We all know that all companies risk losing or leaking information. But do we really know what to do about enterprise risk management? Best practices aren't always relevant to enterprise environments, nor do companies always have the proper benchmarks in place to implement them.
GRC is an oft-used acronym that, taken together, refers to the way in which organizations manage, store and share information. Taken individually, its three parts are integral pieces of the process.
Governance + Risk Management + Compliance
Governance begins long before the first datum is gathered. It starts with a strategy that outlines and defines the mechanisms an organization uses to ensure that its constituents follow established processes and policies. Without policies and procedures in place, risk and compliance are rather irrelevant.
Once governance is established, risk management, the way an organization sets its risk tolerance, works to identify potential risks and to prioritize them against that tolerance based on the organization's business objectives. Effective risk management leverages internal controls to manage and mitigate risk throughout the organization.
Finally, compliance records and monitors the controls needed to ensure compliance with legislative or industry mandates, as well as internal policies.
When all parts of the process work well, organizations can reap the rewards of being able to manage risk and maintain a level of compliance that brings trust and integrity to the enterprise.
Making the GRC Equation Work
It all seems easy enough, but when you delve into the process, it's not hard to become overwhelmed by the details involved with determining the policies and procedures by which you will govern, manage and comply.
CMSWire has compiled a list of processes and tools needed to ensure that issues of governance, risk and compliance are addressed effectively. Incorporating the policies and guidelines that will oversee the way your organization will manage risk is daunting. It requires you to be part visionary, technology guru and investigator all at once. But it can be simplified if you think about the ways that make information easy to manage, store and share.
Since computers became basic office essentials, there have been many iterations of software and updates galore that can make information inaccessible and unreadable. Be prepared to have information saved in a compatible format.
This requires you to think long term about technology needs, so that information strategies that include the use of format standards (e.g. TIFF or PDF/A) and audited content refresh cycles ensure that information remains accessible for the whole period it is being kept.
Keep these processes in mind when talking with vendors and other third-party contractors.
It's called disaster recovery for a reason. Whether it's a hurricane or the delete key, organizations need to create electronic and manual processes to back up data when obstacles arise. In a controlled environment, the system also needs to provide specific “hold” or “freeze” mechanisms which prevent normal information disposition schedules from inadvertently removing critical information, for example, when litigation is in progress.
Searchability and Discoverability
Companies generate a lot of information. How will you be able to find exactly what you need? Effectively organizing, categorizing and prioritizing (metadata, keywords) your files will not only let you find what you need when you need it, but should you ever be subject to litigation it will come in handy.
Authorized Access & Control
Avoid having documents fall into the wrong hands or be subjected to fraudulent changes by ensuring that information is captured in a controlled environment, where access to or deletion of records is only possible through defined, security-controlled disposal processes.
All access to records must be monitored through a detailed audit log.
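The hold mechanism described under disaster recovery and the controlled disposal and audit requirements above, as an added example that is not part of the CMSWire article: a records store whose only deletion path is the scheduled disposition run, which skips any record under legal hold and logs every action. The record names, dates and retention periods are constructed for illustration.

```python
"""Added example (not the article's code): a minimal records store that applies a
disposition schedule, honours legal holds and writes every action to an audit log."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Record:
    record_id: str
    captured: date          # date the record entered the controlled environment
    retention_days: int     # disposition schedule: retain this long after capture
    on_hold: bool = False   # legal hold / freeze: blocks disposition while set

class RecordsStore:
    def __init__(self):
        self.records: dict[str, Record] = {}
        self.audit_log: list[tuple[str, str, str]] = []  # (actor, action, record_id)

    def _audit(self, actor, action, record_id):
        self.audit_log.append((actor, action, record_id))

    def capture(self, actor, record):
        self.records[record.record_id] = record
        self._audit(actor, "capture", record.record_id)

    def set_hold(self, actor, record_id, on_hold):
        self.records[record_id].on_hold = on_hold
        self._audit(actor, "hold" if on_hold else "release", record_id)

    def run_disposition(self, actor, today):
        """The only code path that deletes; held records are skipped and logged."""
        disposed = []
        for rid, rec in list(self.records.items()):
            if today < rec.captured + timedelta(days=rec.retention_days):
                continue                                # still within retention
            if rec.on_hold:
                self._audit(actor, "dispose-blocked-hold", rid)
                continue
            del self.records[rid]
            self._audit(actor, "dispose", rid)
            disposed.append(rid)
        return disposed

def demo():
    """Constructed scenario: two expired invoices, one frozen by litigation."""
    store = RecordsStore()
    store.capture("ingest", Record("INV-001", date(2019, 1, 1), 365))
    store.capture("ingest", Record("INV-002", date(2019, 1, 1), 365))
    store.set_hold("legal", "INV-002", True)   # litigation in progress: freeze it
    disposed = store.run_disposition("scheduler", date(2020, 7, 1))
    return disposed, sorted(store.records), [action for _, action, _ in store.audit_log]
```

The blocked disposal attempt is itself an audit entry, which is what lets a later review show that the hold actually worked.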
Just like disasters, accidents happen. Whether the email gets deleted or the laptop crashes, using process-controlled, automated declaration and classification procedures for capturing both paper and electronic records can diminish the risk of losing critical information.
Additionally, having human resource policies in place for employees who choose to ignore or disregard policies and procedures will also help to ensure that they comply.
A New Era of Risk Management
These guidelines are meant to help steer your strategies toward a more productive information management system. Yet, they can't replace having a strategy and hopefully they will lead to more questions. Curiosity may have killed the cat, but when it comes to risk management, asking questions never hurt. Be inquisitive and think outside the box, as well as into the future.
The financial crisis and subsequent recession have taught us a lesson. A new era of information risk management is upon us and not having a strategy in place is no longer acceptable. Customers, shareholders, employees and executives are wiser and expect a certain level of governance and compliance before they choose to invest their time, energy and money with a company.