"You really need to be able to balance risk in every aspect of your business," says Robert Stroud, international VP of ISACA. "You need to arm your staff with a capability for risk awareness and risk acceptance where appropriate, and also of course documenting it.
In an exclusive interview, Stroud, also VP of CA Service Management, discusses:
- Risk and compliance trends that concern him most;
- Industries that demonstrate leadership in these areas;
- Top risk and compliance challenges for organizations in 2011.
Stroud serves as a vice president and the Service Management and Governance Evangelist at CA, Technologies. Robert also serves as an International vice president of ISACA and was the former chair of the COBIT Steering Committee and is part of the Framework committee. Robert also serves on the itSMF International Board as Treasurer and Director Audit, Standards and Compliance and leads the itSMF ISO liaisons to multiple working groups.
As CA's global evangelist for service management and governance and responsible for strategy development. Stroud is dedicated to the development and communication of industry best practices and acts as a strong advocate for the customer - working closely with users, industry organizations, government agencies, and IT luminaries to identify and communicate IT best practices. He is a mentor to many organizations, advising them on their implementations to ensure they drive maximum business value throughout the process. Stroud also helps ensure that CA's solutions adhere to industry best practices.
TOM FIELD: Just to give us some context, why don't you tell us a bit about yourself and your roles both at CA and especially at ISACA, please?
ROBERT STROUD: I have joint roles. I am international Vice President with ISACA, serving on the board of ISACA, and have been doing so for the last four years. I have held multiple roles within the ISACA organization, assisting in developments of framework like COBIT and also giving input to lots of other GRC and related developments in products we've developed. At CA, I'm known as the Vice President of Service Management and Governance Strategy, and that role encompasses understanding the market trends and what's going on and giving input back to where we are going and where the industry is going both internally and externally to customers.
Compliance, Risk TrendsFIELD: So, upfront I talked about trends in compliance and risk management. As you look at those topics, what are the trends that concern you the most as we go into the new year?
STROUD: The real trend that is out there that is causing me some concern is this [disconnect] between risk management and compliance. Organizations still don't realize the two are linked. Risk management, for instance, offers us a huge opportunity to both mitigate risk, which IT is typically very good at, and also accept risk for business growth. Now the reality is if you make those decisions in isolation of your compliance requirements, you can end up making a decision to accept risks inappropriate. Or alternatively, you could insert too many mitigating controls that stifle business. I think a balance is necessary, and I think in 2011 we really have to start looking for that balance to drive that balance forward.
FIELD: You've got a unique vantage point. You get the opportunity to look across industry through ISACA. As you do that, where do you see common strengths and weaknesses when it comes to compliance and risk management?
STROUD: In terms of compliance, I think most organizations have got major enterprises in North America and other countries with group compliance requirements such as Sarbanes-Oxley, GLBA, and HIPAA in North America. We've gotten pretty good at understanding compliance and instrumenting or automating a lot of compliance to remove the manual controls. I terms of risk, though, I think risk enterprise management is still a new platform outside of some primary industries like banking insurance and so on. I think we really need to understand how we can leverage these. For instance, one of the things that I often see now is organizations will go and put a series of risk management controls in place. They'll go and measure risk, and then they'll just go wild on just trying to put mitigating controls in place. I go back to my former point: You really need to be able to balance risk in every aspect of your business, and you need to arm your staff with a capability for risk awareness and risk acceptance where appropriate, and also of course documenting it.
Industry LeadersFIELD: Now Robert you mentioned a moment ago the financial services industry. Which industry, whether the private or the public sector, can we look to for leadership in compliance and in risk management?
STROUD: I think we have certainly seen in the financial industry a lot of organizations put appropriate compliance requirements in place. Financial organizations in Europe have really leveraged what they will do to put appropriate fiduciary controls in place, so the fiduciary controls can be positive day or night at the organization. Then that in turn balances the risk profile. That is one very, very good example.
In North America, I think the insurance industry is good at putting both mitigating controls and risk acceptance in place. I don't know about you, but I've seen my premiums go up lately. That is the case of the insurance companies looking to put those risk profiles in place, understand how to link them to the business, and they are both good examples of where we need to get to. We need to make the risk management process part of our process that we do every day. It's kind of got to be enshrined in our normal everyday process like we do with compliance. And in an IT sense, one of the areas I think there is a lot of opportunity for improvement, which is probably the next question, is really in project management. Often we won't accept all the risk in an IT project, for instance, or understand the compliance requirements up front, or understand the risks. If we don't build them in right through the project plan at the end, we could come back with significant re-work.
Risk, Compliance ChallengesFIELD: Well, you anticipated the next question exactly, which is where do you see specific challenges for organizations? Project management is one. How about even just having the skills necessary within an organization -- is that a challenge?
STROUD: Yes skills are an interesting challenge. Many organizations have put a chief risk officer in place to really look at IT-related risks as well as business-related risks to IT. I think finding that person is an interesting challenge, right? Where does that person come from? Out of an internal audit, maybe? Finding those people is certainly difficult. It certainly takes some effort to drive that particular individual out and then surround that person with the appropriate skills sets. Certainly I've seen that get better in the last two years, certainly since the time that ISACA delivered our risk IT framework, which helps and assists with enterprise risk management. But I still think it is a learning curve, and we still need to go through that transition.
Advice to OrganizationsFIELD: Final question for you, Robert. If you could give advice to organizations specifically in how they can improve immediately in compliance and risk management as they head into the New Year, what advice would you give to them?
STROUD: So there are three pieces of advice I like to give. The first is: Risk has two sides of the coin. The first side is you need to be able to accept risk and use it for business advantage. The second side is you need to understand when a risk is unacceptable to the business, and mitigate that control. So we need to move away from the perspective of avoiding risk at all cost to where risk can be a business value enabler. Certainly that is the first piece of advice I would give to everybody.
The second piece in terms of compliance: You need to link your risk profile to your compliance profile, and I believe we need to be to that level now. If we have not understood the compliance requirements we have, we certainly need to do that. We certainly need to understand what they are. We need to get those controls in place, and then we need to automate those controls so that it can be part of business as usual without any impact to the business.
And the final piece is if someone is looking for guidance at the ISACA website. We, of course, have exceptional guidance on risk management, how to manage the risk and how to control it, as well as link it to compliance. We've actually developed a framework, which I encourage you all to take a quick look at, and you can see the risk guidance framework if you visit our website, which is www.ISACA.org.