GRC Tuesdays: Organizations’ Internal Control and Risk Environments Need to Be “Healthy”
Colleagues and customers often ask me about various use cases for our governance, risk, and compliance (GRC) solutions, and typically the ones that get the attention solve financial problems (like duplicate invoice payments or inappropriate manual journal vouchers). However, trust and privacy have been on my mind lately, so today I want to share a story with you.
Earlier this year I gave birth to my son. A few days later, I was mailed a copy of my hospital invoice AND the invoice of another patient. Imagine my surprise. Now, I don’t know this person, but I now know about his/her health, treatment, address, and time spent in the hospital all for the price of the hospital’s stamp.
The Need for Manual Controls
We often talk about SOX, the Foreign Corrupt Practices Act, and so on—but what about basic privacy? While we espouse the value of automation, manual internal controls are still important for any organization. Being a GRC professional, I kept thinking about how the mistake of receiving another patient’s invoice could have been avoided. Had the hospital used secure printing, or had the people in the department handling invoices been more careful, I wouldn’t have received someone else’s information. Yes, people make mistakes, but what internal controls are in place to make sure that these mistakes don’t occur? And what further internal controls could be put in place to reduce the risk of them recurring?
When I notified the hospital of the error, it immediately replied and asked me to return the invoice. Since I’d just had a “C-section,” the thought of getting up and mailing a letter was the furthest thing from my mind. So a representative from the hospital came to my house to pick up the misdelivered invoice, and the hospital sent me a fruit and flower basket a couple of days later. While I appreciated the gesture, ultimately the “damage” to that other person’s privacy was done. Moreover, I don’t think that person will ever know that his/her data was compromised. (I know I won’t forget.)
To Check and Double Check
When we do business with an organization or transact with any institution, we end up trusting that our information is protected. We trust that effective internal controls are in place to mitigate the risks that could damage that trust.
As I was being stitched up from my “C-section,” I could hear the hospital staff counting. I remember hearing them count repeatedly, “1, 2, 3, 4, 5, 6 …”. After they finished, I asked my doctor about the counting. He told me it’s a check to ensure that what they brought in is what they were taking out. I don’t know about you, but I have seen shows about medical equipment being left in people’s bodies, so I found such a simple, manual process to be quite reassuring.
Business executives typically need a business case in order to justify any software purchase. It’s always easier to justify an expenditure when you’re able to quantify the costs associated with it. However, we know that not all risks are quantifiable. Some risks need to be assessed qualitatively.
Reputational risk is real, and a breach of trust can be quite damaging to an institution. So when you think about leveraging technology to manage internal controls and risks, don’t forget or underestimate the need for manual control testing. Further, why not leverage solutions that give you a single platform to manage your GRC needs, so that you have a comprehensive view of the performance of both your automated and manual controls and can assess your risks?