The Tribune

Governance, risk and compliance (GRC), once carefully crafted, can effectively manage and monitor a company's enterprise risk environment and ensure compliance with industry regulations, while also addressing vulnerabilities that can negatively impact it.

Businesses are becoming more reliant on information technologies (IT) to increase productivity and efficiency, especially in the wake of the COVID-19 pandemic. Consequently, as dependence on IT increases, the threat of technology failures and expensive breaches also increases. The traditional compliance department must now see themselves as not only agents to ensure business practices are aligned with governance, industry regulations, policies and procedures. We must now fully engross ourselves in the intricacies of information security risk management (ISRM).

Fenz, Heurix, Neubauer and Pechstein wrote, “Information security is as important as it has ever been, but the challenges to determine the factors contributing to information insecurity prove to be of a complex nature. In order to reach a desirable level of protection against threats, and to provide the necessary mechanics to protect an organisation’s assets and knowledge, a vast variety of management approaches and methods have been developed in the past decades.”

In this article, assets refer to sensitive data, intellectual property and access to critical operations. Assets become vulnerable once they are connected to the outside world via technology or human interaction. This vulnerability can be minimised but never eliminated. As a result, threats (human, computer or natural) to these assets can happen at any time and with or without warning. It is against this backdrop that ISRM has become a critical component of enterprise risk management.

The dance with risk, as I affectionally call it, is a strategy that requires risk identification and assessment, risk control and risk response. In earlier articles, I addressed risk responses in the form of contingency planning. Over the next two articles, I will cautiously dive into risk identification and assessment in the context of ISRM. Many of these approaches can be deployed to enhance other aspects of your organization’s enterprise risk management framework.

Risk categorisation

Risks associated with assets should be identified along with their correlated threats and vulnerabilities. Risk managers should be fully aware of the asset’s name, asset’s owner, and its importance to the business. Additionally, these assets should be further sub-categorised into information data, procedures and people. The associated inventory data should also be identified, simultaneously.

Risk valuation

Another key step in risk identification is valuing the assets that are at risk. Some may argue that this action is purely financial because it requires calculations. I will not touch valuation calculations, but will merely make you aware that risk can be valued based on many options. These options include revenue generated, profit generated, replacement cost, depreciation, value to the owners, value to the users, the cost to protect, cost of loss, etc.

Does this seem straightforward thus far? It may be to some. However, the challenge arises when assets have more than one owner and encompass multiple responsibilities. Therefore, it is imperative that the foundation of your risk identification process is thorough and strategic. To ensure your approach is comprehensive to risk management, risk and compliance professionals must start with identifying risks.

NB: Derek Smith Jr is a compliance officer at a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer (MLRO), at local private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned over 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).