Compliance, Risk & Resilience Services
Helping clients become resilient, risk-managed organizations
Organizations increasingly face disruption as a sustained operating condition. The risk comes from the seemingly ubiquitous threat of cybersecurity incidents, supply chain failures, workforce challenges from public health crises, climate-related threats to physical infrastructure, and enhanced regulatory enforcement.
Well-managed organizations address this challenging enterprise risk environment by making operational resilience both a strategic imperative and a competitive advantage, and compliance an intended outcome. Boards establish these strategic governance objectives and expect senior management to execute them.
SOLUTIONS & RESOURCES
Organizations should approach operational resilience through an overall crisis management framework across the enterprise:
- shared culture of responsibility
- flexible and adaptive response capability
- risks managed from the perspective of their impact on achieving the strategic objectives of the organization
Leaders that recognize that the consequences of poor risk management and prolonged business interruption can impact the financial, reputational, legal, and regulatory health of the enterprise.
Our Compliance, Risk & Resilience team includes professionals experienced in enterprise risk management, cybersecurity compliance and risk management, business continuity, disaster recovery, crisis management, and operational resilience.
We help clients in every industry sector develop organizational and risk systems to prepare for, respond effectively to, and recover from operational disruptions and to develop the compliance systems necessary to support this capability.
Cybersecurity Compliance & Risk Management
Cybersecurity remains among the most ubiquitous and pervasive enterprise risks addressed by compliance, legal, risk management and internal audit officers and board committees. When upwards of 85% of assets today are digital, cybersecurity universally affects organizations as one of the most malicious and consequential risks they face.
Not only have information technology and operating environments evolved into complex hybrid systems, but also the means, motivations, and skills of threat actors have rapidly matured to a state of tradecraft that is sophisticated, patient and perversely effective.
Regulators that recognize the inherent vulnerability of critical infrastructure in key industries to the evolving threat landscape are steadily putting more teeth into regulations, attestation systems, disclosure requirements and enforcement actions.
Well-prepared organizations should have cybersecurity programs based on the value of their assets, their risk profile and tolerance, the opportunity cost of breach-related operational downtime, and their regulatory obligations and enforcement exposure. It is never "one size fits all". Our perspective is that, because compromise of digital assets and systems is essentially inevitable, resilience must be the prudent endgame after efforts around prevention, detection and response have done their best.
Compliance advisory services for cybersecurity regulations:
- Defense Industrial Base - practical preparation for binary new Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) regulatory obligations for prime and subcontractors provided by former defense industry security experts
- Healthcare - The Health and Human Services' Office of Civil Rights (HHC OCR) audit readiness, Health Insurance Portability and Accountability Act (HIPAA) security and privacy compliance for covered entities and business associates, meaningful use audits of electronic health records (EHR) systems, revenue cycle assessment and remediation
- Financial Services - sustaining compliance with global, federal, and state cybersecurity regulations such as Federal Financial Institutions Examination Council (FFIEC) and New York State's 23 New York Codes, Rules and Regulations (NYCRR) Part 500
Cybersecurity strategy, policy, posture, and maturity
- Posture measured against International Standards Organization (ISO), National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), CMMC, HIPAA and other cyber frameworks
- Cyber-related mergers and acquisitions (M&A) due diligence
- Policy and procedure development, socialization and training
- Maturity strategy roadmaps and implementation oversight
Risk assessments, technical testing, and vulnerability remediation
- Secure software development process
- Penetration and vulnerability testing, phishing and social engineering tests
- Current state program assessment - people, process and technology across network, web, and mobile security - and vulnerability remediation oversight and validation
- Security assessments of industrial/process control systems that comprise the operational technology (OT) environment
Short-term Interim Management
- Office of the Chief Information Security Officer (CISO) services
- Data Privacy Officer (DPO) services
Cybersecurity Maturity Model Certification (CMMC) & Defense Federal Acquisition Regulation Supplement (DFARS)
Led by senior cybersecurity leaders with deep defense experience, our Compliance, Risk & Resilience team helps defense contractors develop a practical approach to their DFARS and CMMC obligations, with a methodology that is never one-size-fits-all. We:
- Assess the current state of contractors' cybersecurity programs, capabilities, and practices, including maturity levels, against CMMC, NIST 800-171, and other cyber frameworks.
- Document how controlled unclassified information (CUI) enters, moves into, and exits your organization, as a basis for determining if the DFARS/CMMC environment should be enterprise-wide or enclaved.
- Create and document the System Security Plan (SSP), Plan of Action and Milestones (POAM), and Supplier Performance Risk System (SPRS) score (or guide contractors in implementing their existing POAMs).
- Remediate the identified gaps, and/or, re-evaluate after the remediation is complete to allow for an accurate SSP, POAM, or SPRS score.
