By: Allan Gajadhar
Allan Gajadhar is a specialist in governance, with over 15 years of technical management experience. Allan is currently Director of Technical Sales for GRC Manager, with responsibility for Governance solutions across multiple industries, with a particular focus on the Public Sector. Allan has significant...
Published: January 29 2009, 06:21 AM
by Reed Irvin
It's amazing how a technology can start out as a point solution but as market demands and conditions evolve, its role changes.
Email archiving originally took off as a "must have" for organizations concerned with email storage challenges. Email servers were full of old and stale email. IT was burdened with the troublesome task of enforcing mailbox size limits. Users were storing email on PSTs without any controls.

Then along came the development of new email archiving software that solved these problems. These solutions allowed users to easily access archived mail. Storage issues were alleviated. IT overhead tasks were reduced. Everyone is happy, right?
Maybe at first, but eventually other risks started to surface for companies when it came to email archiving: litigation readiness, for one. Saved email represents significant risk if there is ever a discovery order, because you're required by law to be able to find content in a timely fashion or you risk fines, the loss of the lawsuit, or an expensive settlement. The same goes for regulatory compliance. You have to know what data you have and be able to prove compliance or, again, you risk significant fines. As a result, companies, including CA, began enhancing and upgrading their email archiving tools to solve these new, more sophisticated challenges.
So the market has changed. The stakes have gone from solving storage issues, primarily an IT concern, to reducing risks associated with litigation and compliance. Essentially, what was once a storage challenge is now an Information Governance challenge. The benefits of addressing this new challenge are that organizations can proactively reduce risk, ensure budgets are wisely allocated, and give their business the agility required to compete, all of which are especially important under current market conditions.
The need for email archiving is still there, but the game has changed. I see the market continuing to evolve as Information Governance becomes pervasive in effective and well run organizations.
By: Reed Irvin
Reed Irvin is VP of product management for Information Governance at CA, responsible for CA’s records management and discovery solutions. Reed has nearly 20 years of experience in various aspects of records management and information governance. He founded On-Line Records Storage, one of the first commercial...
Published: January 28 2009, 12:05 PM
by Sumner Blount
On Jan 22, the US Government Accounting Office (GAO) released the biennial update to its list of federal programs, policies, and operations that are at "high risk" for waste, fraud, abuse, and mismanagement, or in need of broad-based transformation. This list is updated every two years and released at the start of each new Congress to help in setting oversight agendas. This list generally receives a lot of attention from the Congress and the Administration, and it has been used to help create or modify specific services from governmental agencies.
You can read the press release here, and view more details about this program here.
The first item on the list this year is: "THE OUTDATED U.S. FINANCIAL REGULATORY SYSTEM" and is described as follows:
The worst financial crisis since the Great Depression has revealed major weaknesses in the U.S. financial regulatory system, which failed to keep pace with recent market trends, such as the emergence of large, interconnected financial conglomerates, and the development of new, often complex, investment products. In the near term, strong oversight is needed to ensure that the huge sums being deployed by the Treasury Department and other government entities are achieving their goals and are being used efficiently. Long term, GAO believes that modernizing the U.S. financial regulatory system and aligning it to current conditions is an essential step to reducing the likelihood that our nation will experience another financial crisis similar to the current one.
The exact details of new regulations that might result from this are obviously unclear at this point, but what is clear is that more regulations are on the way. This means that the compliance and risk management challenges that financial services firms must overcome may only get worse.
In addition, firms that were not catastrophically impacted by the financial meltdown are very likely to strengthen their overall risk management initiatives, in the hope of avoiding a similar fate that many financial institutions were faced with.
The GAO update report reinforces two clear market trends:
- Compliance isn't going away... more regulations are on the way, and this problem will only get worse for most companies.
- Effective risk management is becoming much more of a Board-level issue than it was before.
When the viability of an enterprise can be wiped out as quickly as has occurred to many companies involved in the current crisis, managing the totality of corporate risks becomes an absolutely vital element of corporate governance.
By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...
Published: January 26 2009, 05:00 AM
by Reed Irvin

Without defined, repeatable processes and the right tool, it's apparent that accurately estimating the cost of an eDiscovery response is dicey at best and a complete unknown for most. Ask around your own company and the likely answer will be: "It depends."
There have been numerous articles recently about the Bush administration's email woes, including this Washington Post article that cites a $10m figure for finding lost emails. I'm sure that we will all carry that burden as taxpaying citizens of the US.
No one is immune from a document request. eDiscovery responses are becoming more of a regular occurrence (or should I say disruption?) throughout both the public and private sectors. So let's just assume there is a high response cost to a document request as we noted above. This really elevates the need to "have your house in order."
Taking steps to proactively build a compliant and discoverable environment should be on the top of everyone's list, from IT to the CEO. I kind of equate it back to the days prior to everyone having a Disaster Recovery plan. Initially DR was just a plan that sat on a shelf, a check box item if you will. Then as businesses started realizing the impact that IT-related downtimes had on their bottom line, it became more of a commitment by upper management to ensure there was a real, tested course of action between the covers of the plan.
It's clear that eDiscovery responses are expensive when you aren't prepared. As is evidenced by the search for White House email, the dollars are mounting up for discovery cases. However, the better prepared you are to respond, the less impact there is on your bottom line!
To learn more go to www.ca.com/ig.
By: Reed Irvin
Reed Irvin is VP of product management for Information Governance at CA, responsible for CA’s records management and discovery solutions. Reed has nearly 20 years of experience in various aspects of records management and information governance. He founded On-Line Records Storage, one of the first commercial...
Published: January 26 2009, 03:40 AM
by Mike Hoefgen

