Getting to compliance and lowering risk with integrated communications technologies

White paper
March 2011

Tyson Macaulay
Security Liaison Officer, Bell Business Markets


Table of contents

  • About the author
  • Executive summary
  • 1.0 The compliance conundrum
    • 1.1 Reducing business risks through compliance and ICT
  • 2.0 Identifying and understanding risk
    • 2.1 Risk defined
    • 2.2 How all risks are connected
    • 2.3 The hidden dangers of operational risks
    • 2.4 ICT and risk
  • 3.0 Taking action–Part I: Developing your risk focus
    • 3.1 Risk focus: Establishing the right controls
    • 3.2 Risk focus in six industries
    • 3.3 Applying risk focus to sample regulations
      • 3.3.1 Sample privacy regulations
      • 3.3.2 Sample security regulations
      • 3.3.3 Sample reporting regulations for publicly listed companies
  • 4.0 Taking action–Part II: Developing an Enterprise Risk Management program
    • 4.1 Alternatives to ERM
  • 5.0 Best practices: 7 steps to achieve compliance and reduce risk through ICT
    • 5.1 Get security and privacy departments to work together
    • 5.2 Perform compliance requirements analysis
    • 5.3 Prioritize risks
    • 5.4 Plan remediation
    • 5.5 Get management to endorse the plan
    • 5.6 Implementation
    • 5.7 Audit and review
  • 6.0 The path to better compliance
  • Recommended resources

About the author

Tyson Macaulay is a Security Liaison Officer for Bell. In this role, he is responsible for technical and operational risk management solutions for Bell's largest enterprise clients. Tyson also supports the development of engineering and security standards through the Professional Engineers of Ontario and the International Standards Organization (ISO) SC 27 committee.


Executive summary

As the regulatory environment in Canada grows more complex, organizations may regard the new compliance requirements as a burden to doing business. What many organizations don't realize is that internal compliance initiatives–increasingly the domain of Information Communication Technology (ICT) solutions–can help improve processes throughout their operations and provide vital protection to a business, its competitive position, even to its brand and reputation.

Fortunately, organizations can reduce their exposure to four primary categories of risk–strategic, market, financial and operational–through managing compliance with best practices in ICT.

In today's ICT landscape, a single network platform now supports many, if not all, information assets–business data, voice, physical security, industrial controls and more. An organization's ICT network can have an impact on all areas of risk. By the same token, addressing these types of ICT-related privacy and security risks goes a long way to meeting compliance objectives and addressing an organization's overall risk profile.

In order to put together a plan that will effectively mitigate risks, an organization must identify its risk focus: the combination of possible past, current or future outcomes that represents the greatest threat(s) to your organization. Every organization has a different weighting between historical, real-time or forward-looking risks, which are reflected to some extent by the regulations and compliance controls in its industry. By assessing and using the right combination of these controls, an organization can develop the right risk focus.

Smart organizations recognize that it is important to have a complete picture of what kinds of risks they face, and the best ways of addressing them. Technology plays a critical role in managing compliance and reducing business risks.

1.0 The compliance conundrum

Canadian businesses face more compliance requirements than ever. As the regulatory environment in Canada grows more complex, organizations may regard the new rules as a burden to doing business. And there is some truth to that: no one is in business just to satisfy compliance requirements.

Organizations typically approach the issue of compliance with a mix of resignation and disdain. Some businesses will do what is required to the letter of the regulation; others will only do as little as is necessary to achieve a semblance of meeting the requirements, merely to avoid the consequences of non-compliance. Many organizations are confused by compliance issues and either never become fully compliant, or drift into states of non-compliance.

Sooner or later, though, compliance is an issue that has to be dealt with.

1.1 Reducing business risks through compliance and ICT

What many businesses don't realize is that internal compliance initiatives–increasingly the domain of Information Communication Technology (ICT) solutions–can help improve processes throughout their operations and provide vital protection to a business, its competitive position, even to its brand and reputation.

