The hottest topic in GRC this year is likely to be risk management within the IT field, and not compliance or the Protection of Personal Information Act (POPIA), as many may anticipate.
This is according to Dr Peter Tobin, director of Peter Tobin Consultancy, speaking at the ITWeb Governance, Risk and Compliance 2018 event in Johannesburg yesterday.
Although the information regulator indicated late last year that we are up to 12 months away from the POPIA commencement date, Tobin believes this will not be the issue on everyone's lips this year.
"Risk management is absolutely going to be the big issue in 2018, not only because of scandal-hit Steinhoff, and other corporate failures, but because of an expectation that organisations need to look ahead and anticipate the unexpected. Risk management in technology is going to mature, I foresee more company executives trying to go for vendor independent frameworks, particularly looking at the ISO standard in the risk management area, which is codified by the International Organisation for Standardisation, or the US-sourced Committee of Sponsoring Organisations of the Treadway Commissionenterprise management framework which is already popular within our JSE-listed companies."
Although many local organisations are already looking into their risks, Tobin pointed out that one of the key things that IT executives need to do when advising the board of directors about their governance responsibilities is to help identify the IT domain risks or areas of risk, such as technology infrastructure hardware, software and services, including cloud solutions.
"Risk domains are not purely associated with technology vulnerabilities as a lot of risk in organisations comes from behavioural activities of people within the organisations and actions that individuals take, which can result in unexpected consequences – that's why risk management must focus on the use of technology, to meet business objectives."
John Giles, legal services provider at law firm Michalsons, discussed the many international laws that will have an impact on local businesses this year. These include the General Data Protection Regulation (GDPR), ePrivacy Regulation; EU-US Privacy shield, PIPA in Japan the Data Protection bill in the UK, among others.
"Many local organisations assume that because GDPR is a European law, it doesn't apply to them, but there is a list of questions that organisations have to ask themselves in order to determine if they have to comply. The GDPR deadline is 25 May 2018, so if you have to comply with the GDPR there really is no time to lose; you have to start working on meeting the requirements," he warned.
GDPR, he adds, is Europe's equivalent to SA's POPIA and it is not a directive but rather a regulation that complies in the whole of the European Union.
"Among the plethora of questions that local firms have to ask to determine if they're expected to oblige by the GDPR is: Do I have a company, postal address, a local agent, a bank account, a registered legal entity within the European Union countries? If you've answered yes to some of these questions than there is a good chance that you have to comply," he explained.
Discussing the effects of cloud migration on GRC, Brian Pinnock, regional manager of engineering at Mimecast MEA, explained GRC practitioners face a nexus of forces when firms migrate to the cloud.
"The move to cloud has become synonymous with efficiency and agility, but it also introduces new and increased risks – a rise in cyber crime, increasingly onerous regulatory environments and growing client and employee privacy concerns. Cloud is changing business and the future of IT – on the one hand end-users are trying to circumvent new technologies, on the other hand businesses are developing a cloud ecosystem and information suddenly becomes a much more important asset, so inevitably there are major risks involved.
The evolving technology landscape, adds Pinnock, brings with it complex GRC-related issues which include: transparency and visibility from providers; compatible laws across jurisdictions; incomplete identity management and data sovereignty.
"Sometimes organisations are forced to comply with incompatible laws across jurisdictions and it becomes a challenge when they don't know where their data resides or where their applications are being delivered from," he concluded.