Governance, Risk and Compliance (GRC) requires a common set of processes for managing risks, controls, policies, and measurements. When each business unit or department within a company assesses risk in different ways with different tools and different forms, their likelihood of getting good information on which to base their decisions is dramatically reduced. When they start establishing consistency across their risk management processes, they gain efficiency, as well as increased visibility into their total enterprise risk.
What's the best way to get a GRC effort off the ground? There's not just one answer to this question, but here are some strategic and tactical steps that can help:
STRATEGIC:
1) GRC is Not a Project
During a Quality Management class, the instructor said "Quality is a process not a project." The same applies to GRC; there are no dates when everything will be done. Requirements, regulations, laws and best practices are constantly changing, and GRC processes should always be continuously improved, so GRC will never be "done."
2) Create a Cross-functional Team
Some companies choose one person to be responsible for coordinating GRC efforts. While this can be effective, it may be even more effective to bring together a team to coordinate GRC. The team could consist of representatives from information systems, legal, internal audit, compliance, and risk management, as examples. Patrice Walker, Director of Risk Management for Jefferson Wells, has said that GRC is primarily a business challenge that impacts groups across the enterprise: relationships need to be built, and communication across all groups must be effective. She also emphasized the importance of communication and relationships in making GRC successful.
3) Don't Try to Boil the Ocean
Don't struggle to solve all your regulatory and compliance problems at once. As Matt Caston states in his recent eWeek article: "...focus on a discrete area with opportunity to expand the program in the future." Your focus could be on a specific regulation where you have an impending audit. Or you could focus on a specific function, such as the need to communicate the company's Code of Conduct and report the level of employee acceptance.
4) The Need for Speed
If you need to implement your GRC strategy quickly, take a look at software-as-a-service, or SaaS. It provides fast software implementation, reduced upfront investment in server hardware, and minimal demand on IT staff resources. SaaS is not for everyone, but the model continues to prove itself as a viable alternative to the standard purchase, install and maintain method. Make sure you choose a vendor that allows conversion to other purchase methods. If the software proves itself, you could reduce your long-term investment by purchasing the software and either 1) allowing the vendor to host it for you or 2) hosting the software in your own data center (on premise).
With some strategic decisions out of the way and using your GRC software of choice, consider the following tactical tips:
TACTICAL:
1) Import Existing Objects
Utilize what you have already prepared. If you have a list of enterprise or IT risks in a spreadsheet, import it. If you have a list of controls, import it. If you have company policies like the Code of Conduct or password policy, import them. This will be the beginning of your single source of truth for compliance. Once imported, you can start the process of getting your cross-functional team members to validate and expand it. This will also start the collaboration on, and creation of, your "GRC lexicon" and taxonomy that Matt Caston also describes in more detail in his eWeek article.
2) Start Scoring
Now that you have a starting point, utilize the built-in scoring mechanisms. If you imported your risks, score them so you can see your Top 10 risks. If you imported your controls, ask the control owners to answer the control maturity assessment questions to find the 10 weakest controls.
3) Create Connections
Now you can start "connecting the dots." If you started with a list of your risks, input some of the controls that are put in place to mitigate those risks, then associate them together. If you started with a list of controls, enter some of the risks that they mitigate and associate them together. You can also connect your controls and/or imported policies to the requirements (ISO 27001, SOX, HIPAA, PCI) and control objectives.
These tips will get you started with your Governance, Risk and Compliance efforts, but they are only a beginning. Coordinating and advancing a coherent GRC approach across departments and business units requires significant effort and perseverance, and the fruits of your labor and your peers' labor may not become evident right away. However, having a structured program ensures long-term benefits such as enhancing governance capabilities, helping mitigate risks more effectively and simplifying regulatory compliance.
*Image courtesy of Gio JL, used under Creative Commons License.
By: Mike Hoefgen
Mike Hoefgen has been helping clients solve business problems for over 20 years. Mike is currently a Principal Consultant with CA, Inc working with the Governance business unit and is based in Seattle. Mike holds a Bachelor of Science degree in electrical engineering from the University of Wisconsin...