Fortunately, there are best practices that constitute a path to compliance and point the way to reducing the significant risks a business faces across its organization, from individual departments right up through the C-level executive suite to the board of directors.

This white paper will demonstrate how organizations can reduce their exposure to four primary categories of risk–strategic, market, financial and operational–through managing compliance with best practices in ICT.

You will learn:

  • How to identify and understand different kinds of risk in your business
  • The critical role ICT can play in addressing these risks
  • How to develop a risk focus to guide compliance
  • Keys to developing an Enterprise Risk Management program
  • Best practices for managing compliance in ICT

Armed with this information, your organization can assess and address countless risks that it faces by putting a plan in place to achieve and maintain compliance.

2.0 Identifying and understanding risk

A crucial first step in determining where organizations should concentrate their risk mitigation and compliance efforts is understanding the risks they face. Once risks are clearly defined, organizations will see how they are interconnected and the optimal role for ICT to play in achieving compliance.

2.1 Risk defined

Typically, there are four kinds of business risk that apply in some degree to any organization: strategic, market, operational and financial. To a greater or lesser extent, each organization faces these same four risks, albeit in a unique combination that depends on its individual situation. Here is how they are defined:

  • Strategic risk – The risk of losses arising from poor business planning with respect to products, services, clients and competitors. This also includes the risk of accepting a state of non-compliance
  • Operational risk – The risk of losses resulting from inadequate or failed internal processes, people and systems. Operational risks can include fraud, industrial security, productivity and the safety of intellectual property and financial records
  • Market risk – The risk associated with regulation and compliance within a country or region, as well as the ways in which customer perceptions, tastes and behaviour affect an organization
  • Financial risk – The risk of losses in stock value, goodwill or financial uncertainty associated with interest, credit or currency rate changes. Financial risk covers everything from the value of your receivables to the probability of default. This is where most risk management efforts are directed

The good news is that becoming compliant helps address all four kinds of risk.

2.2 How all risks are connected

Each kind of risk can have major consequences in its own right. However, all risks are also interconnected. Failing to manage one kind of business risk can create a cascading effect across the other risks. For example, problems that occur due to mismanaged financial risk turn into a kind of market risk because they can impact customer confidence and brand reputation. In the same way, strategic decisions can also elevate an organization's financial risk–consider a major acquisition that requires substantial financial leverage. Operational risk can elevate strategic risk as well, as when unsafe work conditions lead to an incident that damages an organization's reputation. In fact, allowing any risk to grow to a level where a major incident would result in negative publicity is a good example of too much strategic risk.

Recognizing that risks are connected is critical to understanding how ICT and compliance initiatives can help address them. In order to manage the market risks associated with compliance, an organization must effectively manage ICT-related controls that address financial and operational risks.

2.3 The hidden dangers of operational risks

Operational risks play a key role in the overall risk picture. However, organizations tend to overlook operational risks and their interdependencies with other types of risk.

Every department inside an organization has its own operational risks–physical security, ICT security, human resources, contract management–and each department typically addresses those risks in its own way, often without clear policies or corporate guidelines. Moreover, because executives rarely get involved with addressing operational risk, it does not have as high a profile as other kinds of risk and operational risks are rarely quantified.

This could have potentially disastrous consequences. Although most organizations place a heavy emphasis on financial risk–the term risk management is often synonymous with financial risk management–securities regulators and debt ratings agencies are beginning to signal that they recognize a link between operational risk and financial risk. How so? A degradation of the business or production processes will affect profit–a financial risk that can impact an organization's ability to remain competitive, attract and retain clients, and ultimately to operate. As a result, regulators and ratings agencies have indicated they will factor operational risk into their predominantly finance-oriented assessments. In short, operational risks–fraud, industrial security, the safety of intellectual property and financial records–now have the potential to impact share price.

2.4 ICT and risk

Many organizations view ICT as just one kind of operational risk. But the reality is that in today's ICT landscape, a single network platform now supports many, if not all, information assets–business data, voice, physical security, industrial controls and more.

