Issues - we all have them. I should clarify that statement. I am not talking about you personally or referring to the 'lie on the couch, tell me about your relationship with your mother' types of issues. I mean - all organizations have issues. Some are big and some are little but all organizations find gaps in their processes that cause some level of concern.
Security, risk and compliance professionals must feel like therapists at times. Every Risk and Compliance process identifies issues and most organizations end up with a virtual yellow legal pad of issues (just like a therapist uses). The story is always the same: an issue is found and then cataloged in some spreadsheet. That spreadsheet is then emailed around to various parties who dispute the issue, plan the remediation or assess the risk. Ultimately, that issue becomes a bullet point on some presentation for management to review. The spreadsheet ends up on some file share and hopefully, the correct actions are taken to close the Issue mitigating the risk.
This process is replicated across the spectrum of risk and compliance processes. Risk assessments identify possible risks. Compliance assessments find ineffective controls. Security assessments find vulnerabilities. Audits identify regulatory or compliance gaps. That is nature of GRC - find those areas where the business is at risk. Each one of those issues represents a possible exposure for the organization. That control gap could lead to a compliance violation; the security vulnerability could lead to a data breach. The longer those issues sit, the more likely something bad will come out of it.
I call this phenomenon "The Issues Pit". Scattered lists of issues and findings in various documents (Excel, Word, Exchange, Sharepoint) with no consolidated view of outstanding issues related to audits, compliance or risk assessments leads to missed issues that fall through the cracks. Limited documentation on current or planned remediation efforts to address open risks can lead to missed deadlines or poorly planned projects to remediate identified exposures. All of this spells doom - or possible doom - for the organization.
Issues Management is one of the foundations of governance, risk and compliance. Regardless of your level of maturity in risk management, there are issues being raised by some processes. How those issues are treated and tracked is the deciding point of failure for many organizations. Sometimes things are missed and there are consequences. That happens. But too often, known issues are the root cause of serious consequences such as breaches of personal information, a business disruption or a repeat audit finding.
What can be done?
First, identifying the processes that raise issues to the surface is the best place to start. Where do the issues come from in the first place? What is the method of delivering the issue (audit report, spreadsheet, automated system)? Who owns the process that finds the issues?
Second, determine how issues can be consolidated. Once you know which processes are identifying the issues and how those issues are delivered, defining a common taxonomy to describe the issue is necessary to start consolidating. What makes an issue? What are the best descriptors to "bucket" issues such as business unit, business process, application or organizational function?
Third, work out the process that communicates, tracks and manages the issues. Issue resolution will be owned by various parties so keep in mind prioritization will be critical in how issues are presented. Designing a process to fold in more and more business context (what the issue really means in terms of business risk) should be part of the long term plan.
In December, I participated in a webinar through Compliance Week discussing Issues Management. We talked about the "Issues Pit" and strategies to address this critical part of your GRC program. Our customer panelist shared his experience with this pressing issue and gave some great advice on how to think about improving your Issues Management process. In addition, check out this short video that shows how RSA Archer can help with your Issues Management process.