FutureRisk: Prioritizing Integrated IT Risk Management With Boeing
FutureRisk spotlights emerging risk areas and unique approaches to risk treatment with risk leaders from the world’s most prominent organizations.
In this episode of FutureRisk, John Wheeler, former Gartner IRM Analyst and AuditBoard’s Senior Advisor, Risk and Technology, sits down with Rachelle Butler, IT Risk Management Leader at Boeing, to discuss how her team approaches the four key risk objectives of performance, resilience, assurance, and compliance, including:
- Prioritizing risk management activities to improve performance.
- Implementing technology to monitor the ever-expanding third-party ecosystem.
- Identifying the top business priorities driving a need for greater assurance.
- Leveraging COSO in conjunction with NIST CSF.
Watch the full conversation, and read the can’t-miss highlights below.
Introduction: Four Key Risk Objectives for Organizations
John Wheeler: Rachelle, I’m so glad to have you on our series. I think what you have to share is going to be so compelling for folks as they’re looking at their challenges and how to draw more meaning, understanding, and visibility out of the risk profile that they face. There are four key risk objectives that most, if not all, companies have, and these risk objectives are going to guide us through the questions that I have for you today.
- The performance risk objective is about how organizations can understand not only their financial performance, but their non-financial performance, and the metrics and risk indicators that would lead them to better understand whether or not they’re going to achieve those goals. In the non-financial realm we’re seeing today risk areas like ESG — environmental, social, and governance — and cybersecurity. We’ve got a big focus also on digital risk and new digital products and services. These risk metrics are a challenge for most organizations because there’s not a lot of standards out there, or in other cases there may be too many standards. For example, in ESG, there’s over 600 competing standards today. In the coming year, I think we’re going to see a lot of consolidation around what we need to be focused on.
- The resilience risk objective has to do with how companies can better respond and recover from risk in a very quick and effective way. This has become even more important for organizations as they’ve made their way through the pandemic, but also looking forward to more operational disruptions in the areas I just described. Certainly cybersecurity having a big impact on organizations.
- With the assurance risk objective, we look to help organizations manage the right risks in the right way. So, identifying the risks that are truly relevant to the business, and maybe not just driven by regulation or compliance, but really focused on what the organization is trying to achieve and then making sure that they are controlling those risks, mitigating those risks in the right way.
- Compliance is a very important risk category for a lot of organizations. We’re finding today that not only is maintaining compliance so important, but in areas of noncompliance, when those issues or incidents surface, how do you act upon those in a effective way — and in a timely way as more regulation requires quicker response and quicker disclosure of what’s going on.
Prioritizing Risk Management Activities to Improve Performance
John Wheeler: Let’s talk first about performance. What I’d like to find out from you is, where is your organization prioritizing the non-financial risk management activities to improve your overall performance as an organization at Boeing?
Rachelle Butler: One way that we’re prioritizing our performance is that we’re actually having our internal corporate audit team come in and audit all of our processes. We’re opening up our processes and our procedures to literally be scrutinized, weighed, and analyzed to make sure that we’re doing what we need to do — and almost more importantly, to improve our processes. We’re having them look at how we elevate our risks within the environment. We want to ensure that we’re building a culture where our teams and staff are comfortable raising risks to their managers, and then we can bring them all the way up to the CIO and the board of directors if needed. We’re looking to get a much more holistic view of our overall risk posture. We can report out on the findings and then improvements to mature our entire risk process. So, that’s one way that we’re trying to improve our non-financial risk management activities.
John Wheeler: Well, that makes a lot of sense, and given that you’re leading the IT risk and compliance space, making sure that you can raise those issues and risks up to the appropriate levels very quickly and efficiently is, I think, very important.
Implementing Technology to Monitor Ever-Expanding Third-Party Ecosystem From an IT Perspective
John Wheeler: The next area, resilience, one area that is a key focus for many companies is the realm of third-party risk. My question to you is, how has your organization addressed the challenges created by that ever-expanding ecosystem of third-party suppliers, vendors, and partners that have a significant impact on your business operation, especially in the IT realm?
Rachelle Butler: This last year we’ve started implementing a morecloud-based risk management tool. We’ve always had products, but implementing these SaaS products that enable our team to use an out-of-the-box product hopefully will free up our developers and resources for much more customized tasks, and to analyze that data. We also have to look at a much more holistic view of our vendors, suppliers, and partners, both internal and external. We’ve actually seen it impact our organization, giving us a much more holistic ability to monitor them. We can use that built-in reporting, and we have the tools to help us monitor the content. Our goal is that our team members aren’t building these dashboards and customizing them constantly, we’re just able to have our teams track and monitor these very critical and ever-changing areas with our vendors and our partners. There are so many different things going on from an IT perspective, so pulling them all together is really our goal. We’re hoping that these more out-of-the-box cloud products will give us that view and that lens that we’ve been looking for.
John Wheeler: I see a lot of other organizations doing the exact same thing, moving more and more to cloud service providers helping to provide a more comprehensive picture. I think the various third parties that may not be hosted in the cloud at this time are going to suffer going forward because the majority of organizations need to do exactly what you’re doing at Boeing — monitoring on, if not real-time, a near-time basis to understand where things might be starting to go off the tracks a little bit. Getting into those third-party organizations either through a targeted audit or maybe having some of your own resources within your group work directly with them, and working to shore up an area of compliance that needs strengthening or if there are any malware events that are lurking out there, getting those handled quickly.
