
Privacy, Information Security, Risk Management, AI, Compliance: How to Operate Multiple Frameworks at the Same Time

A lot is happening these days when it comes to frameworks and programs being proposed, or even required to be implemented. This applies first and foremost to big, global companies, which are under the most pressure to stay compliant and ethical in whatever they do or intend to do.

Amid the great number of existing frameworks in the areas of risk management, compliance, privacy and security, new ones are still being drafted and existing ones updated and refined. Among these, AI is one of the most prominent new areas, for which separate frameworks are being developed and important regulatory documents and legislation are also underway.

The sources of these frameworks are many. We obviously have documents from NIST and ISO, but there are other organisations too, and, arguably, regulatory requirements can be, and often are, de facto coined into frameworks, as with the GDPR, which provides a de facto framework with many detailed requirements in the areas of management and state-of-the-art measures. In the area of risk management, ISO 31000 and COSO are traditionally named as the most important, but we also have documents from NIST which are very prominent in this regard.

Going deeper into all these distinct areas and the great plethora of documents could be fascinating in every sense, and, as we see on the market, there is room for a great number of distinguished professionals not only working within these areas but even specializing in the implementation of specific frameworks (or even one specific framework). Still, it is impossible not to observe the difficulty that such a complex environment creates for organizations. All in all, this is not just about drafting ways to implement, and putting in place, such and such framework, which is often achieved with the help of external consultants or advisors. What may be most challenging, in the end, is to operate not just one single framework but all these multiple frameworks effectively at the same time, while new ones are still coming and waiting to be implemented in their turn.

So what practical advice can one conceive to help organizations with this overwhelming challenge?

First, quite obviously, acknowledging that we have these multiple frameworks and corresponding programs in place, and why they are important in terms of compliance, ethics, risk management, and for the overall existence and growth of our organizations.

Secondly, acknowledging that operating such frameworks and programs requires resources, knowledge and training, and that such resources are there to stay, not just at the time of implementation but for the foreseeable future, that is for as long as such frameworks and programs need to be operated (and we know that none of these requirements in the areas of privacy, information security, risk management, AI and compliance are going away; quite the contrary, there are more and more requirements, and also new areas, such as AI, which require frameworks and programs of their own).

Then, and this might surprisingly be the biggest challenge, acknowledging that operating such multiple frameworks and programs at the same time is a challenge in itself, and moreover that there must be ways to make sure they work with as little friction and divergence as possible. In addition, tasks and activities should not be repeated, which simply wastes time and resources; on the contrary, as far as possible, the same controls or activities should serve to satisfy the requirements of multiple frameworks and their specific functions.

With this in mind, ways to achieve even greater integration and alignment can be identified, provided that the level of organizational maturity allows it. On the flip side, with limited resources, such integration might even be necessary. The idea is to coordinate multiple frameworks and programs at a higher level, even, when possible, by assigning the same resources in terms of personnel, technology and tools (provided they are adapted), so as to operate this at scale. Accordingly, there is some room to create overarching documents and processes to satisfy these different requirements, though this is not at all something traditionally in place in large organizations, where specific documents regulating certain aspects in a very detailed way are often preferred to putting such different requirements together, which is not at all an easy undertaking.

Should we go as far as to create a framework by itself to manage multiple programs and frameworks?

Well, this might be too much; let us wait and see if NIST or ISO come to the same idea at some point. What is definitely worth considering, however, is enhancing existing tools and creating new ones which allow the same information to be fed in to satisfy the requirements of multiple frameworks and programs and, at the same time, provide enhanced reporting capabilities (as expected by internal and external stakeholders, including, increasingly, the relevant regulatory authorities). Another possibly useful idea is to create a dedicated function to govern this topic. This could be, for example, someone like a global inter-program coordinator or the like. This would be an employee of at least mid-management level, specifically in process management, with sufficient experience and at least some knowledge and understanding of each of the frameworks and programs, given that dedicated internal and external experts from all these fields will likely support her whenever specific expert knowledge is needed. Such a person should preferably report directly to the C-level, but should also have an extensive network of contacts at all levels of the organization, and especially in the business and in the areas of privacy, information security, risk management, AI and compliance.

Then, after all these considerations, an inherent question remains: how do we measure the integration and functioning of our integrated program?

Well, again, it is not easy to draft something from scratch given that we have no specific guidance, e.g. from NIST or ISO, on the topic. Still, using something like what NIST suggests in its privacy and cybersecurity frameworks as Implementation Tiers, that is, tiers such as Partial, Risk Informed, Repeatable and Adaptive, could be useful and handy. This would not be a sum of what we evaluated for the frameworks and programs in place; rather, it should refer to the level of maturity in integrating and operating such programs and frameworks in close coordination. Partial would mean this is still something done mostly ad hoc; Risk Informed would mean that at least a deep awareness of the need to operate all these programs and frameworks in alignment exists; Repeatable would mean there are some processes and resources as well as an organization-wide approach to manage the topic; while Adaptive could only be achieved if we are also able to adapt our practices based on lessons learned, continuously improve our technologies and practices, and provide a consistent response to the changing policy and technology landscape while maintaining our integrated system for managing multiple programs and frameworks.

We will likely soon see this topic very much on the agenda, as new frameworks and requirements are constantly drafted and added and resources already seem quite stretched.


Senior Counsel Data Privacy at ABB