Nearly 7 in 10 internal audit leaders responding to the IIA’s annual “Pulse of Internal Audit” survey ranked cyber-attacks and other security issues as a major concern, but only one-third said they have high confidence in their organizations’ ability to address such risks. IIA President Richard Chambers says the results confirm that “organizations must improve how they identify emerging risks.”
Compliance officers have become targets for regulators because of what they (presumably) know and advise about regulatory requirements—including their role in identifying and reporting violations. Now compliance officers face personal liability even for a failure to act, rather than for any direct violation. This week, Compliance Week columnist Jose Tabuena explains how escalation processes provide protections for compliance, as well as for the company itself.
Software vendors offer a range of products known as “enterprise legal management” to help the legal department analyze spending, discern patterns, and manage costs. Given that many legal costs are the result of some governance or compliance risk, is there an opportunity to use enterprise legal data to improve your GRC program? The answers aren’t clear yet, but they are intriguing. More inside.
With yet another huge data breach hitting Corporate America—add insurance giant Anthem to the Hall of Shame—internal audit departments are trying to pinpoint what expertise they can bring to the company’s cyber-security risk assessment. Plenty, many audit executives say. “There are technical aspects of these projects, but regardless of the technicality, internal audit can add a lot of value to this,” says Tom O’Reilly, head of internal audit at Analog Devices.
Companies that move data throughout Europe, or beyond its borders, face a long and exacting list of privacy and security demands. Some companies are choosing to take advantage of Binding Corporate Rules (BCRs), presenting their data compliance framework for approval by data protection authorities. BCRs, despite a lengthy approval process, may hold numerous benefits. We looked at how First Data, a payment technology company in Atlanta, undertook the process.
Compliance officers are under constant pressure to demonstrate to senior executives, their boards, and regulators that the compliance function works. That means finding ways to measure compliance program effectiveness. To develop those metrics properly, “you have to define your goals,” says Anne Harris, former chief ethics officer of General Dynamics. Inside, compliance executives share their approaches to capturing and reporting compliance metrics.
Reputation risk is the strategic business issue for many boards and senior executives today, and yet few know how to address it well. “Reputation is an ‘amplifier risk,’ because it attaches itself to other risks,” says Andrea Bonime-Blanc, head of consulting firm GEC Risk Advisory. She and others recommend several concrete steps to manage reputation risk, but they are not the sort of controls and processes you’re used to. More inside.