GAN Integrity adds new risk management module

From press releases

GAN Integrity this week launched its Risk Management module that builds on GAN’s all-in-one compliance platform. GAN designers say the module is designed to integrate seamlessly with the rest of GAN’s compliance components, so users can make strategic, data-driven decisions based on a holistic and real-time view of all compliance-related activities.

Companies can customize how they frame their risk management and shift to a dynamic approach. The tool complements annual risk assessments and helps compliance teams take action on next steps, company officials said.

“As an organization’s risk management evolves, so does GAN’s tool configuration, enabling real-time identification, assessment and management of all risks,” said Valerie Charles, chief strategy officer for GAN Integrity. “It empowers compliance teams to focus on what matters with technology that enables them to proactively manage any compliance issue that arises, at any time, anywhere.”

The Risk Management module joins GAN’s comprehensive compliance platform, which includes Training, Due Diligence, Policy, Gifts and Case Management modules.

According to GAN Integrity engineers, the Risk Management module lets teams:

  • Identify: The user-friendly solution allows users to easily map and manage all risks across the company in a centralized risk library, along with any related controls and action plans.
  • Assess: Detailed information on specific risks enables users to design customized risk rating scales and matrices that are tailored to the organization.
  • Manage: Users exchange manual, paper-driven, siloed processes for a simple and user-friendly solution and import risk assessment data into a configurable tool.
  • Monitor: The module tracks compliance risks in real time using a heat map that enables a company to instantly react to critical changes to risks throughout the business. All changes and activity are saved for later reference.
  • Evolve: The module automatically updates risks based on changes to the business.


FCPA Blog: Panasonic case provides a teachable moment

By Erich Lochner

President and CEO, Steele Compliance Solutions Inc.

Erich Lochner, Steele Compliance Solutions

The Panasonic enforcement action in April — resulting in $280 million in penalties and disgorgement to the DOJ and SEC — offers almost every lesson a compliance officer might want to discuss about anti-bribery programs.

First, due diligence matters all the time, all the way down

As often happens with anti-bribery offenses under the FCPA, bribes were relayed to government officials through intermediaries and sales agents. Multiple agents working for Panasonic failed the company’s internal due diligence checks and parted ways with the company — and were then hired back as subcontractors, with a sales agent that had passed the due diligence.

That scenario underlines the point of what due diligence truly is: an effort to expel corrupt third parties from the enterprise permanently, rather than a simple background check to be performed at one moment in time.

If the mantra is, “Companies don’t commit crime; people working for companies do,” then due diligence programs should flag specific high-risk people and ensure they don’t work on behalf of the organization. That can require language in contracts with other third parties (to avoid subcontractor risk), follow-up audits, and similar measures.

Second, accounting controls also matter

Panasonic engaged in considerable books-and-records violations both to mask the improper payments and to inflate revenue and pre-tax income by recognizing revenue early. Panasonic ultimately paid more than $1.75 million to supposed sales agents who provided few (if any) actual services. None of that was properly recorded in the company’s books.

Moreover, Panasonic employees knew about, and concealed, the scheme to sub-contract the sales agents who had been terminated. The third party that employed those sub-contractors was paid from a Panasonic budget line under the sole control of a senior Panasonic Avionics executive, with no oversight from anyone else at the company.

Proper accounting controls are crucial to effective FCPA compliance, since they can choke off the supply of money necessary for criminal violations. For example, a company could require multiple executives to counter-sign any payment above, say, $50,000; and require documentation that the party receiving that money has delivered the services promised.

Compliance with the civil side of the FCPA (implementing strong accounting controls) supports compliance with the criminal side (not paying bribes).

Third, leadership makes the first two issues matter

Large organizations are always porous collections of people and business practices. Even the most exhaustive controls, policies, and procedures leave some crack where misconduct can sprout. Strong ethical leadership is the sealant that tries to fill those cracks. The absence of strong leadership does the company no favors.

In Panasonic’s case, an internal audit in 2010 flagged potential problems with high-risk agents, and that report was circulated among senior executives. No follow-up happened for years.

Panasonic didn’t disclose the misconduct voluntarily. Only when the Securities and Exchange Commission began requesting documents did Panasonic admit potential problems and begin cooperating. That said, after the investigation began Panasonic did cooperate fully, including a thorough internal investigation and providing foreign employees for interviews with the Justice Department.

The company ultimately received a 20 percent discount on its penalties under the DOJ’s FCPA Corporate Enforcement Policy.


MetricStream GRC summit highlights issues facing enterprises

By John L. Guerra

GRC & Fraud Software Journal

Gaurav Kapoor, COO MetricStream

MetricStream’s 2018 GRC Summit in Baltimore brought together governance, risk, compliance and regulatory leaders from various industries and market segments. The three-day summit covered the biggest issues facing GRC practitioners in banking, real estate, health care, and other business sectors.

Gaurav Kapoor, chief operating officer for MetricStream, spoke with GRC & Fraud Software Journal about the summit.

“We created a GRC summit where we could gain feedback from thought leaders and practitioners in the room,” Kapoor said. “It was intensive, with some 500 people representing 300 small to large companies representing a number of different industries – the main takeaway is that we’re all on the same journey.”

To set the stage for discussion, MetricStream announced its new tagline: “Perform with Integrity.”

“That mirrors the desire that companies have to raise performance while maintaining integrity in several aspects of the GRC model.”

According to Kapoor, companies both large and small worry about maintaining not only the integrity of their data, but their company’s integrity in the eyes of their customers who too often find they can’t trust companies to protect their personal data. Top executives at Uber, Facebook, Wells Fargo, and other companies have been summoned before Congressional hearings to answer for misuse of customer data.

“For the last two years, there have been huge breaches of trust when it comes to high-performing companies and major banks,” he said. “Companies are ensuring their GRC platforms are built for performance and integrity, and that’s in addition to preventing bribery, money laundering and other ethical problems. For the companies at our summit, maintaining the trust of their customers topped the list.”

The largest companies at the MetricStream summit said they designed GRC systems that would control ethical standards, prevent data breaches and enable them to report problems quickly to customers when they occur, Kapoor said.

“A large retailer in Sweden said their primary GRC strategy is to align systems that build trust with customers,” Kapoor said. “If there is a breach, how do we deal with customers? How do you write GRC to reflect ‘Tone at the Top?’ When your platform lets you document what kind of policies you need or have in place, you can accomplish these controls.”

At one point, the moderator asked for the attendees to stand and sit back down when the moderator hit their chief concern.

“At change and change management, most sat down,” Kapoor said. “Companies have been faced with so much change that they are looking for the ability to adapt quickly to concerns and write it into GRC applications. For instance, crypto is an issue nobody knows how to handle. Companies are exposed to more risk like that because things are a lot more digital.”

Less Pain, More Gain: InfoSec risk management and ISO 27001

By Jason Eubanks

Lead Auditor, LockPath

Jason Eubanks, LockPath

How have the privacy and security violations reported in the news every day changed your company’s behavior? There is a silver lining to the doomsday headlines: they should compel stakeholders in your company to pay more attention and provide more buy-in for proactive safeguarding against these risks.

How are you going to leverage this opportunity? You need a fresh approach, management support, a solid plan, and comprehensive technology to support all the moving parts involved in setting up an integrated security and risk management program.

As an experienced governance, risk management, and compliance (GRC) consultant and former auditor, I’ve assessed and supported many companies through the challenges inherent to building a mature, enterprise-wide information security risk management program that aligns with global standards and boosts competitive advantage.

One way many organizations are approaching this is through ISO 27001, an international standard for establishing, operating, maintaining and continually improving an Information Security Management System (ISMS).

This standard pushes organizations to move past checking boxes for adherence to controls by promoting a top-down, risk-based approach to developing processes, policies, and controls that specifically address the organization’s information security risks.

Organizations are certified based on adherence to a set of process-level clauses (the requirements) and the controls used to support those processes; auditors certify against these requirements.


Why try to certify?

I’ve seen a growing number of companies working toward ISO 27001 certification (or towards compliance without undergoing the certification process). Implementing this standard is a highly effective way to build an integrated risk management program by establishing an ISMS.

An ISMS is composed of the people, processes and IT systems used to apply a risk management program to an organization’s most sensitive and valuable data.

Approaching ISMS development in alignment with ISO standards will help your organization protect its critical data and IT assets, build resilience against threats and incidents, and be prepared for challenges and opportunities as they arise.

Even though it is voluntary, ISO 27001 certification is a valuable undertaking for many reasons. ISO 27001 is highly recognized and respected worldwide, encourages continual improvement and serves as a solid foundation for other IT risk and compliance standards and frameworks.

If you can meet the ISO 27001 standard, you are well positioned to comply with most other information security regulations, as well as client information security requirements.

At this point, organizations doing business globally are increasingly encouraged to achieve certification to stay competitive and win new business. As US companies expand operations internationally, they are often forced to comply with additional privacy and security regulations and provide additional assurances to partners and customers.

In addition to being an important indicator of information security maturity, a certified ISMS operates as a marketing tool, and as a seal of approval, providing a competitive advantage over competitors. For evidence of this trend, do a quick search on ISO 27001 certification; note that the results are packed with company press releases announcing certification and re-certification.


A high bar to clear

Many companies struggle to achieve certification. The ISO 27001 standard sets a high bar — it is not a one-and-done, checkbox list of requirements.

It’s a continual living and breathing program that includes understanding interested party requirements, management commitment, cataloging risks, assessing the severity of risks, planning how to remediate risks, and producing documentation to substantiate the risk management activities.

The standard also requires that organizations apply a mindset of continual improvement, where management pushes past program mediocrity and strives to improve the overall health of the ISMS.


Manual approach not working 

Traditionally, ISO 27001-related tasks have been performed manually: documents are stored in network file folders or on process owners’ local drives, and tasks are managed through spreadsheets, documents and email.

It is nearly impossible for global, digital businesses to keep up using a manual approach, given the complexity of information security programs, the expanding reliance on supply chains and outsourcing, and the criticality of data and IT systems.


The pain points become acute when it is time for auditors to assess a company’s operations. Scrambling to pull together the proper documentation is a time-consuming hunt that distracts staff from core functions and operational improvement work.

An inability to efficiently prove compliance, of course, increases the likelihood of failing an audit.

This dynamic is disastrous enough for mandatory regulations like HIPAA and SOX. When it comes to voluntary standards like ISO 27001, failed audits, runarounds, and tedious tasks kill stakeholder enthusiasm and make it impossible to gain traction.


How can you bring focus and efficiency to your ISMS efforts, so you can build momentum towards certification? The key is to streamline, centralize, and automate.

As a first step, consider your current processes to document and manage ISMS processes. If they are performed through manual ad hoc processes, then departmental segmentation, duplicated efforts, lack of visibility and accountability, and wasted resources are sure to follow.


Integrated systems deliver lasting benefits

This is why a governance, risk management and compliance (GRC) technology platform is so critical to successful ISMS initiatives and efficient compliance programs. These enterprise software suites are comprised of interoperable tools that all types of organizations deploy to help manage risk, demonstrate regulatory compliance, automate business processes, and prepare for audits.


Streamlined documentation and automated tracking are key features of these tools. When a task (e.g., inventory, assessment, remediation workflow, exceptions approval, policy review, etc.) is performed within the tool, the tool automatically retains the required evidence, allowing GRC teams to gain significant efficiencies.

In contrast, if you are performing or documenting that task in Excel, it is nearly impossible to show when, or by whom, that task was completed.


GRC platforms do far more than establish evidence repositories. They support the work of integrating processes, policies, and controls across departments and business units, which is essential to extending comprehensive risk management throughout the value chain.

Digitally linking processes to risks you identify, to policies you create, and to control procedures you administer weaves a tighter web of protection and oversight. I see the “shall” requirement statements — the standards set by ISO 27001 and other security and risk management frameworks — as objectives.

The processes, procedures, and controls you put in place and maintain with the help of a GRC platform determine if you will achieve those objectives, and how expedient you’ll be getting there.

GRC as instrumental

GRC platforms, when combined with sufficient staff and expertise and supported from the top down, are instrumental in many ways. Whether your organization is building an ISMS from the ground up, seeking a better method for managing and integrating security and risk activities, or trying to streamline the audit process after certification, manual processes will no longer suffice.

Your team can leverage a GRC platform’s capabilities to manage regulatory requirements, policies and procedures, risk assessments, third parties, incidents, asset repositories, vulnerabilities, audits, and business continuity. When deployed across the organization, GRC technology systems facilitate collaboration, and increase visibility and accountability. A team attuned to the importance of working together to develop a world-class ISMS can reach compliance and certification more expediently with these capabilities at its disposal.

These benefits are valuable to every organization. Indeed, there are a lot of companies that will follow the ISO 27001 standards without attempting certification, but achieving the certification is the only way to provide assurance that your information security and risk management processes are compliant with the standard.

The public, legislators, and industry organizations are increasingly aware of and reactive to negative news about corporate data breaches, and individual data privacy issues.

Organizations that have built a mature ISMS that matches the standard of excellence set by the ISO will be well-positioned to sustain competitive advantage and protect their assets and reputation in the face of a myriad of challenges.

Jason Eubanks is a CRISC, ISO 27001 Lead Auditor, Principal Consultant at Lockpath, a provider of integrated risk management solutions.

ERP Migrations: Creating New GRC Exposure and Upgrade Hazards

Scott Goolik, Symmetry
By Scott Goolik

Vice President of Compliance and Security Services, Symmetry

As anyone with an iPhone or Windows PC understands, when Apple or Microsoft issues a new software update, apps and functions that worked fine before can suddenly experience degraded performance or simply stop working.

There is a parallel for enterprises today as they move to upgrade and migrate to the latest enterprise resource planning (ERP) software from companies like SAP and Oracle. These comprehensive software platforms act like the ‘heart and lungs’ for these companies, managing everything from the supply chain and logistics through to HR and financials.

A key part of ERP software is governance, risk and compliance (GRC) controls, in particular Segregation of Duties (SoD), which are designed to safeguard businesses, investors and customers alike.

At their primary layer, SoD and other access control measures provide checks and balances to prevent careless processes from exposing a business to risks. Taking it a step deeper, these access control measures are carefully designed, systematic rules implemented to keep people from defrauding an organization.

Businesses today count on GRC solutions for their ERP software as an operational necessity — much like encryption or security monitoring. Like these controls, GRC can blend seamlessly into an enterprise and with automation doesn’t have to restrict or slow down daily operations. In fact, without creating additional work for administrators, a system can effectively and automatically check every task employees do in their ERP software.

However, this streamlined process can be disrupted when new functionality is introduced into a system, just like an iPhone or Windows PC update. A good example of this upgrade hazard comes from SAP, one of the main ERP providers with more than 365,000 customers in 180 countries.

SAP Fiori is a newer role-based, simplified and personalized user interface for SAP. Because SAP’s GRC software is designed around the legacy user interface, the introduction of SAP Fiori can create false negatives in an enterprise’s SoD conflict analysis: real conflicts that the analysis reports as absent.

So how can a business ensure its SAP Fiori solution for access control isn’t missing or mislabeling SoD issues? In the traditional SAP interface, users perform tasks through transactions by selecting them from the menu or entering the transaction code as a shortcut.

SAP’s GRC software then checks these transactions against a list of SoD conflicts to catch combinations of actions that could lead to fraudulent actions. For example, if a user can both create and pay vendors, they could abuse their access power by creating a fictitious vendor to begin funneling money out of the company.

A less extreme example involves flagging authorization risks that circumvent business processes, such as ensuring managers cannot sign off on their own work. SoD checks are critical in catching these discrepancies. SAP Fiori, however, functions through service authorizations instead of transaction authorizations: a user creating or paying a vendor through a Fiori app does not need a transaction start authorization at all, so a rulebook that only examines transaction start authorizations never sees that the user holds the function.

This ultimately means that most SAP GRC solutions can’t monitor for SoD conflicts within Fiori apps, which increases an enterprise’s exposure to fraud. To accurately analyze SoD conflicts and maintain compliance in this SAP example, a GRC solution must check both transaction start authorizations as well as service authorizations.

Within this analysis, a company’s service authorizations will output hash value character codes that correspond to services. To properly interpret these outputs, a company’s GRC team needs to add these codes to its rulebook, essentially creating an ad-hoc SAP Fiori solution for access control.

This can prove challenging because hash values can be system-specific and difficult to connect to the underlying services. Also, manually recreating a complex set of SAP GUI checks in Fiori introduces the opportunity for dangerous errors or inconsistencies — ultimately making maintaining GRC more difficult in the long run.

To close the emerging gap in access controls in this example, businesses need a GRC solution with an included ruleset designed to work across both Fiori and SAP GUI.

This way you can eliminate false negatives, inconsistent security rules, and complex maintenance requirements while protecting the business and ensuring compliance.
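The gap described above, as an added example that is not part of the original article and is not Symmetry’s or SAP’s software: a small Python SoD checker whose rulebook is written against business functions, each reachable either through a transaction code or through a service, with a per-system table that resolves service hash values to service names (so hashes that differ between systems never have to be written into the rules). All transaction codes, service names, hash values, systems and users are constructed placeholders, not real SAP objects. Running the check with only transaction start authorizations reproduces the false negative; checking both paths catches it, and an unresolved hash is rejected rather than silently treated as harmless.

```python
"""Segregation-of-duties (SoD) check across two authorization paths.

Constructed example. The rulebook is written against business functions;
each function can be granted through a legacy transaction code or through a
service, and service hashes are resolved per system before matching.
Every identifier below is a hypothetical placeholder, not a real SAP object.
"""
from dataclasses import dataclass, field

# Conflicting pairs of business functions (the actual SoD rules).
SOD_RULES = {
    frozenset({"create_vendor", "pay_vendor"}): "create a fictitious vendor and pay it",
    frozenset({"post_timesheet", "approve_timesheet"}): "approve own work",
}

# Which transaction codes and which service names grant each function.
FUNCTION_AUTHS = {
    "create_vendor":     {"tcodes": {"TC_VENDOR_CREATE"}, "services": {"vendor.create"}},
    "pay_vendor":        {"tcodes": {"TC_PAYMENT_RUN"},   "services": {"payment.run"}},
    "post_timesheet":    {"tcodes": {"TC_TIME_POST"},     "services": {"time.post"}},
    "approve_timesheet": {"tcodes": {"TC_TIME_APPROVE"},  "services": {"time.approve"}},
}

# Per-system table resolving the hash values found in an authorization
# extract to service names. Hashes differ between systems, which is why the
# rules above name services rather than hashes. Constructed values.
SERVICE_HASHES = {
    "PRD": {"7F3A9C": "vendor.create", "1B2D44": "payment.run",
            "C0FFEE": "time.post", "9A8B7C": "time.approve"},
    "QAS": {"00A1B2": "vendor.create", "33C4D5": "payment.run",
            "E6F7A8": "time.post", "B9C0D1": "time.approve"},
}


@dataclass
class User:
    name: str
    system: str
    tcodes: set = field(default_factory=set)          # transaction start authorizations
    service_hashes: set = field(default_factory=set)  # service authorizations, as hashes


def granted_functions(user, check_services=True):
    """Return the business functions the user can reach.

    check_services=False models a rulebook that only understands transaction
    start authorizations and is therefore blind to the service path.
    """
    service_names = set()
    if check_services:
        table = SERVICE_HASHES.get(user.system, {})
        unknown = user.service_hashes - set(table)
        if unknown:
            # An unmapped hash is an analysis gap, not a clean result.
            raise ValueError(f"{user.name}: unresolved service hashes {sorted(unknown)}")
        service_names = {table[h] for h in user.service_hashes}
    return {
        func for func, auths in FUNCTION_AUTHS.items()
        if user.tcodes & auths["tcodes"] or service_names & auths["services"]
    }


def sod_conflicts(user, check_services=True):
    """Descriptions of every SoD rule the user violates."""
    funcs = granted_functions(user, check_services)
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= funcs)


def false_negatives(users):
    """Users whose conflicts a transaction-only check would miss."""
    return sorted(u.name for u in users
                  if sod_conflicts(u) and not sod_conflicts(u, check_services=False))


# Constructed sample users: pure GUI, mixed GUI/Fiori, pure Fiori.
USERS = [
    User("gui_clerk", "PRD", tcodes={"TC_VENDOR_CREATE", "TC_PAYMENT_RUN"}),
    User("mixed_clerk", "PRD", tcodes={"TC_VENDOR_CREATE"}, service_hashes={"1B2D44"}),
    User("fiori_clerk", "QAS", service_hashes={"E6F7A8", "B9C0D1"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name}: transaction-only={sod_conflicts(u, check_services=False)} "
              f"both-paths={sod_conflicts(u)}")
    print("missed by transaction-only check:", false_negatives(USERS))
```

Only gui_clerk is caught by the transaction-only check; mixed_clerk and fiori_clerk hold the same conflicting functions through services and surface only when both paths are evaluated. Keeping the hash-to-service table separate from the rules is the point the article makes about system-specific hashes: the rulebook stays the same across SAP GUI and Fiori and across systems, and only the resolution table is maintained per system.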

As IT departments continue to upgrade software platforms and migrate them to hybrid infrastructures, it is critical for corporate GRC teams to ensure that any upgrades or migrations of ERP or other important software do not create new holes in their SoD processes and expose the company to increased fraud.

Scott Goolik is vice president of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events.

Reciprocity helps companies ready for May GDPR deadline

By John L. Guerra

Editor, GRC & Fraud Software Journal

Maxine Henry, GDPR expert, ReciprocityLabs

GDPR is the standard through which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data privacy protection for all individuals within the European Union (EU). It also addresses protecting exported personal data outside the EU.

Maxine Henry, GDPR expert at Reciprocity, says non-EU companies that share data with third parties in the EU must meet the GDPR regulations. Protected data can be anything from a name, a home address, a photo, an email address, bank details, as well as postings on social networking websites, medical information, or a computer’s IP address.

“All our customers are asking about it,” Henry says. “It’s not just for companies in Europe; it has a big impact on U.S. companies doing business with any European citizen. If you are handling trans-border data, it puts you in scope for GDPR.”

Failure to comply can mean a fine of up to 4 percent of a company’s annual global revenue.

Reciprocity is helping its clients meet the May deadline.

“We are talking to companies and showing them how to build their GRC platform to meet the GDPR deadline and help them manage it,” Henry says.

According to Henry, GDPR includes, but is not limited to:

  • Timely notification of data breaches
  • A new set of digital rights for EU citizens
  • Compliance with data requests
  • Consent management tools
  • Privacy policy announcements and changes
  • Documented privacy policy changes
  • Right of access to types of data

As a GDPR expert at Reciprocity, Henry helps companies transition to a single tool that manages their compliance work and links it directly to each article of the EU data privacy regulation.

“First, we go in and ask: Where are you, what is the maturity level of your business, what compliance regulations and frameworks are in place? We ask them whether they have good malware, good security software in place, do you have documented data privacy policies and procedures. If not, they should do that immediately,” Henry says.

“Once you actually understand where they are, we can make recommendations on getting to GDPR.”

According to Henry, Reciprocity’s GRC software is a cohesive system that helps companies manage data, assets, access rights, third-parties, and audit controls.

There is no need for multiple spreadsheets, SharePoint sites, or shared folders; all the information is in one place.

“The data map, process flows, the controls, can all be linked and mapped,” Henry says.

The solution uses dashboards so staff can view which assets hold PII data, track information related to third-party vendors, and manage notifications to and responses from the individual workers handling the data. It provides a cohesive view across compliance roles and responses to assigned tasks, such as who completes a task.

“For example, if the IT director gets a task and responds that they’ve performed it, a manager with the proper permissions can track whether it’s complete or not.”

For more information, visit

IntelligenceBank eyes new customers in North America

By John L. Guerra

Editor, GRC & Fraud Software Journal

Dominic Gluchowski, IntelligenceBank

As North America suffered under an Arctic freeze last month, IntelligenceBank employees depended on air conditioning to keep the brutal Australian summer at bay.

“We are in the middle of summer, it’s about 97 degrees outside,” says Dominic Gluchowski, IntelligenceBank’s Marketing Director. “But we’re just as comfortable working in the winter in North America, too.”

The company, founded in Melbourne in 2009 with U.S. headquarters in San Diego, is a business process management platform that delivers niche SaaS applications that help teams reduce costs and risk.

IntelligenceBank has a host of GRC contracts in Australia and customers in more than 50 other countries.

Through a partnership with Deloitte, IntelligenceBank provides risk and compliance software for retail and franchise industries in the United States.

The company is in the midst of negotiations to provide GRC and other solutions to other American-based Fortune 500 companies, Gluchowski said.

“In the United States, we’ve secured several great enterprise customers, and it’s full steam ahead with the growing demand for compliance services across organizations in North America.

“Conflict of Interest (COI) platforms are some of the company’s best-selling solutions. IntelligenceBank’s Conflict of Interest software is purpose-designed to enable staff, distributors and the board to easily report potential conflicts and seamlessly create a culture of integrity and corporate responsibility,” Gluchowski says.

“It automates the review and approval of critical gift, financial interests, and relational conflicts. With a real-time audit trail, compliance officers can instantly run custom reports and track actions taken.”

The solution is designed for any organization, but works well for highly regulated industries such as financial services, government, and healthcare, where a system for managing disclosures is required.

It helps companies avoid large penalties for non-compliance, Gluchowski says, and it is less expensive than larger platforms that cost millions and take 18 months to install and launch.

The IntelligenceBank solution is usually up and running in three or four weeks, he said. “It’s easier to customize, provides granular permissions for specific groups, and automatically escalates to management if someone doesn’t respond.”

To learn more, please visit our website.

Maturing Business Resilience Through Integrated Risk Management

Sam Abadir, LockPath

With a new year comes a clear-eyed and optimistic perspective – a clean slate, a new leaf, a fresh start. It’s important to leverage these moments of clarity and opportunity into better planning before we are once again swept up in the muddle and rush of the daily grind.

The punishing disruptions of 2017 — hurricanes, massive data breaches, global ransomware attacks, and revelations of gross misconduct across many industries — should compel executives to focus on business continuity planning as they steer their enterprises into the uncharted waters of 2018. The list of new risk management priorities is already growing: GDPR compliance, cryptocurrency hacking, Shadow Brokers exploits, rapid Internet of Things proliferation, and Meltdown/Spectre vulnerabilities.

The disruptions, outages, and disasters capable of significantly impacting a modern enterprise can originate from many sources — internal and external, cyber and physical. The fallout can include damage to property and infrastructure, financial health, operations, and reputation, often in toxic combinations with cascading and unpredictable effects.

Careful, comprehensive risk assessment and detailed incident response planning are crucial to sustaining operations, revenue, and public trust in such a pressure-cooker environment.

Intelligent Risk Assessment

Business continuity/disaster recovery (BC/DR) planning optimizes the capabilities an organization needs to transition expeditiously from business interruption to business-as-usual. Modern enterprises dependent on a hybrid web of digital technology infrastructure and global supply chains cannot expect to respond and recover efficiently without well-rehearsed procedures and enterprise-wide systems.

The number of companies that have done little to none of this essential risk management work is astonishing; EY reports that 40 percent of businesses that experience a disaster go out of business within five years.

Thanks in part to Shadow Brokers exploits, a record-breaking breach at Equifax, and a cover-up scandal at Uber, board members are more attuned to their IT risks and more focused on BC/DR.

Business and IT leaders need to put data-driven processes in place so they know what to expect when risk becomes reality, and can communicate these insights to stakeholders. It’s important to model a variety of scenarios that include predictions about how long outages will last, how services, products, and revenues will be affected, what remediation will cost, and what the regulatory consequences might be.

Begin by planning around common threats and risks and mapping out possible scenarios specific to your company or industry. Prioritize risks such as hacking, fraud, and vendor failure.

Large-scale threats that are less likely but have potentially devastating consequences should still be addressed, especially if your business is particularly vulnerable to hurricanes or geopolitical strife. Initial efforts to mature business continuity should focus on identifying and planning for risks related to cybersecurity fundamentals, internal threats, and third parties.

Prepare for Things to Get Complicated

How do you plan for the unpredictable? This question goes straight to the core of integrated risk management. Only by acknowledging the complexity and interdependencies of modern enterprises – and implementing comprehensive systems and processes designed to find, define, and mitigate risks on a continuous basis – can we begin to develop greater control and agility.

Business continuity and incident response should be continuously optimized through coordinated planning, testing, and evaluation efforts. Controls should be selected based on risk assessments and implemented through systematized processes that can be tracked and analyzed.

BC/DR plans should be kept up-to-date, incorporating software, infrastructure, vendor, personnel, and regulatory changes in addition to shifts in enterprise offerings, consumer priorities, and markets. To address third-party risk, include resiliency-oriented planning up front in contracts, negotiations, and acquisitions. Consistently enforce high standards for security-by-design, especially with IoT vendors and implementations.

Finally, when considering how to mitigate the impact of negative events, don’t forget to think through the cascading effects. Business operations depend on an ecosystem composed of people, process, and technology, controlled both internally and externally.

In the midst of executing core BC/DR plans to get operations back to normal, executives and managers will also have to communicate with various stakeholders and resolve issues related to employees, customers, supply chain partners, health and safety, and regulatory compliance.

Resiliency Builds Trust

In times of opportunity, disruption, and disaster, the best outcomes are only possible when everyone pitches in. Resiliency requires vision, leadership, and investment. Because BC/DR program effectiveness impacts everything from the bottom line to brand reputation, initiatives should involve a broad selection of business and operations managers.

Our digitally transformed economy relies on public trust. Vulnerabilities evolve and overlap, attackers grow more sophisticated, and the public becomes wary (and weary) as headlines highlight dangers around every Internet corner.

As partners and consumers become more aware and discerning, they begin to see insufficient risk management, sloppy security protocols, and non-compliance with industry standards as willful negligence.

There’s a lot of work to be done. Business resiliency starts with good governance practices. Governance, risk management, and compliance (GRC) initiatives may not be perceived as exciting, but they are essential. We use automation and advanced analytics to enhance marketing, R&D, infrastructure management, logistics, and so much more.

We must similarly support GRC and IT security teams by investing in intelligent, flexible software platforms that streamline and centralize the systematic assessment, tracking, and remediation of risk across the enterprise.

Data and digital systems are critical to business operations. To keep everything running, we have to achieve levels of visibility and control that are only feasible through a combination of technology support, responsible leadership, and an enterprise-wide commitment to maturing resilient response and recovery capabilities.

Sam Abadir is the vice president of Industry Solutions at Lockpath, a leading provider of compliance and risk management software.


Top 3 predictions for 2018 – a year of change

By French Caldwell

MetricStream Chief Evangelist

French Caldwell, MetricStream

In what is becoming an annual event, MetricStream’s chief evangelist, French Caldwell, provides GRC & Fraud Software Journal readers with predictions for the upcoming year.


Prediction 1:

Data controllers and others face surge in complaints

In 2018, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects. The new EU GDPR expands the rights of EU citizens with several new rules, including the right to rectification, right to erasure, the right to object, and the right to restrict processing.

Privacy advocate groups will launch campaigns that drive large numbers of EU citizens to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the large volume of requests and complaints.

Furthermore, many privacy authorities will not be prepared to manage the large number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should assure their third-party data processors do as well.

Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.

Prediction 2:

The first €1 million or more penalty under GDPR

In the event of a data breach, the new EU GDPR regulation provides for large penalties, up to 4 percent of revenues or €20 million, whichever is larger. With the number of large data breaches growing, it’s just a matter of time before a large breach occurs.

While a new regulation typically brings a period of adjustment in which regulators work through their enforcement priorities, in the case of GDPR European privacy authorities are under a very public spotlight.

The first few companies or government agencies with a large data breach will set the standard for enforcement – especially if they delay reporting it.

While Europe has had many fewer reported data breaches than the U.S., that could change with the mandatory requirement in GDPR to report breaches within 72 hours of becoming aware of them.

The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.

Prediction 3:

Regulatory technology primary driver for GRC

In 2018 and 2019, regulatory tech – which utilizes information technology to enhance regulatory processes – will emerge as the primary driver of technological innovation for the GRC market.

Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regulatory tech is starting to impact the research and development investments of major GRC providers.

Artificial intelligence and machine learning applied to both unstructured and structured data to discover new risk and threat insights are the obvious technical leaders of innovation, but not the only ones.

Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets and other data objects.

Hybrid machine-human scoring of third-party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs.

Facial recognition will provide a new means of assurance for data access and separation of duties. To gain competitive advantage, GRC vendors will increase funding for regulatory tech initiatives both organically and through acquisitions.


Most organizations unaware when employees violate policy and rules

From MetricStream press release

French Caldwell, MetricStream

More than half of organizations (55 percent) can’t tell when their own employees violate company workplace rules and policies across the enterprise, according to a revealing survey by MetricStream.

The company, a developer of governance, risk, and compliance (GRC) apps and solutions, said the survey, “What Makes an Effective Policy Management Program?” paints a picture of how organizations create, manage, and communicate policies.

Other results from the survey:

While only about 1 in 4 organizations use policy management software, the benefits they enjoy are significant. Of these organizations:

  • 21 percent take less than a month to develop and publish a policy from scratch
  • 70 percent do not consider it challenging to author and distribute policies, or provide training
  • 60 percent encountered fewer than 50 policy violations in the last year

Policy management software eases policymaking

  • 80 percent of organizations using policy management software on a GRC platform take less than three months to author and publish policies, compared to only 55 percent of organizations using pure-play policy management software
  • 42 percent of organizations that require employees to attest to certain policies encountered fewer than 50 policy violations.
  • 59 percent of organizations that have mapped their policies to risks and compliance requirements do not consider it challenging to update policies as regulations evolve.
  • The majority of organizations that use standardized policy templates (62 percent) take less than a quarter to develop and roll out a new policy.

French Caldwell, Chief Evangelist at MetricStream, said the survey shows automation and consistency work.

“Our survey findings indicate that an integrated and consistent approach to policy management can yield significant benefits,” Caldwell said.

Many organizations have written policies, but much more is required to ensure that those policies are adhered to across the enterprise. To build a pervasive culture of ethics and risk-intelligent behavior, organizations must ensure that their policies are communicated effectively and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations must be tracked and addressed proactively.

“Those surveyed who have mapped policies to risk and compliance requirements, have integrated training into policy management programs,” Caldwell said, “or are using policy management software on a GRC platform are able to create and communicate policies faster, update them effectively, and minimize compliance violations.”
