Freeman Cebu Business

Integrated Risk Management

INTEGRITY BEAT - Henry J. Schumacher - The Freeman

“Integrated Risk Management” (IRM) is the next level of business strategy in the prevention and management of adverse events.

Now that the implementation of the Data Privacy Act in the Philippines forces companies to adhere to the law and the regulations of the National Privacy Commission, and that the deadline for General Data Protection Regulation (GDPR) readiness (May 25th, 2018) in the EU is staring us right in the face instead of being in some distant future, the likeliest catalyst to get things right is Integrated Risk Management.

There are a lot of people who are probably wondering why GDPR is any different from the multitude of regulations that came before. That’s a valid question. For years now, big regulations have been the controls in place to encourage “good” behavior from businesses.

However, until GDPR came along, businesses have been able to get by with fragmented risk management and siloed compliance efforts that occur almost entirely within one area of the business.

GDPR is really the first time it will be vital for several key departments to be in sync to achieve effective management. While data security and network protection have traditionally been the domain of Information Systems (IS) and Information Technology (IT), GDPR’s requirements make this a C-Suite family affair. The CEO, the Chief Compliance Officer, the Chief Information Officer and the Chief Information Security Officer all need to be involved in the strategic risk assessment and gap analysis. With the full, visible support of the CEO and General Counsel, the security team will have to work in concert with them to address both the Operational and IT Risks through the design, implementation and rollout of the program’s risk treatments and mitigation strategies, which will include a mix of technology solutions, awareness campaigns, trainings, and attestations. This is exactly the scope of change presently being introduced in major organizations in the Philippines.

Initially, compliance seems daunting, and the time commitment is an imposition, especially for those not “in” compliance or IT. The benefits of a strong program are also hard to define. It is a bit like proving a negative: you cannot show the cost of the incidents that never happened. This makes sponsorship a tough sell to some top executives when you are vying for support and resources against other, more concrete, methods of revenue protection.

The best way to quantify the benefits is probably to consider the aftermath of an incident occurring. In addition to the profit-killing fine following a negative ruling, which is the scariest and most concrete of the calculable consequences, CLOs should be concerned with the costs of time, legal fees, and expenses of defending against an NPC complaint or court case, win or lose. CIOs may well be concerned with the additional strain and scrutiny their team will endure should the controls in place for compliance be found inadequate. CCOs might consider what extra audits mean for their own teams, and CEOs ought to be interested in how public perception might change when the brand’s name is reported on the news in a negative light.

All of this is to say that an ounce of prevention is worth a pound (or significantly more) of cure. Data privacy compliance can be thought of as Business Continuity Management. So as your company travels its Data Privacy Protection readiness journey, bring all the players together at the same time so the monumental task can be broken down into small and manageable bits. Keep working to maintain open lines of communication between top executives, especially on Strategic, Operational, and IT risks. Finally, see if you can find a way to tie financial value to getting it right, for example by estimating the full cost of an incident: the fine plus the fallout from a lawsuit. Once you have that number, you can calculate how much money your strong compliance program saves you every day it prevents such an incident.

To learn more about how you can be compliant with the Data Privacy Regulations, discuss with experts who offer solutions for this necessary journey.

Comments are welcome – contact me at [email protected]
