Rethinking risk management for financial services firms


Rick Lawhorn, Contributor
05.20.2008


GRC in the financial services industry


The recent credit crisis in the world economy is changing the way financial institutions look at risk. Risk categories are quickly expanding to incorporate not only external market pressures such as liquidity, hedge funds and derivatives exposure, but also internal conditions such as insider threats, regulatory exposures and control deficiencies that can directly impact the balance sheet.

Mix in the elements of recent events, such as the Societe Generale incident, and the spectrum of risk grows quite large. So it's no wonder that financial institutions have started to change how they evaluate risk. Instead of conducting evaluations at a single point in time, the new emphasis focuses on risk being a constant, evolving set of criteria that must be researched, maintained and applied throughout each business and back-office process.

External risk criteria tend to ebb and flow in direct relation to publicized issues such as Societe Generale. Items such as insider threats, weak security controls and publicized regulatory exposure spell trouble, especially in a down economy when the financial community may be hypersensitive to negative press. Within financial institutions, public disclosure of materially weak controls can lead to civil and criminal charges brought by employees and investors alike, which can further harm brand and customer loyalty.

To better prepare your organization for the impending changes in risk mitigation, here are some best practices that can be incorporated into your financial firm's risk management process.

Outlining governance frameworks

Implement a risk clearinghouse: Develop a workflow that utilizes a central repository of global risk- and compliance-related intelligence and news that has been made available to the public in order to detect emerging issues and breach disclosures. The collected data can provide a great way to trigger a risk review of your organization's current controls to ensure the best possible posture.

Automate risk assessments: Build risk assessments into existing business and IT processes, such as access controls and employee life cycle events. By establishing compliance touch points within applicable processes, alerts and indicators can provide earlier notification of fraudulent activity. In addition, certain employee actions, such as transfers, can be standardized through automation, providing mandatory checks to ensure the appropriate access controls.

Monitor compliance: Develop a hierarchical monitoring capability to ensure employees and managers are operating within a certain risk tolerance within their normal daily routine. By having a cross section of the organizational chart aligned to a standard baseline in compliance and risk mitigation activity, the organization is more likely to notice and thereby act upon behavioral indicators, especially in areas that require segregation of duties.

Determine legal sponsorship: As risks are identified, accurate measurements are normally required to determine the current posture of the organization. Once the enterprise commits to a routine test of controls, make sure to include the legal team early in the process so they can provide oversight of the tactical implementation of the testing, or offer suggestions on protecting the findings to reduce future exposure for the company.

It is no longer viable to claim a certain level of compliance or security just by having the appropriate documentation -- a.k.a. checkbox security. The shift is now firmly seated in actively implementing and enforcing security policies to protect the organization's customers and investors.

Even though the notion of business risk exposure in IT is still a challenge for the business as a whole, investors and executives demand to see proof, due to their exposure to civil and criminal penalties. The key is to ensure that risk management controls are routinely reviewed -- alongside newly identified risks -- and modified accordingly to reasonably prevent someone from subverting the controls. The greater the alignment between risk mitigation and IT operations, the greater the ability for the controls to work for your organization, not against it.

About the author:
Rick Lawhorn, CISPP, CISA, CHSS, TNCP is the CISO at PLANIT Technology Group and previously was CISO for GE Financial Assurance and Genworth Financial. He has more than 17 years of experience in information technology and extensive security experience, and has created a working group focused on developing meaningful metrics for CISOs. He can be reached at rick.lawhorn@mac.com.

