Expert Insights: Improving the Practice of IT Risk and Control Performance

Expert Insights: Improving the Practice of IT Risk and Control Performance

What are the top priorities for executives as they work to improve the practice of IT risk and control performance? Steve Schlegel (Managing Director, Deloitte & Touche, LLP) moderates a lively discussion between Bill Bowman (Chief Information Security Officer at Emburse), Greg Keches (Information Security Director at Boston Consulting Group), and Jonathan Shih (Director of Enterprise Cybersecurity Risk Compliance and Resilience at Aptiv) that covers:

  1. Risk identification and assessment processes.
  2. Building and operating your program to address those risks.
  3. Conveying the mission and brand of your organization internally.

Watch the full conversation, and read the can’t-miss highlights below.

Leaders from Emburse, Aptiv, and Boston Consulting Group discuss changes in the IT risk industry, addressing risk, and conveying value internally. 

How have you seen IT risk and control change over the past few years, and how do you see it continuing to evolve?

Bill Bowman, Emburse: Emburse handles financial data. We are materially responsible for our client’s ability to report their financials. Thus, we want to make sure our SOC audits are all done correctly. Having those relationships with the regulators and with internal counsel and external counsel so you can understand what’s going on in that space is critically important. Another critical component is people. Making sure that we can have this collective conversation around the initiatives for our organization, what our customers need, what our regulators need, and how we can leverage different controls to help grow the organization.

Jonathan Shih, Aptiv: A big part of it is partnering with the business to understand what they’re trying to drive from a revenue perspective. That also tailors what you do from a security investment standpoint.

Greg Keches, Boston Consulting Group: IT compliance isn’t a rote methodology anymore. It’s a real, hard process that we need to explain to leadership that there’s no such thing as zero risk, there are no monolithic control improvements. We need to all work together as a team to show threat models and show how telemetry leads to good results.

How do you stay on top of emerging risks and various compliance requirements? What are the top two or three risks you are focused on right now?

Greg Keches, Boston Consulting Group: We can’t confuse compliance activities with our actual security posture. For instance, there’s no such thing as zero risk. Instead, it’s crucial to focus on availability, confidentiality, and integrity. You’re going to have issues in all those spaces that might shut the company down and prevent revenue. In order to tackle those baseline things, you have to use a mixture of risk management and assessment and good conversations with leadership.

Bill Bowman, Emburse:  Let me cover three risks I’m seeing right now. Integrity is one area I’m looking at, especially with the evolution of machine learning and data science. M&A is also a huge area. Finally, talent is an important piece. As we manage our people, it’s critical to make sure they feel connected to the organization and the mission.

Jonathan Shih, Aptiv: An important part of staying on top of risk and compliance is investing in the right areas. This includes protecting our intellectual property and maintaining our manufacturing sites across our global footprint. That’s especially crucial since manufacturing is a top-targeted area for ransomware right now. It’s crucial to get ahead of that and share your expertise with other customers and vendors in your field.

What are some must-haves of any effective IT risk or cyber function?

Jonathan Shih, Aptiv: For starters, it’s crucial to expect your entire organization, including your subsidiaries, to meet a basic level of cyber hygiene. One of the best ways to manage cyber risk is to train your employees on cyber hygiene and implement role-based training. In terms of technology, we use AuditBoard. It’s been a very good partner for us. What’s great about AuditBoard is that it allows you to roll out a GRC tool quickly. AuditBoard just gets it done right with the standard features that you need, and the best part of AuditBoard is the service behind it – AuditBoard is there even after implementation.  

Bill Bowman, Emburse: I remember an auditor asking me once: do you have your annual risk meeting to identify risks? At Emburse, we’re talking about this every single day! I have to be in those conversations and meetings to be able to do my job. That really helps me get the visibility I need to help run the business.

Greg Keches, Boston Consulting Group: It’s crucial to manage relationships with control owners, understand how the controls are performed, and how we take that very tactical plan of actions and milestones and put perspective on it.

2024 Focus on the Future Report

What key metrics are you using to measure your work, and how do you convey that internally?

Bill Bowman, Emburse: Metrics are everything in my world. Being able to add different metrics year over year is crucial. So is being able to communicate those metrics – I believe in continuous improvement. 

Jonathan Shih: An area of focus for Aptiv has been using outside parties to do a compliance assessment. It’s a big way we also tell the story of good sound investment and good return.

How do you convey the value of investing in IT risk and control performance?

Greg Keches, Boston Consulting Group: If you conduct tabletop exercises and risk assessments and show your work, it translates from subjective to meaningful. I think it’s possible for IT compliance to change the conversation and explain the improvements we’re making.

Jonathan Shih, Aptiv: One big thing is your relationship with the revenue-generating professionals in your organization. Work with them to develop the right control framework and ensure the right regulatory matters are being acted on. Depending on how those controls are ranked from a business impact risk perspective, leadership wants to invest more in those areas.

Greg Keches, Boston Group Consulting: I think you’ve heard from the past questions: look up, look down, design good committees and processes, bring good information into those processes, and develop something that’s sustainable.

Looking for more thought leadership? Check out our on-demand webinar library, and stay tuned for more Expert Insight videos featuring insutry leaders and experts discussing timely issues, insights, and experiences.