An effective Risk Intelligence Solution framework can help businesses identify risks near real-time, enabling stakeholders to take actions and decisions based on priority.
One of the largest financial services organizations in US had as many as 29+ risk management applications in different business units to address their risk and compliance needs. The organization had established a Policy & Control Framework to meet the regulatory and internal policy mandates. Each business unit had maintained different risk taxonomy and carried out risk and control assessments. Though several initiatives were undertaken, the Governance, Risk and Compliance Management activities were driven by stakeholders with different objectives. The organization lacked an integrated view of risks, vulnerabilities, and non-compliances to policies and controls. The organization struggled to standardize its risk functional organization structure, business processes, risk taxonomy, reports and dashboards. Multiple frameworks and overlapping compliance requirements that were managed in silos caused duplication of effort and inefficiency in compliance management processes.
Understanding effective risk management
Risk intelligence is the ability of an organization to gather information or events that will help to identify the uncertainties; present them in the business context; enable the organization to make more informed business and security decisions in a proactive manner. To manage risk effectively, the criticalities of business processes and enterprise infrastructure including applications, servers, network devices, data centers and mobile devices, the key is to have a solution that will bring the business context to the systems. With the process and system profiling performed, having known which are the critical business processes and systems to be protected, half the battle is won.
The other aspect is to understand the enemy. What different risk events are causing uncertainty to the processes, people and systems? How to collect them and present them with the business context? How to prioritize the remediation? How to get a multi-dimensional view from different stakeholders’ perspective - business perspective, asset perspective risk/- threat perspective, compliance and control perspective. How to perform all these in a proactive manner and at the same time not get bogged down with innumerable battles?
Risk Intelligence Solution
Many organizations do not leverage proactive data monitoring and risk analytics in their risk and compliance initiatives. Traditional methods and siloed risk assessments, control monitoring efforts of the enterprises are unsuccessful. Hence, there is a need to approach governance, risk and compliance processes differently by organizations.
Risk Intelligence Framework leverages risk data analytics, artificial intelligence, machine learning techniques and uses past incident data, abnormal events, internal and external risk information, audit findings, control test results, threat feeds, feeds from anomaly detection platforms, security management tools and ERP based risk tools . The impact of various events, incidents and control failures are analyzed to provide the organization a view of risk and changes in risk scores, which in turn help to take the right decisions.
The Risk Intelligent Solution integrates different risk domains (including business strategic risks, business process risks, functional/ operational risks and information technology risks, cyber risks) to provide a holistic view of the risk posture to relevant stakeholders. The solution is built by leveraging big data anomaly detection platform, risk analytics engine and integrating into the Governance, Risk and Compliance (GRC) platform. The solution architecture, driven by industry best practices and frameworks, help the GRC process owners to address their ROI goals as well.
Solution implementation approach
The Risk Intelligence framework and solution architecture can be implemented using any leading GRC tool available in the market. It is tool agnostic, and can be rolled out using the Assess - Design - Deploy methodology with a GRC tool.
It would be fundamental to understand the current state of GRC process in any organization. Organizations should have clarity and a well-defined roadmap in terms of their GRC maturity roadmap. GRC benchmark study and maturity roadmap would help organizations to assess where they stand and where they intend to reach. This would help to drive and strategize the whole GRC journey.
It’s a consultative approach to design and conceptualize the Risk Intelligence framework and solution by understanding the organization’s business goals, GRC priorities, level of GRC maturity, resource availability, compliance requirements, etc. The blueprint must be prepared based on the requirement gathering inputs and signed off by the process owners. GRC processes have to be standardized across the organization and a Key valuecommon framework has to be implemented across business units. Organizations have to choose the right and best suited GRC tool for automating the whole GRC process.
In this phase, functional and technical consultants have to work together to develop and deploy the framework and solution. Based on the selected GRC tool, the organization has to invest its resources in development and deployment of the solution, which has to be tested and transported to production by adhering to the SDLC processes.
Key value proposition
An effective Risk Intelligence Solution framework will help organizations to identify risks on near real-time basis, which will enable stakeholders to take required actions and decisions based on priority. The solution framework will enable proactive risk and compliance management through data analytics and near real-time risk dashboards. This will give the senior management better control and visibility on governance initiatives.
Looking beyond GRC automation
As disruptive technologies are changing the landscape of business models, risk managers would need to strategize approaches for addressing digital risks due to large scale adoption of Cloud, Mobile, Internet of Things (IoT), etc.
Figure 1: Risk Intelligence Framework
Anitha Selvaraj is a Senior Practice Manager, Cybersecurity and Risk Services, at Wipro. She is currently responsible for solution development, leveraging industry leading GRC automation platforms and tools like Archer GRC, MetricStream GRC, OpenPages GRC. She can be reached at firstname.lastname@example.org
Kiran Kumar Gudekota is a Senior Practice Manager, Cyber Security & Risk Services (CRS) at Wipro. He is currently responsible for Risk & Compliance solution conceptualization and transformation. He has over 15 years of experience in GRC Consulting, Internal Audit, Fraud Examination, managing large Compliance programs and implementing Risk Management programs. He can be reached at email@example.com.