Risk Management and Business Context

This week I attended the RSA Security Analytics Summit in Washington D.C. and had the incredible opportunity to meet one of the smartest individuals to date. Nate Silver was the keynote and he covered a lot of ground, including 1) an analogy between the proliferation of information via the printing press in 1440 and, most recently, the World Wide Web in 1990; 2) The End of Theory: The Data Deluge Making the Scientific Method Obsolete; 3) the 538 method and lessons from the 2012 elections; 4) the influence of bias in big data; 5) the “Signal-to-Noise” ratio, which results in an increased number of variables, along with the need for a true distribution model to enable effective trend analysis; 6) the limitation of technology in some cases where technology was deemed more powerful and a better predictor than the human brain; and 7) the use of mathematics to help with predictive modeling. As you can see from the list of topics, the presentation was truly engaging and thought-provoking.

Towards the end of the presentation Nate Silver provided a suggested approach that not only solidified his presentation but also provided actionable guidance on how to better use data as a predictor. The suggested approach is as follows:

1) Think Probabilistically
2) Know Where You’re Coming From
3) Survey the Data Landscape
4) Try, and Err

When given the above guidance, which is clearly outlined in his book The Signal and the Noise, I instantly related point number 2, “know where you are coming from”, to risk management. The reason it resonated with me so much is that I am a communications major and studied countless hours, both in theory and in practice, on intra- and interpersonal relationships. As I work with organizations and listen to the different approaches to risk management using predictive analysis, I find that people in the risk management profession often overlook the power of knowing where people, or in this case risks, are coming from within the organization. Risks to financial data or healthcare records are different from risks to a conference room portal application. People must apply common sense to sophisticated models of risk analysis. The only way to get common sense is to drive context into the relationship between the risk and the expected results or impact to the business.

The need for context (common sense) has never been greater. As you look to drive your risk management or even security practices within your organization, you must have all four elements in place, not just 1, 3 and 4. Context of the risk will empower you to respond in a logical, appropriate, timely and effective manner. Context will also enable you to ensure that people, departments and divisions understand the impact to their world, and it enables the conversations you need to have with executive leadership for relational visibility into the risks that truly impact their world. Without context you will provide less meaningful data and increase the risk exposure of your organization.

In closing, I recommend reading Nate Silver’s book The Signal and the Noise, and I look forward to seeing how all of you apply his astute suggested approach.

Shire Pharmaceuticals Drives Into the Future of Healthcare

Some would say that there is nothing more gratifying than helping people in need. In the case of Shire Pharmaceuticals, helping people with life-altering conditions to lead better lives is core to their business and their culture. Based nearby in Lexington, Massachusetts, Shire focuses on developing treatments for conditions in neuroscience, rare diseases, gastrointestinal medicine, internal medicine and regenerative medicine. The need to stay on the cutting edge of healthcare is paramount to the organization, and information security has played a key role in that mission.

Shire’s Senior Director of Information Risk Management & Security, Bob Litterer, came to the company tasked with developing a world-class information security function aligned to their business goals. Like so many CISOs today, Bob knew the importance of information security as a business enabler, but needed to drive awareness and create a security culture that embraced their business. In his words, “we didn’t want to perform security for security’s sake”. He was also tasked with reducing costs associated with changing compliance requirements, driving up efficiency, and managing acceptable risk tolerances so the organization could continue to innovate and stay competitive. Quite a tall order when there is so much on the line.

Like any good leader, Bob knew he needed a great team behind him – so he brought in one of our alliance partners, OpenSky, which helped build a comprehensive Governance, Risk and Compliance (GRC) platform based on RSA Archer.

As you heard Peter Ridgley, Lead Consultant from OpenSky, explain in the video, Shire was able to quickly spotlight where there was a need for improvement as well as areas where they were successfully hitting the mark. The visibility through RSA Archer allows Shire to do a drill-down review of each area to determine how they can improve, driving credibility into the management of the program as well as demonstrating its depth.

