2012-09 Managing Information Security Risk in Distributed and Dynamic Business.pptx (Author: Michael Rasmussen)
Transcript
Presented by:
Collaborative Accountability in GRC: Creating Harmony Across Business Roles
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
• You “stand in the shoes” of your business relationships
– Their problems are your problems
– Their problems directly impact your brand and reputation
• Increasing regulatory focus
– Can you attest to an “in-compliance” status?
• Many companies focus on the on-boarding process…
– Most risk is incurred over the life of the relationship
– Who owns on-going third party risk?
– How is third party risk assessed and reported to the board?
The issues organizations face in managing risk and compliance across extended business relationships include:
• Information Security
• Privacy
• Anti-corruption
• Code of conduct and ethics
• Corporate social responsibility
• Environmental
• Geo-political
• Health and safety
• Import and export
• Labor standards
• Operational risk
• Quality
• Regulatory compliance
• Physical Security
• Supply-chain risks
The current state of 3rd party risk management is like “Dante’s Inferno”
Risk is only considered during the on-boarding process
• Risks in extended business relationships are usually only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This common approach fails to recognize that risk is incurred over the life of the business relationship. Once a relationship is established, organizations often neglect risks that build over time.
Partner performance evaluations neglect risk
• Metrics and measurements for ongoing business relationships often fail to fully analyze and monitor risk in extended business relationships. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.
IS YOUR PROGRAM CONSISTENT?
Establish standardized processes that apply to all areas of the business everywhere in the world. Incorporate standardized forms and templates to drive consistency.
IS YOUR PROGRAM RESPONSIVE?
Support transparent and sound decision-making with strong management oversight and robust reporting.
IS YOUR PROGRAM INDEPENDENT?
Minimize potential conflicts of interest and ensure decisions are objective.
IS YOUR PROGRAM REASONABLE?
Don’t interfere with operations or be a burden on the business.
REINFORCE BRAND AND CORPORATE REPUTATION
Enhance Brand Credibility
Solidify Shareholder Trust
Respect in the Marketplace
FULFILL LEGAL OBLIGATIONS AND GUIDANCE
U.S. Foreign Corrupt Practices Act
Bribery Act
U.S. Dodd-Frank and Patriot Acts
Public Procurement Laws
Track and assess policies and controls for effectiveness and performance in various ways:
SCREEN – monitor internal and external information and compare vendor, partner and customer records against trusted data sources for red flags that indicate issues
AUDIT – provide regular internal audit oversight and inspection of the anti-corruption program; test and assess controls to determine if additional or modified action is necessary
INVESTIGATE – obtain and assess information about observed or suspected misconduct, using appropriate qualified teams, and considering privilege issues
IDENTIFY – establish hotline and other open channels for reporting and resolution of questions and issues
evaluate data to locate concerns and potential problems by applying analytic techniques, tools and reporting capabilities