Even when these are available, they tend to be written to the requirements of compliance and regulation rather than reflecting an informed enterprise risk management strategy. Incomplete asset inventories are another area of concern. Existing asset inventories may not capture the necessary information requirements, the sensitive operating processes, or the related information technology components and systems.
Similarly, a lack of understanding of regulatory requirements and of stakeholder participation, the absence of a robust enterprise risk management strategy, and recurring incidents of data breaches are some of the other key issues. Understanding of regulatory and compliance requirements often does not take a rationalized view of all business needs and tends to focus more on the specifics of compliance.
Process development tends to focus mainly on functionality, interoperability, and user experience, leaving privacy and data protection, security and continuity, third-party oversight, and regulatory compliance stakeholders to compete with business stakeholders during the budgeting process. Vulnerabilities are often managed on a process-by-process basis, leading to inconsistent risk tolerances being adopted across the enterprise, and unaligned stakeholder strategies tend to result in costly remediation of breaches.
The biggest challenge facing organizations is how to comply with the increasing number of regulations and standards while at the same time enforcing endpoint security and retaining customer loyalty.
Organizations will need to manage risk through an informed understanding of the origin of risk and migrate from a reactive, compliance-based approach to a proactive enterprise risk management approach. Business expectations will need to be aligned with compliance and vulnerability management, eliminating costly and less effective stand-alone efforts.
It would be a good idea to involve the key leadership team, including senior officials for privacy, security, information, and technology; stakeholders including business process, system, data, and relationship owners; and subject matter experts including legal counsel and compliance officials, to determine acceptable risk tolerances and to define and manage business expectations.
Sensitive data flowing through the enterprise's key business processes needs to be identified clearly and mapped to the information technology (IT) components that hold and control that data. An inventory of sensitive data types, together with a mapping of the sensitive data through the business processes, provides key insights into the origin of risk and facilitates compliance and vulnerability management.
When an organization creates and maintains an inventory of its sensitive data types, it is taking a key step towards becoming a more risk-intelligent organization and building an enterprise risk management program. Finally, IT component vulnerabilities need to be assessed and remediated. Throughout this process, organizations can leverage existing capabilities and available resources to formulate better risk tolerances.
One can ask: is there any good news after all? Yes. The process and technology changes that come along with compliance requirements present a great opportunity to improve business efficiency and performance. By implementing an integrated and secure technology infrastructure that is aligned with business expectations, organizations can ensure a continuous and cost-effective compliance structure.
The author is Director, Enterprise Risk Services at Deloitte Haskins & Sells. Views expressed in this article are his own.