The future of operational risk management

The future of operational risk management is collaboration.


Assess your risk

Consider your organization’s risk profile. If you collect customer data that includes Social Security numbers and credit card information, you will have a different risk profile from an organization that is simply collecting names and email addresses. Once you understand your risk profile, you are ready to look at how to manage your risk.


Select a framework

You can only measure progress if you set a standard to be measured against. Many organizations measure themselves against more than one security framework. Popular frameworks and standards include NIST CSF, SOC 2, HITRUST, HIPAA, and FedRAMP. U.S. states have local regulations like CCPA and the New York SHIELD Act which may also apply. Individually, each of these frameworks may contain hundreds of controls that must be implemented and tracked. Using the Ostendio MyVCM platform allows organizations to simultaneously build and manage activities against more than 100 industry standards and regulations. Ostendio MyVCM allows customers to select any base framework, e.g. NIST 800-53, and then automatically map every control to any and all other frameworks selected. This means you can build one security program but seamlessly manage multiple frameworks at the same time. No spreadsheets or cross-tracking required. You can even extend this feature to your customers’ audit requests by simply mapping existing evidence to their questions. This saves your organization time and money by reducing the duplication required in answering each request individually.


Build out your program

Know how information is processed, stored and transmitted in your organization using the Ostendio MyVCM platform. Define how internal and external systems interact with one another. Make sure that everyone in your organization understands their role with regard to data security. Consider which employees are going to be directly involved with your risk management program and agree on a budget that will support your program. Encouraging a culture of data security is important to success, which is why security training is built into the Ostendio MyVCM platform, so you can manage and track security training. While building out your program might seem overwhelming, Ostendio Professional Services experts can help establish your program, which reduces the distraction from running your business.


Track and manage progress

Ostendio MyVCM offers clear and easy-to-read dashboards: one that provides metrics so you can easily prepare status reports, and one that offers crosswalk capabilities so you can apply evidence collected for one standard to another that is similar, thereby allowing you to track compliance with multiple frameworks. Ostendio MyVCM is a cloud-based tool that your employees can access remotely, which has become essential in the COVID era. Easy-to-read dashboards can show you, on an individual, group or overall organizational level, how you are progressing towards your goal.
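To make the crosswalk idea from the framework and dashboard sections concrete, here is an added example (not Ostendio's code) of the underlying bookkeeping: evidence is attached once to a base-framework control, mapped controls in other frameworks inherit it, per-framework progress is computed for a dashboard, and a customer's audit question phrased in another framework's control id is answered by reverse lookup. The control identifiers and evidence names are constructed placeholders, not real framework mappings.

```python
from collections import defaultdict

# Constructed sample crosswalk: base control -> {framework: equivalent control ids}.
# Identifiers are illustrative placeholders, not real NIST / SOC 2 / HITRUST numbers.
CROSSWALK = {
    "BASE-AC-1": {"FW-A": ["A.1"], "FW-B": ["B.10", "B.11"]},
    "BASE-AC-2": {"FW-A": ["A.2"]},
    "BASE-IR-1": {"FW-B": ["B.20"]},
}

# Constructed evidence register: base control -> evidence artifacts collected so far.
EVIDENCE = {"BASE-AC-1": ["access-policy.pdf"], "BASE-IR-1": []}


def framework_controls(crosswalk):
    """Every control id each mapped framework expects, derived from the crosswalk."""
    out = defaultdict(set)
    for targets in crosswalk.values():
        for fw, ids in targets.items():
            out[fw].update(ids)
    return dict(out)


def coverage(crosswalk, evidence):
    """Per framework: (satisfied ids, missing ids). A mapped control counts as
    satisfied when any base control mapped to it has at least one evidence item."""
    satisfied = defaultdict(set)
    for base, targets in crosswalk.items():
        if evidence.get(base):          # empty list or absent key = no evidence yet
            for fw, ids in targets.items():
                satisfied[fw].update(ids)
    return {fw: (sorted(satisfied[fw]), sorted(ids - satisfied[fw]))
            for fw, ids in framework_controls(crosswalk).items()}


def percent_complete(cov):
    """Dashboard-style progress figure per framework, rounded to whole percent."""
    return {fw: round(100 * len(done) / (len(done) + len(missing)))
            for fw, (done, missing) in cov.items()}


def evidence_for(crosswalk, evidence, fw, control_id):
    """Reverse lookup for an audit request: which existing evidence answers a
    question asked in terms of another framework's control id."""
    found = []
    for base, targets in crosswalk.items():
        if control_id in targets.get(fw, []):
            found.extend(evidence.get(base, []))
    return found


if __name__ == "__main__":
    cov = coverage(CROSSWALK, EVIDENCE)
    for fw, pct in percent_complete(cov).items():
        print(f"{fw}: {pct}% complete, missing {cov[fw][1]}")
```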


Communicate status to key stakeholders

Make security and risk management a board-level discussion: it should be operationalized across the organization, with a key member of the leadership team holding responsibility. By elevating the importance of data security and risk management to a board-level position, you are showing that you place importance on this element of your company strategy. Using the Ostendio MyVCM platform makes it easy to produce reports that will show how your organization is performing and what work still needs to be done.


Seek independent verification

If you have followed Step 1 and established a framework, you will also be able to be audited against this framework to see how you are doing. Audit preparers can help you get ready for an audit and make sure you have the evidence and documentation in place to undergo one. When you are ready, you will select an independent auditor who will audit your organization in line with your selected framework. This independent verification is an important step to show externally, to customers, investors and partners, that you take security and risk management seriously.


Compliance is a journey

Don’t forget the need for ongoing monitoring of your security and risk management program, with possible annual audits and re-certifications required. Review processes if a breach happens or if there are known cybersecurity risks in your industry. Reviews are also necessary if your organization has a major structural change due to an acquisition or takeover. By using the Ostendio MyVCM platform, these tasks will be straightforward, as you can track and update evidence from one year to the next, ensuring that the relevant stakeholders have reviewed and updated it as necessary. Setting up a robust framework for security and risk management at the start pays off in the future.


Ready to find out more?

Schedule a free live demo of the Ostendio MyVCM platform to see how we can support your business in your cybersecurity journey.

Schedule a Demo