How can the use of “intelligence” enhance Governance, Risk and Compliance functions so that the whole benefit is greater than the sum of the parts?
Shaun’s article in SIRK 1/2018 “Why gather intelligence?” illustrated the distinction between intelligence and information and how to deal with the information acquired. This article builds on that introduction and aims to answer the question “How can the use of “intelligence” enhance Governance, Risk and Compliance functions so that the whole benefit is greater than the sum of the parts”?
Are we saying that the Governance, Risk and Compliance functions are not up to the task? Well, each function has immense value when correctly implemented and performed and each should have checks and indicators built-in to signal if anything is not working as intended. They should also allow remediation to take place before bad things happen.
Now, off at a complete tangent. Imagine a person wearing a swimsuit sitting on a motorcycle on a crowded highway and that the person is wearing a helmet. Oil, fuel and tyre pressure are all showing green lights and speed is within the limit. So, the internal rules and expected behavior are being complied with:
So, what’s missing? The weather forecast, the state of the motorcycle, the area he is in, the condition of the roads and the accident rate can be considered as intelligence.
Putting them all together gives a totally different perspective. It is useless thinking about all these things when you are lying in your hospital bed. Hindsight is an exact science, intelligence is all about doing informed decisions so that hindsight stays as positive as possible.
The key phrase is “putting them all together…” Analysing and aggregating inputs from different sources can give a completely different perspective and through that the possibility of vastly improved decisions even though each element alone is not telling the whole story.
If we could “glue” together all the small and disparate bits of information from GRC activities, then it should be possible to turn hindsight into foresight. If this is expanded further to include all activities within your organization then you must surely be better prepared. For example: Consider a pilot who has an immense array of information coming in from sensors in the engines and avionics. Is this the total picture? What other information might be needed to ensure a safe and successful flight? The cabin crew can provide Information about the passengers and their disposition which may affect the flight, Information from other aircraft in the vicinity regarding adverse flying conditions may contradict the weather forecast regarding turbulence necessitating a change of altitude. Green lights on the flight deck do not mean that all is well or will continue to be so. The point is that the pilot has to make judgements based on multiple and separate (siloed) information in real time.
For this you do not need a crystal ball or the ability to read the runes. You just need the ability to objectively assess one piece of information in the context of all the other bits of information. Sounds daunting, but hopefully by the end of this piece you will see where we are coming from.
Before we dive in to the detail it is useful just to have an understanding of some key concepts.
Intelligence: This is the product resulting from the collection, evaluation, analysis, integration and interpretation of all available information.
The initial step ‘Planning and direction’ is key. What are you seeking to achieve, who is directing it and what does success look like?
Sources of Information: are virtually unlimited. Open source research, SIEM (Security Information and Event Management), social media, HR records, trade publications, news stories, IT logs, audit results, management reports, trends from threat intelligence, products, people, regulators, exception reporting, vendors… the list goes on. The technical term for sources is “sensors;”. They are collectors, not interpreters of value to you. It is crucial that sensors are assessed to make sure they are applied correctly and collecting data that can be used. At this stage, you define and design your own sensors or adjust the format of the output. We suggest that the best inputs are the raw data not subject to filtering by decision. Filtering may add a degree of bias prior to analysis.
Veracity: Each piece of information is accorded a weight based on the reliability of the source. Is it known, first hand, second hand, rumour or merely an assumption made? Blindly acting on information is a recipe for disaster as in the event of an investigation you would be hard pressed to explain your decisions. Hence ´weighting´ is part of turning information into intelligence.
Legality: The collection and processing of personal data is strictly regulated by the General Data Protection Regulations(GDPR) and its provisions must be strictly adhered to. In a potential event of a data breach you will need to be able to demonstrate to the regulator that you took all necessary technical and organizational steps to prevent it. Some provisions of the GDPR give some leeway in what is collected and why. These include network security and prevention of fraud… Building a suitable intelligence system should support your existing organizational measures and is good evidence to present to the regulator in the event of a breach.
We need to ‘glue’ our GRC activities together and the following statement summarises our key points:
Put simply, governance is about making sure that the organization (people) follow the direction of management and that important information reaches management and the board. Governance provides the strategy (direction) for the organization – a place to prosper for people. But there is a problem; governance has a tendency to become rigid and sometimes even a goal in itself. As a consequence, the organization may experience slow decision making, loads of resources going into meaningless reporting and the feeling of total detachment between C-level and the operational level.
To our knowledge it appears organisations attempt to avoid such problems by decentralizing decisions whilst trying to understand the overall risk exposure through aggregation of information – from decision makers up to management and board levels. This approach may have a cost, mostly because risk does not come with a clear explanation as to how it should be communicated, and the chances are the C-suite could be looking at something else.
Intelligence indicators from the governance function could be non-conformity reports, results of root cause analysis, staff feedback, whistle blowing submissions, customer complaints etc. No doubt all of these will be considered in due course but here we are talking about immediate action to process and analyse the data in the context of the whole business.
The value of a well conducted risk assessment cannot be overstated and is something that some organisations do well. The downside is that they tend to be ´static points in time´ and focus on controlling risk, based on factors known or anticipated at the time the assessment was conducted. Failure of a control or a “black swan” event leads into incident handling, business continuity management and potentially an investigation.
Sometimes indicators are strewn all across the corporate landscape and it is only when the “I told you so brigade” find them that the pain starts, mainly because they are actually correct. The trick is to collect these little nuggets and constantly compare and contrast them. Each business is different, so you have the opportunity to define your own “red flags”. One good method is to ask your staff “If you were malicious / dishonest how would you damage or bypass the system? There are no rules or restraints so give free reign to your imagination”
The intelligence system outlined above has five distinct parts which matches quite nicely with the five stages of risk: Identify; Analyse; Evaluate & Rank; Treat and Monitor/ review. Risk underpins almost every activity these days and similar to risk management intelligence allows the determination of probability, but more dynamically. The gathering of intelligence does not require a new system but rather dovetails neatly with your existing framework.
The risk appetite of the organisation may be based on a number of factors such as financial or regulatory but intelligence knows no such bounds. Rather it raises the red flags without taking those pre-set factors into account. Therefore, it supports future decisions not decisions that have already been made.
Rules have been set internally or imposed externally as we have seen in the Governance section. Risks have been assessed and treated and now the compliance officer has the responsibility to make sure all is well and that the figurative landmines and tiger traps are avoided. There is an expression used about detecting when things have gone wrong as “indicators of compromise”. These indicators could have come from specific events or from an audit but are all postevent. The damage is already done unless you were fortunate enough to nip something in the bud. The question is, was it by luck or judgement? One example might be the exercise of ´management override´. Sometimes this action can be justified but it can an indicator or something more sinister (such as fraud). A questionable action on its own may just mean a disregard for the rules but what about other indicators such as queried expense claims, staff complaints etc. The expression “the signs were there for all to see” offer no comfort when an investigation concludes.
We see the value of collecting and analysing data from activities that may be siloed for organisational reasons. It may even be that the benefit of such an activity has not been considered. Additionally, opportunities exist to define your own ways of collecting data and to design your own sensors.
Intelligence provides decision support. The techniques described above are “battle tested” throughout the world, affect most people in their daily lives whether they realise it or not, are understandable to most and can be explained in a clear and concise manner.
There is no requirement to initially re-engineer your existing frameworks or to re-train all of your staff. Of course, any necessary organizational learning can be fed back for a policy decision but the day-to-day operation of this system will give “near time” situational aware ness in terms of opportunity and threat.
First published in IIA Norway’s magazine SIRK 2018/2