When risk is managed by the URO method, all decisions to transfer, avoid, mitigate or accept risk are made in full consideration of their impact on all business units. Of course, this means not every decision will reflect what you may feel is the best option for security, but every decision will take security into account and seek to provide the best possible outcome for the business as a whole.
If you look at the impact of non-compliance as a huge risk to the organization (a viewpoint borne out in the headlines on a regular basis), then enterprise regulatory compliance efforts fit precisely into the Unified Risk Oversight framework.
Cutting Costs by Joining Forces
If no such framework is in place, the most important part of creating one is getting senior management buy-in. In many organizations it is not a hard sell. In fact, many of the businesses that already use URO use it because the CEO drove the change from the top down. However, where URO is not already a management concern, you will need to make it one, and money is a good place to start.
Unified Risk Oversight saves money. For one, it can eliminate the gaps in compliance planning and implementation that allow breaches to occur — that is, it eliminates the collective idea that someone else has the ball. With Unified Risk Oversight, because all business units are involved in planning, all departments should be able to look at the compliance process and know exactly what is expected of them and of everyone else. Now, this cost saving is technically theoretical — by being proactive, you are saving money that has not been lost yet. Security executives know this angle can be a tough sell in organizations that have not experienced catastrophic loss in the past. So there is another saving to point out as well.
By bringing together all business units to plan overall compliance strategy, you will avoid costly duplication of effort. If two departments are working to comply with different standards, both of which require a similar level of access control, for instance, and they are not talking to one another throughout the process, they are quite likely to miss valuable opportunities to leverage one system or process for the benefit of both. But when they are part of an oversight team discussing each standard from the beginning, they will see that with a single access control system or process they can kill two birds with one stone, slicing the cost of compliance in half.
Three Steps to Achieve URO
Once you have received support from management and created a team of your peers from other business units, how can you use URO to manage compliance, and what might your process look like? The process for managing compliance through URO is actually quite simple.
1. See what regulations apply to your company. You can do this most effectively by using all three of the methods listed at the beginning of this article: checking with industry associations, using non-industry-specific tools, and conferring with the other members of your URO team, including the legal or government affairs department, to compile a complete list of applicable laws, regulations and guidelines.
2. Prioritize the rules and their concerns by exposure and risk. We recommend that security be the URO team leader whenever possible, because this step should be intuitive for them, whereas other groups are not familiar with assessing and prioritizing risk as a basis of their work. Unfortunately, many security departments have the well-deserved reputation of preferring to work alone, and if they cannot overcome that propensity, they are probably not a good choice as team leader. A loner philosophy just does not work well in cross-functional teams.
3. Identify the stakeholders and get them involved. In any given compliance initiative you will have numerous departments that will potentially be impacted. Make sure they all have a voice. Sometimes this group will include almost every staff group and every business function — corporate security, IT security, legal, compliance, business conduct and ethics, human resources, the business units themselves, environmental and safety. In order to ensure you are including everyone who needs to be included, you will have to carefully review your organization, the rule in question, and your industry.