By Deidre Rodriguez, CIPP/US
“Perform a risk assessment.” We have all heard this called out as a best practice. But sometimes it is difficult to know where and how to start. How do you begin to develop a risk assessment for your organization?
Start by doing some high-level brainstorming about the company’s risks and who your stakeholders are:
- Who are your customers?
- Which business areas interact directly with those customers or their data?
- What laws and regulations apply to your industry and company? Who has oversight over those laws and regulations?
- Which business areas interact directly with regulators?
- Who are your competitors, and what are they doing regarding innovation, the overall direction of the industry and privacy?
- What issues have you previously experienced or seen? Where has the company had issues or risk?
- What keeps you up at night?
- What keeps your C-Suite up at night?
- What is likely to land the company on the front of a newspaper?
This brainstorming identifies the business areas you will need to talk to later in your risk-assessment process. Jot down all of your thoughts and concerns and put them on paper. When answering these questions, consider past, present and future states.
Evaluate the maturity of your privacy program. There are several maturity models in the privacy industry that you can use, or you can develop your own. Look at the work your privacy office performs day to day: write down all of its activities (policies and procedures, training, advisory services, etc.) and rank each item on a maturity scale. A mature program has processes that are documented, implemented, measured/monitored and improved based on the results of that monitoring. Be sure to include the areas where you are least mature on your risk assessment, and document the desired future state, considering one-year, two-year and three-year stages of improvement. This will help you continually improve and mature your program.
Look for business areas at risk and talk to their leadership about those risks. During the brainstorming in the first step, you identified several leaders whose areas affect customers and customer data, or that deal with regulators. Reach out to each of those areas, and also think about other areas that could add value to this process and reach out to their leadership as well. Partnering with your compliance, risk-management and internal-audit functions as you conduct these interviews can be very beneficial: each plays a significant role in the company and can help your cause, especially when you identify mitigating controls and then test those controls going forward.
Use a risk-ranking model that is specific to your business. For each item on your risk analysis, score each of the questions below on a scale of one to five, one being the lowest, and then average those scores to obtain the item's risk score. When scoring, consider both the likelihood of the risk occurring and its impact:
- Would customers be impacted?
- Would a high volume of business areas be impacted?
- Is there a potential for lost business?
- Is there a potential for regulatory scrutiny?
- Is there a potential for fines and penalties?
- Is there potential for media publicity?
- Is there potential for damage to reputation or loss of trust?
Think about additional questions that you need to add to your risk-ranking model to make it work for your business.
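The ranking model above, implemented as a small risk register. This is an added example, not code from the original article: it scores each of the article's impact questions 1..5, averages them per item as the article describes, rejects missing or out-of-range answers, and ranks the register. Treating likelihood as a separate 1..5 factor and multiplying it by the averaged impact is this example's assumption, not something the article specifies; the sample risk items are constructed.

```python
"""Risk register implementing the article's 1..5 risk-ranking model."""
from dataclasses import dataclass
from statistics import mean

# The article's impact questions (the last bullet split into two).
IMPACT_QUESTIONS = (
    "customers_impacted",
    "many_business_areas_impacted",
    "lost_business",
    "regulatory_scrutiny",
    "fines_and_penalties",
    "media_publicity",
    "reputation_loss_of_trust",
)

SCALE = range(1, 6)  # 1..5 inclusive, 1 = lowest


def validate_score(name: str, value) -> int:
    """Reject anything that is not an integer in 1..5 (also rejects bools)."""
    if isinstance(value, bool) or not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{name}: score must be an integer 1..5, got {value!r}")
    return value


@dataclass
class RiskItem:
    name: str
    likelihood: int          # 1..5; separate factor (assumption of this example)
    answers: dict            # question -> 1..5, one entry per IMPACT_QUESTION

    def __post_init__(self):
        validate_score(f"{self.name}.likelihood", self.likelihood)
        missing = [q for q in IMPACT_QUESTIONS if q not in self.answers]
        if missing:
            raise ValueError(f"{self.name}: unanswered questions {missing}")
        for q in IMPACT_QUESTIONS:
            validate_score(f"{self.name}.{q}", self.answers[q])

    def impact(self) -> float:
        """Average of the per-question scores, as the article describes."""
        return float(mean(self.answers[q] for q in IMPACT_QUESTIONS))

    def score(self) -> float:
        """Composite score: likelihood x averaged impact (example's assumption)."""
        return round(self.likelihood * self.impact(), 2)


def rank(items):
    """Highest composite score first."""
    return sorted(items, key=lambda r: r.score(), reverse=True)


def answers(*scores):
    """Zip scores onto IMPACT_QUESTIONS in order; helper for building items."""
    return dict(zip(IMPACT_QUESTIONS, scores))


# Constructed sample register (hypothetical risk items, not from the article).
SAMPLE_REGISTER = [
    RiskItem("Vendor shares customer data without a contract", 3,
             answers(5, 3, 4, 5, 4, 4, 5)),
    RiskItem("Annual privacy training completion lag", 4,
             answers(2, 2, 1, 2, 1, 1, 1)),
    RiskItem("Marketing email sent without consent records", 2,
             answers(4, 1, 2, 5, 5, 3, 3)),
]


def ranked_names(items=SAMPLE_REGISTER):
    return [r.name for r in rank(items)]


if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score():6.2f}  L={r.likelihood}  I={r.impact():.2f}  {r.name}")
```

Rounding happens only in `score()`, so the ranking itself is computed on the unrounded averages; if two items tie, add a business-specific tie-breaker (such as the regulatory-scrutiny answer) rather than relying on input order.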
Consider having an external evaluation of your program. Outsiders can bring a new perspective and see risks that we ourselves cannot see because we are down in the weeds. An external evaluation of your overall program, including your risk assessment and the process that produces it, can strengthen the program. An external review also often gives customers and regulators more confidence in a program, because it has been vetted by an independent party.
For each item listed on your risk assessment, apply a compensating control. Often you will need to identify interim, short-term controls that feed into a longer-term vision of how the risk should be mitigated. The work needed to implement those controls must be included in your work plan, with an owner and a target date for each. Document progress, milestones and completion so that you can show what has been accomplished.
Make your risk assessment live and breathe. Performing a risk assessment is not a once-a-year activity. It is something that will grow and change, that will continually be under revision and refinement. For instance, as you develop training, communications, awareness, and tools/resources, use your risk assessment as your guide. The majority of the activities that you do will tie back to your risk assessment.
Deidre Rodriguez, CIPP/US, has actively been working in privacy compliance for 10 years, including policy development, incident response, advisory support and strategic planning. Currently, Deidre is the director of the Corporate Privacy Office and Regulatory Oversight for WellPoint, Inc.