CREATe and Frontier Strategy Group (FSG) recently hosted a webinar focused on the global business and compliance outlook for 2017. FSG’s Antonio Martinez provided an overview of the global business environment, touching on emerging markets and disruptive events such as the oil supply shock and the populist wave that are shaping the business environment. Martinez also provided a breakdown of how the year will look for various regions in terms of business and investment.
Given the diverse risk environment, how can companies manage top threats? In the webinar, CREATe CEO Pamela Passman suggested that every organization start with an assessment to determine where it is most important to focus. She identified the elements of an effective program for key risk areas – cybersecurity, anti-corruption, intellectual property and trade secret protection. The program categories range from policies and procedures to establishing a cross-functional compliance team, communications, monitoring, third-party management and other business processes. She also emphasized the importance of being aware of changing global standards and adapting policies accordingly.
For organizations that are heavily dependent on third parties, she noted that it is important to understand the systems that partners have in place to manage risks. Given that many organizations can have thousands of third-party partners, Passman suggested that organizations should focus on the third parties that are highest risk. As part of an assessment, it’s important to ensure that compliance programs are in place and that third parties understand how they need to organize themselves internally to manage risk.
During the webinar, Passman highlighted the risks stemming from insiders, ranging from employees to vendors. She shared the example of Epic Systems, a health records company. In that case, a vendor was using credentials from a previous contracting assignment to access an Epic Systems portal that housed confidential trade secrets. In his new assignment with Tata Consultancy Services (TCS), the contractor was not supposed to have access to the portal. However, he did, and he shared the credentials with his new colleagues. Confidential information and trade secrets were copied and supplied to a competitor. This example highlights the need for continuous monitoring of third parties.
It is not only third-party contractors that need monitoring, however. Employees can pose a threat as well by accessing networks from insecure devices, downloading unlicensed software or succumbing to phishing attacks. To better manage this risk, the organization must put controls in place – from securing access points to the network to knowing who is in the ecosystem.