Op-Ed: Tackling security risk in GRC

Op-Ed: Tackling security risk in GRC
Derek Smith Jr.

By Derek Smith Jr.

Governance, Risk and Compliance (GRC), once carefully crafted, can effectively manage and monitor an organization’s enterprise risk environment and ensure compliance with industry regulations, while simultaneously addressing inherent vulnerabilities that can lead to negative business impact. Globally, businesses are becoming more reliant on information technology (IT) to increase productivity and efficiency, especially in the wake of the COVID-19 pandemic. Consequently, as dependence on IT increases, the threat of technology failures, incidents and expensive breaches also increases. The traditional compliance department must now see themselves as not only agents to ensure that business practices are aligned with governance, industry regulations and policies and procedures; we must now be keenly aware the only way we can provide creditable challenge within a heightened risk environment led by technology is to fully engross ourselves in the intricacies of information security risk management (ISRM).

Fenz, Heurix, Neubauer and Pechstein wrote, “Information security is as important as it has ever been, but the challenges to determine the factors contributing to information insecurity prove to be of complex nature. In order to reach a desirable level of protection against threats and to provide the necessary mechanics to protect organizations’ assets and knowledge, a vast variety of management approaches and methods have been developed in the last decades.”

For the avoidance of doubt, in this article, assets refer to sensitive data, intellectual property and access to critical operations. Assets become vulnerable once they are connected to the outside world via technology or human interaction. This vulnerability can be minimized but never be eliminated. As a result, threats (human, computer or natural) to these assets can happen at any time and with or without warning. It is against this backdrop that ISRM has become a critical component of enterprise risk management (ERM).

The dance with risk, as I affectionally call it, is a strategy that requires risk identification and assessment, risk control and risk response. In earlier articles, I addressed risk responses in the form of contingency planning. Over the next two articles, I will cautiously dive into risk identification and assessment in the context of ISRM. However, many of these approaches can be deployed to enhance other aspects of your organization’s ERM framework.

Risk identification includes, but is not limited to, risk categorization and risk valuation.

Risk categorization
Risks associated with assets should be identified along with their correlated threats and vulnerabilities. Risk managers should be fully aware of the asset’s name, asset’s owner and its importance to the business. Additionally, these assets should be further subcategorized into information data, procedures and people. The associated inventory data should also be identified, simultaneously.

Risk valuation
Another key step in risk identification is valuing the assets that are at risk. Some may argue that this action is purely financial because it requires calculations. I won’t touch valuation calculations but will merely make you aware that risk can be valued based on many options. These options include revenue generates, profit-generated, replacement cost, depreciation, value to the owners, value to the users, the cost to protect, cost of loss, etc.

Does this seem straightforward thus far? It may be to some; however, the challenge arises when assets have more than one owner and encompass multiple responsibilities. Therefore, it is imperative that the foundation of your risk identification process is thorough and strategic. To ensure your approach is comprehensive to risk management, risk and compliance professionals must start by identifying risks.

Derek Smith Jr. is a Top 40 Under 40 leader; the compliance officer at Higgs & Johnson, a leading law firm in The Bahamas; and the former assistant vice president, Compliance & Money Laundering Reporting Officer (MLRO), at an international private bank. His professional career started at a “Big Four” accounting firm and has spanned over 15 years including business risk management, compliance, internal audit, external audit, and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and an executive member of the Bahamas Association of Compliance Officers.