredictable. We needed to improve the efficiency of our reconciliation controls.”

In November 2005, Cox Communications turned to software from BlackLine Systems to roll up manual records and automate data from an Oracle E-Business Suite. The company’s goal was to improve data access and accuracy, establish a more standardized platform, improve accountability, and obtain faster closes and better insight into financial processes.

By automating the systems, Coley says, Cox has managed to trim 1,500 worker-hours per month in processing time. The system also has reduced travel expenses and, most importantly, put data at the fingertips of auditors and compliance managers. Although Cox became a privately held company at the end of 2004—thus eliminating Sections 302 and 404 of Sarbanes-Oxley requirements—it continues to adhere to the same stringent regulations.

The BlackLine software has transformed governance at Cox Communications. “We can see whether reconciliations are being performed correctly and whether field offices are getting deposits to the bank on time, and we can easily monitor the progress of month-end closes,” Coley says. In fact, she has alerts in place to remind staff about required tasks and corresponding due dates. “We have entered a new era of efficiency and accuracy,” she adds.

Rx for Progress

Over the last quarter-century, regulatory requirements have become a fact of life for many organizations. And Sarbanes-Oxley is only the beginning. A dizzying array of initiatives—Basel II, the Gramm-Leach-Bliley Act, HIPAA, NERC, COBIT, COSO, RoHS, WEEE and many others—force a growing number of organizations to adopt policies and procedures that ensure compliance.

“It has gotten to the point where an organization’s enterprise risk management strategies affect its credit rating,” Huron’s Kispert explains.

Mark Pfefferman, director and assistant vice president of identity management for Western & Southern Financial Group, is among those who clearly understand the gravity of risk management. The Cincinnati-based Fortune 500 firm, rated among the top 10 insurance companies worldwide ($2.78 billion in 2008 sales), must adhere to the Model Audit Rule (MAR), a body of regulations that dictates auditing requirements and data access rules. HIPAA and Gramm-Leach-Bliley regulatory issues also apply.

“We have to address regulations and requirements without pushing up our head count and overall costs,” he says.

A data breach could result in the company losing the public’s respect and, in a worst-case scenario, losing its charter to conduct business in Ohio and beyond. In the past, Western & Southern Financial had mostly manual controls in place.

“Unfortunately, humans are very poor monitors,” Pfefferman says, adding, “There’s a huge cost associated with having people dedicated to manual controls, and it’s extremely difficult to audit the environment.” In fact, an audit could require hundreds or thousands of pieces of paper or spreadsheets.

No longer. The company now provisions access rights and privileges based on roles and then certifies that individuals are slotted into the correct roles with the desired level of access. Using Novell Access Governance Suite, Western & Southern Financial is rolling out the system department by department, until all 4,000 employees are using it.

The advantages include better reporting, more granular access controls, improved auditing capabilities, and reduced administration and personnel costs, according to Pfefferman. The solution also has “a very tight system for terminating rights,” he says. “We’re able to avoid orphan accounts that could lead to unauthorized access to systems.”
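The two controls described above, certifying that each account holds only the entitlements its role justifies and terminating rights so that no orphan accounts linger, can be expressed as a reconciliation between the HR roster and the accounts found in a target system. The following is an added example written for this article, not code from Novell Access Governance Suite or from Western & Southern Financial; the roles, entitlement names, employees and accounts are all constructed for illustration.

```python
"""Role-based access certification and orphan-account reconciliation.

Added example (not Novell's or Western & Southern's code). It compares the
HR roster (the authoritative record of who is employed and in what role)
against the accounts provisioned in a target system, then reports:
  * orphan accounts: accounts with no active owner in the roster
  * certification findings: entitlements a user's role does not justify
    (excess) and entitlements the role grants but the account lacks (missing)
All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the entitlements each role is permitted to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "claims_adjuster": {"claims:read", "claims:write"},
    "underwriter": {"policy:read", "policy:write", "claims:read"},
    "it_admin": {"server:admin", "policy:read"},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    active: bool            # False once HR has recorded a termination


@dataclass
class Account:
    account: str
    emp_id: Optional[str]   # None when no HR owner is recorded at all
    entitlements: Set[str] = field(default_factory=set)


# Constructed sample HR roster.
ROSTER: List[Employee] = [
    Employee("e100", "claims_adjuster", True),
    Employee("e101", "underwriter", True),
    Employee("e102", "it_admin", False),     # has left the company
]

# Constructed sample: accounts as they exist in the target system today.
ACCOUNTS: List[Account] = [
    Account("jdoe", "e100", {"claims:read", "claims:write"}),
    Account("asmith", "e101", {"policy:read", "policy:write", "server:admin"}),
    Account("bjones", "e102", {"server:admin", "policy:read"}),   # owner terminated
    Account("svc_legacy", None, {"policy:read"}),                 # no owner on file
]


def find_orphan_accounts(roster: List[Employee], accounts: List[Account]) -> List[str]:
    """Return names of accounts whose owner is not an active employee."""
    active_ids = {e.emp_id for e in roster if e.active}
    return sorted(a.account for a in accounts if a.emp_id not in active_ids)


def certify_access(roster: List[Employee], accounts: List[Account],
                   role_entitlements: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Compare each owned account's entitlements with what its owner's role allows.

    Only accounts with an active owner are certified here; orphans are
    reported separately by find_orphan_accounts.
    """
    by_id = {e.emp_id: e for e in roster if e.active}
    findings: Dict[str, Dict[str, List[str]]] = {}
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            continue
        allowed = role_entitlements.get(emp.role, set())
        excess = sorted(acct.entitlements - allowed)
        missing = sorted(allowed - acct.entitlements)
        if excess or missing:
            findings[acct.account] = {"excess": excess, "missing": missing}
    return findings


def revoke_orphan_rights(accounts: List[Account], orphans: List[str]) -> Dict[str, List[str]]:
    """Strip every entitlement from the named orphan accounts.

    Returns what was revoked per account so the action can be logged and audited.
    """
    revoked: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.account in orphans and acct.entitlements:
            revoked[acct.account] = sorted(acct.entitlements)
            acct.entitlements = set()
    return revoked


if __name__ == "__main__":
    orphans = find_orphan_accounts(ROSTER, ACCOUNTS)
    print("orphan accounts:", orphans)
    print("certification findings:", certify_access(ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS))
    print("revoked:", revoke_orphan_rights(ACCOUNTS, orphans))
```

In this constructed data the check flags `bjones` (owner terminated) and `svc_legacy` (no owner recorded) as orphans, and reports that `asmith` holds `server:admin`, which the underwriter role does not grant, while lacking `claims:read`, which it does. Keeping the HR roster as the single source of truth is what makes the termination path tight: an account is an orphan the moment HR marks its owner inactive, regardless of whether anyone remembered to file a deprovisioning ticket.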

Protection Schemes

One thing that makes GRC so challenging is the fact that it touches all corners of an organization, including security. Server security, vendor patches, endpoint systems, firewalls and other components all play a key role in managing data and ensuring that it doesn’t fall into the wrong hands. Consequently, IT managers need to take an active role in maintaining various systems and ensuring that technology solutions fit the underlying business processes.

IT leaders also need to work closely with GRC vendors. “Many companies rely on outside vendors, and there’s a clear risk associated with sharing access rights and data privileges,” Pfefferman points out. “It is critically important to identify high-risk vendors that are dealing with your critical information, including intellectual property and customer records. You have to know where data is stored, how it is protected and what the company is doing with it.”

At the Visiting Nurse Service of New York (VNSNY), the largest not-for-profit home health care firm in the United States, security is a key component in GRC, says Chief Information Security Officer Larry Whiteside. HIPAA is a core issue, and maintaining secure electronic medical records is imperative. The VNSNY must also comply with MAR regulations from the National Association of Insurance Commissioners.

As a result, the company monitors all network traffic using Symantec’s Security Incident Manager (SIM) application, and it uses endpoint encryption for laptops, USB drives, and other equipment and devices that employees carry into the field. Altogether, the company manages approximately 8,000 devices, including 4,500 machines that travel outside the company’s offices.

In addition, the VNSNY has conducted a thorough e-discovery and risk assessment analysis using Symantec’s Vontu Data Loss Prevention (DLP) technology. “It was an eye-opening experience because we did not realize how much unstructured data we had residing all over the enterprise,” Whiteside reports.

The result? In addition to adding specific applications and solutions, the organization changed many of its policies and data retention practices. For example, the VNSNY now deletes e-mail messages after 15 months. “Unless someone has a specific business reason and gets approval from a committee, it’s gone,” Whiteside explains.

It’s clear that GRC has emerged as a mainstream issue—and one that no company can afford to ignore. While a multitude of vendors offer products, it’s ultimately up to the IT organization to work with business leaders to build a culture of accountability and assemble the right combination of hardware, software and policies. In addition, the ability to track Key Performance Indicators (KPIs), Key Result Areas (KRAs) and metrics is significant. The use of Balanced Scorecards and the ability to manage multiple regulatory issues within a single dashboard are also important.

Make no mistake, governance, risk and compliance issues aren’t about to disappear. Business and IT leaders must learn to collaborate on solutions that provide visibility deep into the organization. They must also automate processes by connecting systems scattered across departments and divisions.

As Huron’s Kispert puts it: “An organization must go beyond the vendor buzz about GRC and design a comprehensive and effective solution. With a view of data and systems across the enterprise, it’s possible to manage risk effectively.”

Understanding Risk

Enterprise risk management can touch all corners of an enterprise. However, governance, risk and compliance (GRC) typically addresses four primary challenges:

1. Business Risk: This consists of actual threats to the organization, including its products, services, intellectual property and records. Business leaders must communicate to IT leaders what issues exist and where data might reside.

2. Technology Risk: It’s important to understand what pieces of information need to be protected in what way, so that an organization can build the right IT infrastructure, says Karl Kispert, director of the Corporate Governance Advisory Practice at Huron Consulting Group. System security is also at the core of successful GRC.

3. Legal/Regulatory Risk: An organization must establish processes and systems that match legal requirements, whether that involves an e-discovery system that must comply with an e-mail retention rule or storage and encryption standards for managing credit card data.

4. External Risk: IT must address all external threats related to data storage and retention, as well as information life-cycle management. IT needs to play a central role in protecting and disposing of data properly.

A New Lease on Data

Leasing office equipment to hundreds of different companies can create a governance nightmare, and ensuring consistency in the credit review process can tax even the most tech-savvy organization. At Nolè, a Rome-based company that processes approximately 5,000 contracts a year, effective governance is the difference between succeeding or drowning in a sea of red ink.

Two years ago, the company turned to SPSS predictive analytics software to manage its credit approval process and ensure that it follows government regulations. Piero Biagi, general manager of Nolè, says a statistical scoring system and a set of business rules have created a more consistent and refined model.

“We have eliminated bad decisions and sped up the entire credit review process,” he says. In fact, data and text extraction capabilities help the company find the exact data needed when it needs it.

The initiative has helped the company develop better and more stringent business rules, nail down internal auditing and external compliance issues, and improve bottom-line results, Biagi says. Nolè is now able to make better decisions—and to make them faster, with credit approvals taking place 160 percent faster than before. Says Biagi, “Ours is a highly competitive environment, and efficiency is critical.”

Taking a Healthy Approach to GRC

Managing health and medical records for a state with a population of 3.8 million is no small task, but the Department of Human Services for the state of Oregon takes the challenge seriously. Only a few years ago, spreadsheets and a mélange of systems made it difficult to track records.

Handling all the data—and ensuring adequate security and privacy—was nothing short of daunting. “Medicare, Medicaid, HIPAA, USDA and other programs created significant regulatory, compliance and security challenges,” says Chief Information Security Officer Kyle Miller.

No longer. Today, the agency manages somewhere in the neighborhood of 5,000 contracts and hundreds of thousands of individual records with CA GRC Manager. After entering pertinent regulatory and compliance requirements, the application ferrets out relevant documents and files and ensures that policies and workflow match organizational requirements. Moreover, “We are able to make sure that employees have read and signed off on rules,” says Matt Betts, program and project manager in the Information Security Office.

Along the way, Human Services has ramped up project management and project portfolio management, assessment tools, audit policies, information exchange with partners and more. Today, the agency enjoys greater flexibility and scalability, including the ability to extend business processes and rules throughout the agency and beyond. With a unified view of compliance, it has reduced costs and improved productivity.

“We’ve brought structure to our high-level strategy,” Betts says. “We’ve built a framework for managing data more effectively and securely, while minimizing overall risk.”