CastleHill Managed Risk Solutions Blog

Capturing the "First and a Half" Line of Defense

Posted by Timothy Carbery on Dec 5, 2018 4:06:49 PM

The concept and definition for the First, Second and Third Line of Defense roles have been established for many years. However, the neat categorization of the lines of defense rarely cover the intermediate “First and a half” Line of Defense that operates between the First and Second Line. As a risk management service provider and a broad GRC transformation and advisory firm, CastleHill actively performs in that intermediary role for our clients. Recently, we have both been witnessing and driving an evolution of the First and a half Line of Defense responsibilities across our clients that is raising the risk identification bar and helping to reduce the noise. Though we partner with many different GRC technology providers we must drive consistency across those tools, implementations, and frameworks to achieve our required level of efficiency. To reduce the reliance on our First and a half Line of Defense and increase the effectiveness of our client’s risk frameworks,  we needed to institute a change of approach to achieve the desired value and insights from the risk management processes and investments.

Read More

Topics: Insider, Platforms & Software, GRC, Policy and Procedure Management

Policy Management – What would Henry Ford do?

Posted by Joseph Santangelo on Apr 17, 2018 6:04:57 PM

Ford’s Model N cars (the Model T’s predecessor) were built by workers adding parts that were laid out on the floor.

Read More

Topics: Policy Exception Management, Policy Management, Policy and Procedure Management

CastleHill exhibiting at the 7th Annual Risk Americas Conference - May 17-18, 2018 in New York

Posted by Michael Duggan on Mar 26, 2018 2:45:44 PM

7th Annual Risk Americas 2018 Conference
May 17-18, 2018
New York Marriot Downtown 

Read More

Topics: Events & Conferences

GDPR in the USA

Posted by Joseph Santangelo on Mar 6, 2018 12:51:36 PM

Coming soon!   Actually, very soon!  In May of this year, the EU's General Data Protection Regulation (“GDPR”) goes live.

Read More

Topics: Risk Management, GDPR, GDPR Compliance, GDPR for US Companies

Managing Regulatory Changes – Thankless Job or Hidden Gem

Posted by Joseph Santangelo on Feb 12, 2018 12:02:11 PM

Managing Regulatory Changes – Thankless Job or Hidden Gem

Read More

Topics: GRC, Risk Management

Operational Risk Levels Remain Elevated - Third-Party Service Providers are the Reason

Posted by Joseph Santangelo on Feb 1, 2018 5:10:25 PM

Organizations have seen a steady increase in the use of third-party service providers. Not knowing if the risks associated with third-parties are being managed properly intensifies risk management challenges and keeps board members awake at night. These risks demand steadfast supervisory focus as well as effective programs to manage each organization’s Third-Party Risk. The OCC’s recent Semiannual Risk Perspective publication highlights the urgency to address these risks.

Read More

Topics: Risk Management

A Faster Path to “Yes:” Improve Your RFP Response Time and Win More Deals

Posted by Michael Duggan on Sep 22, 2017 8:59:30 AM

Let’s set the table. If you’re a vendor who regularly responds to Requests for Proposals or information (RFPs / RFIs) as part of your prospecting or sales process, we don’t have to tell you they’re a proverbial pain in the tush – pages and pages of company data is required upfront just to be in the running. The work is time (as in weekend) consuming and tedious. In fact, if you want to clear a room quickly, just casually remark “We’re responding to an RFP….” and watch sales people, relationship managers, and IT staff scatter. You won’t even hear crickets chirping in the background… they ran too.  The truth is it can be soul-crushing work to assemble solid responses for every last question, insight, use case, heading and subheading. Yet, for many businesses, RFPs represent some of the most enduring and lucrative business partnership opportunities. The potential value of every response is significant, so the struggle continues.

Read More

How Your Credit Union Can Stay Up to Date on Your Vendor Risk Management Program

Posted by Michael Duggan on Aug 25, 2017 10:20:00 AM

Weighing in at $18.5 million, Target has agreed to pay the largest-ever fine for a third-party data breach. When you consider the scope of the compromise – nearly 70 million customers and/or accounts affected and an estimated total loss of $202 million by Target, the fine almost pales by comparison. How did the thieves access Target’s data? Through an unlikely third-party vendor, specifically an HVAC contractor. More important lessons to learn from Target’s unfortunate risk debacle are in the details, specifically the breakdowns and negligence of their own risk management processes. While you might not see immediate parallels between a retail behemoth like Target and your credit union, the fact is that all third-party vendors put every organization at some degree of risk, making a functional and up to date vendor risk management program an important part of a mature approach to overall enterprise risk management.

Read More

Topics: Credit Unions

The Costs of Storing Protected Health Information (PHI) in Spreadsheets

Posted by Michael Duggan on Aug 8, 2017 2:29:00 PM

There is a data war being waged in many healthcare organizations – spreadsheets vs. overall data security and integrity. In fact, in our experience, the number one risk to data protection and management is the common spreadsheet. Excel has been around since 1985, and, while a long-proven data workhorse, carries with it a multitude of security risks. In fact, according to the Identity Theft Resource Center, 2016 data breaches overall increased 40%, and the Healthcare sector accounted for about 35% of those breaches which were largely driven by hacking or similar practices (over 50% and climbing sharply).

Read More

Topics: healthcare

Do You Really Know Where Your Data Resides?

Posted by Michael Duggan on Aug 3, 2017 2:10:00 PM

What you don’t know can hurt you. With the constant pressure of streamlining and creating cost-effective operations, outsourcing of core processing and data management to domestic third-parties by the banking and insurance industries has been common practice for many years. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask the question of where their customer’s data will be stored when leveraging a third party.   

Read More

Topics: GRC