November 01, 2009
Required Reading
Wibecke Vinke
© 2009 Hospitality Upgrade. No reproduction without written permission.
Even with an economy rebounding next year, hotels will be cautious when deciding on investing and it will take longer before non-intrusive IT areas, such as compliance, will get the attention and resources they require. And although managing regulatory compliance is often seen as being best solved by centralizing processes and systems, these major projects often do require the large investments for which funds may not become available in the near- to midterm. So what can we do if we need to improve compliance efforts in this case? Are we able to become more effective by rethinking how we treat compliance?
The use of the word compliance.
Compliance is one part of an organization’s GRC initiatives. GRC stands for governance, risk management and compliance, but many companies still think only of compliance, because the first information security initiatives dealt with compliance rather than with governance and risk management. Compliance, however, should not and cannot stand on its own; to be effective it must be an integral part of GRC (or RGC, since the reason for needing regulations, compliance, standards and governance in the first place is the need to manage an organization’s risk).
Businesses often see regulatory compliance as policing and in general prefer the word governance. But it is crucial to get compliance into the culture of an organization, and although training and documentation increase awareness, people don’t really get excited about topics like security and compliance. When approached from a risk management perspective, however, the same topics are more likely to resonate and will get more visibility.
The changing role of compliance.
With the pressures of SOX and PCI still fresh in people’s minds, for many companies compliance is about filling in checklists. When new legislation is introduced, it is considered adequate to read the introduction and act on the to-do section. Most of the known credit card security incidents were in companies that were PCI compliant. And most of the security breaches happened because someone did something wrong, not because the technology was not installed or tests were not performed. Compliance cannot be about checklists; it should be about managing risk. The compliance questions you really need to ask are: Why do we have this regulation? What is the risk that we are trying to manage here?
What is the compliance risk?
If compliance is about risk, let us look at what is actually meant by that. A basic premise of risk management is that risk does not need to be eliminated but needs to be aligned, and that risk alignment is about identifying the inherent risk, the risk tolerance, what controls need to be put in place to reduce that risk, and what the residual risk would be. What tends to happen with compliance is that it ends up being about maintaining the control. A control is good, but looked at in isolation it is meaningless. The question of whether a control needs to be maintained is only relevant if you also ask 1) Why do we have this control? and 2) What is the remaining risk when this control is in place?
This also applies when you need to put controls in place to adhere to regulations, but on a global level one factor to consider is the difference in regional cultures. Europe has a tendency to “comply or explain”: there is some flexibility and a degree of discussion is possible. In the USA there is a tendency to “comply or jail”, which does not mean that everyone actually goes to jail, but it does feed a belief that as long as you are compliant, you are safe.
Regularly revisit compliance.
It is human to set and forget. Once we put a process or control in place, it is often left alone, but circumstances change, regulations can change, and an often forgotten factor is that an organization’s level of risk tolerance can change too. Therefore it is very important to stay flexible by incorporating a compliance check in your change management processes. It can go the other way too: there may no longer be a requirement for a certain control, for example when you outsource certain services and systems. Or the sensitivity of the outsourced data may differ depending on the system, and with it the controls required of the different outsourcing partners. Staying flexible means regularly taking a hard look at the controls that you have in place.
Compliance Stakeholders.
If compliance is about adherence to regulations and policies, it is obvious that policies and procedures need to be enforceable and that the organization must be capable of adhering to them. This is where the complexity often lies, and a typical example is the password policy. To create enforceable policies, it is crucial that the business processes themselves are compliant. This means IT must work closely with the business stakeholders on policy definition and governance. It is necessary to establish a way to identify weaknesses in existing risk management processes and for IT to recommend improvements. You can achieve this by forming a compliance committee, or by making compliance a fixed topic on the company’s risk management committee agenda.
Optimism
At the recent CIO Summit, when asked about technology budgets in 2009, 16.28% reported that their budgets were unchanged since 2008, 25.58% reported that they were decreased less than 15% from 2008, 34.88% reported that they were decreased more than 15% from 2008, and an impressive 23.26% said that their budgets were increased since 2008.
That's 40% who reported unchanged or increased technology budget in 2009.
SALES
Top 12 Tips for Effective Selling
Everyone is a salesperson. Yet very few universities have practical courses on how to buy and sell technology. I've found a weekly column by James Carlini to be rather helpful over the course of this year. Here is his list of 12 pragmatic tips for effective selling.
http://tinyurl.com/JCarlini
European Union Data Protection
Managing within the legal boundaries of EU data protection can be a daunting task.
Under the EU Commission the protection of personal data in third countries
URL: http://tinyurl.com/EUprivacy
An EU Compliance Roadmap can be found at URL:
http://tinyurl.com/wvinke-EUschema