In part 1 and part 2 of this series, we examined the common assumptions, realities, and best practices for implementing an integrated risk management (IRM) solution. In this conclusion, we explore assumptions and misconceptions around IRM implementation on-premises versus in the cloud.
Assumption: We Should Implement an On-premises Solution Since the Cloud Won’t Meet Our Data Protection Requirements
Reality: Many modern SaaS providers of IRM solutions have implemented robust security architectures that meet or exceed an organization’s security requirements, and the costs of internal hosting, IT staff for infrastructure support, and upgrades can become show stoppers to meaningful implementation progress.
Think back to the mammoth banks during the financial crisis of a decade ago that were so large and had taken on so much risk that they were deemed “too big to fail.” Financial resources beyond their own were ultimately required to keep them from failing. The merits of that government-led rescue effort are still being debated at office water coolers around the country.
Similarly, the idea that an organization’s own data center is inherently more robust, with a lower likelihood of failure than a cloud provider’s, is arguably outdated thinking.
Contrast this with the cloud architectures of providers like AWS, where networks can be efficiently segmented, redundancy can be built in across zones and regions, and services can be purpose-built so that no single service is “too big to fail.” Engineers build each service for a specific objective, and data is still shared between services through interfaces that communicate over industry-recognized, authenticated, and encrypted protocols.
Well, which model is better?
Remember, your integrated risk management program needs to adapt to regulatory changes, control environment changes, new corporate mandates, and expanded policy initiatives. How will your on-premises implementation fare given your anticipated need to be quick, nimble, and in direct control of the business outcome? Perhaps fine, but you may discover that the unforeseen details of infrastructure maintenance, whether handled by you or by your IT support staff, at times dramatically slow your progress.
Perform a thorough security review of the candidate solution’s policies, security program, and controls for protecting the confidentiality, integrity, and availability of your organization’s data. Request and review the candidate’s SOC 2 Type 2 report or other security certifications and documentation to ensure there are no adverse findings or gaps in control coverage. Check the report’s audit period, the systems and Trust Services Criteria in scope, and any noted exceptions together with management’s responses; a clean report whose scope excludes the service you would actually use tells you little.
Make a list of the pros and cons of deploying your IRM capability in the cloud versus on-premises. Include the results of your total cost of ownership (TCO) analysis together with your list of qualitative pros and cons.
Ensure that any integrated risk management candidate solution has the requisite integration capabilities for interfacing with both cloud and on-premises systems. Flexibility is key, given that risk data may need to be consumed from both internal sources (e.g., internal audit findings) and external ones (e.g., a list of IT applications from a cloud-based ticketing system).
If an on-premises deployment is still the best path forward for the organization, ensure your budget for internal technical resources, hardware, and other ongoing infrastructure maintenance costs is adequate, as these are often overlooked and become a hidden cost down the road.
Strategize with your leadership and team members within Risk and Compliance on the importance of being agile and in more direct control of the organization’s integrated risk management solution. Be very explicit in your strategy for either building internal administrative capability or outsourcing that capability to competent third-party providers.
Choose Your Integrated Risk Management Solution with Eyes Wide Open
The ultimate success of your integrated risk management implementation will be directly proportional to the amount of due diligence, planning and coordination, business process analysis, functional and technical requirements gathering, and aligning with key stakeholders that you can afford to invest in prior to making the final technology decision.
We all must make some assumptions when selecting technology. But because integrated risk management initiatives are uniquely designed to change behavior to improve the organization’s risk posture, we should take the time to challenge our assumptions by consulting the real-world advice of those who have successfully implemented IRM technology. While no single technology solution is perfect, many integrated risk management solutions have been designed to address the most pressing risk management challenges facing organizations today. Armed with the right information after having done your homework, you can move forward with confidence in your decision with your eyes wide open.