The view from the LPRS Summit
Keylight users reached the GRC summit at LPRS18, which was held last week at the Overland Park Convention Center, just outside Kansas City. The Summit offered a commanding view of how companies can improve in managing risk and complying with regulations.
Here are some LPRS18 highlights:
Carole Switzer with OCEG kicked off LPRS18 with her keynote on building a culture for change. Switzer detailed her discovery of and appreciation for culture. “Softness is a foundation.” The goal is to build a culture open to change, but the challenge is winning hearts and minds wired to resist change.
Chris LaVesser with Jones Lang LaSalle, a Fortune 500 real estate firm with 300 offices worldwide, shared his experience in dealing with auditors before and after Keylight. Before Keylight, an audit entailed 4-6 hours trying to convince auditors with spreadsheets, missing information, and broken links. With Keylight, LaVesser spends less than an hour with auditors and shows a few reports and dashboards. His advice: show auditors what they want to see and look organized. It means fewer questions.
Lisa Hartford and Molly Stolpman with General Communications, Inc., a top provider of voice, data, and video services for the state of Alaska, conveyed the value of having a company-specific framework for compliance with multiple regulations. They also shared their six-step compliance lifecycle and how it helps their small department complete big tasks.
Christopher Heinz with Guidewire shared the challenges of auditing disparate controls and the value of having one harmonized set of controls. This view was echoed by Lynn Heiberger with Unified Compliance who spoke during Day 2’s lunch period about how much risk control frameworks, regulations, and laws all have in common. Heinz also offered an interesting take on risk. “Risk is real. Risk is beneficial. Risk is the result of opportunity. You can’t hide from it.”
Tom Garrubba with Shared Assessments walked the floor and walked the talk on third-party risk. “Perform due diligence prior to the business relationship.” “Cyber insurance gets you back up and running. It does not cover litigation.” “Outsourcing the process doesn’t mean outsourcing the risk.” “How resilient are you that you don’t have to invoke an incident response or BCM?”
On Day 2, keynote speaker Michael Rasmussen with GRC 20/20 stressed the importance of interconnected risks, contextual awareness, and using a federated approach to risk management. “The fact we have a policy means we have a risk, yet we don’t connect policy to risk or link risks to controls.” Rasmussen shared a stick-with-you example of the Titanic; multiple risks were disregarded and they all contributed to the boat sinking. The lesson? Businesses today face integrated risk factors, and like the Titanic, they operate in open waters.
David Mir and Helen Fradette with Quantam Solutions delivered a stark contrast between paper documented compliance and compliance with Keylight. Instead of a huge stack of documents, Keylight and common controls help streamline compliance. Risk assessments are now shorter and easier for users to complete. For example, users can select previously answered sections, and their questionnaires are dynamically created based on responses.
Lockpath’s Sam Abadir and Adam Billings defined risk as the roadblocks or uncertainty encountered when pursuing objectives and goals. They presented a strong case for the bow-tie analysis and demonstrated how to perform it in Keylight. A slide on messaging from sourcing and procurement all the way to customer satisfaction conveyed the importance of audience-specific communications.
The last session of Day 2 was a vendor risk management panel featuring Chris Gorsuch, Change Healthcare; Fran Gutkowski, Zinga; Dolly Krishnaswamy, SecurityScorecard; Travis Paggioli, a360 Firm Solutions; and Or Schwartz, Digital Shadows. All shared their tips for managing vendor risk as it relates to a range of issues, including onboarding, assessments, and incidents. Each gave parting advice:
Gorsuch: “Know exactly where in the process your vendors are.”
Gutkowski: “Make it clear and simple. Strive for a definitive message.”
Krishnaswamy: “Try to reduce your ecosystem risk. Set yourself up as a collaborator. Be transparent and give actionable data.”
Paggioli: “What are you really trying to address and why? If you don’t know why, vendors won’t know why.”
Schwartz: “People are inadvertently the reason for many of the risks. Educate them on why we have certain controls, why we’re doing this.”
After LPRS18 closed, it was back to the climb for attendees. The Summit provided the view, perspectives, guidance, and know-how. Now the challenge is taking what was learned and applying it to advance their respective compliance and integrated risk management programs.