The Global Privacy and Information Security Landscape - U.S. Federal Privacy Laws and Regulations  
  Today, more than ever, intangible assets such as customers, systems and information provide a foundation upon which corporate value is built. Ensuring the privacy of customer information and protecting critical corporate data have become front-of-mind issues for management teams. Yet, despite a growing number of privacy laws and regulations, security threats and vulnerabilities challenge every organization striving to manage these risks. In this episode, Carol Beaumier, the leader of Protiviti's Global Financial Services Industry and Regulatory Consulting practices, and Cathie Meyer, an attorney in the Privacy & Data Protection practice of Pillsbury Winthrop Shaw Pittman, talk about the global privacy and information security landscape. Protiviti and Pillsbury recently collaborated to publish a comprehensive resource guide on privacy and information security.
Podcast Transcript:
Kevin Donahue:      Hello! This is Kevin Donahue, senior director for Protiviti, welcoming you to a new installment of Powerful Insights. Today, we’re going to be talking a bit about the global risks environment – specifically, the views of board members and C-suite executives about that environment. Protiviti has joined again with the North Carolina State University ERM Initiative to conduct the fourth annual Executive Perspectives on Top Risks for 2016 study. I’m joined today by Mark Beasley and Jim DeLoach, who are going to be discussing some of the key results about this study. Mark is the Deloitte Professor of Enterprise Risk Management at North Carolina State University and director of the school’s ERM Initiative. Jim is a managing director with Protiviti and a member of the firm’s solution-leadership Team. Jim, thanks for joining us today.
Jim DeLoach:         Glad to be here.
Kevin Donahue:      And Mark, great to speak with you as well. Let me toss the first question to you. Our overall results this year indicate a global business environment that’s slightly more risky for organizations than it was a year ago, but our results say they were less risky, or the results are less risky than in 2014. Does this surprise you?
Mark Beasley:         Kevin, in some ways, I’m not surprised, particularly, to see the risk profile overall picking up a little bit over last year, when we think about what’s going on more recently with, obviously, the volatility in oil prices – the significant drop-off that’s happened in late ’15, and then it picking back up now. On top of that, the political uncertainty here in the United States, and then the more global ramp-up of a little bit of terrorist concerns and activities, just add to some of the confusion in the markets. We particularly saw that confusion in the late fall and early 2016 in the equity markets with the Dow and some of the drops there, coupled with the Fed kicking up interest rates a little bit in December and now sort of appearing to back off from some of its intentions. I think it’s signaling there’s a lot of uncertainty in the marketplace, and I think that uncertainty seems a little more heightened than it was a year ago. I think as we continue moving into this year, I’m wondering if we’ll see it continuing – buffing up even more. So I guess, in a lot of ways, I’m not that surprised with that difference from the prior year.
Kevin Donahue:      Thanks, Mark. I’ll point out for our audience that this year, Protiviti and North Carolina State received more than 500 board member and executive responses to its study from around the world. So this truly is a global look at the risk environment.
Jim, I have a similar question for you. Looking at the top ten risks identified in this year’s study, more of them are operational in nature. This is comparable to last year but different from a few years ago, when strategic risks were of a greater concern. Given the dynamic environment out there today, does this finding surprise you?
Jim DeLoach:         Not really, Kevin. Yes, it’s a risky world out there. Yes, there’s a lot of change. But I think as growth – organic growth, for example – becomes more challenging, companies tend to start focusing on operational issues. We think that companies may be concerned with, and even prone to accept, the reality that there may be a new normal for businesses, forcing them to learn to operate in an environment of slower organic growth. So that tends to drive the focus on operational issues. In fact, this year’s emphasis on operational risk is consistent with our results last year. So, when you look at the operational issues that the survey was concerned with, particularly in our top ten list – cybersecurity, succession and talent retention, privacy, identity management, resistance to change and cultural issues – these are matters that we certainly hear companies talking about. Some of these operational risks, Kevin, have been increasing steadily over the last two years, particularly cybersecurity, privacy, identity management, and resistance to change, for example.
Kevin Donahue:      Thanks, Jim. Again, a reminder for those in our audience, I want to tell them that you can find a copy of our detailed report on the results of this study at the North Carolina State website, erm.ncsu.edu, or at the Protiviti landing page for the project: Protiviti.com/TopRisks.
Mark, following up on Jim’s comments, we do see a lot of similarities in the key risks identified this year compared to prior years, but one risk issue that seems to be on the rise is the rapid speed of disruptive innovations and new technologies. What are you personally seeing in the market that helps explain these concerns?