It follows, then, that an organization's ICT network can have an impact on all areas of risk. For example, poor network security can result in:

  • A security breach that causes damage to the brand, affecting market risk
  • A loss of intellectual property and ultimately revenue, affecting financial risk
  • Elevated operational risk
  • Strategic risk due to decisions made about ICT security

By the same token, addressing these types of ICT-related privacy and security risks goes a long way to meeting compliance objectives and addressing an organization's overall risk profile.

3.0 Taking action–Part I: Developing your risk focus

There are three possible ways for an organization to deal with any kind of risk: accept it, address it, or transfer it. For example, if the level of risk is not too high, if it doesn't impact compliance or if it is too expensive to address it or transfer it, risk can simply be accepted as part of doing business. In some cases, risks can be transferred to a third party that assumes responsibility (facility security can be outsourced to a security company; network security can be outsourced to an ICT managed services provider).

But what about those risks and compliance issues an organization must act on? In order to put together a plan that will effectively mitigate them, it's important to know your risk focus: the combination of possible past, current or future outcomes that represents the greatest threat(s) to your organization.

3.1 Risk focus: Establishing the right controls

Depending on an organization's industry, compliance controls exist for each category of past, current and future risks as follows:

  • Historical controls are associated with risks created by past actions, such as accounting practices. For example, the Sarbanes-Oxley Act and Bill 198 govern how organizations handle financial reporting and disclosure
  • Real-time controls guard against risks during the course of business, day-to-day and minute-to-minute. Good examples of real-time controls are the anti-virus, firewall and data loss protection measures, as required through regulations such as Payment Card International (PCI) compliance and privacy regulations
  • Forward-looking controls ensure good business continuity and resilience. Compliance regulations such as chemical facility anti-terrorism (CFAT) standards are concerned with ensuring that business and production continue as normal in the event of a security event

Every industry has a different combination of risk focus: historical, real-time or forward-looking. Your particular focus will be reflected to some extent by the regulations with which you must comply.

By assessing and using the right combination of these controls, an organization can develop the right risk focus.

3.2 Risk focus in six industries

To demonstrate how these controls point the way to addressing your overall risk profile, we will look at risk focus for six major industries.

  • Financial institutions – Emphasis is on the integrity and confidentiality of all transactions and records; historical accounting controls to deal with reporting accuracy and tracing fraud; and business continuity, because outages can sometimes cost hundreds of thousands of dollars each second.
    Risk focus: historical, real-time and forward-looking
  • Retail – Similar in many ways to banks, retailers need to safeguard personal and financial information in real-time; maintain secure and accurate client and financial records; and ensure business continuity as outages are costly
    Risk focus: historical, real-time and forward-looking
  • Health care – From a regulatory perspective, privacy is the biggest driver in the health care industry. The focus tends to be on real-time controls concerned with data loss and leakage. These controls include virus detection, control of mobile media such as USB sticks, and training and awareness among staff. Hospitals are also highly developed in terms of forward-looking controls, such as falling back to manual or paper systems in the event of an ICT failure
    Risk focus: real-time and forward-looking
  • Universities and colleges – Similar to hospitals, post-secondary institutions are concerned with real-time data loss and leakage associated with personal data, intellectual property and transactional information. They support hostile, open ICT environments and so invest heavily in controls such as firewalls and anti-virus. Historical controls such as data backup are also important because of the intellectual property on their systems
    Risk focus: real-time and historical
  • Energy – Electric utilities and energy producers must remain operational at all costs, so systems are focused on resilience, recovery and forward-looking controls in terms of both ICT and industrial control system management. Investments in real-time controls also focus on physical security and redundancy
    Risk focus: forward-looking, then real-time
  • Government – The privacy of personal information and national security requirements give the Government of Canada a focus on real-time and historical controls. Governments at the provincial and municipal levels are more focused on the protection of personal information, but also emergency management, giving them a focus on forward-looking and real-time controls
    Risk focus:
    • Federal: Real-time, then historical
    • Provincial and municipal: Real-time and forward-looking

Knowing your organization's risk focus not only allows you to concentrate on complying with regulations in those areas, but also gives you the knowledge to build an effective risk management plan.

