Technological advances

Introduction

Although technology is shifting the way organizations interacting, communicating and sharing information by enabling them to access, use and manage information anywhere at any time, emerging technologies such as smart devices, IoT, social media, cloud computing, big data and cyber security are driving change and innovation across all markets and industries.

In this rapid changing business landscape, organizations are engaging in a widespread adoption and integration of these technologies into their business as they offer the advantages of increasing productivity, operating more efficiently, enhancing communications, increasing mobility, better information handling and sharing, ensuring safer and healthier working environment…etc. thus generating economic benefits such as penetrating new markets and making more revenues in shorter period of times.

Since these technologies are breaking down the barriers of the traditional offices and defeating the old IT risk model, IT risk programs must expand and adapt to meet these challenges.

New technology risks

In recent years, organizations are often blindly embracing new technologies and creating new underlining risks by heavily investing massive resources in adopting new IT infrastructures with the associated cost in upgrading old systems following venders’ advertised or promised features of their products/services and the organizations’ own overstated assumptions regarding presumed performance and efficiency of these products/services without prior and detailed study and analysis.

Moreover, security related requirements are frequently overlooked in pursuit of willingness to deploy unconfirmed technologies which ultimately exposes the organizations to great and unknown risks while in reality bringing low added value that fails to meet their strategic objectives and stockholders’ expectations.

Organizations data is becoming available online, universally shared via social media, through variety of cloud platforms and devices such as smartphones, laptops and tablets. Thus enables data to be stored in low secured devices and exposed to a huge risk universe.

Organizations failed to oversight and support changing business landscape may endure severe market share losses. As emerging technologies are generating more market competitions with small entities whom are easily emerging and offering similar or better products/services in lower costs, organizations incapable of watching, adapting and constantly renewing their products/services to new market and technology trends find their business portfolio obsolete as their products/services are quickly becoming outdated.

Organizations are also challenged in either investing and offering training to current staff or hiring high payed talents as well as funding research and development initiatives to keep pace with these technologies.

Managing emerging risks 

Organizations should be primarily concerned by addressing current technology issues and cautioned about adopting emerging technologies. Unless they have a clearer understanding of the associated opportunities and risks, by then they can devote the attention and resources toward adopting these technologies.

Organizations need to build a foresight capacity that allow them to quickly respond to future challenges and uncertainties by adopting appropriate approaches such as Delphi Method, Horizon Scanning and Trend Impact Analysis that help them adopt emerging technologies, assess their trends in the long-term, comprehend related knowledge, develop corresponding risk indicators to watch the outcomes, and understand the potential benefits behind these technologies.

Organizations’ appetite in embracing changing and evolving technologies should be clearly defined by justifying the purposes to acquiring them, considering the expected added value, and understanding the potential risks they came up with. This in turn, enhance their ability to develop suitable controls such as plans, policies and procedures to manage the associated risks and train staff for adequate use of these technologies.

While organizations should limit the attitude and desire of acquiring new technologies just of the sake of getting them without actual need or clear return on investment. In the other hand, organizations should be keen to evaluate and review emerging technologies in order to implement suitable security controls as soon as they are appointed and validated via a proper change control process before putting them into production which reducing the misuse of unapproved but desired technologies.

Conclusion

The growing use of emerging technologies has introduced a higher threat of IT security breaches, misuse of customer data, and reputational damage. Understanding the threats that can emerge from these technologies is critical to avoid potentially catastrophic consequences.

As these technologies are disruption and threatening business models, organizations needs to keep pace with technology advances and scientific innovations, while they should always focus to stay ahead of the evolving industry, market and technology trends, their strategic vision should be aligned toward a thoughtfulness embracing of these trends, they should consider investing in related research and development efforts, they should also prevent in the same time the misuse of these new technologies by improving communication channels and cultivating awareness among staff.

Regulatory compliance

Introduction

Regulatory compliance is the process of ensuring that organizations are aware of, follow and conform with certain laws, regulations and rules (e.g. policies, standards, guidelines, code of conduct, requirements, specifications etc.), those rules can be internal and made by the organization itself, or enforced by external bodies or factors such as governments, legislators, regulators, market, industry, environment, etc.

Thus, organizations are required to identify and comprehend the applicable regulations to comply with, and the risks associated to these requirements which varies by nature (i.e. public, private, non-profit), size and type of industry it which it operate.

