A number of years ago, I sat in a conference room, slack-jawed, at a response given by a senior manager from an Information Technology team to a federal examiner. The examiner, in an ad-hoc discussion about organizational structure and process, simply asked about the risk management processes used by the IT team during development. The response provided, “We don’t do risk. Risk is managed by the Risk Management team,…their office is down the hall,” uncovered (for me) a general misunderstanding about what risk management is and how it is, or should be, implemented in each department, team, and/or business line throughout an organization.
It’s funny how compartmentalized and specialized we think we have become. The truth is that all of us manage risk, all the time. Whether it is deciding whether to put on sunscreen, have an extra slice of pizza, or go skydiving, each of these activities involves a risk component, and managing that risk is required: identifying and assessing the risk, and understanding the probability and impact of these activities and how they will affect overall goals.
When it comes to organizational approaches to risk management, we hope that the identification and assessment processes are a bit more formalized, and that probability and impact determinations are more clearly defined and consistently applied than what we may apply in our day-to-day personal lives. However, as referenced above, often they are not. Though an organization’s strategic goals are typically well documented and published, if risk management practices are not fully established, I have to wonder how realistic or attainable these goals are.
What does this have to do with privacy?
Successful privacy programs are developed and maintained by implementing risk management processes, including ongoing identification, analysis/evaluation, treatment, monitoring and review of privacy-associated risks. Risk identification, analysis and treatment decisions are what guide the development and implementation of appropriate privacy policies, procedures and practices – ultimately, the controls used to manage privacy risks.
Common sense, right? You would think so, but just a few months ago, sitting in a different conference room, in a different organization, I asked a question about how the privacy policies and procedures were developed and against what they are periodically reviewed. The response focused on alignment to well-known privacy frameworks and had little to nothing to do with the organization’s identified and analyzed risks. Though we all agree that industry-related frameworks and legal/regulatory requirements are key components of our programs, actually understanding organization-specific risks should be the main source of our program requirements.
Recognizing and incorporating sound risk management processes into our privacy programs helps to ensure our teams are addressing reasonably foreseeable risks. And, hopefully, we won’t answer the examiner’s question with “We don’t do risk…”!