Despite being the guiding force behind most enterprises' security initiatives, today's approach to governance, risk and compliance (GRC) is still primarily a manual process. While a necessity, driven by ever-evolving rules regarding privacy, the environment and cybercrime, traditional GRC approaches often fall short, particularly as risks increase and the inability to mitigate them comes with dire consequences.
With a tendency to rely on people more than technology, current practices are often implemented only after a risk or a new regulation is identified, which is why digital risk management (DRM) is critical. As a more encompassing and modern approach that extends not only GRC capabilities but also Integrated Risk Management (IRM) and Enterprise Risk Management (ERM), DRM provides new tools and techniques that risk professionals can interweave into operations and technology with unprecedented detail to strengthen the enterprise.
Bringing risk management into the software development life cycle
Building DRM into new initiatives creates an integrated system, brings upfront value and sets the stage for constant improvement in the future. Implementing DRM can also help address concerns and improve decision making throughout the six phases of the Software Development Life Cycle (SDLC), which include the following:
- Planning: The SDLC begins with a project plan, followed by assessing the market for the viability of the product or service and getting feedback from those who will purchase it as well as from industry experts. With the goal of implementing the project with the fewest roadblocks, potential risks are identified at this stage.
- Requirements Analysis: The design requirements for each feature and capability that the software must include in its full implementation are listed at this stage.
- Prototyping: At this stage, architects develop one or more design approach plans, identifying key technologies to use and desired toolsets to build the product.
- Software Development: The product enters the actual development stage, where features are implemented based on the previously established requirements and design phases.
- Software Testing: Quality assurance finds and reports software defects and retests.
- Deployment and Maintenance Stage: The product is launched to the market. As necessary, software defects are remediated, and new product features become available based on market feedback.
Incorporating DRM throughout the SDLC enables organizations to develop software that anticipates and mitigates risks throughout its life cycle. With assessment an integral part of the SDLC process, enterprises can quickly address internal risks to the project while anticipating outside risks (e.g., data privacy, cybersecurity), as well as required compliance with both regulatory and internal policies and procedures. Because DRM focuses on working in an agile way, it also promotes and fosters a shared responsibility among all those involved in planning and developing the product.
Here are the key benefits at a glance:
- Increases efficiency and transparency while empowering staff at every level to identify and consider potential risks
- Automates time-consuming tasks that otherwise require hours of expensive staff time, with digital processes running frequently to spot risks and anomalies early on
- Brings risk management in as an active participating stakeholder within Agile/SCRUM development teams
- Identifies overlapping redundancies within different silos and condenses them to one process
- Increases an organization’s competitiveness and agility
- Reduces costs by freeing up staff to monitor dashboards rather than crunching numbers by hand
Things to consider before implementing DRM
As an organization's technology portfolio broadens and more processes are automated, it's crucial to ensure new security vulnerabilities aren't unintentionally being created along the way. In business, the constant push to evolve can sometimes mean skimping on documentation and auditability, leaving hidden trails at the edges (where subcontractors are involved on multiple projects, for example).
Before putting a DRM strategy in place, create a map of current digital tools and the protocols around them. In some cases, adopting DRM is a quick step along an organization's maturity path: adopting a few new tools and processes and creating or reassigning roles to accomplish them. In other cases, it may take more effort and require significant changes.
Also, consider what new roles may be required:
DRM Analyst
Benefit: DRM concerns are brought to the development team’s attention when initially writing specifications so the team anticipates any potential risks, governance or compliance issues that the new features might necessitate. The analyst also answers any questions during the team’s Sprint Planning session.
DRM Quality Assurance (QA)
Benefit: Depending on the scope of work, QA team members' quality checks verify that governance, risk and compliance defects are caught and remediated during the development phase, so the product reaches the market on time while meeting those requirements.
DRM is no longer big brother watching over teams with mysterious processes but rather a way to address risk concerns and their importance to the product’s overall success. Even more, it can motivate and inspire teams to look for issues proactively.
For most companies, the best step forward would be to partner with a trusted DRM vendor that has the experience needed to make this digital transformation as seamless as possible. This vendor would understand all the moving parts and how to interweave them into developing a DRM strategy that serves your specific business case.
Conclusion
This digital transformation provides tremendous opportunity, and DRM vendors have rich offerings for prevention, monitoring, machine-driven anomaly prediction and resolution platforms. The benefits and value of migrating to Digital Risk Management (DRM) and "compliance as code" within a Software Development Life Cycle (SDLC) environment will set the stage and provide an elevated product.
With tremendous opportunity, however, comes tremendous responsibility. The more multifaceted the world becomes, the harder it is to achieve something meaningful alone. Ultimately, the goal is to get the most out of your risk dollar with the least disruption to your stakeholders.
Just as adopting Agile and DevOps required broad cultural acceptance of significant changes to the organization, so will DRM. Your GRC team and processes are currently siloed, with barriers erected between them and the rest of the organization.
Above all, find a partner, an advisor you can trust to work with precision on a roadmap. Design a risk program that helps the organization balance agility with safety. This will enhance the way GRC/IRM/ERM teams confront risk by bringing DRM into the forefront of this technological evolution.
Source: https://www.securitymagazine.com/articles/95881-elevating-governance-risk-and-compliance-throughout-the-software-development-life-cycle-with-digital-risk-management