A CIO once quipped, "Security isn't hard, compliance is." And in fact many companies focus their security efforts on meeting compliance requirements. But if you are audit compliant, have you in fact addressed all of your risks, or are you just kidding yourself? Is it better to focus on the risks presuming that doing so will cover you off on the compliance side? Network World Editor in Chief put the question to two practitioners, both of whom come down on the side of risk.
Navigate Uncertain Waters by Managing Risk
By Christian Anschuetz, SVP, CIO of UL
History aptly illustrates that great losses can occur even when an organization is fully compliant with the necessary laws and regulations.
When the HMS Titanic disappeared beneath the waves with over 1,500 souls aboard, the captain and crew had complied with the most important rules guiding their conduct. The Titanic had, for example, precisely the number of life boats the law required, but sadly far too few to save the lives of all the passengers on the doomed liner.
What was proven true then is still true today; namely, that simply complying with laws and regulations without considering a broader perspective of the perils present in this uncertain world can result in the sinking of even the most promising endeavor.
Certainly there must be a balance between compliance and risk. Both are necessary. But ensuring compliance should represent an organization's starting point, not the endgame. Although firms must meet the appropriate regulatory standards simply in order to conduct business, doing so might not be enough to truly protect their interests and workforce.
As a firm grows and matures, it quickly begins to realize that most regulations represent only the absolute minimum standard that must be adopted, and that stopping there exposes the firm to unnecessary potential harm. OSHA standards, for example, detail the minimum legal requirements that firms must follow to protect their workers, but a company is still at risk when an optimal level of employee safety is not addressed and integrated into the cultural fabric of the organization.
Moving from a compliance mindset to one focused on managing and mitigating risk can be difficult, but is important and necessary in this dynamic and often dangerous world. Compliance, which is the act of ensuring conformance with stated requirements (laws, regulations, contracts, strategies and policies), is second nature to most firms. It represents the "rules of the road." As good citizens, we are accustomed to following the rules. But to manage risk? Well, that involves dealing with something less obvious, less concrete and substantial; it requires a whole new way of thinking.
Risk management involves identifying and analyzing situations that might adversely affect the realization of a firm's objectives and, where necessary, preparing response plans to address them appropriately; it is tailored to the exact nature of the organization's business. Using this framework, a wide variety of risks are typically addressed, including technology risks, information security risks, commercial and financial risks, and even regulatory compliance risks. As such, a proper risk management practice addresses not only the complex identification of what could go wrong, but also the risks of non-compliance.