3.3 Applying risk focus to sample regulations

The first place that organizations normally take action to mitigate risk is, of course, where regulation demands it. Each regulation governing the actions of an organization carries a different risk focus, and can also be divided into three major compliance groupings: privacy, safety and security, and reporting. Some privacy and safety/security regulations apply to all organizations, while other regulations are specific to industries or business functions. Public companies must comply with regulations in all three areas.

The following are examples of regulations with which organizations in Ontario must comply. Laws similar to those listed are in place in most provinces, so these can be taken as broadly representative of regulation across Canada.

It is worth noting that in the domain of privacy, if a provincial law is substantially similar to a federal law, provincial regulation takes precedence–compliance with provincial regulation may supersede federal. If there are gaps in provincial law, federal regulation is adhered to.

3.3.1 Sample privacy regulations

  • PIPEDA – The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal data privacy law governing how personal information and electronic documents are collected, used and disclosed in the private sector in the course of business in Canada
  • FIPPA – The Freedom of Information and Protection of Privacy Act is a law in the province of Ontario that provides right of access to records held by public bodies, regulates how public bodies manage personal information, and stipulates that personal information must be protected. Similar acts exist in every province
  • PHIPA – The Personal Health Information Protection Act regulates the collection, use, storage and sharing of personal health information in Ontario in order to protect the confidentiality and privacy of individuals, while at the same time facilitating the effective provision of health care

3.3.2 Sample security regulations

  • PCI – The payment card industry's data security standard is a worldwide information security standard that helps mitigate credit card fraud. It sets controls around data and its exposure to compromise for all organizations which hold, process, or pass cardholder information from any payment card
  • CFAT – Chemical facility anti-terrorism standards legally require high-risk chemical facilities in the United States to enhance security and establish new procedures for protecting chemical facility operations and information. These are industry-set, harmonized standards for security, industrial control and ICT processes that also apply to Canadian-owned facilities in the U.S.
  • NERC-CIP – Critical infrastructure protection (CIP) standards formulated under the North American Electric Reliability Council (NERC) legally require the implementation of a holistic security approach to protect the supply of electricity throughout North America
  • Workplace health and safety (WPHS) and environmental regulations – This class of regulation is provincial in nature and often industry-specific. Regulations implicate ICT systems because of their critical role in supporting and managing safety and security systems, including industrial control security: if an incident occurs and is caused or aggravated in some measure by an ICT error, lapse or omission, your organization can be held culpable

WPHS regulations cover a broad area, given that the network's failure can have a direct impact on health and safety: building water and sewer, heating and cooling, smoke detectors, door strikes, security cameras, process control and more can all stop working because of ICT failure.

3.3.3 Sample reporting regulations for publicly listed companies

  • Sarbanes-Oxley is a U.S. law enacted to set new or enhanced standards for all public companies listed in the U.S. in the areas of auditor independence, corporate governance, internal control assessment and financial controls and disclosure. Under the provisions of the law, if ICT security is not adequate, you cannot make statements about the validity of financial disclosures
  • Bill 198 (CSOX) – A legislative bill that provides for regulation of securities issued in the province of Ontario. It is equivalent to the U.S. Sarbanes-Oxley Act listed above and so is also known as the Canadian Sarbanes-Oxley Act or CSOX
  • Taxation regulation – All organizations outside of the public sector must securely maintain books and records relating to the previous seven fiscal years

The following table illustrates the risk focus of each regulation covered in section 3.3. If you already know which regulations apply to you, this table will give you some idea of the weighting of historical, real-time and forward-looking risk for your organization.

Table 1: Risk focus of sample regulations

Note: This matrix will differ for individual organizations depending on the nature of their business and their obligations to clients, partners, suppliers and regulators.