Mark Beasley:         Yes, that was an interesting one to see. In some ways, when you think about, at the big-picture level, the advances in technology across the industry spectrum, there’s a lot of concern that my competitors, particularly, are moving faster through R&D and their product developments, surface developments and innovative ways that could be hugely disruptive. Where we particularly see that was in industries of, not surprisingly, the technology/media area, but also, this year, moving to the significant-impact level, the health care and life sciences industry, where they rated that risk at the significant-impact, or highest, level in the study. That was a move particularly into that category for health care and life sciences. When you think about disruption and business models, I guess I’m not surprised at all, particularly as we listen to that whole industry deal with the realities of health care from an insurance perspective. Then, in this political environment, where that’s a part of the debate, I think executives in that industry are noticing and have that concern that their entire business model could be disrupted by innovations and how we deliver health care, as well as the technologies that are used in delivering health care. The other industries that moved from what was our lowest level to the moderate level were the manufacturing and distribution industries, where, if you think about manufacturing – obviously, the innovations in how we deliver products and services and how a lot of that supply chain process of raw materials getting into the production and distribution side with the global events going on – I think people are realizing that we could see some disruptions there as well as now dealing with a pandemic potential concern from Latin America. 
That could impact our ability to manufacture the products in the ways we have and could, again, with some innovative ways of dealing with these challenges, disrupt how my organization’s process is designed. So, in a lot of ways, I guess I’m not surprised to see that issue escalating with the speed of the way technology evolves, and the way businesses are really trying to think about how they do things differently.
Kevin Donahue:      I would tend to agree. I would expect we’re going to see that pretty high up in the list and in the coming years as well. So, a final question for you, Jim – maybe the best for last – and Mark, you can weigh in on this as well. As we dig into some of the deeper data cuts in the study this year, one of the most notable findings is that board members and C-suite executives have differing views of the top risk exposures facing their organization. Jim, what does this say to you?
Jim DeLoach:         I think several things, Kevin. Certainly, it’s vitally important that directors and senior executives be on the same page. When you look at the results, the board members rated 17 of the 27 risks at the lowest impact level, while CEOs weighted none of the 27 risks at the lowest level. And that’s an interesting divergence. Directors were concerned with the economy and with succession-of-talent, cybersecurity, regulatory and geopolitical political issues. And that’s not an unreasonable picture. That’s a picture that directors kind of think about. Meanwhile, CEOs and other members of the C-suite executive team report different results with the top risks exposure. To me, these findings suggest that there’s a strong need for discussion and dialogue to ensure that the organization is focused on the right emerging risks exposures. I believe that the findings suggest a need to improve risks assessment processes. For example, is management periodically evaluating changes in the business environment to identify the risks inherent in the corporate strategy? Is the board, for example, sufficiently involved in the process? Particularly, such changes involve acquisition of new businesses, entering into new markets, introduction of innovative technology – to Mark’s point, the alteration of key assumptions underlying the strategy, or if there is any understanding of the risks or the threat to the business environment that could be real. Regarding your organization’s ability to execute its strategy, certainly, there needs to be some early warning capability on these points. My conclusion is, given that divergence you raised, given the rapid pace of change, I think that there needs to be some effort to ensure that organizations are positioning their periodic risks assessments for a proactive versus reactive response to risks that may emerge. 
For that reason, Kevin, we put a call to action in our report suggesting that companies take a look at their periodic risks assessment processes.
Mark Beasley:         Yes, Kevin. I couldn’t agree with Jim more. I think when I read and see the results and think about the data, what stands out to me is that there are significant differences and views on the overall risks profile. If we’re not seeing organizations having explicit focus discussions about their views on risks and what they see on the horizon, if they’re basically getting the risk insights from implicit discussions about other issues and thinking they’re talking about those risks, I think they are in a lot of ways sort of misleading themselves in the sense that there are significant differences in views of which risks are less important, and overall, are we concerned about the risk environment? As Jim pointed out, the fact that 17 of the 27 risks were rated at the lowest level by board members and none were by the CEO to me just pops out. I think that we need to have dialogues about that. The interesting thing that I want to highlight is when we asked the question “To what extent do you think the organization plans to devote additional resources to risk management over the next twelve months?” ironically, it was the board members whose rating is higher than other executives other than the chief technology officer, which I’m not surprised about, given cyber risks. But the fact that board members signaled the highest sort of indication “We’re going to do more in risk management,” even though they’re rating many risks low, is an interesting finding to me. So, there’s definite interest at the board level, I guess, but let’s make sure we’re talking about what the specific issues are.
Kevin Donahue:     Well, Mark and Jim, I want to thank you very much for joining me today in discussing these issues. Really, as you know, we just scratched the surface of the results found in our study. I invite our audience to visit erm.ncsu.edu or Protiviti.com/TopRisks, or you can download a free copy of our report, Executive Perspectives on Top Risks for 2013. The report contains detailed findings and analysis with results broken down by role, by industry, by company size. Great information, and we look forward to hearing feedback from the market on the results on this insightful study.