IT GRC Forum

The past 24 months have seen a number of man-made and natural disasters bring risk management demands to the forefront of executives and board directors. Whether these have been natural disasters, such as the Japanese Tsunami or man-made disasters, such as the Gulf of Mexico oil spill, fat-tail disasters have created a renewed interest in enterprise risk management (ERM) practices.

Puneet Kapoor answered a series of questions written by marcus evans before the forthcoming 5th Annual Enterprise Risk Management Conference, March 19-21, 2012 in Chicago, IL. All responses represent the view of Mr. Kapoor and not necessarily those of Walgreens.

In this challenging environment, board members and management executives are striving to maintain their tight grip on costs while maintaining a proper focus on enterprise-wide risk.

A California supermarket chain recently sent letters informing customers that a security breach had been discovered at 20 of their stores. The breach notification letter released by Lucky Supermarkets reads, in part:

In my previous blog "Something Rotten in my Kingdom" I asked the question: Can we envisage a way to improve security through compliance? 

CIS-Partners, a consulting firm specializing in compliance strategies for the pharmaceutical industry, wrote an article entitled, “Don’t Get Burned”. The main focus of this article is to discuss how organizations are shifting to third-party vendors and in turn, how internal auditors need to respond to the risks associated with this process.

1. Data Breaches: Businesses suffer most often from data breaches, making up 35% of total breaches. Medical and healthcare services are also frequent targets, accounting for 29.1% of breaches. Government and military make up 16.2%, banking, credit, and financial services account for 10.5%, and 9.2% of breaches occur in educational institutes.

The congressionally appointed Financial Crisis Inquiry Commission released a 535-page report on Thursday blaming the meltdown in part on compliance breakdowns and deficiencies.

In Holland there is a saying: You catch more flies with honey than with vinegar. Indeed if we look at the causes of the financial crisis in a number of cases the drive to achieve the incredible bonuses that are customary in the financial sector seem to have outweighed the sanctions the enterprise risk department might or might not have imposed for excessive risky behaviour.

For the complete article read the IT RSC Blog:

When I look at the world today it seems everything is about risk these days. Data breaches left and right (your private data is continually at risk). Systemic risk and failed risk management is what caused the financial crisis. Earth quacks, tidal waves, forest fires, global warming, HIV, Mexican flue are threatening humanity. The current state of the economy is threatening the IT budgets and as a result my job as an IT Consultant is at risk. There is a risk of a new wave of regulations in response to the world-wide need for governments to bail-out private enterprise. As a result the lack of IT risk and compliance expertise is a risk. Or am I just paranoid?