4.0 Taking action–Part II: Developing an Enterprise Risk Management program

The one thing that cuts across all industries, regardless of compliance focus, is how organizational risk management is structured. The current trend favours blending security and privacy programs so that the two disciplines address compliance risks in tandem. This is thought to eliminate gaps and duplication of effort, increasing efficiency and reducing the cost of achieving compliance.

Still, there is no single way to structure risk management compliance. It is also common to find security and privacy compliance and reporting managed in a completely separate manner. But when privacy is a major element of an organization's compliance profile–as is the case with organizations that handle a significant amount of clients' personal information, such as healthcare and finance–security will play a major role in the compliance regime. In such cases, it's best to handle security and privacy together.

One way to blend security and privacy is to institute an ongoing enterprise risk management (ERM) program. ERM provides a framework for risk management that involves:

  • Identifying risks and opportunities particular to an organization
  • Categorizing and rating a complete spectrum of risks
  • Determining a response strategy
  • Monitoring progress

The process begins with an ERM assessment that evaluates risks across the full spectrum of strategic, market, financial and operational categories. An ongoing ERM program will allow you to identify compliance requirements as they evolve, and to progressively reduce risks of all kinds, compliance-related and otherwise, regardless of business type.

4.1 Alternatives to ERM

Not every organization has an enterprise risk management (ERM) program in place, nor can every business commit the resources required for a thorough evaluation. Organizations can, however, adopt an alternative approach.

First, take a look at all facets of your ICT security and privacy needs, threats and compliance requirements to identify risks. Next, place them in each of three buckets: real-time, historical and forward-looking. Allocate emphasis on historical, real-time or future controls as per the examples in Table 1. This will help you to address risk proportionately and make it simpler to retroactively integrate an ERM strategy into your security and privacy program as time and resources allow.

Once this has been done, report the threats impacting enterprise-level risks to management so that executives can decide which risks the organization is willing to accept, which must be addressed, and which can be transferred to a third party. Whether you are building an ERM strategy or making changes to your security and/or privacy program, it's important to follow best practices in order to wind up with an efficient program that focuses on what is most relevant to your business.

5.0 Best practices: 7 steps to achieve compliance and reduce risk through ICT

Many organizations claim compliance after making only minor modifications to their ICT infrastructure and policies. What's really needed is a better understanding of how real business improvements are possible–that better compliance equals reduced business risk and improved performance. Fortunately, there are best practices that constitute a path to compliance and reduced risk. This section outlines seven steps that will help you to keep your organization in compliance and safe from excess risk.

5.1 Get security and privacy departments to work together

Within organizations, privacy and ICT security departments often have little to do with each other. But because privacy and security are so closely related, when these departments act independently you may not be fulfilling all compliance requirements, or you may end up with two opinions on how to satisfy them, which slows the compliance process. For increased efficiency, speed and risk coverage, it's best to get security and privacy to work together.

5.2 Perform a compliance requirements analysis

The next step in managing compliance is to perform a requirements analysis. This can be done within the framework of a larger ERM exercise, or as a separate exercise geared specifically towards ICT. Begin by analyzing your business: based on the descriptions in section 3.1, do you have a need for historical, real-time or forward-looking controls? Once you know your focus, group security and privacy requirements together in order to reduce costs, delays, and the likelihood of non-compliance.

5.3 Prioritize risks

If at this point compliance is your primary risk concern, you will need to separate compliance risks from other risks and prioritize treatment. Your prioritization should include the following factors:

  • Risks most likely to occur
  • Ratio of cost for proactive risk treatment compared to the cost of occurrence
  • Ratio of cost for proactive risk transfer compared to the cost of occurrence
  • Length of time to address/transfer risk

Once factors have been considered and prioritization is complete, gain management's approval on priorities to be addressed.