Compliance landscape

There are numerous regulations out there, some of them are generic and others apply to specific industries (i.e. banking, retail, manufacturing, healthcare). The intent of most of these regulations is protecting the confidentiality, integrity and availability of information that effects the organizations' stakeholders (e.g. regulators, owners, employees, suppliers, customers, partners, etc.) as well as protecting intellectual properties, fighting fraudulent activities such as corruption, bribery and money laundering. Below a list of some broadly applicable laws and regulations

• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Information Security Management Act (FISMA)
• Sarbanes-Oxley Act (SOX)
• European Union Data Protection Directive (EUDPD) 
• Gramm-Leach-Bliley Act (GLBA)
• Children's Internet Protection Act (CIPA).

Regulations are continually increasing in number, evolving and more rules are coming into practice due to wide range of factors such as the economic recession, financial and European debt crisis, cybersecurity threats, privacy and data security breaches, emerging technologies, globalization, climate change and human rights, etc.

Compliance challenges

Organizations are adopting new business models (e.g. IoT, BYOD, social media, big data and cloud computing, etc.), these models changed the business landscape and represented real challenges for organizations to acquire, embrace and comply in the same time with regulations which are increasingly out of date and have not kept pace with these recent technology trends.

In addition to the necessity of investing and allocating significant resources (e.g. talent, budget, training, tools) for compliance related activities; organizations face several challenges in understanding and conforming to regulations which are most likely generic, hard to interpret, and sometimes contradict with each other. This is without mentioning the challenges for international organizations in complying simultaneously to various regional and local regulations which differ from one country to another.

Regulatory compliance enforces organizations to apply a wide range of practices while addressing compliance issues such as introducing transparency, protecting sensitive data, retaining records, providing detailed reporting, employee training and awareness, assessing and treating risks, establishing, implementing and measuring controls, monitoring activities, enhancing communications and ensuring continual improvements.

Compliance risk management is part of the GRC umbrella (Governance, Risk management and Compliance) which overlaps in various business disciplines such as incident management, internal auditing, risk assessment, and compliance with regulations.

Compliance is also about providing and reporting back to regulators - in a timely manner -  that relevant requirements are effectively in place and operational, as failing to do so considered a non-compliance which exposes the organization to a compliance risk by triggering fines and losses.

Failing to comply or violating appropriate regulations leads often to penalties such as payments for damages, fines and voided contracts, which can result also in damaging the reputation, withdrawing the operating licenses, declining in market share and inability to pursue future business opportunities.

Nevertheless, exceptions can be made when organizations decide not to obey nor comply to certain requirements and agree to pay relevant fines, such decision can be taken to avoid implementing ineffective or costly controls which outrun organizations' capacity and hold them from creating value and achieving their strategic objectives, such decision generates a non-compliance and requires top management recognition and approval with appropriate justification and documentation.

Compliance benifits

On top of the implicit challenges in conforming to regulations; compliance brings several underlining opportunities to improve organizations, create value to stakeholders while assuring compliance and gain competitive advantages by adopting best practices, better restructuring, embracing ethics and culture, training employees, increasing performance, improving measurements, managing risks, enforcing controls, prioritizing tasks, enhancing quality, optimizing resources and omitting ineffective practices.

Below some known frameworks, standards and best practices that help organizations in complying with mandatory regulations

• Control Objectives for Information and related Technology (COBIT)
• Information security management system – ISMS (ISO/IEC 27000 series)
• National Institute of Standards and Technology Special publications (NIST SP 800 series)
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Information Technology Infrastructure Library (ITIL)
• The FFIEC Information Technology Examination Handbook series
• Basel III, etc.

Organizations are nowadays gradually embracing the use of holistic frameworks, methodologies and controls which ensures overall and simultaneous coverage of various regulatory requirements without the need to individually address each requirement all-alone. Thus reduces the efforts and optimizes the resources.

International organizations which are subject to multiple national regulations should develop holistic approaches in response to the commonly and mandatory regulations in addition to particular supplements (e.g. on country-to-country basis) suitable to address regional specifics and local issues.

Conclusion

Organizations should be aware and willing to comply to relevant regulations and adopt suitable practices in order to maintain associated risks, ensure sustainability, improve their lines of defense, gain value and competitive edge while addressing regulatory compliance.

While regulations continuously emerge and try to adapt and keep up with changing business landscape requirements, it is essential for organizations to embrace the culture of compliance. Internal auditors and risk managers should be familiar with the compliance universe and the culture of their organizations and assist them in providing assurance to mitigate compliance risks.