You are here

Here's a better way to do compliance and risk management

public://pictures/b.png
Joydip Kanjilal, Consultant, Independent

As government regulations spread around the globe, geopolitical, regulatory, legal, and compliance risks continue to present challenges in the enterprise. With the proliferation of laws and rules and the increase in stakeholder expectations, your organization may be more vulnerable to compliance risks than ever. 

Too many companies are still taking an old-school approach when it comes to managing compliance risk. Today's issues of risk change at the speed of business, so your strategy and process must also change quickly. Here's how to go about doing that. 

[ Explore the challenges and opportunities facing SOCs in TechBeacon's new guide. Plus: Get the 2019 State of Security Operations report. ]

Know your terms

Many compliance regulations have been enacted to ensure that organizations operate fairly and ethically. Most organizations have compliance processes in place to make sure they adhere to all relevant laws and rules, or face potential legal, financial, and other consequences. 

Compliance risk is any threat to an organization's financial, organizational, or reputational standing. A well-defined compliance process can reduce your organization's overall risk of violating these standards—and facing the consequences.

Compliance management and risk management are related, but they are not the same thing. Risk management involves predicting and managing risks to help an organization protect itself from risks that might eventually lead to non-compliance. For its part, compliance management is the process of managing compliance within the boundaries of a time frame and a budget. Non-conformance to compliance regulations is also a risk.

You cannot have a robust risk management program without compliance, and vice versa. However, to address compliance and risk management, you should have distinct approaches and execution tactics for both. Non-compliance is a risk, but risk management is not compliance.

Hence, these two should be dealt with differently. The correct risk management strategy can tackle both compliance and risk management.

[ Also see: GDPR execution will be a major task this year—and reap benefits ]

The traditional approach 

Typically, a compliance team assesses the existing program, which includes evaluating the process and technology and analyzing ways to improve how compliance is being managed. The compliance team also manages a budget to invest in any new technologies needed to attain the desired objectives, and assigns resources to reach the goals and objectives.

To identify, manage, monitor, and reduce compliance risks in an organization, you need to take advantage of certain strategies. These include identifying the areas of high risk, and ensuring that regulatory alerts and updates are actionable—all of which the compliance team manages.

[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]

Doing it differently: Become more risk intelligent

Business is changing so rapidly that the old, reactive ways of managing compliance risks might lead organizations to fall behind the competition or leave them exposed to larger regulatory or reputational risks than they ever expected.

This is why some organizations are finding ways to better manage compliance risks and be more risk intelligent, which involves being more aware of today's risks. You need an integrated compliance model across the organization to keep compliance risk in check, and to ensure that ethics policies are followed at every level in the organization.

It requires a holistic approach toward managing compliance in an organization. The goal is to provide a single, enterprise-wide solution toward managing compliance. The benefits of an integrated compliance strategy include reduced risk, faster time to market, reduced costs, enhanced customer experiences, and more.

How to approach risk management now

Companies in the same industry and of the same size are likely facing similar compliance challenges. What are your peers doing to mitigate such risks? Business leaders need to come up with a unique compliance management strategy that does not follow the same approach used by their peers. 

Here's why: If you are handling compliance risk management like everyone else, how can you gain an edge? Evolve your risk management approach by analyzing what your organization is doing today and how it should be doing it tomorrow.

Here are six ways in which you can handle compliance in a different way:

1. Adopt a unique compliance strategy 

Such a strategy may anticipate future industry trends across business, products, services, and geographies. This will help the organization gain a competitive advantage through well-planned compliance management programs.

2. Technology and tools

The right combination of technology and best practices can make your compliance process more effective. With today's tools and technologies, it is not that difficult to stay ahead. An efficient approach for managing compliance risk is to use tools that can extract data from your systems and then tell you what is deviating from the desired policies. 

[ Also see: Use data masking to ensure secure—and compliant—software delivery ]

3. Framework to manage compliance risk

One way to improve how you manage compliance risk is to build a framework and methodology for assessing the risks. This framework should, in turn, be comprehensive and customizable. 

A compliance framework refers to a set of guidelines and policies that discuss how an organization can adhere to compliance regulations. Typically, it is developed by the compliance and risk management teams in an enterprise.

It may be built from scratch, or existing frameworks can be leveraged. This is at the discretion of the enterprise. Some ready-built compliance frameworks available include the COBIT 5 Framework and the Unified Compliance Framework

4. Increased collaboration

Increase collaboration and functional integration among all those who are involved in various areas of compliance, including senior managers and the compliance and risk management teams. There should also be an automated workflow in place to deal with the complete compliance process; this workflow is typically created by the compliance management and development teams.

5. Enterprise-wide risk management process

Risk and compliance should be integrated into an enterprise-wide risk management process. This will ensure that any risks and compliance issues faced by the organization are not considered in isolation. It should include all activities related to risk management and compliance, and it should provide a framework that can be leveraged to assess an organization's exposure to risk. This helps the organization make timely and well-informed decisions.

Employees ranging from senior managers to risk practitioners should be involved in this. To get started, establish an enterprise risk structure that matches your organization's structure.

6. Training

To better manage compliance risks, you should have a well-defined process as well as well-documented policies, procedures, and guidelines. Corporate leadership should communicate expectations and values. It is imperative that training help make everyone aware of what he or she should adhere to—all related laws, regulations, and company policies.

Periodic checks should also be conducted to ensure that people are following the rules—at least, until the compliance culture fully takes effect.

Compliance should be a culture

For compliance management to be success, merely following the right strategies, adopting the right tools, and doing the same old thing won't be enough. You must create a culture of compliance across the organization. And, ultimately, adherence to compliance shouldn't have to be imposed on employees, but rather, should come from within.

[ Find out how to take control of credentials privilege in your organization in this Oct. 31 Webinar. You'll learn best practices, more. ]