The US Government’s recent actions against Capital One over its July 2019 data breach, in which an attacker accessed the private data of more than 100 million Capital One customers in the United States, should not come as a surprise, even though Capital One is viewed as one of the most technologically advanced banks in the country.
The question is: if one of the most technologically advanced banks failed to establish an effective risk assessment program, how effectively are other banks managing their enterprise risk?
As a result of the data breach, the OCC (Office of the Comptroller of the Currency) has imposed an $80 million civil penalty and a cease-and-desist order that lays out the steps Capital One must take to improve its risk management program, as well as its internal controls related to cyber security and information security. This plan must include an internal governance framework that, amongst other measures, has clearly defined operational risk roles and responsibilities. While a combination of technical, operational and personnel weaknesses likely contributed to the vulnerability that enabled the data breach, an effective controls framework may well have prevented the attack.
At Alyne, we have been vocal about the importance of effective control frameworks in managing enterprise risk. Technology can certainly serve as a key component to a successful controls framework. However, technology must be able to deliver needed information to the right people at the right time in order to drive appropriate behaviour. The combination of the right technology coupled with the right content is key to a successful control framework. At its core, an effective controls framework acts as the single source of truth for information that allows everyone in an organisation to clearly understand their responsibilities and specific steps needed to be both undertaken and continuously monitored in order to sustain a successful risk management profile.
Alyne believes that controls need to be more than a check-the-box exercise. History has shown that those firms who implement control frameworks to guide and support their organisation's objectives are positioned for long-term success. Today’s heightened regulatory environment, coupled with the reality that information is now distributed instantly across the digital landscape, makes it imperative that organisations have control frameworks in place that are specifically tailored to their organisational structure – saving both time and money by creating operational efficiencies, while providing true transparency into the organisation's risk profile.
An effective control framework is made up of individual controls. If the individual controls in a controls framework are ineffective, then the framework itself is going to be ineffective. It’s that simple. To ensure control success, Alyne has designed every one of the 1100+ Controls in our Content Library according to the SAMC3 principle – a term coined by Alyne, from the initials of the six attributes below. Following this process for control creation will help you create an effective control framework and reduce risk.
Specific - each Control describes a specific action or practice that prevents harm to the organisation and its assets.
Atomic - each Control only defines one specific aspect. Some poor examples of Controls try to cover multiple aspects and end up covering half a page of text. If one answer cannot describe the current maturity or effectiveness, the Control is not atomic. This also means that every Control shall be meaningful by itself without the context of other Controls.
Measurable - the effectiveness and design of each Control shall be measurable. In Alyne, the criteria and data points relevant to measuring the design and effectiveness of each Control are always defined together with the Control to ensure this attribute.
Consistent in Structure - while we do not always achieve this perfectly, we strive to keep the sentence structure of each Control consistent. Convoluted syntax such as double negatives or opening with a subordinate clause makes a Control much more difficult for the reader, assessor, recipient or other stakeholder to consume, and should be avoided at all costs.
Comprehensible - simply copying the text from a standard or law is not helpful. Wording in Controls should be as simple and meaningful as possible to the audience within the organisation. Laws and standards need to be deliberately broad so as to be generally applicable. Controls, on the other hand, shall only be focussed on your own internal organisation – and therefore use wording that is familiar and meaningful in that context.
Contextual - a Control should provide a link to a standard, law or regulation and to risks it may mitigate. This context provides meaning to Control deficiencies and enables more automated analytics.
Whether you are in operational risk, information security, compliance or audit, our recommendation is that you review your enterprise controls and measure their alignment with the above principles. Doing so may save your organisation from a similar outcome.
We invite you to pair this article with our ‘Enterprise Controls: The Need, Evolution & Future’ webinar or our ‘Controls as a Service’ white paper; both of which take a deeper dive into how we structure our Controls at Alyne.