On August 14, 2019, the Association for Federal Enterprise Risk Management (AFERM) and the Information Systems Audit and Control Association (ISACA)-Greater Washington DC (GWDC) hosted a luncheon featuring a panel discussion. The panel consisted of Jonathan Cantor, Chief Privacy Officer of the Department of Homeland Security (DHS), and Edward Killen, Chief Privacy Officer of the Internal Revenue Service (IRS). Karen Sheely, Technical Advisor for Privacy, Governmental Liaison and Disclosure at the IRS, moderated the panel.
The panel’s discussion of ERM and privacy risk management covered topics such as: emerging privacy risks; challenges and recommendations related to the management of privacy risks; and how the disciplines and related functions of privacy and enterprise risk management can work together in an organization.
Privacy Risks
Ms. Sheely asked the panelists to provide their perspectives on the biggest risks facing their privacy work. Panelists discussed how the proliferation of information, particularly personally identifiable information, in the data ecosystem and the use of emerging technologies has introduced new risks and potential exposures in the area of privacy.
Mr. Cantor noted that new types of data, such as biometrics and facial recognition data, as well as emerging technologies, such as artificial intelligence and machine learning, raise a number of questions related to privacy. He noted that when implementing these capabilities, it is important to spend time considering privacy and other risks upfront. For example, when implementing a particular initiative at DHS, the Department convened an advisory committee of advocates to provide external feedback on and validation of the planned approach. As another example of this upfront approach to managing privacy risks, Mr. Cantor described how the Department was engaged early in the drafting of a recent executive order, in order to ensure that privacy protections were specified.
Both panelists noted that finding and retaining personnel who are skilled in these disciplines and have the ability to communicate across different levels of proficiency remains a challenge.
Managing Privacy Risks with ERM
Next, Ms. Sheely asked panelists to discuss how ERM can help to manage risks related to privacy. Mr. Killen noted that ERM is critical to elevating issues, and specifically cited several privacy-related areas where ERM has been useful to the IRS. When discussing privacy risks, Mr. Killen cautioned attendees to remember the importance of reputational impacts, and how risks to an organization's reputation can undermine operations. Mr. Killen further described the benefits of ERM at the IRS, indicating that it has drawn attention to enterprise risks that would otherwise have received less focus.
Mr. Cantor emphasized the importance of recognizing that risks to privacy are risks to the enterprise. Additionally, according to Mr. Cantor, it is critical to embed privacy into the entire lifecycle of an engagement, starting with the design phase; by doing so, an organization can avoid or mitigate risks to privacy and data.
Challenges to Integrating Privacy and Risk
Lastly, Ms. Sheely asked panelists to discuss challenges to integrating privacy and risk management. Both panelists cited cultural factors, noting that employees often have a natural reluctance to discuss risk. Mr. Cantor noted that encouraging transparency and partnership, engaging in good-faith discussions about risk, reinforcing the concept that everyone is a risk manager, and encouraging risk reporting can help to facilitate healthier risk conversations in an organization. He also reiterated his recommendation to engage privacy experts in the early stages of an initiative, so that privacy and other risks are addressed upfront, in the design stage.