Assessing Risk: Is Your Compliance Plan up to the Test?

By Matthew Bretzius posted 07-18-2013 10:15


This is a guest post by Dana Simberkoff, AvePoint Vice President of Risk Management & Compliance.

(Note: This is part of our series “Collaborate with Confidence”. Previous posts: Defining Compliance for Your Organization)

In today’s marketplace, almost every employee is now a content contributor. This influx of new content, however, brings about new risks: legal systems worldwide are clamping down and demanding greater compliance, particularly on IT systems, making it essential that organizations quickly implement compliance and risk management protocols.

So how do we balance the business benefit of the free flow of information with the risk of inappropriate access and/or disclosure? “Information Assurance (IA) is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.” (Wikipedia, 2011)

There are many methods of assessing risk, ranging from a flip of a coin to a much more prescriptive and mathematical approach. I’ve heard some companies describe their calculations as follows: “If something bad happens, 1) will my CEO go to jail; 2) will the company suffer crippling fines, penalties or potential legal liabilities; or 3) will the cost of a preventative solution outweigh the costs of what the company would pay in the worst-case scenario, and how likely is that to happen?”

This approach lends itself to a lot of speculation, whereas a more mathematical approach allows a company to develop a repeatable process. Perhaps the most important thing for a risk officer or compliance worker to consider is what they actually consider to be risk within their organization. Analysis of this risk requires a balance of standards, exposure, and what it would mean to your business.

A robust risk management program not only involves surfacing or identifying risk, but should also include the ability to audit and limit the risk. You must not only identify or “surface and detect” risk, but also rate the risk and the likelihood of being impacted by it, as well as the real impact of one risk weighed against others.
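As an added illustration (not code from the post or from AvePoint), here is the “mathematical approach” above reduced to a small, repeatable risk register: each risk is rated by likelihood and worst-case cost, ranked against the others, and its preventative control is checked against the expected loss it removes. Every name and figure in it is constructed.

```python
# Added example, not code from the post or from AvePoint: a small quantitative
# risk register that turns the three questions above into repeatable arithmetic.
# All names, figures and the scoring rule are constructed for illustration.
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    annual_likelihood: float    # chance the bad event happens in a year (0.0..1.0)
    worst_case_cost: float      # fines, penalties and liabilities in the worst case
    control_cost: float         # yearly cost of the preventative solution
    residual_likelihood: float  # chance of the event once the control is in place

    def expected_loss(self) -> float:
        """Likelihood-weighted worst case: the number used to rank risks."""
        return self.annual_likelihood * self.worst_case_cost

    def residual_loss(self) -> float:
        """Expected loss that remains after the control is applied."""
        return self.residual_likelihood * self.worst_case_cost

    def control_justified(self) -> bool:
        """True when the control removes more expected loss than it costs."""
        return (self.expected_loss() - self.residual_loss()) > self.control_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order risks so the ones with the largest expected loss are reviewed first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def justified_controls(risks: List[Risk]) -> List[str]:
    """Names of the risks whose preventative control pays for itself."""
    return [r.name for r in risks if r.control_justified()]


# Constructed sample register (illustrative figures only).
REGISTER = [
    Risk("PII on an over-shared collaboration site", 0.30, 500_000, 40_000, 0.05),
    Risk("PHI in unencrypted backups", 0.10, 2_000_000, 60_000, 0.01),
    Risk("Stale contractor accounts", 0.05, 50_000, 20_000, 0.005),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        verdict = "control justified" if r.control_justified() else "accept or monitor"
        print(f"{r.name}: expected loss {r.expected_loss():,.0f}/yr, {verdict}")
```

The third entry shows the trade-off the post describes: a real but small risk whose control costs more per year than the loss it prevents, so the repeatable figure says to monitor it rather than buy the control.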

Further, the program must integrate policy with the people, processes and technology within the organization. This includes education, monitoring and enforcement. Risk officers must continually assess and review who needs access to what types of information, and should work with their IT departments to automate controls around their enterprise systems. This makes it easier for employees to do the right thing than to do the wrong thing, or to simply ignore the consequences of their actions.

Generally speaking, organizations should use technology to enforce policies that make information available to the people who should have it and protect it from the people who should not. With highly sensitive data (personally identifiable information, protected health information), limited and appropriate access is always critically important. Simply put, understanding the difference between what can be shared and what should be shared is always the key.

#Risk #compliance #Collaboration #SharePoint