Whoa wait a minute…is this a psychology lesson? Well if so hopefully it's no less comfortable than your favorite chair!
Last week we kicked off a new blog series on Issues Management. Read Steve’s initial volley here which neatly frames up the problem of the "Issues Pit". This week I'll discuss the process of compensating for gaps, an often overlooked aspect of managing issues.
Basic risk and control doctrine calls for identifying multiple methods to address risk. We generically refer to these risk mitigation methods as controls. Typically (though not always) the more controls we can identify for a particular risk, the better. As such, it's the nature of things that some controls will be deemed more important than others. Some will be so important that they'll be required to be in place all the time and will usually receive some kind of flashy label like “key control”, “primary control”, etc.
Since it’s inevitible that controls can and will fail, those important key controls will often benefit from having other secondary controls to backstop the primaries and reduce the impact of a control failure. This is all very sensible and seemingly omnipresent not just in business but practically every aspect of daily life. (The generic example of speed limits + seatbelts + airbags + baby seats comes to mind.)
If control issues are unavoidable then it's certainly preferred to discover them on your terms versus some external actor. That's the worst case scenario. Nothing throws an organization into a panic faster than an unplanned crisis. And in almost every case, after action analysis will point to control failures as contributing factors or root causes. In other words, controls must be regularly tested to ensure they function properly; underpinning the essential discipline of compliance. As control issues (gaps) are discovered, a remediation process to address those issues must also be in place. This is unfortunately where organizations that think they have a good handle on things may often roll the dice unknowingly.
Suppose a control issue is found as the result of implementing new business technology and the only remediation is implementing some other new, expensive system on top of it? If the only quantitative decision criterion is the purchasing cost then the organization's leadership isn't very well equipped to make an informed decision, and increases the likelihood the purchase will be pushed off. This is where the value of a GRC program can really shine.
What if the leadership had quantitative metrics on the risks associated with the control gaps that showed the cost was less than the risk? Or, what if the risk could be partially reduced through other resources the company already has under roof? Perhaps a smaller investment could sufficiently address the remaining gap. Regardless, management would have a much better framework for balancing that decision against the other strategic decisions they have to make. And when there's good intel available to inform a decision, no executive would prefer to blindly guess instead.
This mix of risks and controls and exposure is constantly shifting as businesses and markets and security threats fluctuate. A healthy remediation strategy includes the ability to quickly identify alternative controls to supplement primary control activities, or even fully compensate for them in a pinch. Understanding the criteria for determing those compensating controls, inherent limitations, and mapping all that together is impossible without a full inventory of risks, assets, and controls and a solid system of record for managing them. This is another area where GRC capabilities are perfectly suited to deliver value through process enablement, efficiency, and risk reduction.
We've spoken before about the potential competitive advantage that organizations can harness by maturing their GRC processes. Imagine if your organization never feared an audit because your compliance posture was already assured through healthy business processes. By replacing guesswork with the ability to make informed, risk-rationalized decisions, not just for compliance, but for risk taking growth strategies, organizational leaders can much more confidently guide the business forward. In these times of extreme global competition and front page security breaches, what would that kind of assurance be worth to the leaders in your organization?
For more information check out this short video that shows how RSA Archer can help with your Issues Management process.