5.4 Plan remediation

Once risks have been prioritized, it's time to plan remediation. Most solutions will consist of a blend of three kinds of control: management, operational and technical. The role that each type of control plays:

  • Management controls concern policy
  • Operational controls concern procedures, standards and plans
  • Technical solutions deal with the implementation of hardware and software controls

Some risks will require no technical investment whatsoever. In some cases, the most effective solution may call exclusively for management controls (new policies) along with procedures related to education and training.

In the course of planning remediation, it is important to consult internal stakeholders, gather technical requirements, confirm any assumptions about who needs what solutions and when, and finally, provide stakeholders with an opportunity to comment on the draft plan for remediation.

Putting these things into practice can be done more quickly and efficiently through collaboration and engagement, as internal stakeholders often don't have the background required to intuitively appreciate the objective of the risk management program–nor are they always aware of what gaps exist in their knowledge of risk.

If you face serious time constraints, an alternative is to get all stakeholders to the table and create a solution together. First, conduct a series of focus groups in which compliance requirements are collected through a group interview process. Then come to agreement on where to place risk levels through a collaborative workshop process. Finally, analyze your options outside of the focus group/workshop environment and present them to management.

It should be noted that this kind of solution ought to be considered temporary or interim, as such measures typically result in a risk management strategy that overlooks or omits certain types of requirements–often those that are forward-looking–leaving organizations open to unacceptable risk in some areas.

5.5 Get management to endorse the plan

Employees who are charged with managing compliance often come up with a solid plan to address risks only to find that cost and/or deployment timelines are not acceptable to management. The typical reaction is then to reduce cost and accept more risk. For this reason, it is important that an initial presentation to management includes a discussion on the trade-off between residual risk and cost so that decision-makers fully understand the consequences of their actions.

Keep in mind that coming up with a risk management plan acceptable to all parties is often an iterative process. If a satisfactory solution cannot be easily reached at this stage, return to step 5.3.

5.6 Implementation

Implementation can consist of many different initiatives–your plan for remediation will dictate the specifics. Implementation could involve investments in hardware and/or software, or it could have more to do with developing policies to train staff and streamline procedures.

5.7 Audit and review

Under most security and auditing standards, legitimate compliance processes must be audited annually, at the least. This allows for changes to your business to be taken into account and evaluated for changing risk needs as well as any changes to regulations.

6.0 The path to better compliance

The compliance landscape in Canada is growing increasingly complex, and the consequences of failing to comply continue to grow more serious. While most organizations regard regulations as a burden to doing business, compliance can help put them on a firmer footing in terms of brand security, operations and finance. It does this by reducing, to some extent, each of the four kinds of business risk: strategic, market, financial and operational.

Smart organizations recognize that it is important to have a complete picture of what kinds of risks they face, and the best ways of addressing them.

Technology plays a critical role in controlling business risks in every organization. Disparate systems, from accounting to security and industrial controls, are increasingly managed by means of a single technology platform. There are clear best practices in managing compliance in ICT security and privacy for full compliance and reducing many kinds of business risks.

Recommended resources

Managing municipal assets for regulatory compliance with PSAB3150, White paper, July 2009

How to integrate your security program into your overall risk management strategy, Expert insight, November 2009

PCI compliance checklist, Assessment tool, November 2009

Prioritizing your enterprise's investment in security, compliance and risk protection, Webinar, February 2009

Does your compliance and security program fully protect your enterprise?, Assessment tool, October 2008

Talk to Bell

Compliance with regulation is vital to the health and wellbeing of your organization; it's also a crucial step on the road to a comprehensive risk management program. However, it's important to understand the larger picture: what risk exposures your organization faces, and how they influence your focus on historical, real-time and forward-looking controls.

If you don't have significant in-house experience aligning compliance with ICT security programs, it can make sense to engage a partner with the breadth of knowledge and depth of ability to help mentor, architect or implement your compliance and risk management program. Bell is a Canadian leader in corporate compliance strategy and implementation. To find out more about our compliance and risk management services, contact your Bell representative.