CastleHill Managed Risk Solutions Blog

Managing Regulatory Changes – Thankless Job or Hidden Gem

Posted by Joseph Santangelo on Feb 12, 2018 12:02:11 PM



Topics: GRC, Risk Management

Operational Risk Levels Remain Elevated - Third-Party Service Providers are the Reason

Posted by Joseph Santangelo on Feb 1, 2018 5:10:25 PM

Organizations have seen a steady increase in the use of third-party service providers. Not knowing whether the risks associated with third parties are being managed properly intensifies risk management challenges and keeps board members awake at night. These risks demand steadfast supervisory focus as well as effective programs to manage each organization’s third-party risk. The OCC’s recent Semiannual Risk Perspective publication highlights the urgency of addressing these risks.


Topics: Risk Management

A Faster Path to “Yes:” Improve Your RFP Response Time and Win More Deals

Posted by Michael Duggan on Sep 22, 2017 8:59:30 AM

Let’s set the table. If you’re a vendor who regularly responds to Requests for Proposals or Information (RFPs / RFIs) as part of your prospecting or sales process, we don’t have to tell you they’re a proverbial pain in the tush – pages and pages of company data are required upfront just to be in the running. The work is time (as in weekend) consuming and tedious. In fact, if you want to clear a room quickly, just casually remark “We’re responding to an RFP…” and watch sales people, relationship managers, and IT staff scatter. You won’t even hear crickets chirping in the background… they ran too. The truth is it can be soul-crushing work to assemble solid responses for every last question, insight, use case, heading and subheading. Yet, for many businesses, RFPs represent some of the most enduring and lucrative business partnership opportunities. The potential value of every response is significant, so the struggle continues.


How Your Credit Union Can Stay Up to Date on Your Vendor Risk Management Program

Posted by Michael Duggan on Aug 25, 2017 10:20:00 AM

Weighing in at $18.5 million, Target has agreed to pay the largest-ever fine for a third-party data breach. When you consider the scope of the compromise – nearly 70 million customers and/or accounts affected and an estimated total loss of $202 million by Target – the fine almost pales by comparison. How did the thieves access Target’s data? Through an unlikely third-party vendor, specifically an HVAC contractor. The more important lessons to learn from Target’s unfortunate risk debacle are in the details, specifically the breakdowns and negligence in its own risk management processes. While you might not see immediate parallels between a retail behemoth like Target and your credit union, the fact is that all third-party vendors put every organization at some degree of risk, making a functional and up-to-date vendor risk management program an important part of a mature approach to overall enterprise risk management.


Topics: Credit Unions

The Costs of Storing Protected Health Information (PHI) in Spreadsheets

Posted by Michael Duggan on Aug 8, 2017 2:29:00 PM

There is a data war being waged in many healthcare organizations – spreadsheets vs. overall data security and integrity. In fact, in our experience, the number one risk to data protection and management is the common spreadsheet. Excel has been around since 1985 and, while a long-proven data workhorse, carries with it a multitude of security risks. According to the Identity Theft Resource Center, data breaches overall increased 40% in 2016, and the healthcare sector accounted for about 35% of those breaches, which were largely driven by hacking or similar practices (over 50% and climbing sharply).


Topics: healthcare

Do You Really Know Where Your Data Resides?

Posted by Michael Duggan on Aug 3, 2017 2:10:00 PM

What you don’t know can hurt you. With the constant pressure of streamlining and creating cost-effective operations, outsourcing of core processing and data management to domestic third parties by the banking and insurance industries has been common practice for many years. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask where its customers’ data will be stored when leveraging a third party.


Topics: GRC

How Can I Ensure Our Vendors Are HIPAA Compliant?

Posted by Michael Duggan on Jul 20, 2017 1:54:00 PM

You’ve been diligent about developing the needed policies and procedures to ensure HIPAA compliance within your organization. It’s been challenging, but your internal audits have been positive, and you are confident your internal processes are up to standard. Are you as confident about your vendors and their HIPAA compliance? If your vendors aren’t compliant, who pays the price? You do. As the outsourcing organization, you are responsible for the HIPAA practices of all vendors who have access to, work with, or store your sensitive PHI. Beyond the vendors who physically touch your data, such as IT providers, data centers, and document shredders, HIPAA compliance requirements could extend to other vendors who may have access to your contacts database, or even the data center where your IT provider backs up their own data (see: How Many Degrees of Separation Are There Between You and Your Data?).


Topics: healthcare

How Do I Report Vendor Risk Management to My Board or Senior Management?

Posted by Michael Duggan on Jul 11, 2017 1:48:00 PM

If your bank or credit union outsources any of its functions to a third party, you are not only responsible for effective vendor risk management but also for reporting the results of third-party risk assessment to your leadership and board of directors. The Office of the Comptroller of the Currency (OCC) makes it clear – a credit union or bank with vendors “should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships.” Easy for them to say. If you’re the risk or compliance officer tasked with vendor risk management oversight and reporting, “commensurate” is a loaded term. How do you rate risk? How do you lay out your program in a clear, understandable format? How can you be sure all your risk bases are covered? No one wants to stand in front of senior management or the board of directors mumbling through a disjointed array of reports or information. Whether you are flush with risk management data or aren’t sure where to start, your third-party risk management framework and reporting could spell the difference between a clear, supported program and one that looks like an urgent SOS for intervention. We have some tips to make sure your reporting of third-party risk management to leadership is clear, effective, and on point.


How Many Degrees of Separation Are Between You and Your Data?

Posted by Michael Duggan on Jun 29, 2017 2:17:00 PM

Being the master of all you survey is not enough in today’s business climate. Do you know the true risks which lie well below the apparent surface of your operations? Consider third parties – if you’re like most companies, you are increasingly dependent on third-party entities to manage any number of critical functions, including IT, line-of-business applications, and more. You understand that third parties create a much more complicated operational and risk picture, but what about fourth and even fifth parties?


Topics: Risk Management

Attending the ProcessUnity Customer Summit in October?

Posted by Michael Duggan on Jun 15, 2017 2:01:00 PM

An Insider’s Guide to Boston – where to stay, what to do, and how to prepare for the customer summit.

Summer may be in full swing, but we’re looking forward to a beautiful New England fall and the upcoming 2017 ProcessUnity Customer Summit in Boston on October 24 and 25. Now is the time, before the whirlwind of travel and a busy summit schedule, to plan some time to enjoy historic and lively Boston. We believe life should be a healthy balance between work and leisure, and in that spirit we offer you some insider Boston intel along with some of our time-tested strategies guaranteed to maximize your valuable time and energy.


Topics: Events & Conferences