Risk Governance: To Stay Safe, Write Policies Addressing These Five Areas

Risk Governance

Whether the company you work for has five employees or 5,000, it should have a risk governance program. Specifically, it should have policies and procedures covering the five key areas of data retention, data access, device security, people security, and social media. 


Risk Governance Is for Everyone 

Every organization, regardless of size or industry, should implement a risk governance program to reduce the chances of its being impacted by a crisis. The formality and complexity of the program can vary with the size of the company, but every organization with an interest in securing its future should at least put some thought into devising policies and procedures to reduce its risks. 

Moreover, those policies and procedures should be reviewed on an annual basis and updated as needed, to ensure they remain suited to the company’s evolving reality. 

Experience shows that there are five areas where risk governance policies and procedures are especially important: data retention, data access, device security, people security, and social media. 

Let’s look at them one by one. 

1. Data Retention and Management 

In setting policies that control where and how long to retain data, it’s important to balance the needs of regulatory requirements, business advantage, data storage costs, and the risks associated with possessing the data. Sound risk management requires that company data be stored in an appropriate manner and deleted at the appropriate time. 

Regulatory requirements should be thought of as minimums, and while some data might need to be kept forever, some might no longer be needed after a month.  

Most companies have both physical and digital records, and setting policies on storage can require deciding when physical records should be moved to off-site storage (after four years? after seven years?) and when digital records should be archived. 

Policies on data retention and management should reflect an informed awareness of the costs of keeping data, something that is often overlooked. The costs of digital storage are not negligible, and those for physical offsite storage can mount quickly. Some companies pay every month to store physical records going back 50 years or more.  

Beyond the financial costs, retaining data can be expensive in other ways as well. Any data the company possesses is data that can be stolen, causing liability and reputational impacts. Retained data is also information the company could be obliged to turn over in the event of a lawsuit. (Needless to say, no one should ever delete data that is subject to a legal or auditing hold.) 

A possible approach to data retention that stops short of keeping data in its entirety is making summaries of information and deleting the details. 

Most of the pushback to deleting data comes from people who believe it might offer an eventual business advantage. This is an important concern but one that can usually be accommodated by a policy saying, for example, that only data that is older than four years and which has not been accessed in six months will be subject to deletion.  
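The rule just described (delete only records that are both older than four years and untouched for six months, never anything under a legal or audit hold) is concrete enough to encode. The following is an added example, not code from MHA Consulting or from the post; the thresholds, the `Record` fields and the sample inventory are assumptions chosen to mirror the wording above, and the function only classifies records so the resulting plan can be reviewed before anything is actually deleted.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds taken from the policy example in the text (assumed units: calendar days).
AGE_THRESHOLD_DAYS = 4 * 365    # "older than four years"
IDLE_THRESHOLD_DAYS = 6 * 30    # "not accessed in six months"


@dataclass
class Record:
    """Minimal inventory entry for one stored item (hypothetical schema)."""
    record_id: str
    created: date
    last_accessed: date
    legal_hold: bool = False    # True while a legal or audit hold applies


def retention_decision(rec: Record, today: date) -> str:
    """Classify one record as 'hold', 'delete' or 'retain' under the policy."""
    if rec.legal_hold:
        # A hold overrides every other rule: held data is never deleted.
        return "hold"
    age_days = (today - rec.created).days
    idle_days = (today - rec.last_accessed).days
    # Both conditions must be true before a record becomes eligible for deletion.
    if age_days > AGE_THRESHOLD_DAYS and idle_days > IDLE_THRESHOLD_DAYS:
        return "delete"
    return "retain"


def plan_retention(records, today: date) -> dict:
    """Group record ids by decision so the plan can be reviewed before acting."""
    plan = {"hold": [], "delete": [], "retain": []}
    for rec in records:
        plan[retention_decision(rec, today)].append(rec.record_id)
    return plan


# Constructed sample inventory; these are not real records.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("old-idle", date(2018, 1, 10), date(2023, 2, 1)),             # old and idle
    Record("old-active", date(2018, 1, 10), date(2024, 5, 1)),           # old but recently used
    Record("new-idle", date(2023, 1, 10), date(2023, 2, 1)),             # idle but too young
    Record("held", date(2015, 1, 10), date(2016, 1, 1), legal_hold=True), # under legal hold
]

if __name__ == "__main__":
    for bucket, ids in plan_retention(SAMPLE_RECORDS, AS_OF).items():
        print(f"{bucket}: {ids}")
```

Running it against the sample inventory puts only `old-idle` in the delete bucket: `old-active` fails the idle test, `new-idle` fails the age test, and `held` is excluded regardless of age. Keeping the hold check first, and producing a reviewable plan rather than deleting inline, is the part a practitioner would want to preserve when adapting this to a real retention tool.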

In setting policies for data retention and management, input should be sought from all concerned departments, including risk, legal, IT, the regulatory folks, and the people on the business side. 

Once the organization has decided on its data retention policies and procedures, it must publish and enforce them to reap their benefits. 

2. Network and Data Access 

The second area for which every organization should develop and enforce thoughtful policies and procedures is network and data access, something that is more important than ever in today’s landscape of pervasive cyber risk. Access policies should spell out the company’s rules for handling such matters as usernames, passwords (length, special characters, schedule for changing), two-factor authentication, and network and app-based access. They should specify how, where, and by whom digital resources can be used.  

One data access policy item that many organizations have found advisable is a rule that employees may use their work email address only for work-related activities. Allowing personal use of work email addresses tends to result in more spam and heightened cyber risk for the company.

3. Device Security  

Another area for which organizations should develop risk governance policies is device security. The issues to cover here include whether employees can use company devices to conduct personal business (such as shopping and checking personal email) and, if so, what limits apply to that use. The policies might require employees to consent to a degree of monitoring as a condition of being allowed to use their company devices for personal business. Another issue that might be addressed is whether and when employees must use a VPN.

Companies should also consider crafting policies that address employees’ digital hygiene, the goal being to reduce the organization’s vulnerability to cyberattack. The policies might spell out the consequences for employees who chronically click on unsafe email links or reveal confidential information (as determined by company phishing tests), with the consequences including remedial training, reassignment, or even, in extreme cases, termination. 

4. People Security

Risk governance policies should also address the conduct of employees in terms of their physical actions, such as badging in and out and “tailgating” (when people enter a facility so closely behind badge-using individuals that they gain access without verifying their right to do so).

Policies in this area should also set forth the rules regarding visitors, who might be divided into groups (such as trusted contractors and one-time guests) that are governed by different rules. The policies should address access to the various parts of the facility, the need for nametags and escorts, and similar matters. Policies should emphasize the requirement that everyone must badge in and out individually, no exceptions.

In devising these policies, it helps to be mindful that this is an area where most people’s desire to be friendly exists in tension with the organization’s need to ensure the safety of its employees and the security of its assets. Well-crafted policies strike a balance between these aims.

5. Social Media

Social media is the last key area for which every organization should develop a risk governance policy. The issue with social media is that in sharing information about the company on Facebook, TikTok, and other platforms, employees might reveal information to the public that puts the company at risk. This can happen completely inadvertently.  

Indiscreet posts can be in the form of written messages, photos, or videos, and the data revealed could be anything from confidential company projects to the location of facility entrances (as seen in the background of photos of a company barbecue, for example). Policies should be devised that set forth the company’s expectations and limits on what employees can post about the organization on social media, the goal being to reduce the chances that information harmful to the organization will be allowed to escape into the wild. 

Protecting the Organization’s Future 

Implementing a risk governance program is essential for organizations of all sizes and industries. By developing policies and procedures that address the five key areas of data retention, data access, device security, people security, and social media, companies can significantly reduce their vulnerability to crises and protect the organization’s future.  

Regularly reviewing and updating policies and procedures, considering input from various departments, and enforcing the rules consistently will maximize the benefits of the program. Being proactive in this area can help organizations protect their people and facilities, safeguard sensitive information, reduce data storage expenses, minimize cyber threats, and mitigate the risks associated with social media. 

Further Reading 

For more information on risk management, and other hot topics in business continuity and IT disaster recovery, check out the following recent posts from MHA Consulting: 

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
