Risk Management Insights

27/10/2014 / Compliance Management

Considerations when designing an optimal compliance function

17 September 2014: Protecht was proud to be a part of Compliance Solutions Day 2014, hosted by LexisNexis and Compliance Network Australia at the C3 Convention Centre in Vienna, Austria.

Protecht's Executive Directors, David Bergmark and David Tattam, with Arithmetica, one of our European partners.

The following post is an overview of David Tattam's presentation:

Optimising the Compliance Function in 2014 and Beyond


Compliance means conforming to a rule. That rule may arise from an external source, such as a law or regulation, or from an internal source, such as a policy, code or control. Compliance with these two main sources gives rise to external and internal compliance respectively.

The issue for an organisation is: how can conformance with the rule(s) be ensured? This is the key objective of a compliance function. The methods available to ensure conformance with the rules are many and varied, and an organisation needs to determine which compliance methodology it will use. The compliance methodology should balance the desired level of compliance against the cost and time required to achieve that level of assurance. Getting this balance right leads to an optimal compliance function.

Considerations when designing an optimal compliance function include:

24/10/2014 / Compliance Management, Security Risk Management, Enterprise Risk Management, information security management

Information Risk Management as part of your ERM framework


We hear many times that this is the information age and that data is the new gold. The “Big Data” trend encapsulates this and focuses our minds on the potentially huge amounts of data our businesses have access to, both internal and external. Data and information are therefore a potentially high-value asset, but just like a gold mine, they need to be mined and refined into something valuable, and then protected.

Due to the explosion of available information and the ever-increasing importance of using it to provide our business with the information resources it needs to function, information risk management has never been more critical for business.

This article considers information risk management as part of an overall Enterprise Risk Management (ERM) framework.

The starting point for information risk management is to identify all sources of information that are used and managed by the organisation. This requires the development of an “Information Asset Register”, which should record such things as:

  1. Information asset name
  2. Type: electronic / physical
  3. If electronic: production, test or back-up
  4. Type of storage: server, laptop, desktop, mobile device, web, USB key, physical (filing cabinet), etc.
  5. Type of information (field descriptors)
  6. Purpose / use of the information
  7. Location (geolocation)
  8. Number of records
  9. Relevant external obligations over the information: is the information public or private? For government, unclassified / protected, etc.
  10. Information / storage owner
  11. Methods of write access (add, amend, delete)
  12. Methods of read access (web, intranet, print, etc.)
  13. Parties with write access
  14. Parties with read access