Identifying the Top Business Priorities Driving a Need for Greater Assurance
John Wheeler: The third objective that I described at the outset of our call is assurance. How do you make sure that you’re addressing the right risks in the right way? For Boeing, what are the top business priorities driving the need for greater assurance within your organization?
Rachelle Butler: We actually have four strategic objectives for our whole IT and data analytics organization. We’re excited that in 2023, we’re having the same strategic objectives from 2022. We get to continue to implement these four: digital-led growth, product-centricity, cloud stability, and predictability in employee digital experience.
Three of them are really focusing on digital transformation, I would say that that’s an overarching top priority for our organization. It doesn’t come without its challenges, such as getting people to accept the change. They’ve done certain tasks for so long, they don’t necessarily want to change. Or we get a new tool and they’re trying to customize it to fit exactly what the old tool did, so it’s also about getting them to think outside of the box and really strategically implement.
As we move to the cloud and really work on digital transformation, compliance is a huge area of concern for the risk and compliance team. Our cloud vendors may or may not understand the great importance of change management or user management. We have very strict and stringent policies and regulations that we have to follow. As we’ve moved to the cloud and added some of these cloud products, it’s improved some areas, right? We freed up our developers to do some really intense tasks, but it’s added a little bit of extra burden on our compliance focals because not all vendors see the importance of just adding a new user without any documentation. We recently found one user named John Wayne with the email of batman@test.com. I’m sure that there was no ill intent, but at Boeing, we have very strict guidelines and processes and protocols. That digital transformation has added a little bit of a different challenge, I would say, and we’re now monitoring our vendors as well as our employees and our processes.
Prioritizing Compliance Resources & Using COSO in Conjunction With NIST CSF
John Wheeler: With that compliance challenge, you’ve taken me to the final objective around compliance and the need to prioritize resources in a way that aligns with where the business is headed. My question to you in the compliance realm would be, how does your organization prioritize its resources on compliance activities and, in particular, as it relates to major changes or overlaps in the regulatory requirements that you face?
Rachelle Butler: As you said, compliance is a huge deal and a huge conversation. It’s very important to our organization. Not only do we have our governmental requirements, we have internal requirements — and these two don’t always align. Our internal controls are actually a lot more stringent than the government. Trying to report on these two types of controls is also part of the challenge we face. We have dashboards and we have what we call our “scorecard” thatt goes all the way up to the CIO and down to the actual application owner. We’re trying to report to the board of directors and our senior leadership that, hey, our compliance numbers may not look great, but from a government standpoint we’re doing fantastic. We’ve had different audits where we’ve literally scored a hundred percent — so maintaining that is a big thing.
Prioritizing compliance is a really central focus. We actually report on it to the leadership team once a month, and our teams are working on it right now as we’re preparing for the end of the year final report on how we’re doing with our compliance. From a strategic standpoint, we’ve tackled where we have control performers, those that do the controls, and we have teams that monitor those doing the controls. Then we have focals that monitor all those activities. As we’ve talked so much about budget constraints and things like that, we’ve had to tighten our belt strings in that area. Where in the past, we’d have one control performer maybe managing one or two applications or processes, now there’s more or that’s just one area of their statement of work. Looking at prioritizing the financial abilities and financial constraints, but knowing the importance of compliance. It’s a constant challenge, and something that we’re focusing on and tweaking.
John Wheeler: I think going into 2023, we’re going to continue to see those economic challenges persist, unfortunately. It’s really about focusing on the areas that add the greatest value. The other thing I’d like to mention, as it relates to your answer, is the fact that Boeing is doing so well around governmental compliance. In my experience, I was at Gartner for 10 years, and I have to tell you that over those 10 years I’ve been so impressed with what our federal government here in the U.S. has been doing around risk management as it relates to cyber, in particular NIST and their cybersecurity framework. I think it’s one of the areas where our government is doing a great job… given that you’re doing so well in complying with those regulations, I’m sure that you’re a standout for a lot of organizations who are looking to use NIST’s cybersecurity framework and the other guidance around risk management practices to be more effective. So, kudos to you!
Rachelle Butler: Actually, from a risk management perspective, we’ve always used the COSO framework. However, at the end of 2020 and really in 2021, we’ve implemented the NIST framework. We’ve reestablished all of our organizations and all of our cybersecurity risks, aligned to that NIST framework. It helped us really set the stage from a risk management perspective to make sure that we’re hitting all the different areas. We use both of them now, the COSO framework as well as the NIST more specifically in our cybersecurity realm. NIST is a really good framework and it helps set the stage and guides the teams that maybe don’t live and breathe risk management… It helped us train them. Training has been a huge thing that we’ve used as we’ve expanded our teams, and we’ve wrapped it around that NIST framework.
John Wheeler: It’s super important to draw more people into the program, and NIST has done a great job of making it practical and easy to understand, but also very targeted in terms of what it’s designed to accomplish. The fact that you’re using COSO in conjunction with NIST is great, because the other advice I always give folks as we talk about frameworks is there really isn’t a single framework that can address everything. Drawing upon multiple frameworks to design your own unique framework is a leading practice that I see, again it sounds like Boeing is on the leading edge — congratulations on that!
##
