The concept and definition of the First, Second and Third Line of Defense roles have been established for many years. However, the neat categorization of the lines of defense rarely covers the intermediate “First and a half” Line of Defense that operates between the First and Second Line. As a risk management service provider and a broad GRC transformation and advisory firm, CastleHill actively performs that intermediary role for our clients. Recently, we have been both witnessing and driving an evolution of the First and a half Line of Defense responsibilities across our clients that is raising the risk identification bar and helping to reduce the noise. Though we partner with many different GRC technology providers, we must drive consistency across those tools, implementations, and frameworks to achieve our required level of efficiency. To reduce the reliance on our First and a half Line of Defense and increase the effectiveness of our clients’ risk frameworks, we needed to change our approach in order to achieve the desired value and insights from the risk management processes and investments.
Ford’s Model N cars (the Model T’s predecessor) were built by workers adding parts that were laid out on the floor.
Topics: Events & Conferences
Coming soon! Actually, very soon! In May of this year, the EU's General Data Protection Regulation (“GDPR”) goes live.
Organizations have seen a steady increase in the use of third-party service providers. Not knowing whether the risks associated with third parties are being managed properly intensifies risk management challenges and keeps board members awake at night. These risks demand steadfast supervisory focus as well as effective programs to manage each organization’s third-party risk. The OCC’s recent Semiannual Risk Perspective publication highlights the urgency of addressing these risks.
Topics: Risk Management
Let’s set the table. If you’re a vendor who regularly responds to Requests for Proposals or Information (RFPs / RFIs) as part of your prospecting or sales process, we don’t have to tell you they’re a proverbial pain in the tush – pages and pages of company data are required upfront just to be in the running. The work is time (as in weekend) consuming and tedious. In fact, if you want to clear a room quickly, just casually remark “We’re responding to an RFP….” and watch sales people, relationship managers, and IT staff scatter. You won’t even hear crickets chirping in the background… they ran too. The truth is it can be soul-crushing work to assemble solid responses for every last question, insight, use case, heading and subheading. Yet, for many businesses, RFPs represent some of the most enduring and lucrative business partnership opportunities. The potential value of every response is significant, so the struggle continues.
Weighing in at $18.5 million, Target has agreed to pay the largest-ever fine for a third-party data breach. When you consider the scope of the compromise – nearly 70 million customers and/or accounts affected and an estimated total loss of $202 million by Target – the fine almost pales by comparison. How did the thieves access Target’s data? Through an unlikely third-party vendor, specifically an HVAC contractor. The more important lessons to learn from Target’s unfortunate risk debacle are in the details, specifically the breakdowns and negligence in their own risk management processes. While you might not see immediate parallels between a retail behemoth like Target and your credit union, the fact is that all third-party vendors put every organization at some degree of risk, making a functional and up-to-date vendor risk management program an important part of a mature approach to overall enterprise risk management.
Topics: Credit Unions
There is a data war being waged in many healthcare organizations – spreadsheets vs. overall data security and integrity. In fact, in our experience, the number one risk to data protection and management is the common spreadsheet. Excel has been around since 1985 and, while a long-proven data workhorse, carries with it a multitude of security risks. According to the Identity Theft Resource Center, data breaches overall increased 40% in 2016, and the healthcare sector accounted for about 35% of those breaches, which were largely driven by hacking or similar practices (over 50% and climbing sharply).
What you don’t know can hurt you. Under constant pressure to streamline and create cost-effective operations, the banking and insurance industries have for many years outsourced core processing and data management to domestic third parties. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask where its customers’ data will be stored when it leverages a third party.