While there are several initiatives and forums where the general counsel community shares serious knowledge on topical legal and regulatory aspects, Lex Witness goes a step aside and gets into a candid coffee-table conversation. Have an interesting read through.
I am part of the HPE Enterprise Services group. I am a risk evangelist and a subject matter expert on ISO27001, ISO22301, ISO31000 and ISO27018. I drive what is possibly the largest cybersecurity certification in the world, covering more than 250 locations worldwide for ISO27001. I am also responsible for ISO22301, which is for business continuity. I have been lucky to have authored the risk management policy and framework for Enterprise Services. Our global certification program is built upon an Integrated Management System that is focused on principled performance through collaboration, standardization and optimization of common processes across the world.
When we began, there were disparate activities, in silos across the world, with in-house experts in some places and outsourced ones in others. We built an Integrated Management System that leverages 9 common areas across quality management, service management, information security management and business continuity management activities to reduce overlapping processes. Once we built the global program, and while we built systems, we realized that GRC is a continuously improving mechanism. We faced challenges of staffing and pushback from businesses, apart from the core risk management issues. It has been a long ride, and as we move into the New Year, we are challenged to split out of HPE and merge into a new company. So the roller coaster ride is on.
Absolutely. But I believe that it will always continue to evolve. When I interact with the industry, I realize that the challenges are very similar. At the top levels there is a concern that not all risks are visible, while operational leaders complain that we are still confused between what an issue is, what a problem is and what a risk is. Today’s business is also evolving, and much more rapidly than earlier. Disruptive technologies, diverse interests and continuously evolving threats keep us on our toes. A lot of people still do not associate risk management with opportunities and improvements. So, yes, the Risk Officer is a continuously evolving role, and each day is a challenge.
Gadget – My phone
App – Evernote
Automobile Brand – Honda
Writing Instrument – A sharp Pencil
Holiday Destination – A cultural trip through Europe
Cuisine – Bengali
Multiple. Both at a strategic level and at an operational level. I am amazed by how diverse the understanding of risk optimization is. Some of the key challenges include establishing a common risk language across the organization, removing or reducing organizational silos to standardize risk optimization, and also keeping track of how risk remediation is actually contributing to the health of the organization.
I am a great believer in the fact that both hands are needed to clap. We have great support from our corporate Legal team, and they have over the years understood the need to have trained legal experts who understand technology. Many of our legal advisors are either experts at data privacy or understand the use of technology in a broad way. The technical teams, on the other hand, can no longer neglect the ever-changing legal landscape. Many of the people I work with have a fair idea of the most widely known laws and regulations and work very closely with the legal counsel to define a very adaptive compliance program.
I would greatly recommend that before someone takes up the effort to understand tools, they must understand the underlying concepts. I am a great fan of ISACA’s body of work that fuels the CRISC certification. Other GRC concepts are available at OCEG. Those interested in tools must keep abreast of the reviews published by Gartner. I have used many tools in the past, and we now use home-grown tools too. IMHO, unless the GRC function is established and the processes are documented, using tools leads us to improper implementations. Archer is one tool that covers multiple areas of the organization, but it may not suit some. Then there is the effort in customization. The challenge begins from the decision to either assess inherent risks or current risks.
I would definitely suggest that everyone take a low-cost ISO31000 training to understand the basics. ISO has done a fantastic job of encapsulating a single risk standard across its many management system standards. The next step would then be to gain some experience where the basic concepts clear up and one gains an understanding of how risks, issues and opportunities are intertwined and, if optimized, can add tremendous value to business. Once this is clear, further education in the form of ISACA’s CRISC or the COSO ERM framework, or even the FRM certification, can be very helpful.
The LW Bureau is a seasoned mix of legal correspondents, authors and analysts who bring together a very well researched set of articles for your mighty readership. These articles are not necessarily the views of the Bureau itself but prove to be thought provoking and lead to discussions amongst all of us. Have an interesting read through.
Lex Witness Bureau
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved