In my house, the boys are getting excited anticipating the presents that are going to be under the Christmas tree. My figurative presents under the tree are some thoughts from the 2015 Privacy. Security. Risk. (P.S.R.) conference presented by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). When you open these presents, you’ll find thoughts from Lockheed Martin, Microsoft, Acxiom and Hewlett-Packard to help improve your compliance program in 2016.
At Lockheed Martin, Mr. Byrne takes a dual perspective on assessing risk, first examining risk from the customer’s perspective and then from the business perspective. Doing this well requires a deliberate compliance strategy, an understanding of how organizational structure and accountability can be leveraged, policy development, incident management, and privacy reviews. For privacy reviews, he highlighted three specific components: what constitutes a privacy review, which type of review a given initiative needs, and how exceptions to the review process are handled.
The framework Lockheed Martin uses can be described as follows:
Governance
Compliance
Oversight
Integration
Workforce Excellence
Mr. Lynch outlined Microsoft’s methodology for managing privacy risk. The approach is to score the likelihood of a risk having an organizational impact on a 1 to 5 scale and the potential impact of that risk on a 1 to 5 scale, then multiply the two to determine “inherent risk” on a 1 to 25 scale. This is then compared to the perceived level of effectiveness of the controls that mitigate, monitor, and manage the risk. Each risk can then be plotted in an X-Y coordinate graph, with risk treatments as follows:
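As an added illustration (not from the post or from Microsoft), the scoring step above applied to a small, constructed risk register. Likelihood and impact follow the 1 to 5 scales from the text and multiply to the 1 to 25 inherent-risk score; the post does not give the control-effectiveness scale or the treatment mapping, so the 1 to 5 control scale and the control-gap comparison below are assumptions.

```python
# Added example: inherent-risk scoring per the method described in the post.
# Assumptions (not stated in the post): control effectiveness is rated 1-5,
# and a control is flagged as a gap when, scaled to the 1-25 range (x5),
# it rates below the inherent risk it is meant to manage.

def inherent_risk(likelihood: int, impact: int) -> int:
    """Likelihood (1-5) times impact (1-5) gives inherent risk on a 1-25 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def plot_point(likelihood: int, impact: int, control_effectiveness: int) -> tuple:
    """X-Y coordinate for the graph: x = inherent risk, y = control effectiveness."""
    if not 1 <= control_effectiveness <= 5:  # assumed 1-5 control scale
        raise ValueError(f"control effectiveness must be 1-5, got {control_effectiveness}")
    return (inherent_risk(likelihood, impact), control_effectiveness)


def rank_register(register: list) -> list:
    """Order risks by inherent score (highest first) and flag those whose
    controls look weaker than the risk they are meant to mitigate."""
    rows = []
    for item in register:
        score, control = plot_point(item["likelihood"], item["impact"], item["control"])
        rows.append({
            "risk": item["name"],
            "inherent": score,
            "control": control,
            "control_gap": score > control * 5,  # assumed comparison rule
        })
    rows.sort(key=lambda row: (-row["inherent"], row["risk"]))
    return rows


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    {"name": "Unencrypted backup tapes", "likelihood": 3, "impact": 5, "control": 2},
    {"name": "Stale access on shared mailbox", "likelihood": 4, "impact": 2, "control": 4},
    {"name": "Vendor without data processing agreement", "likelihood": 3, "impact": 4, "control": 1},
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(row)
```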
Ms. Colclasure and Mr. Taylor outlined a process by which compliance teams can increase the impact of their assessments of compliance risk. The foundation of this was as follows:
Understand the Business Values
Understand the Business Objectives
Your assessment process and program need to serve as a business enabler for your operational teams to achieve their goals. The process needs to get to “Yes” in a timely manner, provide guidance that can be used to reach objectives, and deliver what the operational teams need to be effective. The process needs to invert the traditional perspective that compliance teams take and put business enablement ahead of pure compliance.
FOUR AREAS TO EVALUATE TO SEE IF YOUR COMPLIANCE TEAM IS DRIVING THE IDENTIFIED VALUES:
These sessions reinforced for me the importance of a compliance team engaging productively with its partners within the business. In the New Year, you can evaluate the relationship between the compliance team and its business partners in your institution. Your input and leadership can help them find better ways to collaborate and be more effective. The increased strength of your compliance program from these efforts will be the present that keeps on giving throughout 2016.
Brad Reimer, CIPP/US, is Manager, Privacy and Marketing Compliance at Deluxe Corporation. Brad has worked in the privacy area as a compliance subject matter expert in operational, legal, IT, and governance roles, developing policies, procedures, tools, and governance structures to ensure efficient and effective operational alignment with regulatory requirements, industry best practices, and corporate policies. Connect with Brad on LinkedIn.
Reposted with permission from Deluxe Blogs