When is the right time to think about compliance versus risk?
Network World interviewed the CIOs of Underwriters Laboratories and the Minnesota Department of Veteran Affairs on this topic and generated some interesting comments. Both make the expected argument that you can’t pursue one over the other, but in the end they say risk is the key consideration.
Christian Anschuetz of UL uses the story of the Titanic to illustrate his point. When it sank in the North Atlantic 101 years ago, losing over 1,500 people, the captain, crew and the White Star Line had complied with the regulations of the time by providing the required number of lifeboats. The regulations were clearly not up to the risk faced by the vessel and its passengers.
Non-compliance is another form of risk. Barely a day passes without a story of a hefty fine levied against a firm that violated a HIPAA privacy rule or did not comply with the PCI standard for data security. In these cases, compliance is its own risk category.
CIO Dan Abdul offered nine tasks for determining your organization's risks, so that you neither take on unnecessary risk nor overcompensate with too many controls:
- Risk of failing to fully comply with regulations
- Loss of intellectual property and any sensitive information
- Impact of disasters and unplanned events
- Impact of an event which adversely affects the brand image of the organization
- Gaining stakeholder feedback on impact and likelihood of these risks
- Benchmarking existing process for managing the risks identified as concerns by stakeholders
- Identifying the costs required to address the risks
- Performing a cost/risk analysis
- Prioritizing control efforts accordingly
The challenge with compliance is that regulations are generally written in response to previous incidents. They try to point out the risks, but don't really provide a set of controls against which you can determine whether you are fully compliant. That comes down to the auditor's interpretation. Another risk.
Abdul adds, "More importantly, if you implement every control recommended for any regulation and still have a breach, you are not protected from lawsuits and fines from the regulating entity."