Information Risk / Technology GRC Advisory


Governance of risks arising from technology and information risk controls presents unique challenges. These risks impact the business as events that impede the smooth delivery of products and services to customers and potentially undermine overall business resiliency. The technology function is also responsible for delivering the capabilities needed to close control issues across the business. Effective governance therefore requires a shared understanding between the business and its technology partners of how the business is exposed, together with an understanding of the relevant technical domains and specialized control frameworks.

We can help clients through the implementation of reporting frameworks that enable understanding and governance of information risks; the design and implementation of solutions to enhance controls; and the development of the technology risk function and framework.

Technology GRC / Information Risk Intelligence

Design and implementation of reporting frameworks and dashboards for the governance of technology and information risk
  • Reporting to enable understanding of the potential business impacts of technology-sourced risks and to prioritize remediation in terms of reducing the business's exposure to disruption, financial loss, regulatory sanction and damage to the customer franchise.
  • Identification of major cross-business / resiliency risks.
  • Reporting to track remediation initiatives and provide visibility for remediation accountability within business and technology governance forums for:
    • Major cross-business / resiliency risks.
    • Initiatives to close regulatory issues arising from technology control issues, as well as delivery of solutions to the business to close control issues arising from business processes.
Taxonomy and indicator (Key Risk Indicators / Key Control Metrics) design and selection
  • Extension of enterprise risk and control taxonomies to enable the understanding of technology control issues and resulting business impact.
  • “Top-Down” and “Bottom-Up” predictive metrics to monitor changes in risk exposure and identify new risk exposures.
  • Technology Risk Appetite definition and monitoring implementation.

Compliance mandate implementation, resolution / closure of regulatory and control issues

Compliance mandate implementation
  • Execution of current-state assessments to identify control gaps that must be closed to achieve compliance.
  • Identification, definition and execution of initiatives to close gaps.
New Products / Technology Platform Introduction
  • Creation / update of policy / policy standards for the introduction of new technologies / platforms (e.g. Bring Your Own Device (BYOD), Distributed Ledger Technology / Blockchain).
  • Navigation of new technologies / platforms through technology and enterprise governance processes and forums.

Information Risk / Technology GRC Management Framework

Capability maturity assessment and target operating model
  • Assessment of current-state control maturity with respect to internal policy and industry frameworks, e.g. COBIT, ITIL.
  • Identification of required standards, processes, procedures, accountabilities and tools appropriate to the current maturity and needs of the organization.
Information Risk / Technology GRC Policy Framework
  • Policy authoring / update.
  • Policy / policy standard taxonomy design and alignment to control frameworks, e.g. ITIL, COBIT, IT General Controls, NIST.
  • Alignment of policies / policy standards with minimum mandatory requirements for control consolidated from across applicable regulatory mandates.
  • Alignment of policy / policy standard framework to control testing program.