Meeting Compliance to Mitigate Risks
By Xavier Leschaeve, CISO, Remy Cointreau
We are seeing more and more regulations in the compliance area, but hopefully also a convergence of the different regulations. In the past, it was very common to have conflicting regulations between countries or even states. While this still exists, it tends to be less frequent. As a French-based company, we can see that in Europe some regulations are starting to converge, such as the new GDPR (General Data Protection Regulation). Adopted in 2016 and applicable from 2018, the GDPR aims to harmonize data privacy regulations in Europe. This will have a significant impact on European companies, but also on foreign companies operating in Europe. In most cases a DPO (Data Privacy Officer) will have to be appointed, data leakage will have to be escalated to the regulator within 72 hours, and fines of up to 4 percent of a company's worldwide revenue can be imposed. In France a specific regulation is also in place for cyber security, but it applies only to companies critical to the nation (public services, transportation, energy, banks).
Integrating Non-public Information
In our open world of communication, with massive usage of cloud, mobility, and the BYOD trend, it is more and more difficult to keep track of the information flow. Technologies such as DLP (Data Leakage Prevention) exist, but implementing and operating them is complex. For the cloud, CASBs (Cloud Access Security Brokers) are emerging, enabling us to keep track of data even outside the perimeter of the company.
Maturity of the Company Defines a CCO's Seat
There are never-ending discussions on who should have a seat on the board and who should report to whom: the CIO should report to the board; now the CISO, CDO or CCO should be part of the Excom. There is no definitive answer on that.
It depends on the industry the CCO is working in and the maturity of the company in this area; the two are often intertwined. In a highly regulated environment, the CCO should definitely be a member of the Executive Committee and have a voice in the strategy of the company. In other domains where compliance is less vital, the role remains important because compliance is compulsory. Discussions with business users must be regular, to educate them about compliance and about the impact of their day-to-day responsibilities on compliance, so that they can implement the necessary controls. The executive team must be regularly updated on this topic.
Risk Management Framework Brings Visibility to Compliance Risks
I feel strongly that treating compliance through the risk management prism is the best angle to take. Compliance risk must be evaluated and monitored in the risk map of the company. But we shouldn't only evaluate the risks associated with not being compliant. We also need to evaluate how being compliant will reduce other risks in the company. This avoids managing regulatory compliance as merely a "check the box" exercise. Regulations are there to reduce risks, so it is usually in the interest of the company to comply with them. Having solid financial practices, managing the privacy of its customers, having strong cyber security, fighting fraud: doing these properly is in essence good for the business and should be reflected in the risk mitigation plans of the company.
No Silver-Bullet Technologies for Compliance
There is no technological silver bullet in the area of compliance. It is, before anything else, a matter of processes and behavior. Nevertheless, technology can of course help.
The market for GRC (Governance, Risk and Compliance) tools has existed for years, but such tools are still very costly and complex to implement. One of the main wishes would be a tool that, based on the countries your company operates in, lists all the regulations you have to comply with. It would then produce a template of processes and controls to help with the roll-out, allowing automation of controls and storage of evidence. But it would still always require manual work and integration. I never trust a technology vendor that claims their solution will allow me to be compliant. I have seen that in the past with SOX, and we can see it again with GDPR. Most of the time it can help, under certain conditions, for a specific scope.