By Grant Elliott, President and CEO, Ostendio
Twitter: @ostendio
There’s an inherent risk to doing business, particularly business that touches personal data. For years now, the business community – from healthcare to retail – has focused on the threat prevention aspect of data security. We train employees on compliance, how to recognize PHI and personally identifiable information (PII), and to protect data privacy. All good things. The exhausting part of the process is knowing that data is always going to be at risk. That’s why Integrated Risk Management (IRM) offers a more reasonable, strategic approach.
Deciding what risks are acceptable and how you’re going to manage them is choosing to be more risk management-oriented than risk-averse. Risk aversion is what typically drives businesses to implement tactics to address the prevention of anything adverse from happening. Most businesses tie this in with how policies are written and play out (governance) and how those policies and procedures help them meet regulatory requirements (compliance). Together they form the basis for GRC, which is how most companies look at their overall operations.
But that tide is turning. Instead of companies just shooting for the gold star of compliance, they’re looking at how risk management can both support and sustain growth. Gartner and Harvard Business Review (HBR) have published on the virtues of risk management. The idea that compliance simply isn’t enough, and a tunnel-vision focus on risk prevention could, in fact, stifle growth, is gaining traction.
The reality is that risk has evolved. The Internet of Things (IoT) and the proliferation of personal technology exponentially increases the amount of data generated every second of every day and the risk to it. Data is everywhere. Yet the majority of organizations are not only unaware of all the places their data resides, they’re also not fully aware of how it’s managed, nor who has access to it.
Traditional GRC tools don’t cover the strategic. One study shows that 86% of losses in a company’s market value relates to strategic risks, with only 3% relating to legal and compliance risks. Yet most businesses tend to focus on compliance vs looking at risk strategically.
The same study identifies people to be one of the main risks to organizational security. To address that risk at a granular level, every employee needs to comprehend how their particular function relates to overall security, and what they can do to manage risks to data security.
So, what will an IRM solution look like?
As the move to IRM’s comprehensive approach intensifies, organizations will increasingly look to platforms and tools that enhance their ability to:
- Manage risk at an enterprise level
- Assure that employees comprehend their role in IRM
- Track assets and manage inventory
- Self-audit and track tasks
- Centralize document management for policies, procedures, and contracts
- Assure transparency with third-party vendor security status
- Respond effectively to security incidents and breaches
There will always be a need for organizations to respond to risk from a legal and compliance perspective. It’s simply that there needs to be a greater emphasis on managing risk, and a need for a tool that does that. Likely, that tool will be cloud-based, affordable and scalable, and will give them a leg up over the competition. To grow and innovate, successful organizations must take risks; an IRM strategy helps turn those identifiable risks into potential.
This article was originally published on Ostendio and is republished here with permission.