In my house, the boys are getting excited anticipating the presents that are going to be under the Christmas tree. My figurative presents under the tree are some thoughts from the 2015 Privacy. Security. Risk. (P.S.R.) conference presented by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). When you open these presents, you’ll find thoughts from Lockheed Martin, Microsoft, Acxiom and Hewlett-Packard to help improve your compliance program in 2016.
Jim Byrne, Chief Privacy Officer (CPO) and Associate General Counsel at Lockheed Martin; Brendon Lynch, CPO at Microsoft
At Lockheed Martin, Mr. Byrne takes a dual perspective on assessing risk, first examining risk from the customer’s perspective and then from the business perspective. This approach requires an intentional approach to compliance strategy, understanding and leveraging organizational structure and accountability, policy development, incident management, and privacy reviews. Specific components of privacy reviews that were highlighted were what constitutes a privacy review, the type of review an initiative needs, and how exceptions to the review process are handled.
The framework Lockheed Martin uses can be described as follows:
- Corporate strategy and direction
- Executive leadership aligned with corporate approach
- Champions within business units ensuring operational alignment
- Privacy Impact Assessments
- Application reviews
- Process change management
- Vendor evaluation processes – Request for Proposals
- Supply chain management
- Outside counsel management and involvement
- Mergers & Acquisitions
Training and Awareness
Mr. Lynch outlined Microsoft’s methodology to managing privacy. That approach is to score the likelihood of a risk having an organizational impact on a 1 to 5 scale and the potential impact of the risk on a 1 to 5 scale and multiplying them together to determine “inherent risk” on a 1 to 25 scale. This is then compared to the perceived level of control effectiveness that mitigates, monitors, and manages the risk. Each risk can then be plotted in an X-Y coordinate graph, with risks treatments as follows:
- Tolerate: Inherent Risk score <10, Control Effectiveness <3
- Operate: Inherent Risk score <10, Control Effectiveness >3
- Monitor: Inherent Risk score >10, Control Effectiveness >3
- Improve: Inherent Risk score >10, Control Effectiveness <3
Sheila Colclasure, Privacy Officer at Acxiom; Scott Taylor, VP and CPO at Hewlett-Packard
Ms. Colclasure and Mr. Taylor outlined a process by which compliance teams can increase the impact of their assessments of compliance risk. The foundation of this was as follows:
Understand the Business Values
- Corporate values as they relate to compliance
- How the company wants to be seen to the public
- Start with industry best practices
- Comply with the law and align with company values
- Base the assessment on the business model, not an off-the-shelf model
- Understand the Privacy Office Objectives
Understand the Business Objectives
- Brand protection
- Mitigating complexities
- Easy and accessible
Your assessment process and program need to serve as a business enabler for your operational teams to achieve their goals. The process needs to get to “Yes” in a timely manner, provide guidance that can be used to reach objectives, and deliver what the operational teams need to be effective. The process needs to invert the traditional perspective that compliance teams take and put business enablement ahead of pure compliance.
FOUR AREAS TO EVALUATE TO SEE IF YOUR COMPLIANCE TEAM IS DRIVING THE IDENTIFIED VALUES:
- Has the compliance team identified, socialized, and realized the business value of the assessment process?
- Is the compliance team playing offense – proactively reaching out, espousing the benefits of using the process and the negative consequences of not using it – or playing defense?
- Is the assessment process effectively positioned in the minds of the operational stakeholders?
- Has your organization bought into the process, and is it effectively participating?
These sessions reinforced for me the importance of a compliance team engaging productively with its partners within the business. In the New Year, you can evaluate the relationship they have with each other in your institution. Your input and leadership can help them find more effective ways to collaborate and be more effective. The increased strength of your compliance program from these efforts will be the present that keeps on giving throughout 2016.
Brad Reimer, CIPP/US, is Manager, Privacy and Marketing Compliance at Deluxe Corporation. Brad has worked in privacy area as a compliance subject matter expert in operational, legal, IT, and governance roles, developing policies, procedures, tools, and governance structures to ensure efficient and effective operational alignment with regulatory requirements, industry best practices, and corporate policies. Connect with Brad on LinkedIn.
Reposted with permission from Deluxe Blogs