Additionally, Shire is now able to continue that assessment on a regular basis to report progress, showcase how the information security organization is aligned with the goals of the business, and ensure they are always able to meet changing business needs and compliance requirements.

While this project is impressive in and of itself, I am happy to share with you that Shire has earned an important industry accolade as well. Just last week, the company was awarded the OCEG GRC Achievement Award at the 2013 Compliance Week Conference, which recognizes organizations that make great strides in improving and integrating their approaches to governance, risk management and compliance. Working with OpenSky, Shire leveraged the OCEG Red Book to provide a framework for managing the GRC program, and it has been paying off in spades. Thanks to the dedication of Shire and OpenSky, as well as the power of RSA Archer, Shire gets to take home this honor, and we couldn’t be happier.

What have years of exploring eGRC taught us?

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Those of you who know me from the world of enterprise governance, risk management and compliance (eGRC) will know that I have a particular view of eGRC, which is rooted in what I’ve learned from the hundreds of customers I’ve worked with over the course of my career. For those of you who don’t know me, I’d like to introduce myself by sharing my overall philosophy with you and giving you an idea of what I want to achieve with my blogs.

eGRC: led by technology or strategy?

There are many vendors who are using the phrase ‘enterprise governance, risk management and compliance’ as a catch-all to create a market for their technologies. Let me put my stake in the ground: eGRC can’t just be about technology. To be effective, it needs to be a tightly woven strategy for leveraging people, processes and technology to achieve business objectives.

Specifically, we’re talking about business objectives shared predominantly by four enterprise domains: IT, finance, operations and legal. Focusing on technology is not a bad approach, but is myopic when considering how people and processes across the enterprise need to be engaged in the program.

Is your organization struggling with eGRC silos?

Here are some typical indications that your organization hasn’t yet taken a strategic approach to eGRC:

If you’re in IT, do you find yourself thinking: “I’m so busy with day-to-day IT activities, I have no idea whether my role provides business value; I just hope it does”; or “I work in IT; how can I truly affect our business objectives or increase shareholder value”?

If you’re outside IT, do you find yourself thinking: “The key objectives on my plate don’t pertain to IT. Sure, I use systems, applications and devices, and IT is great at supporting me. But when we’re opening a new site or trying to launch a new product, IT gets in the way.”

If you’re outside IT and engaged in some form of risk management, do you believe something like: “For me to do my job in the financial risk management group, IT needs to do what IT is meant to do…serve us!”

In most cases, views like these indicate a complete disregard from senior management for the importance of investing in both top-down and bottom-up eGRC objective-setting. They reflect a lack of visibility of how the work of different business functions links together — or should link together — to drive towards the end game. They show a distinct lack of collaboration, which is a theme I’ll return to in later blogs. This is particularly evident in the view of IT having no strategic role to play in risk management, which is isolationist (and in many cases egotistical) thinking that just gets in the way of the business achieving its objectives.

Or are you doing it right?

For those of you who do know me and have already taken the initiative within your organization to transform your business, much of what I’ve just described has already been sent to the waste-basket or kicked to the corner. I know so many companies that have done it right and are well on their way to true strategic and collaborative eGRC across the domains of IT, finance, operations and legal. And when we asked Ovum to research the status of eGRC across seven countries in North America and Western Europe, their results agreed.

eGRC is personal

The great thing about this approach is that the people I’ve worked with have created an amazing upward professional path for themselves and can point to their eGRC efforts as game-changing in their career. Ultimately eGRC is all about you! It’s about enabling you to have the right visibility and control so that you can make better decisions, act faster and ultimately spend less.

eGRC is about trust

I look forward to sharing with you many of my stories and will hopefully provide a forum for us to really get things out on the table. I would like this blog to be about trust. Trust between you and me. Trust that we can agree to disagree. Trust that when I’m wrong, you’ll be constructive in your feedback. Isn’t that ultimately what eGRC is all about? Trust.

GRC Resources:
EMC eGRC resources: www.emc.com/grc
RSA eGRC resources: http://www.rsa.com/node.aspx?id=3732

Next time:
Unpicking the concept of eGRC