Tag Archives: compliance risk

How to Face Rising Compliance Risk?

As digital capabilities expand, so do compliance risks—especially those related to privacy and cyber risk.

Enhanced analytics and visualization tools are providing insurers with new and better ways to identify, manage and report risks. But along with the availability of more sophisticated technology comes increasing compliance risks related to privacy, cyber risk and the use of digital channels.

At a time when the compliance function must manage risk with constrained resources, it must demonstrate and provide value to the organization—and insurers must support compliance’s seat at the table.

For our Accenture 2016 Compliance Risk Study, we surveyed more than 150 compliance officers at financial institutions across the Americas, Europe and Asia-Pacific. Of concern is that many respondents reported that their data and technology architecture does not meet their needs for managing the increasing compliance risks.


Other issues facing compliance officers include:

  • Slowing investments in compliance.
  • Shifts in reporting lines to executives.

There are difficult choices in how to make the best use of resources.

In this Insurance Insight of the Week video, I outline what compliance officers see as being their top priorities over the next 12 months to three years.

As the pace of change continues to intensify, insurers and their compliance functions must identify a path forward that enables them to meet emerging risks and changing stakeholder expectations, and successfully measure their progress along the journey.


For the other videos in this four-part series, visit the Accenture Insurance Blog.

How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months, talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over it and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.

12 Questions for Managing Cyber Risk

Recently, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40 to 50 board members very actively involved, because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list:

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of intellectual property, compliance risk and so on) and not just IT risk?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved and how useful it is – and to whom.