Digital Convergence Demands a New Governance Approach: Are You Ready?
By: John Bree, SVP & Partner, NeoGroup
Digital convergence, new technologies and regulations are changing the way organizations need to approach governance and control to the new mindset of Supply & Source Chain Component Oversight.
The digital convergence journey is leading organizations to enhanced data processing, storage, retrieval, and value. At the same time, the regulatory sector is catching up and will likely begin using the same technology breakthroughs that we are implementing to test our compliance capabilities and diligence and enhance our businesses.
The General Data Protection Regulation (GDPR), Consumer Credit Protection Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA) and The Common Rule, also known as the Federal Policy for the Protection of Human Subjects, are becoming cross-industry challenges — no one is immune!
As we move aggressively to follow the Innovation Mantra, we must be just as aggressive with our tools to measure and track risk identification, controls, compliance and governance in our managed services.
A New Paradigm is Needed
In this new world, we must change our focus from Third Party Risk, Control and Governance to Supply & Source Chain Component Oversight. This article is based on a basic difference in Supply and Source chains that I believe impacts how we approach Control, Governance and Risk determination.
For the purpose of the following discussion, Supply Chain is primarily an inbound process where product components are provided from external sources and must meet predefined criteria. Component adherence to agreed criteria can be validated prior to the component being integrated into the final product. Think of airplane parts, consumer goods raw materials, machinery, data processing systems and even applications…..we can test them before we activate them.
Conversely, Source Chains for the purpose of this article are defined as both owned and contracted entities that a company employs to process confidential data that has been entrusted to them by the dataset owner.
In Risky Times, Put Oversight First
With automation at the forefront of the majority of IT and Operational services, foundational control and monitoring are critical for an organization to pursue innovation.
It is also essential that Risk, Control, Monitoring and Oversight be considered at the very beginning of the Systems Development Life Cycle (SDLC). I would go so far as to recommend that the cost, both staff and financial be included in the original business case and cost justification calculations.
Many of us have experienced the unenvious position of trying to explain why the original ROI numbers and dates were not realized. It is often a case of additional expenses due to unplanned controls and roll out delays due to poor planning for country regulatory approval.
I personally recall situations where an IT Project Manager developed a global, multi-phase rollout schedule without input from the Privacy Department, only to realize too late that the countries in the first phase would require up to six months regulatory approval. The real sad part was that the countries in the second and third phases required minimal or no regulatory approval.
Another realization in today’s rapid design, testing and implementation timelines is the need to establish sophisticated Continuous Monitoring. Whether it is a new application or system, or the enhancement of an existing platform, changes are occurring at a faster pace and, therefore, the tried and true episodic Risk Assessment of the past is no longer practical.
The Mandate for the Future
Real-time, continuous, multi-category, risk intelligence for both suppliers and locations is the mandate for today and the future. This type of monitoring allows companies to maximize Risk Assessment cycles and cadence, by using changes in vendor behavior to identify specific areas for review and avoid the time and expense of all-encompassing assessments, which can often include 1,000 or more questions. These traditional assessments place a very expensive demand on both the service user and provider.
In addition to pretty much everything As A Service we also have to deal with the challenges to the left.
Collaborate with Peers
After 40-plus years in the financial and advisory sectors, the one thing that has never changed is the need to be open to new ideas and never forget that success is not a spectator game.
While there is no single solution or approach that will meet all the myriad challenges across the vast spectrum of companies, products and processes, a proven first step is to share our issues and concerns with our peers in open forums provided by IAOP like OWS19.
For more on this topic, attend a panel discussion moderated by Bree on Governance in the Digital World at this year’s Summit. The session will also feature expert views from Khiv Singh, Vice President Sales and Marketing of Sapience; and Punit Bhatia, Privacy & Protection Officer, ING.
Visit the OWS 19 website for regular program updates.
About the Author: John Bree is a financial industry professional with a proven track record in developing and managing Vendor & Third Party Risk Management programs. He has held senior positions in New York, Tokyo, Singapore and London for Citi and Deutsche Bank covering corporate, investment, commercial and consumer banking operations.
