Risk, security and compliance executives have many choices and decisions on their respective plates, and whether or not to automate is not among them.
I’ve been seeing a trend in the marketplace: more and more organizations are investing in risk management and compliance technology tools [1]. But why? The answer may be as simple as supply and demand dynamics.
Boards, executives and other stakeholders are more urgently demanding sound risk management and intelligence to drive better investments in security and other business decisions. On the supply side, CIOs are challenged with limited resources and budgets, new or changing regulations and tracking and maintaining compliance [2]. Already high expectations for today’s CIO, CISO and CROs are growing, and this is driving risk, security and compliance teams to become more efficient.
Automation becomes a necessity rather than a choice to keep up with growing stakeholder demand and scrutiny. Plus, an ever-changing risk landscape and growing and increasingly complex security environment require an efficient approach to keep up. Automation strategies create force multipliers on existing resources, allowing teams to focus on high-value activities and leaving the mundane and routine tasks to machines.
This frees up your team’s time, optimizing the skills and talent of your workers and reduces errors in your risk, security and compliance programs. It is clear that risk and security executives must adopt automation by default. Stakeholder demand has increased, and executives’ ability to supply risk intelligence is becoming less and less effective.
Use Technology To Move From Good To Great
As noted in the book Good to Great, Jim Collins identified “myths” about company improvement and change through careful analysis of 1,435 “good” companies over several years, with the goal to explain what made a few of them “great.” Among his findings, he identified “The Myth of Technology-Driven Change: The breakthrough that you’re looking for can be achieved by using technology to leapfrog the competition.” [3]
Collins discovered that the few, great companies never chose to “leapfrog” ahead by adopting technology, but instead took a crawl-walk-run approach. “Great” companies always leveraged technology tools to accelerate business improvement, not to create or define it.
They used technology to create a force multiplier on existing resources and investments and improve upon their offerings and service levels. Great companies made choices on the long-term process and alignment of underlying technology tools to sustain the organization’s core mission and desired outcomes. The great companies crawled, they walked and finally ran.
Choosing the Right Technology For Automation
Identify and adopt a technology solution that enables your teams to manage risk and security compliance and supports business intelligence and decision making. Technology tools improve your risk and security compliance programs through more timely, complete and accurate insights, new process efficiencies and improved effectiveness overall. Automation achieved through technology enables you to meet the growing stakeholder demands for better risk intelligence in the context of business goals and priorities.
Naturally, “automation” encompasses several activities, and more often than not, one jumps immediately to integration. Automating data collection, testing, etc. is absolutely among the long-term benefits, but there is a better approach: crawl, walk, run.
Crawl, Walk, Run Your Way To Automation
Start by replacing any manual activities that rely upon relatively inexpensive, highly inefficient technology (e.g., spreadsheets, email, storage repository, etc.). Within the context of risk management, automate these traditionally manual efforts such as assigning and conducting risk assessments, updating risk registers, reporting risk scores, issuing remediation plans, tracking remediation status and mapping risks to other program information such as applications, assets, controls, incidents, threats and vulnerabilities.
There is opportunity to replace other manual activities such as the general communications and alerts, tracking and reporting status of assignments, gathering artifacts to support risk assessments and assembling reports on risk distribution and posture.
The security compliance scope of work affords opportunities to automate manual activities, too. For example, responding to audits often requires gathering artifacts from control or system owners, and that evidence must be tracked (requested, reminders, received, rejected/approved) and stored (often in a shared repository with no specific linkage to the auditor request for documentation).
Maintaining or updating policies, control documentation and findings remediation also require tracking mechanisms and storage for related artifacts (without specific linkage to the compliance information). As risk or security compliance information changes or updates, related documentation maintained in spreadsheets has to be updated, too, which requires manual effort and is prone to errors and subject to informal, undocumented review. Technology solutions do this well.
Replacing manual risk and security compliance activities to gather, summarize and provide data or evidence is a good first step. Now, you are ready to walk, that is, leverage technology solutions to enhance your risk and security compliance programs.
In the walk phase of automation, teams can leverage technology to perform activities more frequently. For example, risk was assessed annually because of the historically large, manual effort required to complete the assessments. With technology and automation, you can conduct assessments more frequently, with some solutions providing nearly real-time risk insights.
For security and compliance, you can move towards continuous monitoring of control activities by automating recurring updates, workflows and tracking/reporting. Real-time insights on risk and compliance posture significantly improve your ability to report and provide information relevant to stakeholders’ interests and concerns.
Finally, you are ready to run with automation through your technology solution for risk management and security compliance. In this phase, you look for ways to further free up your team by leveraging automation of risk scoring, evidence gathering and even control assessment testing. This isn’t to say that you fully rely on the machines; rather, the technology tool does all the leg work and all your team does is a final review and acceptance.
This may start with individual transactions or activities and move towards reviewing exception reports. Connecting this technology with other technologies (new or existing) may automate and enhance additional, high-level activities such as risk scoring, third-party risk assessment, etc. When you are running, you and your team are able to deliver more strategic value and output.
Leaders of risk, security and compliance teams have a lot on their plate, and leveraging technology solutions to automate manual processes and information collection is the only choice to meet and exceed growing stakeholder needs for better risk insight and visibility.
To continue learning about automation, check out this webinar we recently hosted: Combat Limited Resources and Threats With Automation.
- [1] Forrester Infographic: Risk Surpasses Compliance As Main Driver of GRC Tech – Feb 10, 2022
- [2] New CIO Study: GRC Challenges and Priorities for 2021 – Reciprocity (figures are rounded)
- [3] Good to Great – Jim Collins