Talking About Information Risk
Compliance officers can’t ponder the threat of information risk enough these days—so to fill that need, I’ll be hosting a three-part webinar series starting next week to explore the subject. Set your calendars!
Information risk intrigues me so much because it’s so hard to define, and therefore so slippery to address. Sure, once upon a time it was the domain of the chief information officer or the IT security team, but those days are long gone. Now so much of a company’s regulatory compliance and operational risk hinges on proper management of data that the subject is very much in a compliance officer’s domain.
So I was delighted to get a call from AccessData, asking me to host these webinars exploring information risk. The formal name of the series is “Information Overload: Navigating Information Risk, Investigations, and Privacy in Today’s Environment.” Really, it’s me talking with leading thinkers about information risk, privacy, data forensics and corporate compliance, to tease out how companies can manage such a complex challenge.
The webinars will take place at 11 am ET every other Tuesday: June 27, July 11, and July 25. You can register on the AccessData website, and yes, it’s free. We just want as many people as possible to participate.
You can see the full agenda on the registration page. In brief, here’s the rundown.
June 27: Information Risk & Compliance in Today’s World. This session will examine the modern challenges of information risk, and the oversight systems necessary for enterprise-wide management of information risk. How much is this a question of regulatory compliance, and demonstrating effective compliance programs? How much is it about litigation or cybersecurity risk? What do boards want for assurance that information risk is under control?
July 11: Internal Investigations Drenched in Data. Our second webinar examines strategies and techniques for internal investigations where data forensics is crucial. How does a company police against insider threats? What sort of BYOD policy management can satisfy modern corporate life and modern information risk? Can a company inadvertently jeopardize privacy or IP rights (its own or someone else’s) during investigations?
July 25: Europe’s GDPR and Other Emergent Privacy Issues. Europe’s General Data Protection Regulation will come into force next spring. The GDPR will impose significant new duties of risk assessment, data protection, breach response, and much more on companies around the world. So how will those obligations affect companies’ information risk management efforts, and how prepared (or not) are businesses for those compliance burdens coming soon?
What Information Risk Really Is
I think often about information risk because I am still trying to define exactly what it is in the modern business era. Auditors have one definition—information risk is the chance that information circulated by the company is false or misleading—and that definition is correct as far as it goes.
But that perception of information risk doesn’t go far enough for corporate legal or compliance. A business must also ensure that information isn’t acquired improperly, left unsecured, or mishandled. A better definition for our purposes might be “the chance that information controlled by the company is created, acquired, secured, or processed without proper duty of care.”
That’s new—or more precisely, the business world has changed so much in the last 15 years that all your policies and procedures to fulfill that duty are new. No wonder, then, that no single C-level executive can oversee information risk directly; at least not without feeling overwhelmed and uneasy that something, somewhere, has fallen through the cracks of your internal controls.
So what’s the best structure to govern information risk? Or how do you assess the regulatory landscape facing your business and the technology reality that your employees and customers use, and then develop that governance structure?
That’s what we want to explore. It only works with you participating, so I hope to see you there online in a few weeks.
Bonus reading, if you like: I also just explored this topic in a guest column at LegalTech News.