All organisations today hold critical data and infrastructure that cannot be left at risk. As has often been stated, “Information is the most valuable asset an organisation has”. For some organisations, such as financial institutions and healthcare providers, the data is of an extremely sensitive nature and needs additional due care. Whatever the core focus of your organisation, one thing holds true: the cost of a serious ransomware attack and/or data breach is something nobody needs or wants.
Some of the biggest threats come from human behaviour, which is often the weak link in an overall ERM or cybersecurity strategy. Too often risks are still evaluated in silos, which exposes an organisation to seemingly “hidden” or “unknown” risks. An effective strategy, supported by a well-designed ICT GRC framework, prevents these risks from being missed and gives the organisation a much higher degree of transparency, which ultimately translates into the resilience levels needed in today’s cyber risk climate. Maintaining clear visibility and control over emerging threats, as the organisation and its environments change, helps it not only remain stable but grow, because the correct data and guidance are in place.
Company strategies need to zoom out to reveal the larger picture and then detail every corner of the organisation, from the customer journey to internal processes and external risk. Beginning the journey of breaking down information silos can be an overwhelming task and a great responsibility.
While data is often readily available to C-suite executives and to security and operational teams, interpreting that data, truly understanding it and taking the correct actions to prevent risk, is a skill in itself. In a recent article, Capitec listed data literacy as “the future of work” in South Africa. This is not yet a mainstream skill for GRC and ICT GRC professionals. However, if organisations are to address the full scope and complexity of cyber risk, it is a skill set that must be demanded of EGRC teams.
Each one of our GRC programmes offers an extensive analysis of your data and insightful interpretations, which provide visibility of your risk exposure position. We have steadily built up our strength in data insights and data interpretation, so as to support you in that first step in your journey to transparent management of the complex world of cyber risks, information security and data privacy management.
Let’s unpack some of the crucial GRC verticals that we manage for our clients in the financial sector:
IT Risk & Governance
This content focuses on maturity relating to the critical aspects of governance, control, process, strategy, approach, monitoring and reporting, aligned to numerous leading IT frameworks and standards, such as NIST, CIS, ISF and COBIT 2019, as well as the governance principles of King IV and other governance best practices.
ISO 27001 is the foundation standard for good practice in information security management. The maturity assessment asks critical questions relating to clauses 4 to 10 of the standard and to the Annex A controls (sections A.5 to A.18 in the 2013 edition; note that the 2022 revision regrouped Annex A into four themes, sections 5 to 8, so the mapping should be checked against the edition being certified against).
With rapidly evolving and expanding cyber risk, the demanding regulatory requirements of GDPR and POPIA, and numerous other privacy regulations being developed around the world, the consequences of mishandling sensitive and PII data can be devastating.
20 years on and the activities of governance, risk and compliance continue to be managed in a decentralised and siloed fashion. This approach exists even though many of the GRC activities relating to enterprise risk, strategic risk, compliance risk, quality risk, environmental risk, OHS and BCM cross over one another in policy, governance and accountability, process, reporting, control management, data insights and many other areas.
This content allows organisations to focus on the individual maturity of these critical requirements for each executive and non-executive director. The content relates to the critical aspects of governance, integrity, leadership, ethics, control, process, strategy, performance, monitoring and reporting.
People GRC has not matured in most organisations, hence the poor oversight experienced by HR and risk professionals. The leadership of many organisations often has little insight into what is happening on the ground and where the pressing risks lie, because people GRC risk is under-reported, if it is reported at all. The approach taken by most organisations tends to be a ‘fighting fires’ approach, dealing with each risk as and when it occurs.
Although most large organisations have structured themselves according to an HR/People operating model in order to separate people governance issues, manage people risk and ensure compliance, poor risk-management acumen in GRC terms has produced a purely structural operating model with no synchronisation across governance, risk and compliance, so oversight tends to be a hands-off affair.
The financial management of any business is a critical element of the ongoing sustainability and viability of an organisation, large or small. The challenge, as with many aspects of governance, risk and compliance, is that the financial control and GRC elements, within an organisation, tend to be managed in silos of information, which results in senior management, exco, board and investors never really being able to see the full picture. The RUBIQ Financial Controls Programme guides organisations through a financial control implementation, with GRC integration in mind.
The strength of an organization’s ethics culture and the effectiveness of its internal ethics and compliance (E&C) program are closely tied to workplace behaviour. Each key indicator of ethical performance – pressure to compromise ethics standards, observation of misconduct, reporting of violations, and retaliation for reporting – improves in companies with strong ethics cultures. Ethical performance is strengthened in organizations with effective E&C programs. In fact, pressure and retaliation become extremely rare in companies when they implement effective ethics programs.
A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and privacy controls, based on the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). The RUBIQ content within the platform supports maturity evaluation, gap analysis, a remedial plan for gap closure and a readiness assessment ahead of the formal audit, which must be performed by a licensed CPA firm; the readiness assessment is not itself a SOC 2 report.
Crime and fraud continue to be ever-growing issues that organisations must get on top of. There are many aspects to this risk area, so organisations need to tackle the risks from a number of angles, with an “out-of-the-box” mindset, if they are to stay abreast of the fraud and crime that is so prevalent across the globe. Preventing fraud, cybercrime and other related threats is an ongoing, complex challenge in a highly volatile risk landscape. Current surveys indicate that 46% of organisations experienced fraud, corruption or other economic crime in the last 24 months. To be truly successful in combating this area of risk, a multifaceted approach is needed. The RUBIQ forensics evaluation is a good start, combined with the RUBIQ ethics framework and cyber risk exposure review. Unknown risk is impossible to manage and defend against. DON’T BE IN THE DARK.
Business Continuity Management (BCM) integrates the disciplines of emergency response, crisis management, disaster recovery (technology continuity) and business continuity (organisational/operational relocation). In today’s world, it is critical that any business can demonstrate resilience and a strong BCM strategy. The RUBIQ BCM Programme provides tangible, evidence-based results of such resilience, for all levels within the organization. This means high assurance can be offered to all stakeholders and interested parties.
Health and Safety
This content allows organisations to focus on the individual maturity of the critical requirements related to health and safety practices, compliance with the law and implementation of a sound ISO 45001 management system.
Environmental, social and governance (ESG) criteria are a set of standards for a company’s behaviour used by socially conscious investors to screen potential investments. Environmental criteria consider how a company safeguards the environment, for example through corporate policies addressing climate change. Social criteria examine how it manages relationships with employees, suppliers, customers and the communities where it operates. Governance deals with a company’s leadership, executive pay, audits, internal controls and shareholder rights. This programme combines the other existing content into consolidated ESG content and includes the development of a full financial controls and operational assurance attestation framework covering all the RUBIQ GRC verticals implemented by a client.
SARB & Solvency II
This content is aimed at financial services institutions’ governance frameworks and good practices related to SARB (South African Reserve Bank) requirements and to Solvency II in the insurance industry. It also touches on KYC (know your customer) and anti-money-laundering governance and process when implemented together with some of the other key programmes, such as forensics, ethics and director duties.
For more information on our GRC Managed Services Programmes, please contact us on firstname.lastname@example.org