Many business leaders struggle to respond efficiently to risk and compliance needs because of the complex regulatory landscape, ever-evolving risk scenarios and inconsistent internal processes. Only recently have organizations embraced enterprise integrated risk management (IRM) tools to overcome a siloed approach to managing risk and compliance data.
The advent of these tools has brought people, processes and data closer, resulting in enhanced operational efficiency and governance. Enterprises aspire to get a holistic view of the risk and compliance posture of their organizations. IRM tools facilitate this by providing persona-specific context around data.
The right data at the right time is essential for business managers to make risk-aware decisions. However, a manager evaluating a technology risk must also be aware of the context surrounding a technical weakness: system criticality and upstream and downstream process information must be available in order to assess the risk accurately. For example, two similar databases with a similar vulnerability (one containing personally identifiable information and the other containing transaction logs) will have very different regulatory risk impact.
Today’s advanced technologies can provide the necessary efficiencies in the IRM space by supplying deeper insights into existing data. The sections below describe which specific technologies can provide these advantages.
Integrated Risk Management and Modern Tech
IRM solutions rely on data points provided manually or captured from external data sources. They are integrated with multiple third-party tool sets to achieve specific objectives and derive maximum value. Examples include integrating a vulnerability management tool to gather weaknesses in IT assets, or integrating security information and event management (SIEM) to handle cyber incidents.
Both integrations serve a bigger purpose in terms of governance. Vulnerability data can be used for risk management. SIEM data can be used to create incident metrics and evaluate the organization’s cyber risk exposure. Thus, the IRM tool continues to be the central tool in the cyber security universe, into which all supporting tools feed data, and leaders get a single, effective view of much of the interconnected data. Advanced technologies, such as robotic process automation (RPA), artificial intelligence (AI), blockchain, and security orchestration, automation and response (SOAR), can offer an even deeper look into this data.
Robotic Process Automation
Organizations are using RPA to reduce manual, repetitive tasks and bring in more efficiency. In an established process, many process steps can be fully or partially automated using RPA technology.
According to the National Association of Software and Services Companies, RPA implementation can help companies with a “cost reduction of 35% to 65% for onshore process operations, a 10% to 30% reduction in offshore delivery and an investment recovery period as short as six to nine months.”
Some IRM processes that can be optimized using RPA technology are:
- Control Testing: The large number of controls that are analyzed manually can instead be tested by bots. Automating the testing of administrative controls can also be explored. This could significantly reduce the duration of the control testing cycle.
- Metrics Analysis: Organizations rely on metrics data to monitor a variety of aspects, such as risk, performance and improvement areas. Gathering the metrics periodically and analyzing the trends using bots can result in operational efficiency.
- Internal Audit: Using RPA in audits removes an auditor’s repetitive tasks and allows them to focus on more critical work. Automatable tasks include evaluating backup logs, reviewing administrative privileges, extracting data for change management review, tracking evidence collection and preparing reports.
Artificial Intelligence
International Data Corporation predicts that by 2024, enterprises powered by AI will be able to respond to customers, competitors, regulators and partners 50% faster than those not using AI. Using AI in existing processes can bring in efficiency by predicting outcomes and providing recommendations, so business leaders are better prepared to respond to situations as they unfold. AI use cases within an IRM are:
- Mitigating Control for Risk: A great deal of responsibility rests with the organization’s risk management team to manage its risk universe and propel the organization to growth. Changes in the external scenario can give rise to a new risk or modify an existing one. In both cases, AI can be very efficient at predicting the new risk or suggesting mitigating controls for the existing one. The technology analyzes the effectiveness of the existing mitigating controls and suggests alternative corrective actions.
- Risk from Unprecedented Events: The failure of a server can be evaluated with greater accuracy by seasoned risk managers because such events are not uncommon. However, global events, such as COVID-19, are rare, so evaluating the risk from these events can be difficult. Relying on AI’s predictive capability can come in handy in such situations.
- Reputational Impact: How an organization is perceived in the marketplace has become one of the key parameters for ascertaining the reputational impact on the company. Sentiment analysis of social media posts related to an organization can provide a wealth of knowledge in this space. This concept is used in a third-party risk management process, or to analyze the quality of the services a vendor offers.
Blockchain
The coronavirus has provided a reality check for organizations’ business resiliency strategies, and companies have started focusing on third-party risk management. During this crisis, many entities are going out of business because vendors could not supply the agreed services, or vendors are going out of business because clients couldn’t honor commitments. In addition, small-scale vendors find it hard to pay exorbitant legal fees to create binding contracts, and they refrain from participating in larger contracts for similar reasons.
Blockchain smart contracts can be an effective way to deal with these situations. Smart contracts are small programs that execute automatically when their trigger conditions are met; for example, the transfer of funds to a car seller immediately triggers the ownership transfer process.
Currently, this is best suited to handling the payment milestone and penalty transactions defined in a contract. When client and vendor are both on-boarded to the blockchain ecosystem, fourth-party management and vendor performance metrics also become easier.
Security Orchestration, Automation and Response (SOAR)
Organizations are embracing various tools to provide efficiencies to security operations. SIEM helps organizations collect security incidents; SOAR helps triage and handle those incidents effectively. Traditionally, a security operations center (SOC) team uses a playbook or task list based on the incident category to work through security risks. SOAR technology can execute the predefined tasks automatically. Common use cases are:
- Analyzing failed login attempts to determine whether they are genuine or an indication of a brute-force attack
- Maintaining a baseline across assets and executing patches remotely
- Cross-checking signatures across threat intelligence tools and executing blocks
- Reporting and dashboards
These technologies free up SOC analysts to perform more critical tasks, including critical incident investigation and forensic analysis.
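The first use case above, deciding whether a run of failed logins is a user mistyping a password or an automated attack, is the kind of triage step a SOAR playbook runs before an analyst ever sees the alert. The following is an added example written for this article, not code from the original post or from any SOAR product: it applies a sliding-window rule to a constructed authentication log. The log format, the thresholds (`FAILURE_THRESHOLD`, `WINDOW`, `SPRAY_USER_THRESHOLD`) and the sample lines are all assumptions made for the illustration; a real playbook would take its thresholds from policy and its events from the SIEM.

```python
"""Added example: sliding-window triage of failed logins, as a SOAR playbook
step might do it.  Log format, thresholds and sample lines are constructed
for this illustration and are not from any real product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <RESULT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed triage thresholds (a real playbook would load these from policy).
FAILURE_THRESHOLD = 5          # failures inside the window before escalating
WINDOW = timedelta(minutes=5)  # sliding window, evaluated per source address
SPRAY_USER_THRESHOLD = 3       # distinct accounts tried -> looks like spraying


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def triage_failed_logins(lines):
    """Classify each source address that produced failures.

    genuine        : failures never reach FAILURE_THRESHOLD within WINDOW
                     (typically a typo followed by a successful login)
    brute_force    : >= FAILURE_THRESHOLD failures within WINDOW, few accounts
    password_spray : >= FAILURE_THRESHOLD failures within WINDOW spread over
                     SPRAY_USER_THRESHOLD or more distinct accounts
    Malformed lines are ignored rather than aborting the playbook.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])          # SIEM exports are not always ordered
    recent = defaultdict(list)               # src -> [(ts, user)] still in window
    verdict = {}
    for ts, result, user, src in events:
        if result != "FAIL":
            continue                         # successes do not count toward the rule
        window = recent[src]
        window.append((ts, user))
        while window and ts - window[0][0] > WINDOW:
            window.pop(0)                    # expire failures older than WINDOW
        if len(window) >= FAILURE_THRESHOLD:
            users = {u for _, u in window}
            verdict[src] = ("password_spray" if len(users) >= SPRAY_USER_THRESHOLD
                            else "brute_force")
    for src in recent:                       # sources that never tripped the rule
        verdict.setdefault(src, "genuine")
    return verdict


# Constructed sample log: one typo, one single-account brute force, one spray,
# and a malformed line that the parser must skip.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice src=10.0.0.5
2024-01-01T10:00:07 OK user=alice src=10.0.0.5
2024-01-01T10:01:00 FAIL user=bob src=203.0.113.9
2024-01-01T10:01:01 FAIL user=bob src=203.0.113.9
2024-01-01T10:01:02 FAIL user=bob src=203.0.113.9
2024-01-01T10:01:03 FAIL user=bob src=203.0.113.9
2024-01-01T10:01:04 FAIL user=bob src=203.0.113.9
2024-01-01T10:02:00 FAIL user=alice src=198.51.100.7
2024-01-01T10:02:01 FAIL user=bob src=198.51.100.7
2024-01-01T10:02:02 FAIL user=carol src=198.51.100.7
2024-01-01T10:02:03 FAIL user=dave src=198.51.100.7
2024-01-01T10:02:04 FAIL user=erin src=198.51.100.7
this line is malformed and must be ignored
"""

if __name__ == "__main__":
    for src, label in sorted(triage_failed_logins(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {label}")
```

The verdict is what a playbook would branch on: a `genuine` source needs no action, a `brute_force` source against one account warrants a temporary lockout or block after confirmation, and a `password_spray` verdict is worth surfacing to an analyst because it indicates the attacker is avoiding per-account lockout thresholds. Separating the two automated cases matters because the mitigation differs; a per-account lockout does nothing against spraying.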
Many organizations are already experimenting with similar automation opportunities to bring in more operational efficiency and enhance data insight. Every organization’s IRM journey is unique, and no single recipe will fit all. Carefully embracing these technologies will propel existing IRM solutions to become future-ready.
Senior Advisory Consultant, IBM Security
Kanad has more than 10 years of experience in security in the risk and compliance domain. Kanad has significant hands-on experience with numerous GRC automati...