"Tsunami" is the Japanese term for a series of violent and recurrent waves in the ocean caused by the displacement of a large volume of water. Earthquakes, volcanic eruptions, landslides or other underwater explosions or man-made events are usually the cause. Unlike normal ocean waves that are generated by wind, or tides that are generated by the gravitational pull of the Moon and Sun, a tsunami is much less predictable and often more sudden and impactful.
Do you ever feel like your organization is navigating an unrelenting tsunami of issues generated by multiple groups, such as audit, risk, and compliance, or external auditors and regulators? These fierce waves are usually caused by risk management activities, threats, cyber events, non-compliance with regulations or other forces.
Like a tsunami we don't see coming, today's business environment makes issues management a challenge, regardless of your industry, geographic location, or business model. With constant regulatory change, shifts in business strategies and rapid technology transformations, it is easy to become overwhelmed by the magnitude, velocity, and complexity of issues that must be addressed. Like dealing with the aftermath of a tsunami, the remediation plans many organizations put in place to "clean up" are reactive, short term and may not solve the real problem.
Let's look at how most organizations deal with their issues and remediation plans.
- Issues come from a variety of sources. As a result, there is natural duplication and no real consistency in either the issue or remediation plans. Different individuals or groups document issues in various systems, but the issues are often incomplete or drive remediation plans that don't address the real problem.
- Issues are treated differently. This depends on many factors, such as the group that documented them. For example, audit findings may carry more weight than an issue documented by another group, even when the other issue may have more serious ramifications than the audit finding. This occurs when the organization has no consistent method of prioritizing issues across the board. For the business manager assigned multiple issues and remediation plans, once the audit is final and their day job takes over, priorities change and the issues never get resolved.
- Tracking and resolution of issues is inadequate. In this case, the audit group or compliance function that first raised the issue has no good way to follow up on the status of the issue or its remediation plans after the audit is over, often because their first priority is the next audit engagement. If the business process owner doesn't track resolution of the issues, they are dropped or forgotten.
To properly address issue management, organizations need a strategic and comprehensive approach, including the following:
- A process that works for the whole organization. Every environment is different, but every issues management process needs to ensure issues and remediation plans are documented consistently, assigned to the right owners, and tracked to completion.
- A way to prioritize issues and remediation plans. This must be consistently applied and driven by business priorities, such as the most important products and services the organization produces, and the criticality of the business processes and IT infrastructure that support them.
- A single automated tool the entire organization can use. RSA® Archer offers an Issues Management use case that enables your organization to manage the lifecycle of all issues regardless of where they originate. The use case includes a Business Hierarchy to establish the corporate structure and accountability, workflow to drive consistency, and reporting to provide visibility into the results. To learn more, visit: RSA Archer Issues Management.
There are other requirements, but these are a few critical areas to set the stage, enable quick implementation of the process and drive buy-in across the organization.
Preparing for tsunamis won't eliminate all the risk or impacts, but it can significantly reduce the effects and make cleanup afterwards that much more manageable. Similarly, implementing a well-thought-out issues management process reduces much of the risk from the findings that are sure to come, as well as making the remediation process that much more complete, streamlined and consistent.
For more discussion, email me at Patrick.firstname.lastname@example.org
Author: Patrick Potter
Category: RSA Fundamentals
Keywords: Compliance, Issues Management, Process, RSA Archer, Tsunami