Our cybersecurity team has been deeply embedded in the defense sector at the CISO level, and was integral in the development and negotiation of the original DFARS 252.204-7012. Our perspective is that risk-aware defense contractors must be prepared to protect the digital assets undergirding our nation's secrets. To the extent the CMMC regulation and the new DFARS require effort, expense and attention, we think every size and type of contractor can develop a cost-effective way to meet the requirements.
Our commitment is to help our clients with a practical experience-based technical and compliance strategy, a reasonable gap remediation plan, and defensible decisions to prepare them for their DFARS filings and audits, and their CMMC assessment by an independent CMMC Third-Party Assessor Organization (C3PAO).
Enterprise Risk Management (ERM)
The confluence of complex and disparate risks that confront organizations demands a disciplined way to evaluate risks and commit resources appropriate to their potential impact on strategy and execution.
To manage these risks, well-managed organizations have in common a process for identifying, assessing, and handling the risks they face.
Enterprise risk management (ERM) is an approach for identifying, assessing, and managing all types of risk the organization faces by priority, consistent with business objectives and risk appetite. It goes well beyond the traditional role of the risk manager and enables leadership to understand, prioritize and make consequential decisions. ERM enables companies to communicate, compare and decide on a preferred strategy to prioritize and address risks based on the company's objectives and risk appetite or tolerance. ERM provides a deliberate, strategy-based method for companies to accept, avoid, mitigate, transfer or exploit the risks inherent in their business model and operations strategy.
Our ERM approach provides a practical methodology and prism through which clients recognize, consider and articulate the risks that threaten their success; evaluate their approach to risk management; make optimal risk-based decisions; and develop risk-based decision-making throughout the organization to create enterprise value.
- Independently assessing ERM program effectiveness
- Developing and implementing ERM frameworks
- ERM program maturity and benchmarking
- Formulating the risk appetite statement
- Identifying/assessing key risks, evaluating mitigation, and controls
- Conducting Strategic Risk Reviews to refresh existing risk assessments
- Quantifying risk and measuring risk performance
- Organization, governance and reporting structure
Operational Continuity & Resilience
The inevitability of disruption to operations from increasingly common natural, intentional, and unintentional incidents elevates operational resilience to a board-level issue because of the potential financial, legal/regulatory, brand and reputational impact. Developing and documenting a predictable recovery capacity helps organizations:
- Meet governance, risk and compliance goals
- Address audit comments or respond to losses or insurance claims
- Align with global standards
- Meet partner requirements, loan covenants, insurance requirements and service level agreements
- Address risk issues in the supply chain
IT Disaster Recovery
Testing and Exercises
Plans should be tested with facilitated, structured walk-throughs and failover tabletop exercises to help IT managers and business owners identify what events could occur and how they should respond, by practicing with simulations of business interruption scenarios, from routine to extraordinary. Well-rehearsed plans can mitigate impact and damage, while un-practiced plans can slow recovery.
Crisis situations require accelerated decision-making
Managing effectively through crisis with these types of plans is now expected of resilient and well-managed organizations. Stakeholders, regulators, markets and the media are unforgiving of management teams that do not prepare their organizations effectively for crisis situations and boards that do not demand it. Poor readiness leads to negative impact on reputation, financial performance, market value and an increased threat of enforcement action.
Companies should develop a "toolbox" of response plans within an overall crisis management governance framework. Crisis situations require accelerated decision-making that may have to leapfrog the conventional management and budget approvals process and normal communication systems.
Emergencies and crises seem to ironically occur when responsible persons are least connected, available and reachable. As a result, effective crisis plans are increasingly being built on innovative mobile platforms that can dynamically geolocate team members, support live multilingual collaboration and accelerate crisis management decision-making among geographically dispersed staff.
Our team provides practical, best-in-class business continuity planning and COOP solutions, facilitated services and technology platforms to private and public sector clients in virtually every industry. We maintain the technical expertise to help clients align their disaster recovery capacity with their continuity plans and help organizations manage crisis situations with these services and capabilities:
- Business continuity management (BCM) strategic governance modeling for senior management
- Current state assessments of BCPs and COOPs
- Business impact assessments (BIA)
- Risk-adjusted software application recovery policies
- Plan upgrades on cloud-hosted SaaS and mobile platforms
- Staff training programs and facilitated tabletop exercise and COVID look-back assessments
- Regular plan maintenance programs
- COVID-driven work-at-home and back-to-work assessments, plans and policies
- Critical IT resources inventory and minimum equipment configuration
- Critical application inventory, run books, recovery mode operational procedures
- Disaster recovery plan preparation, development and testing
- Recovery strategy alternatives for equipment and applications
- Safety, security and vulnerability assessments
- Plan review, assessment and development on desktop and mobile crisis management platforms
- Facilitated structured walk-throughs and tabletop, functional, and full-scale exercises
- Strategic crisis management frameworks and governance models