After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I'm happy to announce today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped in 25 functions and 4 high-level domains. In addition to the People, Process, and Technology functions you may be familiar with, we added Oversight, a domain that addresses the strategy and decision making needed to coordinate functions in the other three domains.
Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security’s role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.
What makes the Forrester Information Security Maturity Model work?
My colleague Boris Evelson, who covers business intelligence for Forrester and serves business process professionals, recently wrote a great post about the use of spreadsheets for business intelligence. He explains that while many BI vendors initially sought to replace spreadsheets in the corporate environment, it's now clear that they are not going anywhere any time soon.
Sound familiar? While many governance, risk, and compliance professionals and GRC vendors continue to work toward helping customers consolidate data and move away from spreadsheets, spreadsheets are still basically ubiquitous. In fact, several of the top GRC vendors are now working to improve the way their tools interface with Excel... not just for exporting reports, but for data input and analysis as well.
I recommend reading Boris' post, where he details three best practices regarding the use of spreadsheets for BI:
Create spreadsheet governance policies.
Monitor and enforce compliance with those policies.
Give preference to vendors that work well with spreadsheets.
Creating clear policies for what information will and will not be managed on spreadsheets is critical here, and extremely important for the GRC universe. Unless you have specially-built controls, spreadsheets do not give you the level of security, access control, change control, or audit trail you should have for data related to compliance or risk management. Office tools are going to be handling substantial amounts of important information for the foreseeable future, so it's worthwhile to review and update your policies and make sure they are being appropriately enforced.
The Court found that the method by which Public Company Accounting Oversight Board (PCAOB) members are appointed does not grant the Executive branch sufficient oversight because of the restrictions on when members can be removed from their position. According to Chief Justice Roberts' opinion, "The consequence is that the Board may continue as before, but its members may be removed at will by the (Securities and Exchange) Commission." And for those arguing that SOX doesn't have a severability clause that maintains the act's legality even when a portion of it is overruled, Roberts clarifies that "the unconstitutional tenure provisions are severable from the remainder of the statute."
In my ongoing work with risk management professionals, I've been encouraged to see how quickly the role is growing in influence and responsibility in today's business environment (even though the drivers for that elevation are often disastrous). Along those lines, I read a great article this morning in StrategicRISK, discussing the window of opportunity for risk experts, aptly entitled Keep Your Eyes on the Prize.
The article quotes the Institute of Risk Management's deputy chairman, Alex Hindson, who says that top executives and boards of directors are looking for risk management guidance, and if risk experts in their organizations can't step up to fill that role in their "window of opportunity," it will be filled instead by auditors, finance professionals, or external consultants.
In my recent engagements with Forrester's clients in risk management, I've certainly seen a lot of interest and participation from other functions in the business - most notably audit and IT. And just last week, my colleague Craig Symons published a report explaining key issues in risk management for the CIO.
A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.
The key to success is understanding the core elements of risk management and how to plug them into existing processes without simply creating another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk, provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.
In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.
I recently recorded a podcast with Stephanie Balaouras, discussing the potential for increased collaboration between crisis communication, business continuity, and risk management functions. The strategies that businesses implement to manage disasters can mean the difference between bankruptcy and resilience... and we unfortunately see reminders of this on an almost weekly basis.
As each disaster hits the news (BP’s oil spill in the Gulf Coast, the recent volcanic eruption over Iceland, the financial crisis, the H1N1 virus, the extreme weather that crippled Washington, DC this past winter, etc.), the overwhelmingly negative impacts that occur start to hit home. Fortunately, we are starting to see our clients turning more to their crisis communication, business continuity, and risk management teams to ensure that they are prepared for the worst.
There are many potential points of collaboration between these teams... from modeling critical business processes and assessing the business impact of incidents to executing effective remediation plans and conducting post-incident loss analysis. Recently, I’ve also seen companies that talk about starting from scratch with a risk management function, although they have already done a substantial amount of relevant work for their business continuity function.
Of course, while there are some good trends that point to increased cooperation, there are still many areas for further improvement for every company. In fact, our data shows it to be the rare case in which both internal and external crisis communication functions are handled well in the same plan, with one usually being much stronger and more of a focal point.
I was able to catch pieces of live testimony in front of the House Financial Services Committee yesterday on the Lehman Brothers collapse (covered via live blog by the Wall Street Journal). It was interesting to watch former Lehman head Richard Fuld reluctantly attempt to explain to an understandably skeptical audience, “We were risk averse,” in the period leading up to the company’s collapse.
Meanwhile, Goldman Sachs is back in the spotlight after the SEC leveled charges of fraud against the company last week related to alleged misstatements and omissions in the marketing of specific financial products. While this seems like a relatively small initial shot at the large financial firms, the SEC appears to be reasserting its authority after a series of embarrassing stories have come out about failures of oversight including Madoff, Stanford, and now Lehman.
So what does all this mean for governance, risk, and compliance professionals?
It’s hard to tell what might come of the fraud charges against Goldman Sachs, but if anything, this appears to build a case for more rigorous compliance policies and manual oversight. It’s hard to see how automated controls could have helped here, but the case could involve substantial e-discovery to determine how certain marketing decisions were made.
As I close out my client inquiry records for the quarter, it’s interesting to review some of the common challenges risk management professionals are currently facing. I was impressed to see how closely the issues I deal with were covered in the month’s edition of Risk Management Magazine. In an article entitled, “10 Common ERM Challenges,” KPMG’s Jim Negus called out the following issues:
Assessing ERM’s value
Privilege (of access to risk information)
(Selecting a) risk assessment method
Qualitative versus quantitative (assessment metrics)
Time horizon (for risk assessments)
Multiple possible scenarios
Simulations and stress tests
Negus provides good perspective on these challenges as well as some ideas for solutions. The list is fairly comprehensive, but there are several other challenges that I would have included based on the inquiries I get. First and foremost, the role of technology in risk management – whether for assessments, aggregation, or analytics – comes up very frequently, and vendor selection initiatives have been plentiful since mid-Q4 of last year.
Defining risk management’s role within the business (and vice versa) is also an extremely common topic of conversation. As rules and standards keep changing, this will remain a top challenge. Other frequent issues include event/loss management, building a risk taxonomy, and evaluating vendor/partner risk.
I had a few great conversations yesterday about the increasing role analytics will play in risk and compliance programs, which brought to mind the article, For Some Firms, a Case of 'Quadrophobia' appearing earlier this week in the Wall Street Journal and referenced yesterday by the NY Times’ Freakonomics blog.
The article covers a study of quarterly earnings reports over a nearly 30-year period, which found a statistically low number of results ending in four-tenths of a cent. The implication here is that companies fudge their numbers slightly to report earnings ending in five-tenths, which can then be rounded up... clever. Even more interesting, authors of the study found that these “quadrophobes” are “more likely to restate financials and to be named as defendants in SEC Accounting and Auditing Enforcement Releases (AAER)”... not clever.
The report encourages the SEC to enhance its oversight with a new department dedicated solely to detailed quantitative analysis that might catch this type of behavior. It also occurs to me that many corporations would like to identify such trends within their four walls to detect and prevent potentially damaging behavior.
Clearly, the cultural/human aspects of risk management and compliance – policies, attestations, training, awareness, whistleblowing, etc. – are essential. But as the number and complexity of business transactions continue to grow, companies will be looking more and more for ways to analyze massive amounts of data for damaging patterns and trends.
In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.
News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception... giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support this recovery... you're making a huge mistake and you will regret that later on." French President Nicolas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."