
Don't take data protection lightly


Derek Smith

Strong governance requires effective management at its core. Governance, risk and compliance (GRC) have, over the past decade, expanded from standalone and abstract disciplines to arguably the most important functions in a business. They are not a technology platform, fad or catchy phrase for software vendors and professional service providers to generate revenue. Instead, they are about ensuring compliance while strategically pushing the business forward.

The ingredients for strong governance, risk and compliance functions were detailed by the KPMG accounting firm thus: “There was a general consensus that GRC should be an approach or framework to help clarify reporting lines, ensure consistent processes, and minimise the degree of subjective interpretation as information passes across business units. It sets the overall direction, and guides the scope of a range of assurance and compliance programmes, along with subsequent technology implementations.”

The debate on an exact definition of cyber security has been a marathon to say the least. However, I would submit that it is the processes, protocols and mechanisms deployed by a company and its employees to protect various technology assets against malicious attacks.

Information security, meanwhile, encompasses three attributes, namely confidentiality, integrity and availability, achieved through procedures and protocols for the protection of information. Simply put, cyber security addresses digital information, while information security addresses all information assets, whether digital or paper-based. Moreover, cyber security typically relates to cyber crimes, cyber frauds and law enforcement, while information security relates to unauthorised access, disclosure, modification and disruption.

Risk and Controls

A collective approach by Board and management to managing risk is crucial to any company. You must decide what your company's GRC framework will include. In the risk management process, you must identify, analyse and evaluate the risk, treat it and then review, before engaging in further monitoring. Cyber security and information security are no different.

In this digital age, and with the increase in cyber attacks, cyber security risks must be managed to control a company's overall risk exposure. The recent ‘FinCen’ files leak highlights the intersection of cyber security and information security.

Experts have discussed in several forums whether the environment at the US Financial Crimes Enforcement Network (FinCEN) lent itself to an information security breach or a cyber security breach, depending on how the information was leaked to the reporter.

Risk requires balance. This balance is achieved through control activities. The controls can either prevent or detect an issue, or correct and recover from any incident while preventing it from occurring again. All of the above should be monitored by a risk management function, then reviewed by compliance, which provides a credible challenge if needed. The results should be shared with the Board.

Data Privacy Oversight

Arguably the most robust regime in the world for the regulation of privacy and data flows is the European Union's (EU) General Data Protection Regulation (GDPR). Although data regulations vary from jurisdiction to jurisdiction, legal, risk, compliance, audit and technology leaders must have a privacy programme in place that establishes accountability and oversight of data throughout the company. Board and management must consider the following when designing their data management frameworks.

  • Pinpoint compliance requirements
  • Allocate and establish policies and procedures
  • Construct breach and incident management processes
  • Develop privacy and data change management and communication strategy

Carefully constructing a framework that suits your company should not be taken lightly. All stakeholders should be engaged at the beginning to ensure gaps are minimised. This topic, inclusive of the technical and oversight perspective, will be discussed at length by industry professionals during the Bahamas Association of Compliance Officers’ event – Cyber Security Management, the GRC Perspective, which is being held today.

NB: Derek Smith Jr is a compliance officer at a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer (MLRO), at a local private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned over 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).
