Open Letter to CEOs on Why You Should Care about Business Threat Management
Rajesh Unadkat
Because what you don’t know is going on in your business can cost hundreds of thousands, if not millions, of dollars.
The impact of business compliance and liability management is increasing with the amount of bureaucracy and regulation, the costs of non-action and non-compliance, demands for deeper forensic accountability, and executive personal liability. As CEO, you need to centrally manage the 360° risks from regulators, employees, customers, partners, and vendors. The cost of failure, from fines, judgements, legal fees, distractions, breaches, reputation damage, and the internal resources spent defending actions, has the potential to consume the profitability of the business.
There are six major areas that we recommend you review for 360° business threat management, with the goal of actively building a centralized platform for preventing legal, regulatory, and reputation actions:
- Vendor Agreement, Policy, and Compliance Auditing
- Channel Partner Agreements, Policy, and Compliance Auditing
- Customer Management Process Auditing
- Employee Policies & Handbook Adherence
- Internal Process Standardization
- IT Security Policy Compliance (protection from loss of IP, customer data exposure, or hacking breaches)
Risk management is one of the hottest areas in governance, risk, and compliance, but one of the least tangible. What does this tangibly mean for the business? Why is it really about business threats?
- External threats come in the form of external regulatory compliance requirements, auditing by third parties, and internal auditing to defend against claims of policy violations. If you get audited, can you pass?
- Internal threats are all about compliance with business standards, the employee handbook, and stated corporate policies. If you get sued, can you demonstrate that your organization was doing the right things to prevent whatever you are being sued about?
Why now? What’s changed?
Simply put, the increase in the amount of bureaucracy, the costs of non-action and non-compliance, and executive personal liability are a toxic mix.
- You now have to certify a lot about how compliant your company is with an ever-increasing number of regulations.
- More and more, companies cannot just check the box with simple checklists. You have to demonstrate forensic accountability with audit trails, certified acceptance, and demonstrable implementation of controls.
- Executives and board members can be held personally liable for certifications. Some things can even lead to criminal prosecution.
- Hard costs of lawsuits keep going up. Couple that with detrimental business impacts that kill productivity, drain resources, and sap morale, EVEN when the lawsuits are bogus.
- Time is not your friend, given the simple equation of more personal risk, increased business costs, more regulations, and more moving pieces.
What Do We Do About It?
For CEOs and executive management teams, the job has evolved beyond simply how to run the business and make a profit. Being sued is what keeps CEOs up at night, or should if they understood the risks from employees, partners, vendors, and others. Many owners and CEOs don’t think in terms of policy and risk management, BUT every business has regulatory compliance issues. Compliance is a defensive posture, but when it comes to the threat of lawsuits, active policy management is priceless. Even in the case of defensible actions, the business will spend a tremendous amount of money getting wrongful lawsuits dismissed. An organization can spend more on defending bad lawsuits than on putting in place the controls that would prevent lawsuits in the first place.
The key to leveraging policy management and Governance, Risk, and Compliance business controls for 360° business threat management is to actively build a centralized platform for preventing legal, regulatory, and reputation actions. Business executives need a comprehensive controls system to manage the internal and external threats to the business: legal action from employees, customers, partners, and vendors, regulatory actions, and hits to your company’s reputation from breaches, process breakdowns, lack of controls, or negative PR events. If you can’t see it, how can you defend against it?
The new paradigm is to lock the business controls down proactively rather than reactively defend against actions. Think of Business Threat Management as the new paradigm. Design the controls into the DNA of the business to ensure its protection.
Do you run your business via email?
Where do you manage your decisions, approvals, workflow, documentation, and people management? Can you defend your actions? Can you demonstrate that the date stamps on emails and documents are from when you say they were? Why not automate the rules for running the business and create a lockbox to ensure defensibility? A good offense is a strong defense.
- Ensure compliance and auditability
- Dashboard visibility to exceptional events
- Streamline management of operational business
- Audit key areas of vulnerability to the business
- Proactively build defensible practices against legal, regulatory, and reputation actions
Think about the existing tiers of threat management that you have built into your business today and how much you are really protecting your business in a systematic and manageable way:
- Data – protecting your data
- Information – managing your confidential information
- Process – ensuring compliance to business rules
- People – empowering people to make the right decisions
- Business – protecting the integrity of the business to avoid the costs, resources, and focus consumed in defending it against legal, regulatory, and reputation actions.
Who else do you need on board with a program like this?
- CEO and Executive Team – Building in the controls to prevent risks
- General Counsel, head of F&A – streamline organizational accountability and implementation of protections
- HR – build in the automation of the employee management controls
- Information Security – protect the integrity of the data, systems, and processes of the business for strong auditing defense.
- Compliance – build cross-functional bridges to aid in adoption of compliance programs by empowering stakeholders with direct value to their core functions
- Vendor, Partner, and Customer Management – leverage and engage stakeholder ecosystem to improve performance
- Employees – adoption of the business practices is critical to ensuring protection. If your employees are passive-aggressive about following the business policies, you are still at risk. You need to know prior to an incident.
Who should own this for the business?
Ideally, it needs CEO-driven accountability. At the end of the day, if you sign off on certifying that your company is compliant and that your organization follows certain guiding practices, you are accountable.
Who needs to execute this for the business?
Whoever owns legal at the executive level. How it gets executed will depend on the scope of the business impact and the areas most vulnerable to potential lawsuits, but it will be the executive team that is accountable and held liable for defending against potential litigation or regulatory actions.
Practically, it will take the whole team: HR, legal, IT security, compliance, and vendor/partner/customer program managers working together to implement. You need the executive sponsor to prioritize the first area and set the overall goals, you need a good business program manager, and you need a good technical project manager to drive selection and implementation of the system.
Sometimes, an ounce of prevention (a good business threat management program and GRC system) is worth a pound of cure (the cost of defending legal and regulatory actions). If you are managing liabilities in an ad hoc and unsystematic way, you are running significant business risk. Don’t just get with the program, make it happen.